5661f5046ab903945ad3b06780382d06e57f30eba08d7d32584cef256b4eb205

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 20:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
Size

414KB
MD5

253895d0f753b43c6ac23030543a317f
SHA1

a50eaa802bcf918bf05d15447cc85f5193343e36
SHA256

5661f5046ab903945ad3b06780382d06e57f30eba08d7d32584cef256b4eb205
SHA512

a4e9d91f147d2922aaec35d386050822b7b090bf33f506df2defcde22415f902bf71c912dc6ca5681539df9f39ffadbfa139efccba0fc6180a87297d5e898ea1
SSDEEP

12288:n7/CbvBkSiu436qv618YBHkNBX6jH7v+ug:n7abJkS1S6qy18sQBX6H+/

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2800	wmpscfgs.exe
2784	wmpscfgs.exe
2624	wmpscfgs.exe
1332	wmpscfgs.exe
764	wmpscfgs.exe

Loads dropped DLL 4 IoCs

pid	Process
2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\program files (x86)\\internet explorer\\wmpscfgs.exe"	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\program files (x86)\\internet explorer\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\adobe\acrotray .exe	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002c77f6d9c7ae89498832e5df367d842100000000020000000000106600000001000020000000de68bca4627c5295582c58f5d97b801d06582bc3fe39661d8d8b48a8fae17b92000000000e80000000020000200000002a346145ca9ece95795dd0cbf2ab4e211015594518a5c2ce377ac619cf0596d2200000001b0ef2de2a653832cb8be703b614a5e4ec60306ef9ca8227d41dcc9c6f7790c540000000d8d92179c3685888b7ff15fbc7ecd5bf0ff682c0221b2ea9dbda06308ab650e90eac0b93a37f7d6eae0a0779cbf0d1a99c7e73005c29aee27967cddc72f0fb21	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04d69d3f419db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FEB8B481-85E7-11EF-BD41-DEC97E11E4FF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002c77f6d9c7ae89498832e5df367d842100000000020000000000106600000001000020000000dd6b632f286b528963fd0d36daeed8afe0e2aa5c0475b1ad7cfd3e58f26b0c22000000000e8000000002000020000000f65920e3a8126404af972e23c04a09422ba22b9deb2eb0465132707a8fdfa49a9000000080e879cd493d62896a15c19b78119fb67c1bcb2faf388f1464eb265e4445b2d939997c7bf6d4091405bdd218264d5cc082e2cfd9df0cb2e0357b4ed0dc5ac09c98dd8ab0fad33769aec42cf2f822db399835a3bcbe6032bcff26b3a6bcd1a424386f8871c859806f2ef128b7e8db1213f266ea064d5f13910ebce816617c7ef55e77990f5eebe8385ac95eeb1e73a18c4000000098b73b4dcadc88e6e2007fcda7a9f4f9ab009a9ea12143a9dcf4878ccbf6b4a4e0852979d19a437e097a4e8b714a352d479f0e54c31d31c43ad2de130fbb1c1a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
2784	wmpscfgs.exe
2800	wmpscfgs.exe
2800	wmpscfgs.exe
2784	wmpscfgs.exe
2624	wmpscfgs.exe
1332	wmpscfgs.exe
764	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
Token: SeDebugPrivilege	2784	wmpscfgs.exe
Token: SeDebugPrivilege	2800	wmpscfgs.exe
Token: SeDebugPrivilege	2624	wmpscfgs.exe
Token: SeDebugPrivilege	1332	wmpscfgs.exe
Token: SeDebugPrivilege	764	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2204	iexplore.exe
2204	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2204	iexplore.exe
2204	iexplore.exe
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2204	iexplore.exe
2204	iexplore.exe
3068	IEXPLORE.EXE
3068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2800	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2800	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2800	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2800	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2784	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2784	2252	253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2624	2800	wmpscfgs.exe	32
PID 2800 wrote to memory of 2624	2800	wmpscfgs.exe	32
PID 2800 wrote to memory of 2624	2800	wmpscfgs.exe	32
PID 2800 wrote to memory of 2624	2800	wmpscfgs.exe	32
PID 2800 wrote to memory of 1332	2800	wmpscfgs.exe	34
PID 2800 wrote to memory of 1332	2800	wmpscfgs.exe	34
PID 2800 wrote to memory of 1332	2800	wmpscfgs.exe	34
PID 2800 wrote to memory of 1332	2800	wmpscfgs.exe	34
PID 2800 wrote to memory of 764	2800	wmpscfgs.exe	35
PID 2800 wrote to memory of 764	2800	wmpscfgs.exe	35
PID 2800 wrote to memory of 764	2800	wmpscfgs.exe	35
PID 2800 wrote to memory of 764	2800	wmpscfgs.exe	35
PID 2204 wrote to memory of 2396	2204	iexplore.exe	37
PID 2204 wrote to memory of 2396	2204	iexplore.exe	37
PID 2204 wrote to memory of 2396	2204	iexplore.exe	37
PID 2204 wrote to memory of 2396	2204	iexplore.exe	37
PID 2204 wrote to memory of 3068	2204	iexplore.exe	39
PID 2204 wrote to memory of 3068	2204	iexplore.exe	39
PID 2204 wrote to memory of 3068	2204	iexplore.exe	39
PID 2204 wrote to memory of 3068	2204	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\253895d0f753b43c6ac23030543a317f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\program files (x86)\internet explorer\wmpscfgs.exe
  "C:\program files (x86)\internet explorer\wmpscfgs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\program files (x86)\internet explorer\wmpscfgs.exe
    "C:\program files (x86)\internet explorer\wmpscfgs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\program files (x86)\internet explorer\wmpscfgs.exe
    "C:\program files (x86)\internet explorer\wmpscfgs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2396
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:865284 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
427KB

MD5
be8452e6983f0c902dff4a894dcb2af5

SHA1
fbdea4724c73b21ef37bf9933bc7ab2f86b8a086

SHA256
568d327111841e05e9b62a73be36c9c3776da2805cab54f4373c21aea5d42e39

SHA512
4254deafeddc5048fa79350bccbcd1e767df5d711c90844784a9e1076056c70ac57bf31c424576ea2b58f68c26b1c4be4f57770e833826caa79a2ddb433971d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c62bd00c576e68d511b2beea911d7e0a

SHA1
dba7dd64d883fecfe4cb0197ef7ed18262d362bb

SHA256
26d0537b4cbf0d20e254d4a54725a012b606f441c6d3182d786d7d232617d6ff

SHA512
a9c9f5f2300403a8bd8af571e0774fc7f28b5d753eb852e4f83e16d9dd2593951908d684ee3c01b2bdbee3c4d1aef18366ab07c5d7dfcb245221238c859b4f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46e5d717a1eccef3ce781c4afc7eefb0

SHA1
24d6083699fafc29370e21a1a7f96c3a703c13d0

SHA256
4374f9a71ff7334e610155c720531b17b1a308dacbcb63fd37d4720e1d470dc2

SHA512
70084643fa461319af56db17027ca4f305f844cc3a472775cf2a84c7fe31504806b00d0f3bd381d9d9c69b26c1db2e25c6c966a0d85d8d97b2096d6ffb534d68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f63ef73ee74be1c0959890592416001

SHA1
a046fa049e991c3fd539dd974b44540f7fcfb07d

SHA256
06ef21ae9b5a47897519dc95608bca4412f3e031f933a958d8e719772d442af1

SHA512
899509b11360102ddd63899700a7b41fed538650539e98d140f966950c75d91e17d8766437475709a4642bb044e523133bcd4961e8b2d2e4d757a0199f950937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1bb3a52f536e11926df74d7017a5d15

SHA1
71f90cdd89756eef987c29bf6ca9c3db0ef09e31

SHA256
dc5cfd06529cb1e4e8e004836b716c5e5fed18110fe21251c1fdf81ba84801ff

SHA512
182b4571b05c1724d0c62415c7b2ab141eecc2778af697737a1159be3bc5c05dc6d1a4b4c098953b9341ce2888a9648502e3dac8055b22779ac1940b6d67a775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6df4465a7e2ec36eebd332fb5b764c6c

SHA1
670ca778fbf4686f27743d86ec054aca7605f92f

SHA256
a8a241d54ff4edf62d4310337fb882ee7c9ec1d039909619a3b8dc5269097688

SHA512
94ef52a5772219e7115102e2813fb9fc74a82a8413b5fd0e571d9fb994f63022b6e873af76f94ec9080ff2eb588c79a5a2e7dfc564bb5abd93b361b7face0427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77450e312e032042be12e964a6821849

SHA1
179092905234b7f8d077b57c92058b45096bde4a

SHA256
425ed5fd8d9f34b8d72083f1dee8c08e012b58fc6d6cadb065b1fe8dd39df78c

SHA512
a33af8d56fc04541322d287dc0a2ca65741fa3e3611e0091316b8f3c06928cbaeb39b224cf0cb19844c997c2ce5d0f07342ec37a04688878f6636c0bc79765a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e786d5a62118592b235cb73a51830d3

SHA1
53a30504ba322d7a2c2b8223e3979db46cafff72

SHA256
489bb7c9c7bb3e21e5b2240095d45176f10c57ae7c831dcd8bc1aab9b1b053f8

SHA512
77d5bd8d8f731574d6400757a789a8e5c1493580ced7c57948e3aeeefb7f395b505e4a8ba750bbcc3c01e7d379988a5031ee5327ea73bee4cdd45d14d6b66591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddb06b0681ec9ff8e1b946d3702104ca

SHA1
2c4eca4300dcbac652c53dcf8720b5f8afc52f94

SHA256
1f3af76f50f0a7957cd50aab9cbb5f791f5181f7bf1864e821041112cbeca056

SHA512
eae4425285381d8f26d33e8d77b7b613b036e56a034a8607c3d64daa64ae20c503f677363295bb79426a685465f0549012f28e06abf1b885f7b5651f54034a28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9e595a787d532a73795be30c90e3331

SHA1
f524ba7c0bab8c335ec348034d8cd283b6a04e2d

SHA256
c155f0cec620a454e2e6b940b72722b829475bd73669b11db7394eee4821ff78

SHA512
5e72ae03f71b780d10c25b9a64d0772bf66d8569022c8137f315ee9c596d237f0afa1db77bd506806deb9e93331a8c726bcb77d5552669c579be88ce1c263484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5092777045c661862ac2a5f542224993

SHA1
196ea2b4c9d0d98fbb9ac94bff7cc5d560bd88a7

SHA256
6d6f9549fc71813e31e53d234c34051c565cb31b3cd6d8772ca5de3b9e5055fc

SHA512
78d033345eac9b38b69552f7cded22feec45ff4626631280b340e8e747a19e88625e8b49b7bcb81f8bfd93fb83793cc116548ffa8f6032ebb811ae6908df3395

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be4c775d6dbfbf16e87a77c666a027d2

SHA1
c7183983efb98af6ff506e9744e3a6920ced69e4

SHA256
3cad19f6649449b18c9a33ab99a2410141f072af2f5eb632fdf5d59d1d2f69a9

SHA512
e7539db8a4143bbd342e02e542550707b9be0e954a83f8536d64a778f9e310d345ee6cc66941d8ed68f767075076967d72426c4069b2ebec9a1bb2324ea7dcbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bb50894d0441e7d909e6bbaf18f39a7

SHA1
3eff07997c717fd1b6cbccfe586102481b9f3098

SHA256
c897c33ac29aa1d8ff4f658eea4a8660412a2ccb8d204f9ccdce10979ab48e70

SHA512
b4e592cd051b304a8c2b6885835b4d0519062f1e8a31f4f01f86310a7420fbd1158681c87125971f5e2375aef4e4655865babec518a9192d46d3a7e36f0460ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4939501223e5a292a4ff38d19770c15f

SHA1
b73e2933f25cd084fe3067a0e0fd14a53e352230

SHA256
fabc04985d63c0bc13a885c92ed203e9beb8cd1f4890b155902424a14212431d

SHA512
d0f4f53c03c430975a8d1cae2528d6b76279b39709d4d9ec6050207ecb3f0e171e0d551332d0a8540736dfc49c0d97162ab9314b949c3e6924699a1cf6405ae8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c4a0f4a1909ba90aeee1d53c55e5c10

SHA1
20265d18456654df506c31d550122f91511799d9

SHA256
31685b43cfd62776d44a5751f3cb85c8bb3153eb4fec56de40d1af8652013fc9

SHA512
53d79cd387ab97191ec942f31c3dcd62828d1fdad4035b12ddc782d55ed25b277549c27936bf14c19d6d57eeeb774268ddb8d91a44696556b8a2c11bca835e26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b7c07df227b85658a6bfae33a683b59

SHA1
da2b0c422920c377ed1013abd012bf38cb5b30b6

SHA256
3c00e1960f3f91f7cac8d623ef3c37e082e10b1912a6e76ac64182761fd2eef1

SHA512
2c66cbed434f3403d51d51f30a629ce8cf60a944dae06c47a464832748fcd1389e6952e31bc3d8766b5766a9e502c3ac450bbbe62a688de821d7ce5b0efe5a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a705511bf6898e273e2115e0af99df3

SHA1
90f1149bbc028d1e4957dd47102b089a4191886e

SHA256
cfdb0852bd1c480f81ae2513ba203edc332bc2543fdfc6b7d53b349d354d02a7

SHA512
ab0d40667f21a3a71dfe81d87a82efa772ba7053d11d59047e6831cd36ad0b557e7a4ccd9442f4314dba8c867b447ee60160af810b351c628ee7418ce8758580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b31a650b3f3d2b8ea02f78ccc768897

SHA1
0a282de7090aad8b041017d9b1d42a87f8900a26

SHA256
d31e853b6db616f034f7b52d3ad0535910a1a69e4a46c2cd56889c1b96de527a

SHA512
fe60d7a6350c5b713a197f66ea47e54b318848efa34117335216fee7efe37d85923455e631f3867a33bf5793ddef8903dd18a15a48eeab7a416e56cf948b774f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8ac3e69a97002109aecaecc074cf09f

SHA1
90910b59346980edcf221dfd5448812f0b30acb6

SHA256
98154ea1c2048e88b1b213079acd46ecfee4ec4331c4b0fd19623e4626b581ee

SHA512
c23a0e07e55791c8106d6f64fccd1607ffa7a6e19add163b51aa08b09812ddd8e92e7076538e57cf3af2f788c53cc419f7a13aee80f1770e6e129cbcdb359379

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd798d8810daf8944fc9fc71620a63b7

SHA1
534934fea5133a44ca8be432e44d8027ba494c91

SHA256
88819bd27560f46999f5c0b2ffcf3008a1bb6d50c88280288f7b8d0a38670f61

SHA512
58a34def6dd9694de0eb60ab6d34cf0263e78f2ce6eb4a65d5753b1f3516ac6a815de314b8d8692c2de4b58867b6ab28610e6891d3b4befee673b35613fe797f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAAC3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB62.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\??\c:\program files (x86)\adobe\acrotray .exe

Filesize
464KB

MD5
55741b42eb3dd335164498b058e5e9fd

SHA1
3064c504b5c7d750c185212d640103194796f4f3

SHA256
c490fa3f73afa38458dcf9934412a4c3d64aff2555449b5f3bf396e55e8187f4

SHA512
b8a25245822fa579d411a952fd5a7b726a8c50f3782d01c891eb4488af38e3a0b9c856371318f599e320588f123c55327450a551d3f3935e0b0ca36088527914

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
464KB

MD5
f174a335cae1b2741b421aec6bd3878e

SHA1
2a2fc59157788f408d90e717b8035663ba753cfd

SHA256
20b32cacc4f17b2abcfda4d9b9287e7f3db6be8d96becd4209ae00ecc846182a

SHA512
5e27ed68fd51fa5a6acd258b6dc13e5c451e84ea9cb04147c8e706ce46f0517e51a9f01420a6565be81df43a49d8b430eadc01a21c09ce251dfddd5477ceff2d

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
450KB

MD5
cd208ee83fd6c06272a9c0048e9cf9a5

SHA1
9fab7f3c10e20e2237ed7fead972e64e467ebdef

SHA256
788dba27b6a5b98b46c6ead8b2e01618b282457f531b842c85823dec4c209186

SHA512
3ee1ee2dfbe1970e559c98e908d532a43147982415e9836e236a183c32f8388bfdb69026db8e1dedad3712736dfb6ffba019d1ae5856893c8462f802df6babf7

Download Submit
memory/2252-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2800-46-0x0000000002400000-0x0000000002402000-memory.dmp

Filesize
8KB

Download