a3528d1769254239abf14c2a3271ba710a91d23cadfbce619fba6d99495ede91

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
Size

2.9MB
MD5

2a41b8df5b88e7e57ad356486e45ae11
SHA1

79c84e0684aefc93c039b7405dbcb3650bc1c0ce
SHA256

a3528d1769254239abf14c2a3271ba710a91d23cadfbce619fba6d99495ede91
SHA512

2b96ea703dea11564816d3067872c7c5ac7c8d692d0b2931e446ab3d2716a48ea90dce65865abc76252bb4ba827b68061ef270b5f4443e7313a74b20d824989f
SSDEEP

49152:lnqLvvJ9Fod/OpY1Jf+YvoVkXrYErnuKlAhUpd01RMEEWIjf5EfdNQmvLc1UGn:ZqjTyop1CrYsuKlAhUpCMEEFjf5YLzjC

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 7 IoCs

pid	Process
2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
604	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MultipleSearchReplaceShellExt.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Windows\system32\MultipleSearchReplaceShellExt.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\ICSharpCode.SharpZipLib.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\replace2.ico	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\QuitOfficeApplications.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\license_agreement.rtf	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\PdfSharp.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\ddb.dat	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\4dotsLanguageDownloader.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\Uninstall.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\MultipleSearchReplace.exe	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\MultipleSearchReplace.chm	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\regexp.txt	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\settings.xml	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\unrar.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\itextsharp.dll	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
File created	C:\Program Files (x86)\4dots Software\Multiple Search and Replace\4dots Software Product CATALOG.url	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000018ef7-149.dat	nsis_installer_1
behavioral1/files/0x0005000000018ef7-149.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434639268"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000e7fb0b0f593a1dfa505493b08e5a09fbf148404337c80205d4c76a52ff2dc78a000000000e80000000020000200000002377cdbff36f019a05b2faa8ab1719cc731e6ab295016f55888624af1b399b9c2000000063a4c99ab99d0132fcc4cf89bdbb1a012c3002f1aa7f29fcca613a6906dffdfd40000000b5d015d689eef760a87a6e9c8d6634093806753b6e610f1d467971b30dc79f6b1f3e5ee9c6bcba93d393d23c84d117e802ab05b050690807158bdbc6cc176282	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000a50ec7bf884c2812cbd82c10caaa03c8787a21a9f04f2d38e5794e1fe232b5ac000000000e8000000002000020000000fe7221538834c6124187febcaf1a45b1d92ef9123cc43120f7b63d4eaa6d0eb090000000afcf90f6588b975c773a7c0ebc06c2243384f351f8da28d59a1563b2523690e4fbcb3fc9fb8b15c432e7f98e6d5c4ef885f9726ab752f9b2848a0544a0c647c1e2a2097a6a80b4ad181ba768b477c0497eed2b778dc27ecef07c47934041fb46f3f7409e594e57db615c6da395055f7a71619c914f15a42090a6668c3ce3994e03f0eb4c37aa27785b344c92ebf75e3c400000006d2891603dbda25c17f36197d8890e447f082d15836b7113e0434a0668e0cdef8216619eae2f6211ccd6d43b76fc0abf8fcc7839c42a31bceb942728acccf61b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{171986A1-863B-11EF-B6DF-4A174794FC88} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b37ded471adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32\ = "C:\\Windows\\system32\\MultipleSearchReplaceShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\ = "MultipleSearchReplaceShellExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}\ = "MultipleSearchReplaceExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MultipleSearchReplaceExt.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MultipleSearchReplaceExt.DLL\AppID = "{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MultipleSearchReplace	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MultipleSearchReplace\ = "{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\MultipleSearchReplace	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\MultipleSearchReplace\ = "{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2124	iexplore.exe
2124	iexplore.exe
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 604	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	30
PID 2656 wrote to memory of 604	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	30
PID 2656 wrote to memory of 604	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	30
PID 2656 wrote to memory of 604	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	30
PID 2656 wrote to memory of 604	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	30
PID 2656 wrote to memory of 604	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	30
PID 2656 wrote to memory of 604	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2124	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2124	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2124	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2124	2656	2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2312	2124	iexplore.exe	33
PID 2124 wrote to memory of 2312	2124	iexplore.exe	33
PID 2124 wrote to memory of 2312	2124	iexplore.exe	33
PID 2124 wrote to memory of 2312	2124	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MultipleSearchReplaceShellExt.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:604
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.4dots-software.com/multiple-search-replace/?afterinstall=true&version=5.5
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
1141c2939ebfbf5dfe3db457a0c1fdda

SHA1
a5837764d9850aab566d7749986fde46a00e058f

SHA256
eb6834bd454249694cebae3a3d81d98acd1f6d199495ca4f28e68a2ecfd69760

SHA512
f305e607e6bc16e3d4dd0f8e89263ac5caec5cd6555000560b3a17a07fc62dea64f6cb0aaf57f46d2d26b47b489b64180c3a7f1cba100a33fc06b799312a6d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b4f723ce9bba73a6168f329cfc910495

SHA1
621b8db5892b0d95c1fc65dc24571d00b760b3dd

SHA256
13450a0191c1501ca90c19b30df9b9a00c4886292eddd4a7af65a5988aaddf6a

SHA512
79cbe720ca53164739ca05ad27d985320bcdd20c8c024e0ee2e5d43a0c6582d53cdfb3fcc61f63ba0fda1a4831cca68dc9bb2dee8198cc26c4569ddb92e4fda4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aca6584980763b7a7dd0dd9f134570c0

SHA1
e59d09f1bc0fccc66508599c42a68b9e8ceb3d45

SHA256
eee2d5f6a86976f5e5ba9fb5c5e0028f1a68515f42bf01873f9191ae07511c44

SHA512
5aa49fbfc2b00ac3c2e3aa9e31113e11971f0c10ef9887418c095296be8ef8bc5dff6034c2533f79bb451aa6f760c7f21ff7c83394cdc46b013825b60a6ba8f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
741442783285fd7ae733ed5645016110

SHA1
60b45ab94267202f7b856662480be14055529dd4

SHA256
d98dca889ab97b501d0a91eb31029c2c1f6afe7e280ef861feee6271a1dfb49c

SHA512
356497426cb497a58a9ac35ffe4cbd7ce4d63a8d3d0619ba136e060e44c496c9ea98e0a8eb2bffe585fcd0701295d21a467d38f12744ad286d84a4d2b60fed8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8e8a0306bc9d3b39acfeaa963a8cd14

SHA1
73b4beac8741c2227de9a139882320ded84c97a1

SHA256
3e5c36a5afea4cf43e959fb71a85061ba19a5844b61a620da464e4b507aed7db

SHA512
bf42ef16a64383e4de3c64ee14f4102e97b56caad16938f77cea53b1a1cfb34175fdfa39949b7f2cbfa431209a23cca9662449020767e89785e8c3eb11dc40d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3be80b4090a733f685485bb2b03f3206

SHA1
ee8cf474200c07fe6e57aba0855f0514f2285f6e

SHA256
25f2e68498ceab43d9463d8a4dbabc3261f2dbd9d04cd05f6d516855ee7a5ab2

SHA512
7c441af71ef1448f0044cf26dd51b60cc71470ad6e8ab2c36eaf899940f980dda3101d334c233569e4b984fa18a274dc55b98d2687e190f8434c7ea0b3c91ca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c0ebd8ca015257dd9095a3705c341a7

SHA1
8bfa3f5904412f2eb591bc245269a039afd6a70b

SHA256
074e3fa7c3f073b9a008d9ac3cdd326e02afc1cc896ce588bb2787840da7d6ba

SHA512
87a97ba52c2d1aa200cad76803d101c828db8559d12cf83525d94fc1e91de02181e253f8663fd2c18056f86897bbd30041bbf315c08eb956b4ccf98a75a6c993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4d588dcf39ce6a85613d7b817c61b91

SHA1
587911ef15c6ec5e31841d64f7d6d8c9932dea3a

SHA256
fa083ecf902d3ec234d73c113b0457764bcaeff4f8f4cb8ccd4d8d84057bbc1a

SHA512
d2c38a7069332aa6e0b4e1c1a6e903bbb731702d51f4cadad9d92eab0750f3520997236d0fb0c3e7e6f0d909f85b875ca2317ab976ad0b86ee2dfbd6f07a773f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50ea58f6d7a37dd2b1bf30da97c20456

SHA1
f30a01fdc324c98692b203f11ffdf819235e278a

SHA256
3a1994f29821aad7deca6226d8bc35641d946bb9056910cd95cd729223e6edca

SHA512
1c10f2c8d13dbae671f4ff4a25df8bf5dcfb3e6366e2909409071e9c5c4c3e17c18c8ff866d9575ffbbf5a0fcfecb7122188d0605f8a8f4fe65a9803d9bd009b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f22c0f7e081caeeb66bfb0b51d7a88f9

SHA1
a6ba959c15eeaef806dd4a385b1a67e5530b07e7

SHA256
3a3782a55edc82ff24e82528a5c9111921bdd132159fabbc90227a6a59e7de9b

SHA512
ae89672cb0d8b36a06de52fc39a6b3d2c8613d1a7d37c8affb84ef8724efe572daddb7a04c0d6862634f07d97c2234899cf3fc5eb7b8ab8d7c61dc2643550f0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99be2badb1dad45c979975fda9a35849

SHA1
673f5046487b7f590f22d3dba7074c1815e5055c

SHA256
d7dfd066c3d70161e65134b5be18b7889d90dba9e5f763fdd9bbcc68246b2ffb

SHA512
5de6b95876f4b32fadbb5b2481868c77a75bc8c0354f59ddc94fed24ea782ea493a012d1871ca646f9dabdca1e858cf3e66eaf28a015306a547a1be0c8dcbc50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64f034c6a0cb49f4934fc6ae7f067304

SHA1
1341afa128ac9a5d21c931513da35f410bd47301

SHA256
766e9a7161b4084cc8aa9623cec767022f068bbad9985ca4b7967e46d75a7f0c

SHA512
302a87073fdbbb6961ab3e051d41b1fc369429525bcc3f06cdacccda550648c49e17f2388a12f968ea61ba504dc205f2db3a2f44df480fcdb9a611e1b7e1d282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bfbc389451f345136339e6bf633c427

SHA1
1187aa1d2d02bcee96f1ac4385891ec626146248

SHA256
cc570f853258e786d883d3d0dc637c310c7b2b636ff133037ddfd34414b3db48

SHA512
302669cec6324902f674cb457e60225a0706cb2f38d92de2e627862fade03657a7ccfd7c8c2247e8725efaf94a6ee6efa6db99cf330074d75fa2a53efe2c446d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dc22d6e81f0b59068013809b58852ab

SHA1
cde4aa5f81e1018c1e2b14036bdf0a9aa384c017

SHA256
de0092c3a379467c695cf748178628a9e72b9c7afb96239033adac5a5d3dcaa4

SHA512
c24e468deca19d671837db462bb588caaca83774778e67ca689918a1f76dbc4f140c148d04015d49b3a161c3c4a621b36ed3ccc0fae20372e31e7b7c4341a894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61294d7741ef68f35c37aa2bb3d03e58

SHA1
1dd2feac71c610f5937fd1bf46b332a877632584

SHA256
9075ce9b1506f4278922f59572e167589440e62b8d5a0f375bc3d47e3789f657

SHA512
a841626bf7039ace89987544de6ac5f9858f4648401e9c9e6353b5d74044924edfb4cb60e87ee4a493aa23721a9f855da35aba57b14bacce85b19be9ad9e06dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffef116b30e018a914e74f95da8658fb

SHA1
b04f99b91cc147b3efe8929155f6d3b9e1343f97

SHA256
5afd004a6ba362f9850e7d8282280c9fc188ba3bb9d84e1c8eef199d223a3571

SHA512
1af3851ac05e665d7a4f4e5002c4ab5c9710230cf3418c201b318bbc68c64b60f18188bf293c377c8134797d155885599780c7760cc4ef27dd6be3953a2065b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eee82abe14bbe12919377f7016840286

SHA1
315642a0f565ba1a110252c418d443347351bbe7

SHA256
5a3cbe12810dc81d733a4ff581bb6802c3e274a0943b060873921c303a1875ea

SHA512
d5c50789241cca3bdc1dc7dd9b2bf27109a9b5cbbcfc101b1d02c8b4ed4b7ba9b08d18e0a200f0971003f4ac871851d43a0d26180261d969438de64c7917d8d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1ed41c51c0ff17aa698ef24c88ed6de

SHA1
7d9123eb921647f2248eb1ab4474d32c63b3e5ad

SHA256
e25daa443dfabe7d642f0cdade1728e33979462bdac0c2d4d2620e2366d75c5d

SHA512
fb7b83140420e72d291de336ad8e82e6640d52ce46c634484e5a30eaa1e32c43fad0866173765e14210d1bdf1c219ba4536287470abb21dc84e68d966bf04a1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
456276fb8ec9c60c8160b661fc27e0e8

SHA1
5c6f28bf52ef02f2b3d95a9b3525a738cd2997e4

SHA256
e1827b428e853d64c2b6fa87c1a8790ec6ee16e528cc960618893e142c6917c5

SHA512
2b46c17c26d8e0a6e14446cc51e6f705c9feb570f8182815d546a952a3241837acee68de3edff27a6c08122d17c06b14e513e6dcae7baf10c51dd5d31418242f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
656c68cb82ba76c0b17b2911baacaa83

SHA1
7e7f434957223c4c68a5952244dddd338a8482ff

SHA256
9764a7a2b8ba18088269f122f30d532402abaf10dc63b204b96b88b1f53b4559

SHA512
0fcd38f2862fba07616b4d905b467cacc73f39577867c81bf2a368feb51ef71c4bab894f0c952eb998243beef2adffed342eebfdde5ef0eb2d589da1d76aa958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\err[1].htm

Filesize
246B

MD5
529ff9bf14facaeb7845427395ccf90b

SHA1
23f4b4bee8c18eef986b4f955c78ef33509227b3

SHA256
9ba351fe78ef6097542d29ac676724177dff8348d4437fd3ed65930fd86ed380

SHA512
f6c3d86c65ef925ac0f1d48f4285dbb08c55c58098ca9d4d09bb7457568c52596ec569cfce6cca01457e994e24ec972b3f38078a7d320074df9320336eb2d8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\err[1].htm

Filesize
242B

MD5
628065463119e6b645b92b589e648053

SHA1
49e85c35a3a13da53818828095084ca67d4b7f9c

SHA256
ecab543170beada437363ce7f16ae89fb006d4321b01624ddac10927a72e96bb

SHA512
0ea2c6a0a29c573e92f1671504045cf9c3c8bb1a34c257778c6c9133359842adaab79f8d8549b10b5f83714ef9d0c106672ecd10b818ef19e849d4f8d642eab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\err[1].htm

Filesize
249B

MD5
b688c32485981150084db6d746108057

SHA1
875617a345c038d5a6520ff7db1b0e35cc9abb44

SHA256
c4b793042fc9f013c4394e0f40619af6b9dc76c79d72d2b7759b62ed13f9d4cc

SHA512
c7d97051b1815c3fe9a1a818162c797c3d84bde0cd80251a59fd5d76581e0d2858d92add8db6c18c9e5fb2f9e48098b6f2ccc4859005fae6071e2aed7ca9b56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\err[2].htm

Filesize
246B

MD5
e34cc169b569df4068e8200916f81a51

SHA1
8c943033162284237aaafa7ff1f895152cca9569

SHA256
8ccadc57c15c11df755da7b547ad88df99a742d41af3245c1aabde084296627f

SHA512
dc4004be212dd426fc459ca19983e7e3d2ca8758ab8074be8d1458499b1adf099f4c2d09dece3f08787ee7f6e7ef851f63e3aca4a517050d4dcafeb5e58cf713

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC85.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD64.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4BFF.tmp\NSISAdditionalActionsPage.ini

Filesize
652B

MD5
8004aada086822a1697b017360f01a12

SHA1
bdf722b4c7d2aeecc76e4246b242a46b9871371c

SHA256
cfa855996e68db7cd6b83f1122154930dec4fd9b49034944eb7edbc251acd593

SHA512
ad274cd4cc281ea63c6fedace12de8ebdd3d32baeebb5859aa3029363fe11167ed5cd1bdb699bf3132af66ba7683799153210b48901813b82b7a0134a324d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4BFF.tmp\NSISAdditionalActionsPage.ini

Filesize
604B

MD5
a41afb207855fb800a22a3abbbd52b01

SHA1
726a03f0ddef87b298bb04d5cebcba6a8ab8b835

SHA256
7600ad7673be20799a3d751c050df39fd3fd4e2b5a69d01fc29786fa96281330

SHA512
e13690b895779eeab3b9c4827381872574c1627c27089b1acfdd6cc1aeb501dfe334c8f26a481dd31915a8f514de95e325c57ca1f1b440ebd1919a7f16876e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4BFF.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
\Program Files (x86)\4dots Software\Multiple Search and Replace\MultipleSearchReplace.exe

Filesize
958KB

MD5
52b67d8b4b8d6c1cf8035b88a7f1b3cc

SHA1
43ffd2bb7ff726b829e040b0f65e3aea08f1ed90

SHA256
fe66807a5bb7449d8081befd70c58a3ffb85ad70fd05803578c5524c51659f08

SHA512
04e2f5c9619d8329038028194b91ac5c55e530869380b27e01f0db812d22d9939d2db8f0a374d679bbae0a0adcfff5f9da86bffcdfe469053b3685d8970d14c6

Download Submit
\Program Files (x86)\4dots Software\Multiple Search and Replace\Uninstall.exe

Filesize
63KB

MD5
b13f6afe67ae66b5f291aab876f00e5e

SHA1
e01712278dca1a55e86b606501c204770614f96f

SHA256
17d16dca59163fbe4b947c2b023558a1e3840f0b8fbf2a6b777bfb252e1ef7f3

SHA512
1fa89bcb9c4982bd43d0700aa29e373646f9de75cd9e7ade92f71b1cc4b41830051f476db3316d838efed8b71045e3dd07c4b47112f6e4ef15798c499a186ab3

Download Submit
\Users\Admin\AppData\Local\Temp\nso4BFF.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
\Users\Admin\AppData\Local\Temp\nso4BFF.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
\Users\Admin\AppData\Local\Temp\nso4BFF.tmp\nsDialogs.dll

Filesize
9KB

MD5
eac1c3707970fe7c71b2d760c34763fa

SHA1
f275e659ad7798994361f6ccb1481050aba30ff8

SHA256
062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3

SHA512
3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

Download Submit
\Windows\System32\MultipleSearchReplaceShellExt.dll

Filesize
33KB

MD5
ace9f19e19a07de0fe7e0f1e858a523c

SHA1
898c63c2f9c32d1148f8618a6f9dee89984a8f9d

SHA256
7e79de7c3ef68b615e86a732597a8022de71a14d81be4b4978db39a67cfc3d57

SHA512
a2e32fe5c3652824572f8f1a9a7b145e1c17cb6fbffa52903cffa548f450df89d996b933f95726bb514dfaa16c7d9b2ffa1caedf6ccbf6f1a577b48b0b052ebb

Download Submit