2f0561ca66243dce8d067b61cd398117037e42d0d1c98d64d8533794499dbef7

Analysis

max time kernel
113s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

3021bebe0ad697645610da95b58a2c67_JaffaCakes118.dll
Size

95KB
MD5

3021bebe0ad697645610da95b58a2c67
SHA1

cb16838cc50a10dcaae556ed18f166f3156fb1e1
SHA256

2f0561ca66243dce8d067b61cd398117037e42d0d1c98d64d8533794499dbef7
SHA512

02913aa9888b6d9d9191b43d9808d664ff271045d0dd44ba395fc956729886c5e7271691b66b0ebbb7eeb69c2580b9abb31a1aa7cb2425cb4c5f2764e35d213d
SSDEEP

1536:QLNmUOWTi0OFAAK1m3FJ/4RTQg2ImVFiLo5XL20y0Pikclr:uTPOaAKsFJQRTQPIUV1Pit

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2756	rundll32.exe
16	2756	rundll32.exe
23	2756	rundll32.exe
24	2756	rundll32.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDll = "C:\\PROGRA~3\\lfetta.pzz"	regedit.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	rundll32.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-2-0x0000000000980000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/2680-1-0x0000000000980000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/2756-7-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2756-8-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2756-11-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2756-15-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2756-14-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2680-19-0x0000000000980000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/2680-21-0x0000000000980000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/2756-23-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2680-24-0x0000000000980000-0x00000000009B3000-memory.dmp	upx
behavioral1/memory/2756-457-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2756-456-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx
behavioral1/memory/2756-923-0x00000000002B0000-0x00000000002E3000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\PROGRA~3\lfetta.reg	rundll32.exe
File created	C:\PROGRA~3\attefl.plz	rundll32.exe
File created	C:\PROGRA~3\lfetta.pff	rundll32.exe
File opened for modification	C:\PROGRA~3\lfetta.pff	rundll32.exe
File created	C:\PROGRA~3\lfetta.ctrl	rundll32.exe
File created	C:\PROGRA~3\811sekaCaffaJ_76c2a85b59ad016546796da0ebeb1203.pff	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0350221-870C-11EF-A2A3-4E0B11BE40FD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434729271"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1772	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2756	rundll32.exe
Token: 33	2112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2112	AUDIODG.EXE
Token: 33	2112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2112	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2716	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe
2716	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2716	iexplore.exe
2716	iexplore.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 764 wrote to memory of 2680	764	rundll32.exe	31
PID 2680 wrote to memory of 2756	2680	rundll32.exe	32
PID 2680 wrote to memory of 2756	2680	rundll32.exe	32
PID 2680 wrote to memory of 2756	2680	rundll32.exe	32
PID 2680 wrote to memory of 2756	2680	rundll32.exe	32
PID 2680 wrote to memory of 2756	2680	rundll32.exe	32
PID 2680 wrote to memory of 2756	2680	rundll32.exe	32
PID 2680 wrote to memory of 2756	2680	rundll32.exe	32
PID 2680 wrote to memory of 2716	2680	rundll32.exe	33
PID 2680 wrote to memory of 2716	2680	rundll32.exe	33
PID 2680 wrote to memory of 2716	2680	rundll32.exe	33
PID 2680 wrote to memory of 2716	2680	rundll32.exe	33
PID 2716 wrote to memory of 2584	2716	iexplore.exe	34
PID 2716 wrote to memory of 2584	2716	iexplore.exe	34
PID 2716 wrote to memory of 2584	2716	iexplore.exe	34
PID 2716 wrote to memory of 2584	2716	iexplore.exe	34
PID 2716 wrote to memory of 3004	2716	iexplore.exe	35
PID 2716 wrote to memory of 3004	2716	iexplore.exe	35
PID 2716 wrote to memory of 3004	2716	iexplore.exe	35
PID 2680 wrote to memory of 2716	2680	rundll32.exe	33
PID 2680 wrote to memory of 2716	2680	rundll32.exe	33
PID 2756 wrote to memory of 1772	2756	rundll32.exe	37
PID 2756 wrote to memory of 1772	2756	rundll32.exe	37
PID 2756 wrote to memory of 1772	2756	rundll32.exe	37
PID 2756 wrote to memory of 1772	2756	rundll32.exe	37

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3021bebe0ad697645610da95b58a2c67_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3021bebe0ad697645610da95b58a2c67_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\attefl.plz,GL300
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" -s C:\PROGRA~3\lfetta.reg
      4⤵
      Server Software Component: Terminal Services DLL
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1772
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2584
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:3004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\attefl.plz

Filesize
95KB

MD5
3021bebe0ad697645610da95b58a2c67

SHA1
cb16838cc50a10dcaae556ed18f166f3156fb1e1

SHA256
2f0561ca66243dce8d067b61cd398117037e42d0d1c98d64d8533794499dbef7

SHA512
02913aa9888b6d9d9191b43d9808d664ff271045d0dd44ba395fc956729886c5e7271691b66b0ebbb7eeb69c2580b9abb31a1aa7cb2425cb4c5f2764e35d213d

Download Submit
C:\ProgramData\lfetta.reg

Filesize
273B

MD5
79c96155d24c31d8d6e7e616c21f9371

SHA1
0d3e192c9e8261cbf4561cea2e85beb26a222e6e

SHA256
f585b51b4fd92a7da156accbe9de449449fec19ba99cbdccd305102a5ef9ee57

SHA512
4e6e6643de148fda8ebb973816117edb083c359d19aca410c4dd7091a052815baa1383dd594931df346dcd0952ddb788840b6d5303afb5a3b9865de810dc95ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1780dab32ea2f165fe44c05d24f28e8

SHA1
0ebf09bec9fbdc7838d5a519478b18aab9c15b82

SHA256
7f328c79c06773086e6769dbbc2a3d7a12da4cf9c1302801e258ad72a7503c31

SHA512
3d6936e87c77c29c3452bb1d1e67de8304fdbe69196f921c99a13867ab9a33dda38de21380572934b97c7d7e496fb550b07db352cd252bdd308b6c8861182338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8bcbbb30b58d57ea38ca53507bcc2e2

SHA1
1a6807e68cd781133ec02ff26c3b29e439b254fc

SHA256
13143068c26193b1f181dc2903585ea7ee3d9ac0712a49c87e2902f202ccd01c

SHA512
05a50f79f9ceebd358c7a25239a3df2aee3056d98c858d1d8f4aeb85b437361e9381710f877b4b2c01959d05402137af6ebc16e1e98649a7831cd62e5dbc7e16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3798a7d93d3701b3de76a0edd1952a44

SHA1
11289645d42805049b7614268ecdf3b010794ed2

SHA256
4918f1291002b3140146c63e66b83db700a6ebe71ab69b6a179032edd9b1e6ed

SHA512
cd3b3aef9b100590c128260e28fefc7283b0c8f0c7acd2e6a9f5ca4ba8057b5f2f894c72eb35c7b4216b21661029a184a4abe2deb7aee31ea56a015dffc314bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6ba6dfc661eee389f88c72f3a507304

SHA1
e4584667cf5947176ec17ded57bf6337472e7225

SHA256
86a6fee6f0aa9a92b3981f8bb51c095baa9e689f1df31fe4a548ab0f4aea0f71

SHA512
0ffc6095054b2a1279e845e166558e5d1dcf21aef4250fead130c82a5328135df9ef4b558cec6efa29e009cb68d73bf72c17507fe25fcfa0709ae5a02a7dce64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8085bcef028f2fbd547042cfb7a7d3aa

SHA1
c2a4af336662eeb233d45861663d17041be613f4

SHA256
6996517b5254020ce3bf8844eefa911be9149f0468a25e9617bf7a284e9fffc5

SHA512
bbce342139401c58178c9b1f097b2740811db0b34f361cba962e6ee1b9f5bbc75560cc05164b7267d708da3d9f8404d7fda9207d2d21c12b0cc73eb0b7abf98c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4233bf9f60a567ac981541ac0b06d4dc

SHA1
cca5e69d8dd5adb9d316b60f1e009ffa4f92fa06

SHA256
7a0bfde5e9b562808eecdf570fcd6142d5276bacb7697c0970332a9641e33b47

SHA512
76d71063e18f52bef456fb127ce2088a3a525af954d742d701566157b8984e2145c9ea287c32c399095b802007c97040c5d78172d1ede96a82866d60d2483828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bad653b0a404d34147ef77b1222ca6db

SHA1
18b4a9811e12327dc18c989b358bbe8f66747100

SHA256
0247fc7a519f8880ff5601d9200b4c26f8ec2e09303e0e46aea7936dc760b7f1

SHA512
4d506bef5166a4d1390a102d12a398f47848e14e64342fb7e89aacd31fda709c0a464f3be78f999b80c91b01a059cf79f6bbe319ee3275b8b70d8a25a31af915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
802b073f4e99f1b0ddcb1c6cc4f3fe80

SHA1
249b9b8fc40037d1ca66df6a14ab45c0a3386b72

SHA256
5e4fa4e2bf596985a14b28cca9ff8378bb8433b301077c89a3a2eff75559fbd7

SHA512
bead63c6a389ef66cab98d557b4540729ad8c9e17bf644577c011f231abcc820b31ced7f0d5a877bc530161bcb7a46592305669502fce4613ecb8d6857b00c0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa8bf40f6e866e58e85af60153bde5d

SHA1
38d8fb251e0473110b409a648e9020572598ecfc

SHA256
b59538c8cae7b9796a18307c488c0239b7fe34ea4a1d5307e79caa389c27baeb

SHA512
7f95d06111d4c09bb8b9b6904125c82e04df73ab381e8ce0de29a932f5716644d1510ee7a31eee4b0d5766e320b197c65c86073cb47d506079ce75833783092b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1d99bbc2d161e6958a69f633dec27e5

SHA1
771ed1b693050b0c342205cb065cf08f1308c64f

SHA256
d6927dc0d555518ea45d62e137d3dbbc95b45ea97f696571bdf9fb5deca22774

SHA512
baf85ed00644f26f85ebdb15566701bb1598b312abf35fa4b1057048befb360bacd86605f3f2140f46fa6fb5e319c23f7600986799e29adacf5e415b371a223d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25a3f7b2cc1d313c1834b06783a47348

SHA1
dfbacc511a1e7f80e1932bdffcd89216af04f754

SHA256
46bf83e75c6dbeec27b08eb9f4e6ce6d7d516f71f3cf8ee1fc23bcc56be6713e

SHA512
191cf016c76b76db18cedb496f035a8a7074af66a94cd3ee957aac007dbb6d7c184b9ae3339152d352f51d7d069ec4893df788707df67a749085b4491990be72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9f15e449b47315ae530af9fcd9fa328

SHA1
5f9d48a52a9240efe57007bf7d5dc4b7bdffc8af

SHA256
c92bf27ca5f3e0de0e4bf34801d3023d2c0433702549f78f95191f78590e2df2

SHA512
69469f2111c8884291a70f87243df8a56cd6684bb441833f051e6bb0c03c57aa188bbd652b6ab168dd0dccee5aa556bd37325c4ad19aaeafb8b12b1b64444f3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1034a720eeef6408bd27c4b945712386

SHA1
41a98acfcb623dfb610c139b0561b3518715b86c

SHA256
6a86f67bdee3cd63f8738140001ced6c55650adbeb1f78251ef414ad237dd99a

SHA512
9b0a114b842c4f2b9cccd20b51550dd6be6f499d2064bddaebc7c39366561192b7ed5a6cc92e663ec80cd02fb89824650073393c65d970953c187ab485eb15c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec36af155c24304bb3c4fbed90128688

SHA1
3659fe99681b82f67a3000e39dd39325c64f898c

SHA256
e8cc78640a4731bd49a49ff6b4d99a26dbc37a82029291a116636087e5e37146

SHA512
82fce00a8b31049f7ebf56b646d3dcf1ea0b422650b788710f53448446c79bd61ef88c91a5a1077cc9ed062572b4dc46c761f532cbba54800238f7316c7a0ad2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9661457a7c2799e4a5f4f5d567416005

SHA1
becc07ddc6096a04f157d2801623a6b93431c1ae

SHA256
250276daa48fa80a73605f0af46b61b5366fc5202478949c51f71bbab08495b9

SHA512
b7ee06618872f74f18e76d633048b9f07323185fa48f0a887617b4ac64a65d5bac7e9295cc3b0006cd23640b1d10217fc66a2354433eb8b5d12127ed6b95757f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d1b9fd4d824220d5cf733ee278afd93

SHA1
bdc67a901504b9420efe06bd2ac3cdcce95a0a2e

SHA256
b8ca09e69df4fc08b06b804d370214cbe57c6324f2cf1be067782b4d942aae9b

SHA512
3cdd294652f341de0f32b61641792875554e7410d131409ad8725fac957bed71dd21dd692f6f0d09e4d5d51bbc8bac523d6841373cb2b278d80e2a579e6843d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad23b15c8039588ea03f15ae727fba00

SHA1
d6aafa201bdda5a50183a25357f7e2f2cc28c9d1

SHA256
2a4f81a120db6d45b1471870a2710d2087c4749f9ead85ade08663784e5241c3

SHA512
a2e2bb5c6843dbc4ccfac3fe6ebfaebea94104e5b1890a87535cee63c775a253daaee1a93d4c1c50396880b2f7a569dd376475b3d63718f34eee295e4756a79a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
528643515db0e71e2161f089c062e824

SHA1
d1fca8f67bce151b8502a265e14d8d31a14e9cb7

SHA256
1a92aaa79e60cb374b2536461e06f966a674bde1c81fb61ff62ebf047f2904a9

SHA512
5623544b5ff37dadaeea3f62a226824a23e159fb8d70d46ffcd6df18e0c6d1a00377a3635c5e0a67a1b39607836809fa85dd8fb96ab294eb1d6acdbaeb4d6a82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c162aaafcb3d9dc1d303d01ffd1b39e

SHA1
f8e45035aa4f64b2b5f245a5996becc82d1c6892

SHA256
4d8f82a6f407668e35a2ead08b1a0cf8d43b566d0e8344a7b7bcdb138ecb3f27

SHA512
3ac53033e99e7aed215d4ce4aeaa7a9867bb5cea696adce7e49e1c30fcd5b51ba5581085ebd1a8c1165edd907f5ac074e91c32b171d348af4a0e28755aa75590

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b42ed5adb807f725f74d847b3233f8d1

SHA1
e3dbea3b2f87825c2bab82fb1804ccf653521a3e

SHA256
8ebf8389bc066e6aa8a897efcba59bb6e67cda7fba58c0bc776b85344d9e37f7

SHA512
b1833e7afb581ce6a177223d786d521f04867d52207bc4604032da9fd5e68b81abce59b0ca10f72b80c6126cdf7490235151707d05652bce17baf97a72e2b389

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66adbfa8d62a447ef07e8241f3f6b10f

SHA1
6d8998f67a4d96e72c943eb3cd2511e980c87594

SHA256
d8f3bb6bd909fe5f1e9a1c9711df272141f9eeaf14e2aeb2d15c8407fcc15106

SHA512
74f7e8dc2a3e75ddc94f346cbf5944b3bf8cc4dd0b731727bddf3bc9aa15bc3d809753e148627b2ca721d1d1714f97bf0a5952c5873a2733f45b66214b0882df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A1F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A80.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2680-0-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2680-18-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2680-24-0x0000000000980000-0x00000000009B3000-memory.dmp

Filesize
204KB

Download
memory/2680-21-0x0000000000980000-0x00000000009B3000-memory.dmp

Filesize
204KB

Download
memory/2680-1-0x0000000000980000-0x00000000009B3000-memory.dmp

Filesize
204KB

Download
memory/2680-2-0x0000000000980000-0x00000000009B3000-memory.dmp

Filesize
204KB

Download
memory/2680-19-0x0000000000980000-0x00000000009B3000-memory.dmp

Filesize
204KB

Download
memory/2756-14-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-6-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/2756-15-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-7-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-8-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-456-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-20-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/2756-457-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-11-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-23-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2756-923-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download