d50697db020a87c4843a91669fb17587a2350b7721fd5b94d77bdd92da0e76a1

Analysis

max time kernel
130s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 02:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
Size

471KB
MD5

456ab83b78276865f72bbfd8f6094bf2
SHA1

49dd30ec3e8d3e33d4a5b5b27278bf9ff54974c8
SHA256

d50697db020a87c4843a91669fb17587a2350b7721fd5b94d77bdd92da0e76a1
SHA512

ed2ea1a5f1411ad1c6aa393aaf7b9053ea7304c6d00c5f21ff23a10826e35ed280135dda559285e2ff5ed5008b7cf5569651a0e3aa668b27396fc7af23a2a81b
SSDEEP

6144:sm5UsluzKOjFiDNZzOammnzjsajwG1M6U0Zm0+Ucoabg7sJiqfgzpnoKWJcmWYDr:smqslOKXjNfU0U6QKpnDWamuc

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2740	wmpscfgs.exe
2992	wmpscfgs.exe
2220	wmpscfgs.exe
340	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
2740	wmpscfgs.exe
2740	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\259491407.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\259491173.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435121804"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1094f465ab1edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F4E5701-8A9E-11EF-BE2D-CA3CF52169FD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000167fe4ae5c811e0b9ae13a017130e43d8fdd7b1f58ef3cc820670863c1f1f82a000000000e800000000200002000000061fe08e6fadc326291949ff3baf27a39d36b6249a2da8c26f58cc31575338c9a20000000c07523361adc7086f24a534ccf47a94f56d06d91b6a7617e080dbb2b98c2dfb840000000d55b7f992452a66afa879d6e81e8c77335aafab4fd47bfb1c052f4412cfb52f6bacdf5d03063e92c817f216448ca02c3cf50602f45638164a81655a62e01fe9c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000053c713787ee569c4b795bce0bc6e817adcb7dbd7b5dba74dadfbc24c6f7b98fe000000000e8000000002000020000000cc83a622334b025e483b474cb93e7b76ac7aacdb5b1e0e171f8d233560fa3b5190000000bbe4a9974399f1336d15f41a27c09724cc9e3e7247cffc0bc2b08cf2b6f898430d9e79a8b09701b20100746352dc791ed24c93be82fc25859379289eaa3cd3894c73f4cf2339c8ea03090db82ff0e22a5e7582dede903031e204cc67744fcf81371c1cdb71c63201a9c28022ff629237ad425b0d7610599bff26f3369eda9d8ef82f146f573c559bae3ebad1b6dd32f1400000000de5399ef8d53997a95cb121f252dc255202351d914c3a7458a486163bb786049c8e3946ffb98aa0b5a1ae7772eb8f27b6754230a16a20adbdf5292da162d42a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
2740	wmpscfgs.exe
2740	wmpscfgs.exe
2992	wmpscfgs.exe
2992	wmpscfgs.exe
340	wmpscfgs.exe
2220	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
Token: SeDebugPrivilege	2740	wmpscfgs.exe
Token: SeDebugPrivilege	2992	wmpscfgs.exe
Token: SeDebugPrivilege	340	wmpscfgs.exe
Token: SeDebugPrivilege	2220	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3052	iexplore.exe
3052	iexplore.exe
3052	iexplore.exe
3052	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3052	iexplore.exe
3052	iexplore.exe
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
3052	iexplore.exe
3052	iexplore.exe
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
3052	iexplore.exe
3052	iexplore.exe
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
3052	iexplore.exe
3052	iexplore.exe
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2740	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2740	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2740	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2740	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2992	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2992	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2992	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2992	2536	456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe	31
PID 3052 wrote to memory of 1364	3052	iexplore.exe	33
PID 3052 wrote to memory of 1364	3052	iexplore.exe	33
PID 3052 wrote to memory of 1364	3052	iexplore.exe	33
PID 3052 wrote to memory of 1364	3052	iexplore.exe	33
PID 2740 wrote to memory of 2220	2740	wmpscfgs.exe	35
PID 2740 wrote to memory of 2220	2740	wmpscfgs.exe	35
PID 2740 wrote to memory of 2220	2740	wmpscfgs.exe	35
PID 2740 wrote to memory of 2220	2740	wmpscfgs.exe	35
PID 2740 wrote to memory of 340	2740	wmpscfgs.exe	36
PID 2740 wrote to memory of 340	2740	wmpscfgs.exe	36
PID 2740 wrote to memory of 340	2740	wmpscfgs.exe	36
PID 2740 wrote to memory of 340	2740	wmpscfgs.exe	36
PID 3052 wrote to memory of 2304	3052	iexplore.exe	37
PID 3052 wrote to memory of 2304	3052	iexplore.exe	37
PID 3052 wrote to memory of 2304	3052	iexplore.exe	37
PID 3052 wrote to memory of 2304	3052	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\456ab83b78276865f72bbfd8f6094bf2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1364
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:209931 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49375f6d017a70ec5c9095304cf98246

SHA1
b3a88f28ce3bd2d029c6f3942bd66b34ac735ec6

SHA256
08a590529a1deb6f27637db8876915cc86fe960ec7a777fdfed13e541168d80e

SHA512
deba66332aaecb63d048b1dc2b25e26b8676f4996890972108fa19ec1711c3c0c77c79ce59cde0893e63bfbbe0da1aed4782f465cce9750d8d88c0219f444b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38ff6777fb33fe2ad8a326eed523a113

SHA1
fb76ee816cf1818479ee7e22dbeb7e26ab8668ed

SHA256
67f543521a5653e7d5290fbb84c33f9d0bbc4d70e6dfd653b7cd7f873981ee1a

SHA512
bd25fb5c8a38871225f66d3b5f91e2509f09798f7b685ca21e2088a29cfd909fc380c272e14f83f27d8039cebad29dc6050596895d6d0c11db513d8af7456848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11386c116fd49d5bc66e49dd45f7f87f

SHA1
c74cd678f25de8d6f48d14977a0ebf8498e9470a

SHA256
b3b6eb0cf12896bcda6b3fec8fbfef4ac05812fc2a3f74f830330766db2a7b5d

SHA512
526725b4326e18e71c097d56cb3a44f2fae3cea39d8201908033381e4d180bbc7d58a472e5c477f7b5dca7111700c6597208a61c869a0c4a0d6763c1535f099c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef1f7f326c9ac0585e9b8b77cbeb1083

SHA1
18621833f086a5585bf18461c78d4e887ec545c3

SHA256
2c3897b6ca878b2f58e559cf1c0bd5274d50e02c67513621150dd3a209c477b5

SHA512
d825eee580f366a24e0117343b6ddc482ee1708586ca7fb498809e5c84c8ab2b33cc7e529bffc202f1631039a4e3b75d526af03ca8e7fcf746326a8bfd06f14f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bcc48737e9c98fca9d0fcc6f93590b8

SHA1
0630698ea884d3b6e6028f0398f96a3613d93866

SHA256
acd97b57501b7323f15054ad67c78e5a49843e828b10386e4be503f181d58788

SHA512
dab4bf20018c3edd60449cedcb505be57b3ad1d7a9bd976118d33aa3899908daf898aa9f51ca16982ae7fbdf1e8fd0d43d6ac6dfca63f440456305667909302f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80a843c51ed0aba6653bf4ccf3650c4a

SHA1
54b4a26b34a63f9fb305f2272979aad6c3d16876

SHA256
4d09f53fc172b6f66fc138debe9b601d89970f5d62eb3e3a3a9a23514514326e

SHA512
3afa7dc76dca52d3b1c515c29dd8537babe6bad11fac086757c83b77edf3ddca14a509baa6b0adf216c07aa8138d3d67ff3236161c569062dde3f149611b19a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d03b8cd4b5e9b90e6d485982cf1c3455

SHA1
ff2fb6f5436fdcdd6f0bb7e58c41053d4b2e3b21

SHA256
523af3c3aa6f4a5b6742416c209049c78f077816ce066bf9e6dcf45d195c5641

SHA512
2cb59b7e8324b41f6a8a33b32c0698e2d5a1e54b811b4917171f8232014708ee8e1022df6873bcb6ef320978e385f61d22e6021c886befea50aa676b3ce62ec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53eca52e124f611a7423cbbcda3622dd

SHA1
4427ae23f121987f61dfed2ec1d187ac18217301

SHA256
22a0da4b0d34b7da1180acfd1c721c915126a308fb24924f077988960f3f5fe8

SHA512
a64914f41fd22285388d4fc496d34c1983d9f82dfdd18524f94e95af5585c982fdcfdf9cd1318b00b616d7f439595fc4a3272aee4db036404f8adfaf18a39cec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e12547ea0ec4d16867f4910cfb9c8ca7

SHA1
028db50c5c5859ba35ee62f4e0d1cfd3a9423ff3

SHA256
f4e299d1a1abc65be8dcc4f918a1ab90f34d1fb3b960ee62ff0e1fd13ebb0c79

SHA512
cf4cb1a1c6e1ed71b332d2e4152687ad175d28c275b22d48c6f7505732c15169cb48ab26b0de1cec87c83ed6dfb81ce5417388ff24f2d25e763db92e2138dca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72de765416ce3f173700dba3a9c71993

SHA1
64ed14f461c73822ad11fcc9961a2cc865acbc8f

SHA256
cf174fc103db8c0f13cc423ad43feea2d056112292b83f6150dd452a5f1a0ed9

SHA512
790896e12d0e68a47253646992a8ba5a79b2a98645e2ff70eb01a9dac180dd25646de377b77095f8a6592f10fe85ba0cc5e8a8f9357b198bc6d7ddc971431a2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28bb5c65174065153bf8f4f14844df7b

SHA1
f0ec3635e6bc4a00fbd597f54e0094ee25fffc4b

SHA256
f8c4ce2cfd03fda7f8f460f31dc9528b91ded22aed183af6f68d9fba6a5451ea

SHA512
274b5de53f8d9cec96b950d077bee6e7dfa9643676029b95de1c5133c964d0a731cda15a43aa9464be5d8ebe201536bc9f88f4d505bdbdda8281e7a5a3664b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c099e48cedff3e06a3b43e8e9a6bd20b

SHA1
584083d84c249330988e26fac889caf6c01dcc3a

SHA256
bb60d43e9400a01bf9176dc4d421ee8818872eab71a022a379e013f9d3e7929b

SHA512
87ec68cc489fad9f9a3728145df1ac3ffbfcb626f5de23a98b4b001733020b0f45f05ae00faa6184517acc417e23d41287cd6adbc6b26ae5f95e87a018a86aad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a04e005f3f14f86d7d8076d47d93663

SHA1
b2c6f42023d40617d7f4b10b3af495daaf32a44b

SHA256
a19b0414411299b599760686eb99f12b0fcac3147911b0a8724f56241f2b9b80

SHA512
6d67cfa88f39679a1d78b3fa67a52d2d74da082c510087ef5b1b639facc78c446b902b54c0127c86976c535ec935deb081b65343828649a272aeac2b2b299516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7a5f08cb14da9de2a8fb707ed82859c

SHA1
cd391557adc02669e70c848a23c6118cd936b0be

SHA256
ff0a3efa96b2277642df6c864c954a95d27f8b41a96aa490e64667a73e856013

SHA512
0effdc78391bf02571cf1690aa539448c5985e1dee278e0156c94c702899a3efd62483c0d2c8220b0a25346acbdc02bea8adea61eeba09d070ab82005f0abc6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c2cf44d4da0412d5e18d8788e2ee73a

SHA1
5200259294cde4f7c7c2b7394891604cc4964562

SHA256
40cbe4ff3ec4163cb556d0a9bcdb6f6675a1c9134bfb0726f2f6939f90f60d6d

SHA512
7e73b9cdf78601731352800e6f6783598d241e97216a7cf78400663684b247b701a54c08dc5d472e2c016ca61275a853c35dcbf3a20306c8a444de4c213338c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7096f2a7c1cad5e922b4a7ac0380d3a6

SHA1
a55ba4eec36fd06cea47b62ffec0792978311c0e

SHA256
d9c3609c2baadc6e333c9ca814cead2f75884371b832f7bf1767732b268fa6fc

SHA512
298416053419049431baf55195e316922024680f406fac65e44bdaa4bb5cb03a418e210c0098ea9ee38b4454201708badfbbc3af7161c44e9ec4573982f47776

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c7252be3f3b0a51adc257cc9430584c

SHA1
a18e3091a4980e8fbeeeefc83147a08c5aaea677

SHA256
e16cd1912865badea92ac3b83cc6c2f90cfa0fad8c51afaa596abca1f7d83a0b

SHA512
9bd27a1e16dadcecc181a5c4f5c29bb53516c6f77022ffd2e103ad5f01bfb061a7c19d282ee3b12829b2ce6efeea978d435c5a14cb0d0f84e57492d0ebf63033

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
339e1f8aad44555279d7c43646470a5c

SHA1
7183428446c248936bbb45d847b167fd22842e52

SHA256
583842d40488a00ed1d53d55f08e1ec50bb06995ff1a363528d86bf950cb8890

SHA512
4c4b5fd5f903afab267c9d835c2e10cd8c8ec65d0efc1e77fccfac75185f9d807c1114ffcdc51db81777537e9605f91cd9126c0e02177f4df0ab3be78d7984ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58a3d83ca01dbb9c5687cfd95dd22beb

SHA1
5ffc395c5f4ccdc219fd076206ac063cbf2bf03b

SHA256
2dde52fc4203275e40b32babb8763a6ba77be217460e6347aacf68bd48303dc8

SHA512
bfb84bfd506b052d696120992480a4816ec5681156858d1209a2f0e05c11a9caef1f36f3d6e6e3456f04cdc69c99a4358c5c476abe65ecb116a4f0d0bb2c7ffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f63cec191e7f0520bc70f8d0e9b761fe

SHA1
f5db307306e42128349e03626cbe3a72110d0025

SHA256
7203e0df0c3489617dc7557ec963911389d3c4798493e2cbca650520e140e7b9

SHA512
252a48ab63a51a2d068eca93222553647ee899c1aae596b24a83094cc55c55085639ab1683989fdc4e4b5d37b9ff0d8a2b18bb948fb2019f1e89a25d0d2e501a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\bmvuiMbtq[1].js

Filesize
33KB

MD5
285520bc859a840449187cc43864a1cb

SHA1
3d85ac9801d3cc9a3577bc6f6ef3c754d2677dff

SHA256
ac8e37a73437f2c13789726ea053c21fcdfd485896aabd6498702064968e34da

SHA512
7d99e9b95ed4fdc8a510b3830e7948be99d55edfac91ec71c4c7e534176a25ebe48c1955dc39a950f1a3322ef7d18910048c16492ebb9ff54d517a294602d6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAB8C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC4C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
496KB

MD5
c8bc1c3a35536c532f9a20ebc96897ed

SHA1
98c15e4eadb2e2ac41db1e86143e2f6d6c3ecf4c

SHA256
c2c3ef391244de981346c8d7271dbe92c62fc6dab0a3c14c50f0af11fc347635

SHA512
7dd5562276775aa7b12b54b3b76f0f8b03ee6970531696e319afe4b9e6e9e11d1c6b7a0578db9ee500136e6e1c625708e4a897bd1471a2c820b64b8a4a6a99b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EN05BMN6.txt

Filesize
107B

MD5
851da3fc774efb948d76bd41c3212265

SHA1
7a37b129a830935d3d9f1491d2f8284d52e9b79a

SHA256
2966bff61f17bbdf7ab1447de24d2af3c7e056cf61d7abc4010c8ff7c4fe1fdf

SHA512
f5434f9c39c63cee898bb08fd00e0e75af87257fc976e0b7035c075d7331f9aed369a06d6f821d8ef704634dc24ea108e496cd1afa157899536161cd859483d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WB5M7FXS.txt

Filesize
123B

MD5
6f4f4b581efb0141127aa37662b381aa

SHA1
bab914773269e1601814103feefc0adde5ccf4e5

SHA256
a4d5cc580d2188cef28c0fc88ef83057326c3a5b2bf18b6899fbcbec49af4e6f

SHA512
ec8c3c0e2ed94fef2a5f5872597f1ef62586bc63c52284c7cfdb2da317897f031aaa7dd265909ad8db5bd02f08fb4fd9857374b7034e550f5db7a3844bffe7fd

Download Submit
\??\c:\program files (x86)\adobe\acrotray .exe

Filesize
499KB

MD5
25a94cd4bbef29f2f15ec4f219d21f4f

SHA1
60990cc430b0a9ffe91c5f2691222d2f9b7fa7b4

SHA256
ac2441b3d02b4510b76faa56d9e8d93b75d4bd5654ebea59c0a3b843e35c3766

SHA512
e69282c76bde67f837c5603a769dd55816a818cf0d758f0ebc0d8953a4dfbf8b8ac9baa1c778f132ebd3e05c90ab00d2c7e8a9c2d52abf758a095423abb778d7

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
535KB

MD5
f9fb034677a4ed60f34aef95d1ff0a32

SHA1
f785fe03683bdb1bdbe399b0c3742a08d1a7ac86

SHA256
f49136db96ad0a3449ad63c5d8502a0857a84451c1175b978fa0472c397ed2c5

SHA512
7d951b44937b8c20bb1145bde65ad0b7e3c4e81d5b6618e7de176a98b88115f12c0c6598993b9fd2fa1186a4c6bd7ffdd493caf6ded5a405d5921da3dfc91715

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
497KB

MD5
32cf0d8c8ea5da0050de327d6d71e473

SHA1
4a0839508a8fae8bbfdf0d4ed0e8123d1fa798c9

SHA256
783fc585eb693f27809633c423ce5f311074c9438a09ad15ab8479120e0978f3

SHA512
c5d3fffaeb68936508942f053aa0f734f30ffcab8d98ac0436b204b9f5e6abbe0abf8a3bfa2403e5d31d356b12baccdac9e27468f9c149530279d6c5e6f1a704

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
499KB

MD5
dad9ed3349968fc985c4a487b0f42ffc

SHA1
57a6bb066a21ab17a0ba22a45bebb92f5c3f4ded

SHA256
cf3756c0db7db1aa00415e53ea4f09469194d08e71a1ac934f6e9c90f84178bf

SHA512
760e9c768c69822a92b0a0de1c960faf07131f61c044913498b2c4463f93d0e78c2599dd8d19cc4506d3cef275109bb2f6ac1ac31b678b7d60b2ffb8317f4c95

Download Submit
memory/340-84-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2220-88-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2220-65-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2536-0-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2536-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2536-11-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/2536-20-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/2536-26-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/2536-25-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2536-35-0x0000000000260000-0x0000000000286000-memory.dmp

Filesize
152KB

Download
memory/2740-34-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2740-28-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2740-517-0x0000000000300000-0x0000000000326000-memory.dmp

Filesize
152KB

Download
memory/2740-17-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2740-66-0x0000000000300000-0x0000000000326000-memory.dmp

Filesize
152KB

Download
memory/2740-68-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2992-36-0x0000000000400000-0x000000000042542C-memory.dmp

Filesize
149KB

Download
memory/2992-46-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download