cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841

Analysis

max time kernel
1563s
max time network
1564s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
Size

77KB
MD5

9448fc34ecb9f95825442ae14c39fda6
SHA1

7dd4a2005211ddc5e001cc8ecd857929797a08f9
SHA256

a1566b0b4783b58fefb512872ed01310fe5c9c3a64303f547739787be68a45da
SHA512

b33e2eafb9f3b75a151312c0fbceb6c88e3c851624b0847b8229ffaf375dbe29a6f88ee0a0f3003344007751301c095ce4558dec0afa9bfe471a0f012aa84203
SSDEEP

1536:RdloGy9Cy3QuQv8VtYOxJ06pifrpE/Aw1f:R/oGYQ/kVphpif611f

Score

10^/10

defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1972	cmd.exe	35

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

Processes:

2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USC40-92KTX-TZTXH-TOFTR.html	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exeWMIC.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
1220	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000084c5900d1ae2eaa865db0dc21c787c153481e7cad4e13dda2aba5efb4a5bf256000000000e8000000002000020000000ee8bd03e137882599eead42b54bb41beae61f201a28c1a52b5220820c8cf8cd3200000000f836ac911a903c65a8b75f06050a60f65c7682daea7d738a0a58412c0d5dc3b4000000067e8eec6a38ce814d762a41218414c8fab43295893eba163fcab168ed2fcba0a916c103c6e72cbf2c79bb7f77c2c18f7bcfca6aca073fd9214686669cbebbb7f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09F48201-9FFD-11EF-841E-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000a016a65d4b10862d0d7cfde10243dca1fcc85775c68f4a1f1a99dda3739fb281000000000e8000000002000020000000350176f77c504b1769631ed9b93f9ad762b156f5fcf43e5d39abdaa998997d8590000000730f07e9e72b1229e3bb7a58f7fcaf17efea89d7de78aece5a4e9773d306de6035370ec68a2d726f088289bf9cbc54de4600229ba21e8e64235185baa87d33cfc94fbfe76951b483d99d07b5f2d7390fbe5cca3651827bd9a2b115265ea054872db9980ee3d0554d41fcd212c02b27a9b36b70ccd718135974d8def2236e39faf12dcff73fb6f5f9142178f6f064290a40000000ee017bd8e883087e67eaca67af6f55b03d8b23adc15d151fa5e806f2cbb9e407f00ac656eb2cc3aafef61bd285bc3c54428974d439cb9fff4ecdfa62d8f1130f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437471328"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b570de0934db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemProfilePrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeProfSingleProcessPrivilege	2748	WMIC.exe
Token: SeIncBasePriorityPrivilege	2748	WMIC.exe
Token: SeCreatePagefilePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeDebugPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeRemoteShutdownPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 33	2748	WMIC.exe
Token: 34	2748	WMIC.exe
Token: 35	2748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemProfilePrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeProfSingleProcessPrivilege	2748	WMIC.exe
Token: SeIncBasePriorityPrivilege	2748	WMIC.exe
Token: SeCreatePagefilePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeDebugPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeRemoteShutdownPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 33	2748	WMIC.exe
Token: 34	2748	WMIC.exe
Token: 35	2748	WMIC.exe
Token: SeBackupPrivilege	856	vssvc.exe
Token: SeRestorePrivilege	856	vssvc.exe
Token: SeAuditPrivilege	856	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
2640	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2640	iexplore.exe
2640	iexplore.exe
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exeiexplore.execmd.exe

description	pid	Process	procid_target
PID 1920 wrote to memory of 2748	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	31
PID 1920 wrote to memory of 2748	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	31
PID 1920 wrote to memory of 2748	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	31
PID 1920 wrote to memory of 2748	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	31
PID 1920 wrote to memory of 2640	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	33
PID 1920 wrote to memory of 2640	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	33
PID 1920 wrote to memory of 2640	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	33
PID 1920 wrote to memory of 2640	1920	2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe	33
PID 2640 wrote to memory of 1888	2640	iexplore.exe	34
PID 2640 wrote to memory of 1888	2640	iexplore.exe	34
PID 2640 wrote to memory of 1888	2640	iexplore.exe	34
PID 2640 wrote to memory of 1888	2640	iexplore.exe	34
PID 1876 wrote to memory of 1220	1876	cmd.exe	38
PID 1876 wrote to memory of 1220	1876	cmd.exe	38
PID 1876 wrote to memory of 1220	1876	cmd.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\USC40-92KTX-TZTXH-TOFTR.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1888

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /quiet /all
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /quiet /all
  2⤵
  - Interacts with shadow copies
  PID:1220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35f70bcce77e0e42e73f5ce947ea544f

SHA1
ade781c62b5e6435fa2be60d8209845ca2f2d163

SHA256
39671e7bddafa180fd5f40ebfcb814d94ce2699ebf71aa0af79e8188e40dce4d

SHA512
f16aa1019feb95ecc07b375f290e774c01853029824044edf87ada65c91d47f028ceb47850061c382a762eb2a0a2b0af75dbffed28c21cd66bbbbe5e365c712d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f1071fca8d7062d20c8aa4921fca238

SHA1
ac0e7f0afc824faa5f11100abb6fe6cd952f6bb1

SHA256
f9e81a901941f136b4b35c34b77361a61cc7e0db48b7aefe0d022b0caad9f55e

SHA512
92d130e23742e1b658813c5933ece18ae9a090c35b6f80d49b003c995f7f4f0b25509403f064daa5febe542a5ee0262fc2e673c1d182fff16967e1095a49d6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60c36f5c576d37ce62327db330796290

SHA1
7b9767c226d5b99042a84f64b9d8799744de86df

SHA256
a24534c2622eda642d8072fe54a6686279a07e84442865fa05a8bb82accc1825

SHA512
d53f874a27ce2176ccf9cf7c40fb4a4fe34eb6ec611f9256d6c5a79fdae00ead828795a44375c44498a0576e00442fab25801ac2dc3a69973788809d1b154c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c83383ea30a9b4ea9e7ea334e8cf638

SHA1
8877a24ee679cc7107f7636ceaa30f43843c93ee

SHA256
79132a89a72a66160e5dc1ed9a20c1ce9e30f5faaa22168366a9f70a9b998b89

SHA512
d030c2a716ee2ad77d880927135d1d3dd5c04227200efff75b90d2ea916825884b264f36ee350d810bb11439f31a8b7f207b9c267441741ed07852aa5ee7e64a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e15ebedb1bbdabbc2a8e12ea8546a50

SHA1
707ec0ed9e30820af238bcc1ecee3a1fdf4a8408

SHA256
6c5822c6df7a0ffd2c8a9d4cff4855bbc1a1b5bfc222921296c6c412262b4ce4

SHA512
9cb124afc3af27b5442229eb8532c88da75b74bd636c86c2914fe8ea867059f6a80d9781cb7e23352b22cc27905ed830199a1beb42103f044ea59111fb791eed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58761a135fc0f08c7f71f89d7befcbed

SHA1
e5fed1817af50d5e34c4fb10e3d512a1e3728282

SHA256
d5f98214b50e99821e7616bc9e89cf80b551a5652ebb66fee565d3beffa02d60

SHA512
e29a7980d2c57c471ac028552aa29fb449e1ea81509819f805342c08c7f47a918b919631c19605269bd22eea92072e7c82f2570c9ad01a91e83db81ff7a774f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29bcfa832899d5ea61983a60b4caf396

SHA1
b9c4da08b12278237ec97eb055a9c313cbd4dc8c

SHA256
9adede5ea17790430c5e4ae68d4ca72deb4ccc0340aa3fb09844db01a458b632

SHA512
c1dbe71b4d49947a466257f512aabd7961b8281e74a8457c0ecbeb505d11b45b63f831b3bd27f62b8dd62433eee29d0bc5fc727d5534cf5b42cefb1112866311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6594f73c7281d37ff47796eb91b30325

SHA1
b65041d740290655a1d80818154f8f695e7d1d73

SHA256
e2bc299b69af66cab4e423229156e22c15684aa1998ce3c8036435ef144b47b1

SHA512
4b9e33cbb2b32fdbc5680430e8ecd8463adafd6b124650c32a312fe6f70b9ddb958d53d9b401f2e58efbc949bfe96901cf44400fc20e146b5d5a22a4f389be99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be6ca77d6c8a93bb960cf2394b3e67e2

SHA1
85ae5d9cd3555328099b442344bbe16887595850

SHA256
b29fc696c9ac2d52a72386323debb37da0814573db7d250ca66a201ac05d021d

SHA512
068d37bedeb535162536e6d4b9a9518edd4156585a557eb9681df2338bf1675fa62a99567591aa44fd3c8dc984965aa8f84cba157ba7c335f515765ad41b4aa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04293b48a51e350334855d2eb6033938

SHA1
038d00dbd318a943d64466bd9635c10a0eea3a98

SHA256
2f5c44c118aaf015bb938f451cf813d04776898ac76910e9219217d1b845664b

SHA512
81f8db90f355902b0a75c0c59f73e5b8c28ec52b760a4b2fcc4350ee56f96a356ade79c17d881834a1c305303045454acb864962b5dfdcbc3ed8cfb7a5ddc752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c54428c44bd69a35da27545a82035c4f

SHA1
cb72b0e55cb23eb97cdc8c460cf633965845a358

SHA256
618aef777a649570a83db1d35fb2fc27f22662f89cf62900f63487e280f1d693

SHA512
223f67a0956b8bc8e6ffdf714e779f089edae5ba16535d6d10649687a04aa6e5f1031b348ae80e39758a3138c80fed6787f91d2533b6e9c38abbad1276fa9e60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecc50df89b92a05c44e72788208f5cfc

SHA1
74f196670048a55691211e156fc7c4e4432c1a2e

SHA256
5d68fa5a7b9e7b8373de9a3176ee4ff2d8aa47fbdb60839ea8fc7ebb41179608

SHA512
2df23175347d79ef23ec0129445223e329e2d25158c52832dade191fb6af29240f9c99457146d169c7cf2a2b1199221f9fcdbe2b7db6104ef75bc98326283579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0163d5a0e5ea6ab874c09bfb5e34ac7

SHA1
0df302caf26367a3d251267a2ba5dd8ed44ce56c

SHA256
15863fe57e806d5721da17871d5f6ee1d8daed2afc7f6466f551fe30e3d363a4

SHA512
5c2a6879e478c7ec8f8c0bd533ddb7bf83bd6ef540dd9134b7a44393ab4082e400bedcf7304c9406f8f1a8a238a32b8a4801cd06452ab6bb8c8c2eb6ab0c5be6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d953099df889c82f05155ba19671b0c

SHA1
cea78b383f94d142eccb4c64a76747c4977e53e0

SHA256
7b03747d985136d6308a764c3f8af3fb4dda9715363a32b574791706d309f60f

SHA512
172b53343cb1dad01ae3edf4b27fb3da2c0b971d537b2645a28aabe053f096068c014760ffa70b07fb5536f63f1153063fe9c6485074180276e6f4737d4c0ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c953ae996123bcec05e0fdb67e71c461

SHA1
2a2c995beeb4fe47ae8c040fbd17ca46b88befc4

SHA256
1e6523b6b3c1722bb3a30e2d406bfad5d7b454e3cb149314ae5423e2007d92ac

SHA512
2902df4784bae41032b79af72e7a6463f6c5d7263cdd006ecb69da3579808b68ac58d5b2d124dd559c8a74553e0e87df8830e852dc37a6aea1d35a4f9e4f5695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58493728265701a5cb0b374329b7e197

SHA1
c49425620f23c4d80fe4580f17731ebd9678d98e

SHA256
1e380d30e5933ceee3a65aaa721a019be975d94cbfc0a225664d67479b42db9b

SHA512
0fa594f84bd7168e1e7180278fea57e3ea36c731f7b1c98ae0db3b0dd17c2f2e7dbeb5999592572dad9ebc51896f20979053539c8e8b2d3fa918ccaf7d87f48b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
919064d1b3128968726c1a3d2d81357f

SHA1
adf9ba1c65e96c25b2e6c01c004d4fc8cd461938

SHA256
7f7e18395436bd2105523d2b995d87f4ddeb0f0bc9dbe3836200ca5ace51732c

SHA512
b8fc8a2195f468e129d2feac30f7b50fa703e1913ec6bd24fe2fbedb86e14c9c2b88c708e78b77bed71ff163accba1a86f5ae29e2db0eb0ed853bb2f9fc6a7dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7c38e20715610c9529fd25e408c8fa6

SHA1
c3f023259cb19b63a875970bde1ed0d05340044d

SHA256
22b61c4dc0093f333305fbc744ca2411477a93f1ce2f497126e129cbc314c582

SHA512
26ab98b0a54ccfb8884cc4ce60921ecc3317dc20e5f13f93c29ba60e9708680266ef8402b1de1ba3ce337dd5921a2565efe3baa7cbc4605c5136125c9bdacf8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab2d45c09d3ccb27fd9f1bdb23a0334f

SHA1
cf09219a0005b5d29230af4d52a5d872dba0a478

SHA256
2d201bfc0bd098511422ee95c666cd29feca3a6ef4d16d2cc5e55bf0377ed944

SHA512
1c51c6b8ac3fee5e2eb63e4b11979cbc7025ae8c575328b59df861dd6338c7cf4a4ea38ba0ccde5cae0079261ee821e3e3bc59273c26d4f456f0139932633d2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87a02ba1c472453e03c070fbfdcae906

SHA1
15891290f19e4737def027577f11b394d97e042a

SHA256
979cc13614f4ba429fdbec0b145432b703c77e48fb50d86ecb61192a7e843e04

SHA512
753113f4c5966dbc5a30df45c7076d75459923c02918b6e47e4905f89d50966f7c91175e68dd63f489c8777827b6d4073f58ea49e3d45d10c27e688937c5d414

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23ddc12a37c0064db924f7743bfb8c43

SHA1
75106834e1deef50126306aa1dbdb293ba792279

SHA256
2bcf85a7b992bf0c0f020bb951f7f0e78d6668dca9d15fa0999be1f5d916a95b

SHA512
9e178cac151852b5af2dd96877db34bba0266b7d52c51ef074fdd8ff94ff316986d859bf1e091368181b5f94ea20fd637efed98c44e45b40a15b3321f3db9720

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12F7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1348.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\USC40-92KTX-TZTXH-TOFTR.html

Filesize
16KB

MD5
9ee2f7a20b04769a32f0e56d1d74cb60

SHA1
8105308dc98dddb9a496a450122f0626e85aa8b9

SHA256
2e6c1e08bbb0beb50992dbf71bf41b0cb891c77091ab6f6836255c87b14dd188

SHA512
4079edd8e61bf9586187b5cc9f96e8f0109a4aaa361d0a2e273cdde6b7bf8236aecece75a724455a54ec41f1880d0145d3357a986546c81df61bca99e9d4700c

Download Submit
memory/1920-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1920-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1920-2-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-3-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/1920-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-94-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download