stormkitty | 714b920e2e9691e98d269641f49a958a9324ed6bec404620c4fa2db5624a7e27

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1538f2496409067d29289d9223e22a39.exe
Size

843KB
MD5

1538f2496409067d29289d9223e22a39
SHA1

a5b76c1277270fc2644399fe9ada46fcf7c20489
SHA256

714b920e2e9691e98d269641f49a958a9324ed6bec404620c4fa2db5624a7e27
SHA512

04b94808d1f79c526cb673b47f75064bffaa28b6b44ca2efc669fa43ddbc7091d51722a8781d6b29bee46eaec3567d1f80400678df3410d3a05bd828d90ad4d1
SSDEEP

12288:lGWGDHK/4O4v9tIr8aVwDTadGRmNQ51038WcqhVTnvJkxmwH4E6:lGTX9tIr8gw/wPS638QhVN84

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122de-7.dat	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 3 IoCs

pid	Process
2460	svchost‌.exe
2328	svchost‌.exe
2304	svchost‌.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\svchost‌.exe	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe
File opened for modification	C:\Windows\System32\svchost‌.exe	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost‌.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost‌.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost‌.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b387dc6f5bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000000b23900076d3f7301a2a71f43d07b2ed79de7213e69d5195a2a8e7358125c245000000000e8000000002000020000000644abca295d43202568d2ac7be66e04a1f3823d1dcf672bc1d25d0076b26e21520000000e454122db43e0930f4d4d646619bc26e5a8f0a6c0706d581b25150ec45fce1fc40000000273db606a66d358f7706efcd67f2a2ca1501d149d3f56beef211f77253735a348c67216d8f854b2515e844cc7123dac4ff5925629808f2a3c4124b0907db7534	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{036C65A1-C763-11EF-A0E6-E6A546A1E709} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf0000000002000000000010660000000100002000000003711e9de78274afdfde07a62532e3b15b2d59e08a805af3e6c1cfb5b62106f2000000000e800000000200002000000074ced0d45b421368f762ee41997477a2c7ea6d43bab7b04151a5c71c47f90bf89000000072f15120999cea42d7c625624750a713c5fbe8ff5a73808b0d46e7df42e7fef5f0bc5726b2dde87e1b7e5d71dfd826c8617387008d5b35c4104b4c7f687139b16a921d834fd237f0585b0168cd9344e747e95c476a4cb21383c5807237e8f66ab60a8c327fced65b1b87628adbb521518cee788531f619dfead16596410688b3ea89ffe99dffd3718ebdf657ce905b1240000000dd7aa7264628a309f59666b7851e2803004537fef6fee0021be1301bff6a59352c8d4e321916dc803c87ef79ed2e466f6780a3c1979ab4eb0b475e576b4b023b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441803222"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2264	iexplore.exe
2264	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2264	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2264	iexplore.exe
2264	iexplore.exe
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2984	2580	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe	31
PID 2580 wrote to memory of 2984	2580	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe	31
PID 2580 wrote to memory of 2984	2580	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe	31
PID 2996 wrote to memory of 2460	2996	taskeng.exe	34
PID 2996 wrote to memory of 2460	2996	taskeng.exe	34
PID 2996 wrote to memory of 2460	2996	taskeng.exe	34
PID 2996 wrote to memory of 2460	2996	taskeng.exe	34
PID 2460 wrote to memory of 2264	2460	svchost‌.exe	36
PID 2460 wrote to memory of 2264	2460	svchost‌.exe	36
PID 2460 wrote to memory of 2264	2460	svchost‌.exe	36
PID 2460 wrote to memory of 2264	2460	svchost‌.exe	36
PID 2264 wrote to memory of 2892	2264	iexplore.exe	37
PID 2264 wrote to memory of 2892	2264	iexplore.exe	37
PID 2264 wrote to memory of 2892	2264	iexplore.exe	37
PID 2264 wrote to memory of 2892	2264	iexplore.exe	37
PID 2996 wrote to memory of 2328	2996	taskeng.exe	39
PID 2996 wrote to memory of 2328	2996	taskeng.exe	39
PID 2996 wrote to memory of 2328	2996	taskeng.exe	39
PID 2996 wrote to memory of 2328	2996	taskeng.exe	39
PID 2264 wrote to memory of 1740	2264	iexplore.exe	40
PID 2264 wrote to memory of 1740	2264	iexplore.exe	40
PID 2264 wrote to memory of 1740	2264	iexplore.exe	40
PID 2264 wrote to memory of 1740	2264	iexplore.exe	40
PID 2996 wrote to memory of 2304	2996	taskeng.exe	41
PID 2996 wrote to memory of 2304	2996	taskeng.exe	41
PID 2996 wrote to memory of 2304	2996	taskeng.exe	41
PID 2996 wrote to memory of 2304	2996	taskeng.exe	41
PID 2264 wrote to memory of 2416	2264	iexplore.exe	42
PID 2264 wrote to memory of 2416	2264	iexplore.exe	42
PID 2264 wrote to memory of 2416	2264	iexplore.exe	42
PID 2264 wrote to memory of 2416	2264	iexplore.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1538f2496409067d29289d9223e22a39.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1538f2496409067d29289d9223e22a39.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\schtasks.exe
  schtasks /run /TN Update
  2⤵
  PID:2984

C:\Windows\system32\taskeng.exe
taskeng.exe {DA4E7344-068F-42C6-8350-D339FB9769B4} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\System32\svchost‌.exe
  C:\Windows\System32\svchost‌.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost‌.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2892
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:406547 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:406562 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2416
- C:\Windows\System32\svchost‌.exe
  C:\Windows\System32\svchost‌.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Windows\System32\svchost‌.exe
  C:\Windows\System32\svchost‌.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
82a31b37ffcf876c09fbc67db59dbac8

SHA1
62179fd49e661385013067d933262330476a1cca

SHA256
946e8fe24e52f78428263eaa5f4ba101cab4395e586faa2fc0fe0ced46c23efd

SHA512
056d55f39b18e06b7a24ce72e51500924b981ec3348e5a818f4c721b1f9afedbe7f07fbabd910c5b05a2568cca95e333715c46bdcce6d5ecdf2c623a5850fe79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba6f3e64825acf0fb204d5795c1bab97

SHA1
0d7f1b9718eb5ae658f6c9e64de86bbaec373de7

SHA256
8616a278da58a81c6e3437f4da397eab5eaa883cd23a8cac36194b6e0f277e29

SHA512
d56e9c8cb66f6c069cbc87002bb3a7fa61462cf219a7985826a65bea1e3cd9491002453f1211305c0f9503972d4dc47029e2ae68537e4033d36f35b8c47a2aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7693ef0b9c0222cba8155f3ed6efedaf

SHA1
161282b6d6ee03d471eff370aa5db90140c7e5c8

SHA256
5b2bfa7b9a551152a4497124efb9fc8c8a1b6c90c361ffc12602d867b9981b74

SHA512
cdd3de7a49a55a4edfd25d81da5eeaf49b1aaface7d08880a1644cc20d5e218de49cf3fa5c989a941b95ebfde8401053e1f0d6941ea8ca93b5798cba3d2c2681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22739095a612b318e753207bad446ad0

SHA1
0d2844ca49a25e3c8351995426e4baaae80a9600

SHA256
730baebf532b5eb9144edcf7465cab10cc9bc35c1dcaa79cae83cbc410efa53d

SHA512
23b42cf125a0f18dd2fbdd40cc481e4715384b48904364892491f8a8591b42d577335ebaef0df14f612cc559da3f0798470aa16c46529b43e645c99517a258f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83a4ac6f58acf929123ddf66d6399a3c

SHA1
a26ab66878be950518f32a9d6f93f0a4bafb2e56

SHA256
473f049ecc0aee7dfe1ea2c300b7a12e79b4213278b3b2d450a6f5ef938493aa

SHA512
2eec5b810b8882cb74b0a49ba39a2bd5820438d8eb969c84580daaf85a058bda4f415d9993d9941a552d253791882334e506c5a5cec9a781a7c5f1e294d2607e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02def3e0aa0aa6de8ac42fe6773742f3

SHA1
8fc0d94e0de467421d3d1e069c6fb3a28a47a881

SHA256
6d1b8264e697c37bc5b8f678ec564ea76ad11718f00ab7b5be82281a6e9bb6ff

SHA512
42a6bfad0dc84139be46f9a58870cfcf8efad5910ac11c22d9543f299d4cda10aafe997c6b4e3d9dec2616036f25e97ed86bd38c20bce349f4eef1f46f872632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ce3efd800e4554194c3b4044fa8c6ee

SHA1
dbbf8f4aef89b6c00d120ad9ea449cab92085236

SHA256
85686c6be8f04ee3a8026c86bf4b57dfe7b8116fbfd02a9db8b14bc0baa147c6

SHA512
0204b4f8dac6791973c3a2e282a8883ef2a8b3fc8596e061d99239dc23588a26655a80070855af066a7c23dcaecfe995d21cf7b8d6330cc0e07888c5fadd2c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d3379347f008cf3e447564de2bfee1d

SHA1
4e483791f8cb048df9081e603126c374783c225a

SHA256
15f0edbaad4a4e3cc8414dadf3fdfb6cc60f3bcf07fdf7189746d180714bb61a

SHA512
341e438c1269fd0ccb26cee97c1d8cecb56cff34ec7854a8bce68e18f4216dd484f29cfdd3ff656c0f7c8d6650957af7916383c8b2b08bd00d26140995c9fa10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3f5c1b8a4947ee06975b022cf7a92c8

SHA1
0a0aac80103a71d4f140687e328e5e5bbd0199ff

SHA256
20e515fbfa87053ad969e7a458e4d1b4bf823b46dd596d4b953432d86a78a4dc

SHA512
758e663b3fbe5eda3be0304ade9f8b312d68ff296ce498472e5d35f14af839e35abc1bc0b60f5d3a3fd6c93333b1f5c1719a0e7a22236274951d9147e7756be1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f60c1c2413c80f4c909e782c4bc981f

SHA1
ac2f6df95d1a4b195cc5c54e9f617f259089024b

SHA256
c5fef0d1c2464e11447f05acd1e34f0d0b98c7ad85409ca9cf815d974856cab1

SHA512
d6d854006874c9ce6be340f75f4b5567fb42efd859b2dc9a46f34ee6b2785b6e6fa3fd1e3b668781a13d99eecfb914afafd5a9a4c3e5e4336f063266e8f5ee2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0e0e3eb4e90f9ccf0dff97e75608243

SHA1
36a2c8e9331bcf7b2ec11f1929ff20ee4223b2c5

SHA256
8cbb427c71681190b4a4aa0234bc6d87fc1c4d90bbd1eb37f36be8a23f690166

SHA512
0e94cdf9dd38a402739b70481e817bbcd4959f473643f12c003c86d726e7a4f333f742c9ab11e274d6522c80cefe798d16af3b71197ea89a061ccbcb5b2b61ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68bea17608c6d80ebbcdd724d348e9fc

SHA1
68608a9b8a566a87ee0828a964e05994dccbe708

SHA256
c9fd0b111a986b31e1b16d07848b32133f41b18073ced844e9505a6b1c82a6bf

SHA512
5381cb47e37b220df3db001bf6ef41b2688fc0754bd7f1cec7bdfd727a0bfccfe2e095f1aadd7a30ba153db46909629af284ffb86cda9efdd672c1e896faa4f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49074283891be600c0debeb636a9a86f

SHA1
120c7170ba9c1042b0ea897c9c9505aa372d1b88

SHA256
839795b489055f7b3d6e8bf203f5aceb696f3cdd98b005990d8d30e2c360edaf

SHA512
a0f02f036423e9315d3aaab16973e0379052bef6fcf122e85fada5c1cfe2105663dbdafd49ca3d71443391b5c3fccabb996906c8daead2575a14a9a738d1d5f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddf4c906cf5c1132cd59e753c36b2e9f

SHA1
782869614938f66ea357f9cb58ee86da6b17aa16

SHA256
bca7a5e4a913f5bc98b9b413ffa1f880431eee1c1e7a68af58aa77d7e6c5ce8e

SHA512
5784c396929372534213927ee5e5047bc8b433181af8d4fae0a37399a63294a7619640f1da3cccb8b6ecf8953647abb1e97246c6976f8f2d5ef006fa64611226

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71948618b0b1d3b1120dac1bd043cda7

SHA1
8ec4a730a69ae9bd60319aebaa24c9a6909faa33

SHA256
ab6f7835f369bb344478003cff3c7c78c25319aa65b652893985eea38144c7e6

SHA512
0d5f6e9cdb71bfe1578ca36a0c52472cbf93ac43c97a3df0e7e2ab2fabdfe56bc845dfa28fe25fddaa4973e05966c00fcc83ef292e235a3be06fc55667b4edb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a82802e8a7373ec8561a888f174d7903

SHA1
e3f0ab29a083563cc4c36847759d0856be2c31ac

SHA256
de3b351624864e5daa68d9dc95f045a95286ac19f678fb2bc1b7f2d4e3bd128a

SHA512
a3789a75df2cc4adb8385fbc56b63a9a45669d71f84a54f53204f269d73baa8bd2c68dce03d358e62443c4b9f1713f11e39524175218e02c09b0611bebaa7a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d25b513a9e52e9752a7c8ea63161717

SHA1
5bfc7498ad650dff9eabae8b997f9b5ad6b914d6

SHA256
76f3294c44757786fa2e89c22735a6fa5c62904e2c8b4b39c51ad8df5405885d

SHA512
6c65c9ba1693a815ed1d9e03c572c8e1e87d6f3851b4f4c5deefc6beb768ef6bbb45fe518e00353dbd0600ae6e9cb53de620157e3644305662267b9a19324ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3c51e9678718a147948d71fd8af2e79

SHA1
a37643c7f1d5459d0e5217afae52ff184f483cbf

SHA256
ba33bb0d089dd3f158696e44dc13f4893765a0f7097eaa849bd8b8eeaaea6476

SHA512
0063ce784df4b8816620143de104b4ed92fb59e6aab326f77b4b973f4f6bf2d48a0d587dc4114487dcc069339d95db58f56d78555ccd0eb3485918d3bbd282be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10ddd70f4c8433e5e6c9b01d70a9e54

SHA1
d4a5bc3e7bd441b50f37909d99cbf6856f34564c

SHA256
5d3f0a2f89433345abd568437a4a7eb4055bce030659ee6d1db510917c39ae72

SHA512
a4d76819d5a67406b27060c4589a69a1daeba735b0d57800c8a05435bfa6d775825e3516bb4d26c742fdc30cacb44dc89eb4d0e73ad1b78f0e8f290f441b9357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bc06f9a66c9f2bd9fbdb0276bf804a0

SHA1
e21a41c3af77f963d628e308e9c6455218d2013f

SHA256
598e31953aa8bb6bf394d33d3ee42ced608eae96c0c911df06cbc0f5523807e9

SHA512
527ec12372aacab6fedc647d8dae60e3625883a94afe924902d767ba389deee9805b15b13f6976bcafb0a2e4110eb0aabc449a78a296fd538449200d9c7dc1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e249f0c25c3a950b237212929067877e

SHA1
b8b2ef96b83e76922d77d3f2088b18a00aa233f2

SHA256
9596d1219081a62b30977fc9f55177814dc99ceeb329136963c9a297c6662a63

SHA512
9b226637bd91368aa40ae12d7a416805897609b1141bbc5794b8c635cd1b313b5c6bf39ce588f7e80ca96d45e58fe6361323a6eee2264b9e888469c0fd1dcbfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1be4c4c34c8398b84d6de21c0a4d181

SHA1
1832b7cf04e14fc71c92944520dd2d10028b2b34

SHA256
b2eb5528a5c36a0bf6bc9e0bdf6ef5bda1592fa2a089616e7e0c63279f3aac3f

SHA512
a49b2bc0a590baf7fbf147039e867417c3086ef43b0e851688dd859cf7e1d33f5f88d49710c60489441140f19d30d0f91bb3da8f22f9c3d1ace4a6e814199e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aafa11c430b65b4de99187ab021e21a

SHA1
8793da0d8c35d6bdffe0faf6b6f51558483b7ae1

SHA256
a35967d2f3609351eb5488b5a318efaa29f8af256135e6d903b7c9bd2d722f3e

SHA512
e512af25fc162e2b0c6a68eadfa8fb70077951c8bb14304569052deb9acc3e822e18c036266597af2f02fff9e09751d9b6e1495957027a2c6d26968b17602ef8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eda558e3deead4dd230ecc15ef90b77

SHA1
9d9b2a46ac48765b42acac430012e47ea559db74

SHA256
5df3052a70eef37fe35f0deadb249959f4e04b10404775d9a3513ce342da5024

SHA512
732f8035ec7ede8c133739741c9d83641f4c12ab194a752ffb11fea08285e100d62f54bf2874553847008eccd6ce1f0962d2355f8eb701b66f3158d64b20af78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e26af8d23376e36ef2dbd7663026f48b

SHA1
781e228cd19e80861d44852362082684d6c3359f

SHA256
e55a82bad72db66754cf01b38c1a04906e8fba807328189f81ecac429843a8f0

SHA512
bf3e6eeaf1a7097c7c819969d26800657c6aa3f73ecc0f7c42a6dddf4dc85c7c44c866551c75b6c3c4504751ad87e0c51e8d0287d71caf10b91d1245d5c006c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40b7a8513bf08adfff23d856a9da85f7

SHA1
b77b77156b4667986ff6ae5dd7b863c19d75ccbf

SHA256
f0e5942b6ab1e18fdef1e336bf9472814ded3391916e80a90a4b8a8193dcfc35

SHA512
9c6c663d101fdd4e6c3a6bfed112e8650efb24f15eadc00db7e8f5511cf5b5c2468c68b9731008aa5cb1dce23d570f1d5dcb14e753812923976f4891a91a6aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71ce5b71ad2d0f19f7a931d2500f20a6

SHA1
e16dc08c8ea446915e4898d3814b7822d0a72077

SHA256
05149b96c6dca2d83c4171da081a825822608066bcb7d406ce67af333e1ebb27

SHA512
76f28cd59bfcb56a4da13b5b474d14677bb0574a3eec8e35ebd73ac48513a49c7b60a18bc346c4c4953abf7a5b51ed74d456940fd1069c2854c1da29df7c1482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d7b0e009d3566fae0f051ffda6be4db

SHA1
3c24c81f26598de3626cc61fa6f62a5cc537c3a5

SHA256
a5b743119ce32af60d23aa7a010b457c59ec83557bcc474a0af1d6368d80d6db

SHA512
9abd6523449d6c5f6774f06172b8dbc1819fef472d24d4d4ae8e42a0ccca33c416d76457a063fe78b2c622f08190e37b5fd7a1ecaeaf45e69b541f585351496a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b46ae7e4d0110e3017028e97c36453c7

SHA1
e38ae9043eefee1e44a2786637a8cedcd1f9cc95

SHA256
65ca73bada4e4f0d4a14fb338f59429c7b9bb4687492539f30e258903f6c2153

SHA512
b47bc307896b85f4579a9995b794842ebf7621b1662703bdb0dda1c4680ed3a71902b827655d9083e6c0ef43e612c63790f433d85358253d2aa0432f8e01c17e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72f910d96e14f5e16901ca36832e56f8

SHA1
787731d991abd1b3b236db40807b2a1fbe02d8b3

SHA256
2d1246eb08744c707d0651b1d2b1b60c35fe35dd9e05a77ebbc19cef7223fa75

SHA512
d0707033896415257bdaded4ead710e1b05b7bbe530923d8ff09033b6c97a09a43583837a967296d482af1af64bdb0f2992c9774559fc43962f50b2877a0d8b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48d3047acf8e79a8f2229dc9817bed66

SHA1
41264bcdd35f152a9af73b982a5794e49bd4a157

SHA256
cfa600e73fe9e1b51ca1376f8a4938a9bc25a45a4768d9f746dc6b28e752c06e

SHA512
0b3f932ca27e2c66fb46dea0656af4cbc85a117cd9bcb3d58d1d2e93e1d8103f0b16d87965fb9c25cb86f11432bc314b1cfa8d8a7be86205d17deaae328e3667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5db01004069b60b2ffe3420954c7fae3

SHA1
30f12b4662518f0a179ca03436808e88b95a8584

SHA256
c38350f1d3716e91c088c122f17a7ee9ab54eab1a61b51ae7c1a07766cb842d2

SHA512
808a245c3b4ef38996e3913b7a6950571a10d97fc9cee52f13fc8f4cf9abc4c582f3514d7cdac164923d7febd49f5eeb6332793e6de4e507da97f8b8c0a2765c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDFE6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE16F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\svchost‌.exe

Filesize
660KB

MD5
5bec8d7c881f1ce48a094715ca77aab8

SHA1
d6152df4e0443293caef5efc9a89f046a0fb583d

SHA256
fd0ae8e49b453646c28a7b2b6ef4b77f17586d7192ca3c8d647a0bf8abf810c7

SHA512
255996257ad2e03d6f04e9f41df673ef7b314ac98de415c626e0d34a0da7d686e6e29ee0ba43f9d61f34a89512abd2746628256cb162e49fb7f20f596ed6b593

Download Submit
memory/2580-5-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-4-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-1-0x0000000000160000-0x000000000023A000-memory.dmp

Filesize
872KB

Download
memory/2580-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download