4862536534ea3f44daaffceb5facaeb873eee8c386e6b13b3ba31f89702a6ce6

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe
Size

560KB
MD5

a873ed2e9c4122eb074d46c39cd74c05
SHA1

8d20bb63aa39f68f9f7df89684bac9d71f0e545a
SHA256

4862536534ea3f44daaffceb5facaeb873eee8c386e6b13b3ba31f89702a6ce6
SHA512

a2993a2fad15ea54ee281788ca8d749373b7bcd6b8dd031f0ce022f9d18cb4ed0fad4461933f14e2668a8a653a9cacb25fe886f86dbd882418d39f9bf051e7f0
SSDEEP

12288:zxfyTJlFpTyMPUIpzX8MZAi58suLUgcEfKWEJRz:zxfyVlFpTyMPUIpzsMZAOuLUYf0J

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	327663578.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	327663578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2784	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	31
PID 2544 wrote to memory of 2784	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	31
PID 2544 wrote to memory of 2784	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	31
PID 2544 wrote to memory of 2784	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	31
PID 2544 wrote to memory of 2704	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	32
PID 2544 wrote to memory of 2704	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	32
PID 2544 wrote to memory of 2704	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	32
PID 2544 wrote to memory of 2704	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	32
PID 2704 wrote to memory of 948	2704	vbc.exe	34
PID 2704 wrote to memory of 948	2704	vbc.exe	34
PID 2704 wrote to memory of 948	2704	vbc.exe	34
PID 2704 wrote to memory of 948	2704	vbc.exe	34
PID 2544 wrote to memory of 2584	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	35
PID 2544 wrote to memory of 2584	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	35
PID 2544 wrote to memory of 2584	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	35
PID 2544 wrote to memory of 2584	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	35
PID 2584 wrote to memory of 2756	2584	vbc.exe	37
PID 2584 wrote to memory of 2756	2584	vbc.exe	37
PID 2584 wrote to memory of 2756	2584	vbc.exe	37
PID 2584 wrote to memory of 2756	2584	vbc.exe	37
PID 2544 wrote to memory of 1692	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	38
PID 2544 wrote to memory of 1692	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	38
PID 2544 wrote to memory of 1692	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	38
PID 2544 wrote to memory of 1692	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	38
PID 1692 wrote to memory of 1688	1692	vbc.exe	40
PID 1692 wrote to memory of 1688	1692	vbc.exe	40
PID 1692 wrote to memory of 1688	1692	vbc.exe	40
PID 1692 wrote to memory of 1688	1692	vbc.exe	40
PID 2544 wrote to memory of 2932	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	41
PID 2544 wrote to memory of 2932	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	41
PID 2544 wrote to memory of 2932	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	41
PID 2544 wrote to memory of 2932	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	41
PID 2932 wrote to memory of 1864	2932	vbc.exe	43
PID 2932 wrote to memory of 1864	2932	vbc.exe	43
PID 2932 wrote to memory of 1864	2932	vbc.exe	43
PID 2932 wrote to memory of 1864	2932	vbc.exe	43
PID 2544 wrote to memory of 1724	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	44
PID 2544 wrote to memory of 1724	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	44
PID 2544 wrote to memory of 1724	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	44
PID 2544 wrote to memory of 1724	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	44
PID 1724 wrote to memory of 1388	1724	vbc.exe	46
PID 1724 wrote to memory of 1388	1724	vbc.exe	46
PID 1724 wrote to memory of 1388	1724	vbc.exe	46
PID 1724 wrote to memory of 1388	1724	vbc.exe	46
PID 2544 wrote to memory of 2676	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	47
PID 2544 wrote to memory of 2676	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	47
PID 2544 wrote to memory of 2676	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	47
PID 2544 wrote to memory of 2676	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	47
PID 2676 wrote to memory of 1436	2676	vbc.exe	49
PID 2676 wrote to memory of 1436	2676	vbc.exe	49
PID 2676 wrote to memory of 1436	2676	vbc.exe	49
PID 2676 wrote to memory of 1436	2676	vbc.exe	49
PID 2544 wrote to memory of 2912	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	50
PID 2544 wrote to memory of 2912	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	50
PID 2544 wrote to memory of 2912	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	50
PID 2544 wrote to memory of 2912	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	50
PID 2912 wrote to memory of 2268	2912	vbc.exe	52
PID 2912 wrote to memory of 2268	2912	vbc.exe	52
PID 2912 wrote to memory of 2268	2912	vbc.exe	52
PID 2912 wrote to memory of 2268	2912	vbc.exe	52
PID 2544 wrote to memory of 1872	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	53
PID 2544 wrote to memory of 1872	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	53
PID 2544 wrote to memory of 1872	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	53
PID 2544 wrote to memory of 1872	2544	JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe	53

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a873ed2e9c4122eb074d46c39cd74c05.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\327663578.exe
  "C:\Users\Admin\AppData\Local\Temp\327663578.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d0av2anl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vk4jufop.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57B1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skt6vsjf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5810.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc580F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kwna6gcn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES585E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc585D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g3hslql2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58AB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lk4njgml.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58F9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmcrop_1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5986.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5985.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59E3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hauhxasc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A21.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A6F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.0.vb

Filesize
269B

MD5
d23be0f25aad85f020361539d7d898e0

SHA1
d9162a4dd7e37e788d85327c2d15b536d096d7c3

SHA256
d8f028262f2ed59041f19809dfe9d6e718f02a596618ec83756b07c5ddef11ab

SHA512
129b34a6384cd82c4de6747b28e65aea21d753b62cddd6c50ec1f5f7638c0c3086607aaedbd47a9bdc93974daf168f0967485e135577c30d44c20dd52fe930d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3w2oe5aj.cmdline

Filesize
164B

MD5
2f94b623f4da1cc19436f98cf39d65ab

SHA1
e14c37942519e52b3ee8f7183bbd38df46891f16

SHA256
7458cb8c9f8eaff12835095aaaa20ab9927e8cb10ace94f04c329b5041f15d3a

SHA512
223ef67424f3e596d870b5ed4d6ad6af8bb95428187bffa497957c2ceab9e863bb60287db1cf18fe2260a9576c8ceaefcf423604b2a6f67429d632a8847f0199

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.0.vb

Filesize
278B

MD5
f6c95993c10d7f52846cccad3a0d0f3b

SHA1
a9930d22cbff97abd49a10da9f1c24a9effd0f65

SHA256
1d045334b0f37519c01cd1bfe03d381ba7282d6646f7a71f66c4c499b6a936bd

SHA512
19c4951721e5d1247b850632517aacaaf6bcf4cf9a901c429342f9856347f29303da0141ec6761d42e24a3b445877c28376cb1ec4d1e14c6e83d728c198e1a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wmwyn7e.cmdline

Filesize
173B

MD5
052f0c90c670e62566801f9762e027db

SHA1
dc09bc2115abf09206cadff65f364c08e1147183

SHA256
c0384e40771e35cde0c78832c3908a915deafd38f837aa867c0ad2c97da57499

SHA512
7aaecb70baaa1acbe1e03e287b2240886a99f71c317ff3d7215ed16049e19f2ff36089f82714b42ca8cb7e52bd3ca22e8ab9882d63dd9512387191487419b7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5735.tmp

Filesize
1KB

MD5
83974377c93a0016408b2ff30de6c735

SHA1
435a55f79229aad6ff23ee1ed99475daf3196ef2

SHA256
41efbed56634320cd726e390a5744230507f9b8a182d15a0984a0c1467f79c69

SHA512
56a0b1babd56933320d2eed3169066244bb4520fb3890a9ff5c8baeac2ea8d0c047b94557c6c2cdd061e3c8ac34b4f5e03764625348b4a7946ac65ee960d708d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES57B2.tmp

Filesize
1KB

MD5
1c10cc6ab916f976588698d1a359c9b5

SHA1
79f13a41ecae55d0769e6c34ddb0f9e57a4fb883

SHA256
78ffea1ccc37658c6ef82ef62be2159beafa4d3d68b965bace50e62294aeb835

SHA512
e4edd2eb6952273523313351e641ef769e924249b3abb01766283fa1c0d7820058a57cb9b5e48ba8ac9471f04b7a7e2b9d361ecc4b69d138c536fc59e095d45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5810.tmp

Filesize
1KB

MD5
ccb4812836545fd3af6e056f4a2b3d8b

SHA1
73e1d6048edbae9d87a8a3c67e38d8aed277776f

SHA256
5cd66757861a7ff91f7e409840bf6bee831cd427eb4edef55d9019d3f7416c87

SHA512
ff25a7d2e839d6c617c35bac04b95d999be495eda72291e2509e5d00e9d11280ce06e39fa9fc323d450475e51dd94a78e409ccca07f8c7a32e1113c65620ee66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES585E.tmp

Filesize
1KB

MD5
9ee1de251e8615bb7db0fd4ec9a62aab

SHA1
c0d61aa24ba4eea7e1bfd661f5e1599b508eaea6

SHA256
5b31b772f037c0536e4d6e0811a45b9c348bf77df866d5dad7e9d58282883f8d

SHA512
c281ee6c05c4adc23a4ab658bee752ac16499a8570fcb1df41c52ab8c02a4549fbb262db53f47834b0559b9e86a811508074707f3fe551d6b645b35c85e0d2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES58AC.tmp

Filesize
1KB

MD5
70abaeec478074ed3d929a357efe9d95

SHA1
edbc59440a28644acb88492f242e26ad45df4272

SHA256
e587588bd775bec61282e4ad9fc1396a17c5910e878e4e44aa91a844a215fdd5

SHA512
84613453293facf5e4fff98a8b1c141360b19046d917731c25b80f5118468cc2578ec6ede635df74d474c9be93e6fa449e15a975198e56a3a7570d66f4b2e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES58FA.tmp

Filesize
1KB

MD5
972e0fc6ba1c69fb5a2aad7aa53f9d63

SHA1
ff5a32fc06347c34f3f9c697f548f5d061e5e9d5

SHA256
55ea5c2c2a7274223a2c308d6665cbb83022533562a5801db166ac1bbbbb141e

SHA512
8697407220de7c8044f1a0d8c17ef0b4fb9fe031c54505b316fbf5d8f1ef91e55d8f9fa998a9ba013394875b14a6b3f96820e31c9cc4001a081baaadaa7d7a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5986.tmp

Filesize
1KB

MD5
9c2a8b195c4c95f0bee7214fd1b1b3b7

SHA1
6e27d138dfc3008ad01c4862a7cbb67b3111f086

SHA256
9a040d757e9e556ea0334db87518988af2174de92689987242e2ca41ba70779f

SHA512
fa24d5ff3908bd7f289c51d5677993c4dabfd80826e9788db9328b29c884ac7e6953de51580817fee98507ba2052d25725da87e673d8a95ded32543d64523aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59E4.tmp

Filesize
1KB

MD5
84e15f96751ae7fbfdb7aea445e0c735

SHA1
a00945dc5cd6cc2923f857c4b58da196be813bdb

SHA256
0b6f068b0ca9a1668001f7487096a78b9d3407a28939961d7572a4bc513797c1

SHA512
d703497ace00b84de4cb8002a5f652945da101cc1810c9c6f36756fc788fba4957a2b7af5c8f6a258bf43160378f0ac94c1393395834b944d7ecd4657684354e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5A22.tmp

Filesize
1KB

MD5
d405e19c038f19b72d94be20749c5d39

SHA1
19511144ee83d0314cd911dfbe3eeece3831c3a0

SHA256
17fc51788670834df067c5c7070a77532ee819d87507f839f7cbc01b5e511d75

SHA512
21160197877082cd25e07ea6700dcb60d90c843d1a0a726419050ef91755410d25d617726f804b7275d3e1475ef3b1797a39fff0b675b72e2c73eec70c10e4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5A70.tmp

Filesize
1KB

MD5
5ad8213407ebc0ee4d2464991002ca4c

SHA1
6dd1e532dadde57f4ebe32da417ac261cf71688a

SHA256
6c5af448ef55ea55951cd06f87564e6525a18de65e2c7966aaf69eb2a2788712

SHA512
8a280cb9274a515b9ba14af26081265b77b7dd2072f7df5bdc25f42ca4f0f690416ed5b7c99e3bec6e14270581cf7b202ec2deb88cacd028c05a9a8e41ced1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0av2anl.0.vb

Filesize
267B

MD5
fd62ee9dd4c3e902ea3996365664382a

SHA1
d9ce8e5ff69c2448c9535f59f5ffcdc594d4cba0

SHA256
19c1a96b2821de22d3a2c57a21b42bb9445b24d7bf6e2f82f8e6b0c1849c914a

SHA512
068ef59d35ed956db8cc241b958c22617e6e7cc1a6003f95f77560f900f3b5e52172cae8d9820d83ef3876d4c85c8e43f1bd7354a02683bf930c8f9f951efea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0av2anl.cmdline

Filesize
162B

MD5
713269ab34761bae44337fcbeba4aee4

SHA1
0d8be0372d190ebc940280cd85c3ae5399336164

SHA256
eb8505674037b0e9ddc5cefeac82a7244121054ab3e22eab70ef91db4682f0ba

SHA512
81b847192870aa385ac8f3d1ca749b5b266f5d7b4a639ad2e0507d314da93fd93bf5ece8c5dcf8e82c5179fa5da1879d1765458a9f5e7ace069b1fa2877adabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3hslql2.0.vb

Filesize
276B

MD5
91db9d749b80b7bfd07524563f046ecb

SHA1
780d0d3185057fadb121e0a526a89260a7367d5b

SHA256
0d13e734ccd1fd940caa9526bc3459ccf5420189dfec2287e3818660cb029c18

SHA512
11c01940e1d88d5cef7c6d701102f7ee8eb1a3489ded2f412d648e07801f6cb6d9b2c4fde773b8453eaf92797814d7043d96c9b9fd06e037d42a7cc3eed6d45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3hslql2.cmdline

Filesize
171B

MD5
b4f0167598becf2c92cd7fdaa115e0e1

SHA1
612f79115b72c55709bc77629216dff843e5b1a3

SHA256
a5cfc2a9b1554cf075fd265eddadc0da3593141ac49e314ce119a66b641cca83

SHA512
2f5e5430bcf0f9ee98205534e6d0c09ae218ca4cb5b294a5b01db0c73f9c74435d9af512db927d9641529e5fd132b631c5374a75851f14bd0b3e0e7ea68997c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hauhxasc.0.vb

Filesize
275B

MD5
f905a83710cb30c3315fe9fffeb17b4c

SHA1
235f602eabdf656d1cf8e968178dfaface7b27a2

SHA256
06dcc5134188595e8d4dc0747cfa06491a7cc8e74b0bc117aadb185561811290

SHA512
233c0b9c860d84d22ccd184c14b0e74aa4a6f0bac81f163ccefb16b82f71ec2aa210e8a2d77295622dc384ecb677be08e50aeb3e646a8a911a15af841f77242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hauhxasc.cmdline

Filesize
170B

MD5
fa87736d9c30dd9a2336995b9857b6b5

SHA1
3c61d976b3280cece4dce7e7e501dff7fe1286bd

SHA256
6063a0a8b8035c46e7333b3c0881492a1a70e98fd35c110e5065bc0fc60c8d89

SHA512
f4ac9d07cac446b7b1dc6a22eac002f04157fc63b13a2c074455a45e2b2ec396fe63f843d5750dd004929d087fa103c800a53a589222c7b51601caf2a3e116d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwna6gcn.0.vb

Filesize
274B

MD5
285105c113cbecb256d3d1293aaed2c9

SHA1
e3f56380a1bea78c52ae4ea5ff5f03956c77c76c

SHA256
8c0343815bee6b3a09ea48af9e0c204508885a7535f1a772250331d1e2fe8e9f

SHA512
e4c03023ff9b76b3bffd70d637be79e4500965a8c1e3c9fcefb16a63c44c4e381a2a6862c7eea853848be5ab6e561fb4d9945d02b560958edb391c671797a856

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwna6gcn.cmdline

Filesize
169B

MD5
cf46b4108690ee531d766a70b55efd0e

SHA1
936f9baad2bcc90690335d906a1857f59fe35140

SHA256
5ff68ef231b268f13488aadf01cc210cfaeac8962eb21aaafb7dc86f7dada7f5

SHA512
a1f9beb8f1f6ca5f0eb031636bd43f5fd905ba4f2545e0f36e69a54bbfd7df5d96f1c00c65894dfc7a7b3b62564ecd20f3935f1c14332efce90e849ff9706f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\lk4njgml.0.vb

Filesize
295B

MD5
bc90625349b8ddff681a2854a1f40611

SHA1
ca0239d34f80409d509c5e096cfd6ae4e0e905eb

SHA256
8ed6ade2ff68614c34d8bbdaa0b7eac43e5787b4831211afff08045c580e4355

SHA512
54b8e76338471b80ba8e6f6e4692b76c06fa3c5329a9a153288c6d442ca9f51dcd5077289c3f9ca75ffd85901bb6a4010512fac411c1fa2d95562d42329df45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lk4njgml.cmdline

Filesize
190B

MD5
c585416441f00bcf0816f91091546d8c

SHA1
4df0f256b1d2ab04d54d1341a48bcd141f20fd37

SHA256
cd58eed2a6b2b6d6ac7a48b63228656558135942913ee1ef9101529558664fd3

SHA512
4b129f68387c96f7d3fc8809152819f9537841686a93c3501ca95209041251bf4242ab1e13eb7ff84cc8c8e1a1bc2a7b777f098bb28de7817c3c2fddbf130f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\skt6vsjf.0.vb

Filesize
270B

MD5
7df77e87c644b2c1871fb2c45358c6a8

SHA1
b658fe9ebb491c8b596e6f683f4629af6efe4c8e

SHA256
ceb604733e4813f6c446e3240cba6b5118e307d5af4f53e970358db5959706cd

SHA512
4cb4a2cab3f20c0c9b8b0669291738fad26c2dedb6cce669880ecdad785f32c416f85cee5962e2e4a255acabef1211d387fc7356cb810a4f8222e2e5f56eb20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\skt6vsjf.cmdline

Filesize
165B

MD5
85552a69830a8ee5829e2e5261a1cd06

SHA1
434b128e81fad5cbc257d1a715fcccc8ef1ddc42

SHA256
8872b036b1443c225885709c4f7f6b17df91e10ca32eefdb00b2a7fc60e613a1

SHA512
dd6ff5a70e6408a018f8ec6b27febebed41eae9e6870537578550c30cc5c2dde19a315a697f86edc080a25851ad16712faf5a1bfe6d7f4b3e254a64d51fb6f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5734.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57B1.tmp

Filesize
684B

MD5
41857ef7e71c255abd4d5d2a9174e1a6

SHA1
95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c

SHA256
dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302

SHA512
ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc580F.tmp

Filesize
684B

MD5
453916f7e3952d736a473b0e2eea5430

SHA1
b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b

SHA256
b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe

SHA512
86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc585D.tmp

Filesize
700B

MD5
6ed26221ebae0c285cdced27b4e4dbac

SHA1
452e9440a9c5b47a4f54aefdde36c08592e17a38

SHA256
aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c

SHA512
c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc58F9.tmp

Filesize
748B

MD5
b548259248343e12d417d6c938cf8968

SHA1
19703c388a51a7ff81a3deb6a665212be2e6589a

SHA256
ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366

SHA512
73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5985.tmp

Filesize
676B

MD5
ba2c43095c1c82b8024e968d16bee036

SHA1
41ea006dbc9f0f6e80941d7547a980a1dde868e0

SHA256
1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72

SHA512
00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc59E3.tmp

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5A6F.tmp

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vk4jufop.0.vb

Filesize
271B

MD5
da17ec9882e37de89b39410bbd36f99b

SHA1
5a5e1d090e2926b2c2b2b1694cf39820adac1c40

SHA256
19a034b7779c9cf15010eceebbfdc1059da28c0aca92ef4bb50a3062e09ccb71

SHA512
502c4f476891da04ba5ed681b664670994d642a0c4949ed3777ac39b6952157f4179c117004f1477d4554feaff4abe12deea98724ce9a8b7ed4e9a3a19717a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vk4jufop.cmdline

Filesize
166B

MD5
f1966247c089d8c7c71205465feb3493

SHA1
36323e63f0b62398c746f59943f5c100638e4c2a

SHA256
f65c358ef54f5473d789425a3d2737bd8830758809279df3678a7f51e4e3f4d8

SHA512
8c9df8dd62a8445f9e565facef3310c6220497e7db6724fa51a42feef491d2c63268db1560b2b52e53182e49d697649804b80e018bc7724eafd8f46d270609e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmcrop_1.0.vb

Filesize
276B

MD5
f053c9fd1bd9f4712b5cd74f2b9d1184

SHA1
26bab75f8adb2e618952399b09b8c22b71863fc2

SHA256
c4454968628ce0aa4fe779a9b36653f098300f54ccb606551d8bd3ebb57f473a

SHA512
0eda15da77cd58c1f49ff960ba89db9bab4a9a3d875e48f9666b396913d5168b399f31a9db7582be487ec76a2874e6a5a0d2bcb5096b6a4f3675738fe1d928ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmcrop_1.cmdline

Filesize
171B

MD5
a4ef915f1828ff6efd4faa3a7650951a

SHA1
be730b464386438920fa1d64c0a0761e188bd2d8

SHA256
848b139fa47fd25cca39d074572ec1a1f5661aac77892502123ba5630967960a

SHA512
3c7a59b8c291ca698216bec8fdff2305f87d3fe2b88a1176a81f80c699836e3a765681fe6d72936f104776c441205b1f430adb28a43d64544fc81014136b06ba

Download Submit
\Users\Admin\AppData\Local\Temp\327663578.exe

Filesize
297KB

MD5
31488a2de66a4e13f6b88f27072ed4dd

SHA1
1b06b0400bffcb1a25b0bf2c697c521c21be14cc

SHA256
13974ab8091e52b1838bb55a5843f8113e7b8eeb867b112b6506b3cd2fc40ee2

SHA512
ed14a9299dd532b3f9d25640ea69bda993ebd0d22eb426bb15ae1aeba56684b81c65d413463b568e048ce502c7c838da0eea0ff22def08c81d46fb8184e8e442

Download Submit
memory/2544-3-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-2-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-1-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2544-0-0x0000000074361000-0x0000000074362000-memory.dmp

Filesize
4KB

Download
memory/2784-18-0x0000000000DF0000-0x0000000000E40000-memory.dmp

Filesize
320KB

Download
memory/2784-15-0x0000000070D2E000-0x0000000070D2F000-memory.dmp

Filesize
4KB

Download
memory/2784-154-0x0000000070D2E000-0x0000000070D2F000-memory.dmp

Filesize
4KB

Download