Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2025, 06:53

General

  • Target

    JaffaCakes118_8a6cce77a711d9d113f98a58b6aa48a5.exe

  • Size

    203KB

  • MD5

    8a6cce77a711d9d113f98a58b6aa48a5

  • SHA1

    1fd42e056fa298ce1553fee307edc4b7cff5b680

  • SHA256

    da8d2cc4377dc08214a3c890595d97664ef8af254bf7b9455df334acfaa5f505

  • SHA512

    029c36819e379cc3a34c073e89481044087ed0fc0c97f917307b19aa4d24fa095cd800c4c3353b5ce61057a800917de8890ad5cc8c069210a9c91686adfc331f

  • SSDEEP

    6144:Vo01LUBA4I1P4u75D9CMnvt5kxCbSTPujr+OY:VTUBeP7XvkxbSjr+N

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Sets file to hidden 1 TTPs 6 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Modifies registry class 18 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a6cce77a711d9d113f98a58b6aa48a5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a6cce77a711d9d113f98a58b6aa48a5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Users\Admin\AppData\Local\Temp\inl7EB7.tmp
        C:\Users\Admin\AppData\Local\Temp\inl7EB7.tmp cdf1912.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4456
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4688
          • C:\Users\Admin\AppData\Local\Temp\ki18453.tmp
            C:\Users\Admin\AppData\Local\Temp\ki18453.tmp
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4960
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 592
              6⤵
              • Program crash
              PID:5664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Users\Admin\AppData\Local\Temp\lie7358.tmp
            C:\Users\Admin\AppData\Local\Temp\lie7358.tmp
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5480
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3380
              • C:\Windows\SysWOW64\PING.EXE
                ping 88.99.00.00
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4480
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                7⤵
                • Modifies WinLogon for persistence
                • Modifies visibility of file extensions in Explorer
                • Checks computer location settings
                • Drops desktop.ini file(s)
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3592
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER~1.DAT,MainLoad
                  8⤵
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  PID:5320
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_ki2_tmp.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5964
          • C:\Users\Admin\AppData\Local\Temp\ki28991.tmp
            C:\Users\Admin\AppData\Local\Temp\ki28991.tmp
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:864
            • C:\Program Files\Common Files\19920306.exe
              "C:\Program Files\Common Files\19920306.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4604
            • C:\Program Files\Common Files\920306.exe
              "C:\Program Files\Common Files\920306.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4544
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~968E.bat "C:\Program Files\Common Files\920306.exe"
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3760
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\NTUSER_LOG.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                  8⤵
                  • Modifies WinLogon for persistence
                  • Modifies visibility of file extensions in Explorer
                  • Checks computer location settings
                  • Drops desktop.ini file(s)
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1788
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER~1.DAT,MainLoad
                    9⤵
                    • Loads dropped DLL
                    • Drops file in Program Files directory
                    • System Location Discovery: System Language Discovery
                    PID:4876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:5500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6132
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4960 -ip 4960
    1⤵
    PID:5864
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\RECYCLERMD4"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:5896
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\VolumeXX\desktop.ini"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3208
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\VolumeXX"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2268
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\RECYCLERMD4"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2308
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\VolumeXX\desktop.ini"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2780
    • C:\Windows\system32\attrib.exe
      attrib +s +h "D:\VolumeXX"
      1⤵
      • Process spawned unexpected child process
      • Sets file to hidden
      • Views/modifies file attributes
      PID:5804

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files\Common Files\19920306.exe

      Filesize

      24.1MB

      MD5

      60eac4dfa04a9a6d58ad9b0349876ca1

      SHA1

      bacf8eaf68deb4212e504ddb8345d1b6a672e7f5

      SHA256

      df3adfe63d43ef8ce2dbff05a2e250870a98c83f9544a400af09e8e21616b5b3

      SHA512

      4b4807e2b97c3526ffa2730a92848fef1eccab2e68ea4735362562a722e9558141e99b3e7dabacf5e1a41e90548509bf14d9bff7abd3842d700fe065858f06d6

    • C:\Program Files\Common Files\920306.exe

      Filesize

      24.0MB

      MD5

      12c64dc7a442b8ee37fd58daf72b99d4

      SHA1

      15c4ee5efde0500e56af10a845fa61a6f4e81b28

      SHA256

      0c4ce733e57836126962233885eae7e87d7e5804208497ec60eeef1193d2e5af

      SHA512

      444a7e2412e87c7b7d6ac912087959c58bb4c406b9e84b93bf3c09522848d6c6989206fddbe1112618d5c71ae78d23029c1a81e1a9ca3e98e437614e21f17b12

    • C:\ProgramData\Microsoft\Windows\Start Menu\Internat Explorer.html

      Filesize

      496B

      MD5

      5cdbde2f4ccbc0524c69c7cafcd2c37f

      SHA1

      7a1a648ec802a253e44e8c53692e8346b0d3b243

      SHA256

      66a7b213220ac2ad40b06f80140c1d470438a14c9969b16cb24e6db76759c46f

      SHA512

      60baae2839607647ec1129ef553d266de7672bc6c3267381fb35d505c31a63e29b94312da91ce911e79bd9988d83771681ee195e9be1cbd16b204dbcbe8bc375

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

      Filesize

      471B

      MD5

      4a326b4601ab30dfcfec12796d4473af

      SHA1

      fcc8ab255f002787a2f4756a6e7aaebc4ca0b5ff

      SHA256

      58c3470bcc9b953996e86f7741d7a6b1afe327c1c65788c2ef262c1beb6df10c

      SHA512

      2462008010263772ed24dbf2e6b9c002e29334c7529ddbc5f8272dbb41d5eb54dcc9556ade4dab79f32a10cdff67520882a5505f80dd23a752ea69407afd654e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

      Filesize

      412B

      MD5

      1c61d98e57756430ca5be35ca3796f64

      SHA1

      aa8b59293e03edd295f67079377dea553c201a49

      SHA256

      e5202ddc0eddc98a0ce78af82ea39b218c5ab8aa0a7dd176cd42c4b7def46c2a

      SHA512

      72376a7011e33bbfc29f09c6e1665059ad6e97bac2152707815dc135df2a89b3a1dcf89694b308d54e4eb75ba34cbea2d297da08464245d75ab5ea117e75975b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMQG84ST\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

      Filesize

      768B

      MD5

      d20d9eda31a2d0300e4589df7f352370

      SHA1

      79b46d2dbb489914cfedafdbc90e62951471b48e

      SHA256

      d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

      SHA512

      d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

    • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

      Filesize

      57B

      MD5

      b65c9a44f0e0c950a0c3afa0cdcf323f

      SHA1

      6abc961f89bdd80da6eaf9ba8eaa0415fd1c2a24

      SHA256

      b232518db14e1c9c09dfef71124cee0f24b0281777cfcb02076821713a33c9e3

      SHA512

      1a148c31950833267654b311bd634ad09f40bd560d3fe2873ce07aacf8258cc39cf8d7a85722957caca61c2de6459ec318ec9d13fcb5ea2bfbbefcf938ef1e7d

    • C:\Users\Admin\AppData\Local\Temp\run_ki2_tmp.bat

      Filesize

      45B

      MD5

      e9a5a33dd5e5d55b2b1c7ca94017ec36

      SHA1

      5be66fbaf3d02f64a53b99bc0a2c3959f6782752

      SHA256

      531e9ab84e23081416835abd259942bb09ea64edaba47b380a4653e1a05ef377

      SHA512

      cfac2dece66ab385efb24814586e3513b0c77caf3c80e0c488a0b393a575d6733dc04d74e6e18f54ccffcbe71f7ec83b01810eecf87b34e3c7a8cc9a0cef078f

    • C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

      Filesize

      45B

      MD5

      620aee5abce897dda821453652a9a473

      SHA1

      ca652b4a25e4bffb6c7c885b894404a8ccd5d129

      SHA256

      357de45aa2999182f4cdb680282d9d2db276b477cb7e185d0bd6ad71461ee356

      SHA512

      5fec094af891238495a521ed67569bf5b1cfb7d4154fa43516a6dd969311b2568caf3e314924b3f96013b190508aeb4137294070a296823ea9d55199ef8eb08a

    • C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat

      Filesize

      45B

      MD5

      7b0d6dc6e6743ce65c35a0efec8d227f

      SHA1

      2b32b567323cbb4685b5e32c210c4cc9f30cf6c6

      SHA256

      d884c0fd1b9a4ba4afa7ed50f38a7b934df9f365e181b92b61171a5d3261f55a

      SHA512

      cb81b444a7935c399ea81605e4868c1a5159f172d64c3a5874c7cdcbd7d3a6277fb194d0a33ea19089d46a3ec488d0fb37bb432a6562a56857c8ecd327f1423d

    • C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat

      Filesize

      70B

      MD5

      edea5cd5060d69b6c558fea75e330a67

      SHA1

      929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

      SHA256

      1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

      SHA512

      adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

    • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

      Filesize

      98B

      MD5

      8663de6fce9208b795dc913d1a6a3f5b

      SHA1

      882193f208cf012eaf22eeaa4fef3b67e7c67c15

      SHA256

      2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

      SHA512

      9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    • C:\Users\Admin\AppData\Local\Temp\~968E.bat

      Filesize

      49B

      MD5

      b6e4ff01afc2e58b21843019507108c9

      SHA1

      01a3700dae89c5106a748af13f65b28c7c462d23

      SHA256

      7ca924de77456773a89cb7663463bedadf931deb66e02dd12498607f8540a564

      SHA512

      f70ed29c7ccd1647b0de0d2d5af321d7c32a1b324c3bfdea82a395011cd7e9727fe45ef77ffa3d795e9f6e215973a05ca5a9682e751b800f433fcc86b5909dcf

    • C:\Users\Admin\AppData\Roaming\Microsoft\NTUSER_LOG.hta

      Filesize

      7KB

      MD5

      d533fbcf6eec4c957935d4e81fbfcb56

      SHA1

      2fabf149662dadb7236766fa111e33990baa5def

      SHA256

      441f1948e33f12dd65b3f69dfdf34cfe3a3ab8c0cfbb32aa5502704386e5cdd4

      SHA512

      10f105a4c40dcac0a28f3f547850f9237a0f69158990dccaa198b3fd8d84b6f6c26c7c9e8ba353d813b80eaf98b8f620bb0e79bcbcdedde8b8c06906ba6f791b

    • C:\Users\Admin\Favorites\°ËØÔɫͼ.url

      Filesize

      154B

      MD5

      8d681a59ea75e91f730bd9ce3c42e514

      SHA1

      9d426029daeebf03c9053761e0e5a9f447f98e9c

      SHA256

      afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

      SHA512

      ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

    • C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url

      Filesize

      155B

      MD5

      5a17106c27138df10448c2c3be95f399

      SHA1

      56acc2ed4fea4171127a13dcdee08bdd39d674d6

      SHA256

      c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

      SHA512

      1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

    • C:\Users\Admin\Favorites\´´ÒµÍ¶×ʺÃÏîÄ¿.url

      Filesize

      156B

      MD5

      8a275b261afcc166671132b6f03831e4

      SHA1

      03ac21edc1de2df748ee3a301a6b3de989c423c3

      SHA256

      0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

      SHA512

      269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

    • C:\Users\Admin\Favorites\¿´¿´µçÓ°.url

      Filesize

      158B

      MD5

      d645085ab92574a2a17abd323415dde5

      SHA1

      49ebaa4499cacd9256f270f35f31684b7cd195b1

      SHA256

      41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

      SHA512

      a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

    • C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url

      Filesize

      157B

      MD5

      993f72a439a3301caeb969c7faa7a8b9

      SHA1

      176244349a0463cd0fc38cad426d89dc3b055311

      SHA256

      b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

      SHA512

      c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

    • \??\c:\users\admin\appdata\local\temp\favorites_url.cab

      Filesize

      425B

      MD5

      da68bc3b7c3525670a04366bc55629f5

      SHA1

      15fda47ecfead7db8f7aee6ca7570138ba7f1b71

      SHA256

      73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

      SHA512

      6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    • memory/864-91-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/864-106-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

    • memory/4456-98-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

    • memory/4456-41-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

    • memory/4456-43-0x0000000000190000-0x0000000000193000-memory.dmp

      Filesize

      12KB

    • memory/4456-56-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

    • memory/4456-55-0x0000000000190000-0x0000000000193000-memory.dmp

      Filesize

      12KB

    • memory/4544-104-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/4544-117-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/4736-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

      Filesize

      12KB

    • memory/4736-0-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/4736-19-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/4736-20-0x00000000000D0000-0x00000000000D3000-memory.dmp

      Filesize

      12KB

    • memory/4876-115-0x000000006A6C0000-0x000000006A6CC000-memory.dmp

      Filesize

      48KB

    • memory/4960-54-0x0000000023560000-0x0000000023595BE0-memory.dmp

      Filesize

      214KB

    • memory/4960-52-0x0000000023560000-0x0000000023595BE0-memory.dmp

      Filesize

      214KB

    • memory/5320-131-0x000000006A6C0000-0x000000006A6CC000-memory.dmp

      Filesize

      48KB

    • memory/5480-82-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/5480-70-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB