Analysis

  • max time kernel
    123s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/08/2024, 03:49 UTC

General

  • Target

    a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe

  • Size

    50KB

  • MD5

    a1184e1690e4d0e3006f67ef21707693

  • SHA1

    0865edbe60c018baa5a0014a63977a4da008f5ca

  • SHA256

    33c396a39aae14f9ca745910a4b111bb812559a4bbe154cadca1381f2f5a9c1d

  • SHA512

    7ac54be3a7489d8c3bcd4b277b9fe8e671c7485137810fca90b2b89aa0c5134db93dbfe319d42e647d34d1e1b6dcf353c8a0201580660bfaeeece0bede9595ac

  • SSDEEP

    768:1kpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:QkQJcqwmIfj+ECJG/kvO

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Domain Trust Discovery 1 TTPs

    Attempt to gather information on domain trust relationships.

  • Permission Groups Discovery: Domain Groups 1 TTPs

    Attempt to find domain-level groups and permission settings.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

  • Discovers systems in the same network 1 TTPs 4 IoCs
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\findstr.exe
          findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          4⤵
            PID:2804
          • C:\Windows\SysWOW64\chcp.com
            chcp
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2528
          • C:\Windows\SysWOW64\net.exe
            net user
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2548
          • C:\Windows\SysWOW64\net.exe
            net localgroup administrators
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup administrators
              5⤵
                PID:1192
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2948
            • C:\Windows\SysWOW64\systeminfo.exe
              systeminfo
              4⤵
              • System Location Discovery: System Language Discovery
              • Gathers system information
              PID:1476
            • C:\Windows\SysWOW64\reg.exe
              reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              4⤵
                PID:2416
              • C:\Windows\SysWOW64\find.exe
                find "REG_"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1864
              • C:\Windows\SysWOW64\reg.exe
                reg query HKEY_CURRENT_USER\Software\Microsoft\Office
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2068
              • C:\Windows\SysWOW64\reg.exe
                reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
                4⤵
                • System Location Discovery: System Language Discovery
                PID:588
              • C:\Windows\SysWOW64\reg.exe
                reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1504
              • C:\Windows\SysWOW64\reg.exe
                reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2032
              • C:\Windows\SysWOW64\reg.exe
                reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2000
              • C:\Windows\SysWOW64\reg.exe
                reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2036
              • C:\Windows\SysWOW64\reg.exe
                reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1672
              • C:\Windows\SysWOW64\reg.exe
                reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2316
              • C:\Windows\SysWOW64\reg.exe
                reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
                4⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:960
              • C:\Windows\SysWOW64\reg.exe
                reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1932
              • C:\Windows\SysWOW64\reg.exe
                reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2424
              • C:\Windows\SysWOW64\net.exe
                net user Admin
                4⤵
                • System Location Discovery: System Language Discovery
                PID:468
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 user Admin
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:2420
              • C:\Windows\SysWOW64\net.exe
                net user Admin /domain
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2448
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 user Admin /domain
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1752
              • C:\Windows\SysWOW64\net.exe
                net group
                4⤵
                  PID:1644
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 group
                    5⤵
                      PID:780
                  • C:\Windows\SysWOW64\net.exe
                    net group /domain
                    4⤵
                      PID:1688
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 group /domain
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:1768
                    • C:\Windows\SysWOW64\net.exe
                      net group "domain admins"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2832
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 group "domain admins"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:1896
                    • C:\Windows\SysWOW64\net.exe
                      net group "domain admins" /domain
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:1052
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 group "domain admins" /domain
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:3064
                    • C:\Windows\SysWOW64\net.exe
                      net group "domain computers"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2232
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 group "domain computers"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:2240
                    • C:\Windows\SysWOW64\net.exe
                      net group "domain computers" /domain
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:876
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 group "domain computers" /domain
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:2340
                    • C:\Windows\SysWOW64\net.exe
                      net group "domain controllers"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2208
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 group "domain controllers"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:1080
                    • C:\Windows\SysWOW64\net.exe
                      net group "domain controllers" /domain
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2140
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 group "domain controllers" /domain
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:444
                    • C:\Windows\SysWOW64\ipconfig.exe
                      ipconfig /all
                      4⤵
                      • System Location Discovery: System Language Discovery
                      • Gathers network information
                      PID:1344
                    • C:\Windows\SysWOW64\NETSTAT.EXE
                      netstat -ano
                      4⤵
                      • System Location Discovery: System Language Discovery
                      • System Network Connections Discovery
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1496
                    • C:\Windows\SysWOW64\ARP.EXE
                      arp -a
                      4⤵
                      • Network Service Discovery
                      • System Location Discovery: System Language Discovery
                      PID:1304
                    • C:\Windows\SysWOW64\NETSTAT.EXE
                      netstat -r
                      4⤵
                      • Gathers network information
                      PID:1640
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:1780
                        • C:\Windows\SysWOW64\ROUTE.EXE
                          C:\Windows\system32\route.exe print
                          6⤵
                            PID:1996
                      • C:\Windows\SysWOW64\net.exe
                        net start
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:776
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 start
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:904
                      • C:\Windows\SysWOW64\net.exe
                        net use
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:2004
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo n"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:1680
                      • C:\Windows\SysWOW64\net.exe
                        net share
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:832
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 share
                          5⤵
                            PID:2260
                        • C:\Windows\SysWOW64\net.exe
                          net view /domain
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Discovers systems in the same network
                          PID:2376
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1812
                        • C:\Windows\SysWOW64\find.exe
                          find /i /v "------"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1072
                        • C:\Windows\SysWOW64\find.exe
                          find /i /v "domain"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1820
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2088
                        • C:\Windows\SysWOW64\find.exe
                          find /i /v "¬A╛╣"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2052
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
                          4⤵
                            PID:300
                          • C:\Windows\SysWOW64\find.exe
                            find /i /v "░⌡ªµª¿"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2184
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2860
                          • C:\Windows\SysWOW64\find.exe
                            find /i /v "├ⁿ┴ε"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2120
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
                            4⤵
                              PID:1880
                            • C:\Windows\SysWOW64\find.exe
                              find /i /v "completed successfully"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:1928
                            • C:\Windows\SysWOW64\net.exe
                              net view /domain:"WORKGROUP"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Discovers systems in the same network
                              PID:552
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:756
                            • C:\Windows\SysWOW64\find.exe
                              find "\\"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:556
                            • C:\Windows\SysWOW64\net.exe
                              net view \\MUYDDIIS
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Discovers systems in the same network
                              PID:1004
                            • C:\Windows\SysWOW64\net.exe
                              net view \\MUYDDIIS
                              4⤵
                              • Discovers systems in the same network
                              PID:872
                            • C:\Windows\SysWOW64\find.exe
                              find "Disk"
                              4⤵
                                PID:2136
                              • C:\Windows\SysWOW64\PING.EXE
                                ping -n 1 MUYDDIIS
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:2876
                              • C:\Windows\SysWOW64\findstr.exe
                                findstr /i "Pinging Reply Request Unknown"
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                PID:2428

                        Network

                        • flag-us
                          DNS
                          windowsupdate.microsoft.com
                          wmimgmt.exe
                          Remote address:
                          8.8.8.8:53
                          Request
                          windowsupdate.microsoft.com
                          IN A
                          Response
                          windowsupdate.microsoft.com
                          IN CNAME
                          redir.update.msft.com.trafficmanager.net
                          redir.update.msft.com.trafficmanager.net
                          IN A
                          20.72.235.82
                        • 8.8.8.8:53
                          windowsupdate.microsoft.com
                          dns
                          wmimgmt.exe
                          73 B
                          143 B
                          1
                          1

                          DNS Request

                          windowsupdate.microsoft.com

                          DNS Response

                          20.72.235.82

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\ProgramData\wmimgmt.exe

                          Filesize

                          50KB

                        • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

                          Filesize

                          24.9MB

                        • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

                          Filesize

                          49B

                        • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

                          Filesize

                          7KB

                        • C:\Users\Admin\AppData\Local\Temp\drivers.p

                          Filesize

                          15B

                        • C:\Users\Admin\AppData\Local\Temp\ghi.bat

                          Filesize

                          4KB

                        • C:\Users\Admin\AppData\Local\Temp\s.log

                          Filesize

                          153B

                        • C:\Users\Admin\AppData\Local\Temp\s.log

                          Filesize

                          64B

                        • C:\Users\Admin\AppData\Local\Temp\t.log

                          Filesize

                          72B

                        • C:\Users\Admin\AppData\Local\Temp\workgrp.tmp

                          Filesize

                          234B

                        • memory/2668-0-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB

                        • memory/2668-9-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB

                        • memory/2788-98-0x0000000000400000-0x0000000000425000-memory.dmp

                          Filesize

                          148KB
