Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/09/2024, 22:00

General

  • Target

    defaaaf754d0ea2fe664e82061f56f74_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    defaaaf754d0ea2fe664e82061f56f74

  • SHA1

    d83c4b6cce9d18c3400f472d5d7f6a36d7f19319

  • SHA256

    c0e1d9f27d5d57b7dd90853012e16106be85923796d74f15fafa7825007adcbf

  • SHA512

    cbb88febe57a203c1b581acc15b8f2a7681093d6d19bb77da90611380f26abfb9cf3454a768cba43cc8ebaec86a30768e7eb2bc7b5e06ddbb0f81f38b5c82865

  • SSDEEP

    3072:boFZSQ895kPwaH8y0YrftKo8PiKxl8k7H4+CPolWyG6wYR5KKfKO9iYqE4xm:boTzwacQrfWHbYJPo0n67R5xT9WE4

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 36 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 8 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies registry class 9 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\defaaaf754d0ea2fe664e82061f56f74_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\defaaaf754d0ea2fe664e82061f56f74_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\disppdbfwc.exe
      "C:\Users\Admin\AppData\Local\Temp\disppdbfwc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2640
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2176
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3368
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2312
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3352
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3444
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:3504
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4800
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1816
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1536
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3992
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4656
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:896
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4056
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:688
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3492
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1832
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:856
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:3280
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4192
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1576
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3324
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4084
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3420
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1948
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3448
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3812
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:2752
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4132
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3492
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3388
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:3836
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4072
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:5064
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2984
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:5004
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4768
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2812
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4472
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2696
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3940
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3136
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1128
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:2948
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4564
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:3492
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1460
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4908
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1504
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:5052
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:216
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4584
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3684
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3528
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3504
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:5068
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4788
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:892
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2952
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2884
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:3180
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4412
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1400
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1412
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4108
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3016
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5048
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\DISPPD~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4044
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:5012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 588
        3⤵
        • Program crash
        PID:4564
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Runs regedit.exe
        PID:1332
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1432 /prefetch:8
    1⤵
      PID:4132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1028 -ip 1028
      1⤵
        PID:692
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        PID:2732
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:552
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1996

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        84231e6b703a4b64fa601076af9e016a

        SHA1

        210e330be937e617085d28bf356c990a49dce0a5

        SHA256

        e10b7b5f4f3291d340cebafd2d87bbec8689ffb1750a813a2887b6cd31ce61b3

        SHA512

        e13fcb1e344dbd4cd9429faa51f61615ce602908e3eabb7ae9190e745f38747b62b563ca9c0c71abecff1fc398afd2652d32ec37511061d2dff2356aaad0b8d4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        0f39c869e98f46066e2103b97d4afb15

        SHA1

        e975038cc0fd3acb56ee5020eb428785fb685c38

        SHA256

        125e260590e5b8a64faa0df42a13e9f6362c3c501e8c615695e2fb2af4c6c0f7

        SHA512

        5568f71d60d281ef81789989d798fa7bdba2ccbc3a04d9905fda90b98103a686418e4acbccc342c76ec8bfb84f03897a70228d072d77f1289dd1df9b8d4acf02

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3781.tmp

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\dnserror[1]

        Filesize

        2KB

        MD5

        2dc61eb461da1436f5d22bce51425660

        SHA1

        e1b79bcab0f073868079d807faec669596dc46c1

        SHA256

        acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

        SHA512

        a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\NewErrorPageTemplate[1]

        Filesize

        1KB

        MD5

        dfeabde84792228093a5a270352395b6

        SHA1

        e41258c9576721025926326f76063c2305586f76

        SHA256

        77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

        SHA512

        e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\errorPageStrings[1]

        Filesize

        4KB

        MD5

        d65ec06f21c379c87040b83cc1abac6b

        SHA1

        208d0a0bb775661758394be7e4afb18357e46c8b

        SHA256

        a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

        SHA512

        8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\down[1]

        Filesize

        748B

        MD5

        c4f558c4c8b56858f15c09037cd6625a

        SHA1

        ee497cc061d6a7a59bb66defea65f9a8145ba240

        SHA256

        39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

        SHA512

        d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\httpErrorPagesScripts[1]

        Filesize

        11KB

        MD5

        9234071287e637f85d721463c488704c

        SHA1

        cca09b1e0fba38ba29d3972ed8dcecefdef8c152

        SHA256

        65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

        SHA512

        87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

      • C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

        Filesize

        168B

        MD5

        e7efc2c945a798b4dab3fe50f1524592

        SHA1

        0bb937ccd89e40c91c0e58b376873ef909fe805b

        SHA256

        624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

        SHA512

        e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

      • C:\Users\Admin\AppData\Local\Temp\advsec32.dll

        Filesize

        4KB

        MD5

        3adea70969f52d365c119b3d25619de9

        SHA1

        d303a6ddd63ce993a8432f4daab5132732748843

        SHA256

        c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

        SHA512

        c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

      • C:\Users\Admin\AppData\Local\Temp\disppdbfwc.exe

        Filesize

        112KB

        MD5

        b84a148f40c3a694b930c5374f7a90cb

        SHA1

        333f5acc35ea0206f7d1deadcb94ca6ec9564d02

        SHA256

        7a3b78feba1670850602b7c33cb0968b4d89db609d98c81744b43cae23d563f5

        SHA512

        032ba7ba40ed36cddbcd9cedaf53db82db98ac35a122a3cf37fb95452cdc62f1a7cde68d232525114cafe0cab36451ea977e1ae3912449cc738b8b99797bee3b

      • C:\Users\Admin\AppData\Local\Temp\smss.exe

        Filesize

        18KB

        MD5

        b3624dd758ccecf93a1226cef252ca12

        SHA1

        fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

        SHA256

        4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

        SHA512

        c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

      • C:\Users\Admin\AppData\Local\Temp\win5.tmp

        Filesize

        233B

        MD5

        ba947d6bdd19e4f78a02678d9160fe2a

        SHA1

        33d3d9360345a5864690401e29bbb4e2d4f24b96

        SHA256

        6b789d76092d99ea06c44f740d136c71b67624faf9ac3ef20d7014b3a3cb4a7c

        SHA512

        e029d29b1dbf63c497bce1e72117b6c92309ac1d97e348ee63da5febdd6be130648e81b80388ec88193ffcf9092b376613ad7b698e94ee92745f68bcbdda2736

      • C:\Windows\SysWOW64\ipobjsql.exe

        Filesize

        1.7MB

        MD5

        defaaaf754d0ea2fe664e82061f56f74

        SHA1

        d83c4b6cce9d18c3400f472d5d7f6a36d7f19319

        SHA256

        c0e1d9f27d5d57b7dd90853012e16106be85923796d74f15fafa7825007adcbf

        SHA512

        cbb88febe57a203c1b581acc15b8f2a7681093d6d19bb77da90611380f26abfb9cf3454a768cba43cc8ebaec86a30768e7eb2bc7b5e06ddbb0f81f38b5c82865

      • memory/3092-34-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

      • memory/3092-29-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB

      • memory/3092-0-0x0000000000400000-0x0000000000447000-memory.dmp

        Filesize

        284KB