Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 05:47 UTC

General

  • Target

    eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe

  • Size

    845KB

  • MD5

    eab2df02d7c5647e4b2838349d81f7d2

  • SHA1

    f10d2e0ed5c13f04190cc141b51f1f60368f8164

  • SHA256

    e6c88149ac0c62690a6416eb46c5af8f790c2f25da974737ae7cb196e40b5f2b

  • SHA512

    5bbae44eb653d659528df12ba81022df23f055dff81fa45cff6ea1fecb8aaa87e23a46ce7f004c904251d62344f5a28e1364db523abb9e62fafa5c03feb96cac

  • SSDEEP

    24576:1fUT67H4f6l1iIf9mT9SiwDzZr+pHlgQzlxn68bpVFnh:1fi6LJ/5nZr+VlgQzlxhFVFnh

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 832
        3⤵
        • Program crash
        PID:3936
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 824
        3⤵
        • Program crash
        PID:2204
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1108
        3⤵
        • Program crash
        PID:3700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1128
        3⤵
        • Program crash
        PID:1120
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1168
        3⤵
        • Program crash
        PID:2612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1176
        3⤵
        • Program crash
        PID:4172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1260
        3⤵
        • Program crash
        PID:4316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1176
        3⤵
        • Program crash
        PID:3304
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1176
        3⤵
        • Program crash
        PID:4108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1848
        3⤵
        • Program crash
        PID:2424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1172
        3⤵
        • Program crash
        PID:1696
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4436 -ip 4436
    1⤵
      PID:4952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4436 -ip 4436
      1⤵
        PID:4776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4436 -ip 4436
        1⤵
          PID:4944
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4436 -ip 4436
          1⤵
            PID:2456
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4436 -ip 4436
            1⤵
              PID:4516
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4436 -ip 4436
              1⤵
                PID:3876
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4436 -ip 4436
                1⤵
                  PID:2200
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4436 -ip 4436
                  1⤵
                    PID:3152
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4436 -ip 4436
                    1⤵
                      PID:376
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Modifies registry class
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of WriteProcessMemory
                      PID:2688
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:1860
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:988
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2068
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4556
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of FindShellTrayWindow
                      PID:3152
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:5052
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2272
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SendNotifyMessage
                        PID:4144
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:1968
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                        PID:2984
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4504
                        • C:\Windows\explorer.exe
                          explorer.exe /LOADSAVEDWINDOWS
                          2⤵
                          • Modifies registry class
                          PID:2496
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        PID:4884
                      • C:\Windows\explorer.exe
                        C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
                        1⤵
                        • Modifies Internet Explorer settings
                        • Modifies registry class
                        • Suspicious behavior: AddClipboardFormatListener
                        • Suspicious use of SetWindowsHookEx
                        PID:3228
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                        1⤵
                          PID:4828
                        • C:\Windows\system32\sihost.exe
                          sihost.exe
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4820
                          • C:\Windows\explorer.exe
                            explorer.exe /LOADSAVEDWINDOWS
                            2⤵
                            • Boot or Logon Autostart Execution: Active Setup
                            • Enumerates connected drives
                            • Checks SCSI registry key(s)
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:2128
                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                          1⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:3784
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of SetWindowsHookEx
                          PID:332
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4436 -ip 4436
                          1⤵
                            PID:1128
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4436 -ip 4436
                            1⤵
                              PID:1124

                            Network

                            • DNS (US)
                              228.249.119.40.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              228.249.119.40.in-addr.arpa
                              IN PTR
                              Response
                            • DNS (US)
                              susanreno.com
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              susanreno.com
                              IN A
                              Response
                              susanreno.com
                              IN A
                              96.125.173.176
                            • GET (US)
                              http://susanreno.com/extras/p.php?id=152
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              Remote address:
                              96.125.173.176:80
                              Request
                              GET /extras/p.php?id=152 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
                              Host: susanreno.com
                              Cache-Control: no-cache
                              Response
                              HTTP/1.1 302 Found
                              Date: Thu, 19 Sep 2024 05:48:00 GMT
                              Server: Apache
                              Location: http://www.susanreno.com
                              Content-Length: 208
                              Content-Type: text/html; charset=iso-8859-1
                            • DNS (US)
                              www.susanreno.com
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              www.susanreno.com
                              IN A
                              Response
                              www.susanreno.com
                              IN CNAME
                              susanreno.com
                              susanreno.com
                              IN A
                              96.125.173.176
                            • GET (US)
                              http://www.susanreno.com/
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              Remote address:
                              96.125.173.176:80
                              Request
                              GET / HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
                              Cache-Control: no-cache
                              Host: www.susanreno.com
                              Connection: Keep-Alive
                              Response
                              HTTP/1.1 200 OK
                              Date: Thu, 19 Sep 2024 05:48:01 GMT
                              Server: Apache
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Transfer-Encoding: chunked
                              Content-Type: text/html; charset=UTF-8
                            • DNS (US)
                              oneathleticmom.com
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              oneathleticmom.com
                              IN A
                              Response
                            • DNS (US)
                              176.173.125.96.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              176.173.125.96.in-addr.arpa
                              IN PTR
                              Response
                              176.173.125.96.in-addr.arpa
                              IN PTR
                              wjw wjwebdesignscom
                            • DNS (US)
                              74.32.126.40.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              74.32.126.40.in-addr.arpa
                              IN PTR
                              Response
                            • DNS (US)
                              95.221.229.192.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              95.221.229.192.in-addr.arpa
                              IN PTR
                              Response
                            • DNS (US)
                              88.156.103.20.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              88.156.103.20.in-addr.arpa
                              IN PTR
                              Response
                            • DNS (US)
                              149.220.183.52.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              149.220.183.52.in-addr.arpa
                              IN PTR
                              Response
                            • DNS (US)
                              updateonlinedatabase.com
                              isecurity.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              updateonlinedatabase.com
                              IN A
                              Response
                            • 96.125.173.176:80
                              http://susanreno.com/extras/p.php?id=152
                              http
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              382 B
                              517 B
                              5
                              3

                              HTTP Request

                              GET http://susanreno.com/extras/p.php?id=152

                              HTTP Response

                              302
                            • 96.125.173.176:80
                              http://www.susanreno.com/
                              http
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              851 B
                              14.2kB
                              15
                              13

                              HTTP Request

                              GET http://www.susanreno.com/

                              HTTP Response

                              200
                            • 8.8.8.8:53
                              228.249.119.40.in-addr.arpa
                              dns
                              73 B
                              159 B
                              1
                              1

                              DNS Request

                              228.249.119.40.in-addr.arpa

                            • 8.8.8.8:53
                              susanreno.com
                              dns
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              59 B
                              75 B
                              1
                              1

                              DNS Request

                              susanreno.com

                              DNS Response

                              96.125.173.176

                            • 8.8.8.8:53
                              www.susanreno.com
                              dns
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              63 B
                              93 B
                              1
                              1

                              DNS Request

                              www.susanreno.com

                              DNS Response

                              96.125.173.176

                            • 8.8.8.8:53
                              oneathleticmom.com
                              dns
                              eab2df02d7c5647e4b2838349d81f7d2_JaffaCakes118.exe
                              64 B
                              137 B
                              1
                              1

                              DNS Request

                              oneathleticmom.com

                            • 8.8.8.8:53
                              176.173.125.96.in-addr.arpa
                              dns
                              73 B
                              107 B
                              1
                              1

                              DNS Request

                              176.173.125.96.in-addr.arpa

                            • 8.8.8.8:53
                              74.32.126.40.in-addr.arpa
                              dns
                              71 B
                              157 B
                              1
                              1

                              DNS Request

                              74.32.126.40.in-addr.arpa

                            • 8.8.8.8:53
                              95.221.229.192.in-addr.arpa
                              dns
                              73 B
                              144 B
                              1
                              1

                              DNS Request

                              95.221.229.192.in-addr.arpa

                            • 8.8.8.8:53
                              88.156.103.20.in-addr.arpa
                              dns
                              72 B
                              158 B
                              1
                              1

                              DNS Request

                              88.156.103.20.in-addr.arpa

                            • 8.8.8.8:53
                              149.220.183.52.in-addr.arpa
                              dns
                              73 B
                              147 B
                              1
                              1

                              DNS Request

                              149.220.183.52.in-addr.arpa

                            • 8.8.8.8:53
                              updateonlinedatabase.com
                              dns
                              isecurity.exe
                              70 B
                              143 B
                              1
                              1

                              DNS Request

                              updateonlinedatabase.com

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\ProgramData\isecurity.exe

                              Filesize

                              840KB

                              MD5

                              f51011d03e45d9b3a68940ce3d6d90f3

                              SHA1

                              b77669e69f8be58f18cd6771cc3862cd02d62963

                              SHA256

                              e7465c386bf4c717dc457062e438920fbaec75cf20473d71403def2e531a391e

                              SHA512

                              adab8c7cbf9cb8be7f43f651d5664e9e3d989cf81b1167897ecbeb890d10a8a432561e129109b28213844e5e836a5390b895112fc3bc1e192a97ed1e1c765724

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                              Filesize

                              471B

                              MD5

                              f21d1b257be226638cd7b9718b29c6af

                              SHA1

                              2d7f95d0dcf2462d366cfea77ceeb6fe4ad194f3

                              SHA256

                              5d5f424e1ae1c89835ebced7a048d08a27865c9b77715d0b327fa9cd221a4677

                              SHA512

                              e014452564c28acbc51715555b8f1bac5108cfbf71d1d2b38979b000fbbb12e839b31ea3ea4ecb3bc88153765a6db184d103f85a58e694cddd305eff5f2ac398

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

                              Filesize

                              420B

                              MD5

                              f48b27e2cb05848e4b840e598abe74fb

                              SHA1

                              c27766d7c7c31546b91de9216a28fb4542a7250b

                              SHA256

                              c9efa20ecf3c266fcdf977bc3d46545edf93e0bc2e7ccf4d0e28f5578ceff3a9

                              SHA512

                              430cd0875988cbc44d3d220d49dfe23563a606faca0b8f48056695f082abd7c430ef68dbfc68ea3346e6c8946621d4d3659ba3de6ea85ef2777b58bf05bf61e9

                            • C:\Users\Admin\AppData\Local\IconCache.db

                              Filesize

                              15KB

                              MD5

                              74e8388b0ad006bdf09366a625fcefea

                              SHA1

                              9fe503b1d439dae62d64946db15ce2942a8dfe7d

                              SHA256

                              1d31ef8471fe3e34ce1056f84483d06e3d0e543ce28c023e476befe0dbc5805c

                              SHA512

                              d93f0f09ee71c14252023e99c8562d36597e48fc45c4ac0034c6a79b577ab6f92ca6238bc2ed68e104071747787a6eda8f473f5695f1d155cd4cb95a6e6d9db1

                            • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

                              Filesize

                              1022B

                              MD5

                              dac6377e9c8566e4e05b7b6648f39360

                              SHA1

                              5a49196e0a2449497be5ace4641c81e206631655

                              SHA256

                              fe31c5fde542b29b88c88560ab2dfdbddac1639f72041de501e3c2b08aed6fcb

                              SHA512

                              97bc38a71b8f3a74724da3b0d8ad75a4bb72d97046acafee8c0d0162bf35c9250c10473266a3a34bf1617c2c6a2d1d9d569cbff6119a1810225dca6b5a5d7070

                            • C:\Users\Admin\AppData\Local\Temp\{94718A4B-71A7-4CD1-BFBC-40B9006A9913}.png

                              Filesize

                              6KB

                              MD5

                              099ba37f81c044f6b2609537fdb7d872

                              SHA1

                              470ef859afbce52c017874d77c1695b7b0f9cb87

                              SHA256

                              8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

                              SHA512

                              837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

                            • C:\Users\Public\Desktop\Internet Security.lnk

                              Filesize

                              682B

                              MD5

                              58cbad381b0090ca9104145d2b8451fc

                              SHA1

                              da9310e46be328cf592a9a64ff757b835ab34f98

                              SHA256

                              5dbad30dde2a92bb824182638ff8e66e4de7753ce7f8a44af142f65b68d24bc3

                              SHA512

                              bd8c19d7b0c7b8e9d02d16ab8753be64325a890f7c0e6633a430f9953215115703745540f43db4d5b2c93afb583ed9905a5cb8b5601d1aeb01e737c3fcc2fb4f

                            • memory/1860-29-0x00000000041B0000-0x00000000041B1000-memory.dmp
                              Filesize  4KB

                            • memory/2128-51-0x0000000003250000-0x0000000003251000-memory.dmp
                              Filesize  4KB

                            • memory/4144-41-0x00000000043A0000-0x00000000043A1000-memory.dmp
                              Filesize  4KB

                            • memory/4436-19-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-76-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-21-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-28-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-91-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-33-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-35-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-18-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-16-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-17-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-14-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-90-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-89-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-88-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-85-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-60-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-67-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-74-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-75-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-22-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-77-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-83-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4436-84-0x0000000000400000-0x0000000000A33000-memory.dmp
                              Filesize  6.2MB

                            • memory/4524-1-0x0000000000400000-0x0000000000506000-memory.dmp
                              Filesize  1.0MB

                            • memory/4524-2-0x0000000000400000-0x0000000000506000-memory.dmp
                              Filesize  1.0MB

                            • memory/4524-7-0x0000000000400000-0x0000000000506000-memory.dmp
                              Filesize  1.0MB

                            • memory/4524-0-0x00000000004F5000-0x00000000004F7000-memory.dmp
                              Filesize  8KB

                            • memory/4884-48-0x0000000004E80000-0x0000000004E81000-memory.dmp
                              Filesize  4KB

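The memory-dump names above encode the process and the address span that was dumped, and the reported Filesize should equal the span length. The script below, added here as a worked example and not part of the sandbox report, parses those names, recomputes each size, and groups the spans per PID so that a repeatedly dumped region (such as the 0x400000-0xA33000 span of PID 4436, dumped on many triggers) stands out. It assumes the naming pattern memory/<pid>-<index>-<start>-<end>-memory.dmp and a 1024-based size rendering (one decimal for MB, none for KB); both are inferred from the entries listed above, not documented facts about the sandbox. The sample entries are a constructed subset copied from this report.

```python
"""Parse sandbox memory-dump names and cross-check the reported sizes.

Added example, not part of the sandbox report. Assumptions (inferred from
the listing, not documented by the sandbox):
  * dump names follow  memory/<pid>-<index>-<start>-<end>-memory.dmp
  * "Filesize" is end - start, rendered 1024-based: integer KB, one-decimal MB
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: a subset of the (name, reported Filesize) pairs from the report above.
SAMPLE_ENTRIES = [
    ("memory/1860-29-0x00000000041B0000-0x00000000041B1000-memory.dmp", "4KB"),
    ("memory/4436-19-0x0000000000400000-0x0000000000A33000-memory.dmp", "6.2MB"),
    ("memory/4436-91-0x0000000000400000-0x0000000000A33000-memory.dmp", "6.2MB"),
    ("memory/4524-1-0x0000000000400000-0x0000000000506000-memory.dmp", "1.0MB"),
    ("memory/4524-0-0x00000000004F5000-0x00000000004F7000-memory.dmp", "8KB"),
    ("memory/4884-48-0x0000000004E80000-0x0000000004E81000-memory.dmp", "4KB"),
]


def parse_dump_name(name):
    """Return (pid, index, start, end) as ints, or None if the name does not match the pattern."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return (int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def human_size(nbytes):
    """Render a byte count the way the report does: 4096 -> '4KB', 6500352 -> '6.2MB'."""
    if nbytes < 1024:
        return f"{nbytes}B"
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_entries(entries):
    """For each (name, reported) pair return (name, computed, reported, ok).

    A mismatch means either the name was mangled or the size assumption above is wrong.
    """
    results = []
    for name, reported in entries:
        parsed = parse_dump_name(name)
        if parsed is None:
            results.append((name, None, reported, False))
            continue
        _, _, start, end = parsed
        computed = human_size(end - start)
        results.append((name, computed, reported, computed == reported))
    return results


def regions_by_pid(entries):
    """Map pid -> {(start, end): number_of_dumps}; repeated spans show which region kept triggering."""
    groups = defaultdict(lambda: defaultdict(int))
    for name, _ in entries:
        parsed = parse_dump_name(name)
        if parsed is not None:
            pid, _, start, end = parsed
            groups[pid][(start, end)] += 1
    return {pid: dict(spans) for pid, spans in groups.items()}


if __name__ == "__main__":
    for name, computed, reported, ok in check_entries(SAMPLE_ENTRIES):
        print(f"{'OK ' if ok else 'BAD'} {name}: computed={computed} reported={reported}")
    for pid, spans in sorted(regions_by_pid(SAMPLE_ENTRIES).items()):
        for (start, end), n in sorted(spans.items()):
            print(f"pid {pid}: 0x{start:X}-0x{end:X} ({human_size(end - start)}) dumped {n}x")
```

Running it against the full listing shows every PID 4436 dump covering the same 0x400000-0xA33000 span (0x400000 being a common default image base for a 32-bit PE), while PID 4524's 0x400000-0x506000 span is about 1.0MB; when the same base region is dumped again and again, the later dumps are the ones worth diffing against the earlier ones to see what the process unpacked or rewrote.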