Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 07:12

General

  • Target

    fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    fe079c4129d51477df121333b64bbcd7

  • SHA1

    0f5806f04a5376b372ad55a8ef5050dc8f815aed

  • SHA256

    13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74

  • SHA512

    31787f83322a4f0fb919b630d5b05c28398ca4cbbac3965af6852417e7b2ef1362083a7edff5b984131e5de97e9ff707047ca4955bf1ea21ac92f2a51a5bffbf

  • SSDEEP

    3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 37 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies registry class 9 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Local\Temp\fwcprocfwc.exe
      "C:\Users\Admin\AppData\Local\Temp\fwcprocfwc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4060
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4396
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2368
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4224
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3612
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2104
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:432
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3464
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3356
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4072
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3120
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3448
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:216
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4728
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3316
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1764
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2524
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1172
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:672
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4772
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1276
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2176
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2488
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4224
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1984
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1360
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4020
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4528
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:768
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4048
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4940
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4360
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1780
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4504
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1160
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:760
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1568
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2056
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:512
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2608
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5100
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1636
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4912
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:1808
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1424
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4800
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3012
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4296
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1984
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:1292
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2104
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3464
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2760
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3800
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5008
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:3748
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4864
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3544
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2988
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4300
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2688
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:748
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1668
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2188
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3452
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:4596
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:700
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4920
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2220
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3236
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4632
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 588
        3⤵
        • Program crash
        PID:4368
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Runs regedit.exe
        PID:2576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3028 -ip 3028
    1⤵
      PID:4652
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      PID:3048
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4788 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1864

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      e81809e35464c6a8ccffb00fa7424f8a

      SHA1

      aca926d8ab54a834b33db7c5fb4355287d2cd2a7

      SHA256

      01c74bfb667bcffad25fd994026261a336a8e8dcf85ad629a75c87e838fcf744

      SHA512

      d807413cf4356a8861ae6bbfe5fd2792bdb5b81ec9fe64f6d567e505d001c847d8eeb4bc730599a5428afcf561d35ddf022d1d3079036d65a0e382d4737d5c28

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      404B

      MD5

      17b44899530ec721094b8b00427e4432

      SHA1

      7c3096cf8a53424a3070ca9d72b50b7f0ef6bade

      SHA256

      d9663b68f3f5c550c3975986dbff09737703dd730297b84db90c79eac1bf20be

      SHA512

      fa98f4cb5f76b6b56bfcd24b40a8f0fff49a90d2e8048687f08c096be8eea1a6eec807613f03907127c961464a64be31a59e44cf4c4cda0ec4ce1c36728298b0

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9A95.tmp

      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\NewErrorPageTemplate[1]

      Filesize

      1KB

      MD5

      dfeabde84792228093a5a270352395b6

      SHA1

      e41258c9576721025926326f76063c2305586f76

      SHA256

      77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

      SHA512

      e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\errorPageStrings[1]

      Filesize

      4KB

      MD5

      d65ec06f21c379c87040b83cc1abac6b

      SHA1

      208d0a0bb775661758394be7e4afb18357e46c8b

      SHA256

      a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

      SHA512

      8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5JGBC19U\dnserror[1]

      Filesize

      2KB

      MD5

      2dc61eb461da1436f5d22bce51425660

      SHA1

      e1b79bcab0f073868079d807faec669596dc46c1

      SHA256

      acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

      SHA512

      a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\down[1]

      Filesize

      748B

      MD5

      c4f558c4c8b56858f15c09037cd6625a

      SHA1

      ee497cc061d6a7a59bb66defea65f9a8145ba240

      SHA256

      39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

      SHA512

      d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\httpErrorPagesScripts[1]

      Filesize

      11KB

      MD5

      9234071287e637f85d721463c488704c

      SHA1

      cca09b1e0fba38ba29d3972ed8dcecefdef8c152

      SHA256

      65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

      SHA512

      87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

    • C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

      Filesize

      168B

      MD5

      e7efc2c945a798b4dab3fe50f1524592

      SHA1

      0bb937ccd89e40c91c0e58b376873ef909fe805b

      SHA256

      624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

      SHA512

      e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

    • C:\Users\Admin\AppData\Local\Temp\advsec32.dll

      Filesize

      4KB

      MD5

      3adea70969f52d365c119b3d25619de9

      SHA1

      d303a6ddd63ce993a8432f4daab5132732748843

      SHA256

      c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

      SHA512

      c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

    • C:\Users\Admin\AppData\Local\Temp\bot.log

      Filesize

      2KB

      MD5

      8e212694348776ed5863f6ca7668ef75

      SHA1

      9be15852ea8def700c788dd9d7eaf877431879cd

      SHA256

      6aa01ca893cbba618ef84a6bc038119bd53b5f14bfa502d78e1b8275d89d1117

      SHA512

      6da0334c8d1dde4b9603f1fd9e751b64bcb19e24d0d690b64ed80632f455a34f3eae0695b4a87f3d78be8077b5aa48356973eb9e795869240795c145427a5511

    • C:\Users\Admin\AppData\Local\Temp\bot.log

      Filesize

      5KB

      MD5

      243eb2b5da3cc18aadbe659500973d57

      SHA1

      c0ffe5e82cdbe3a7f0682510a02916836c7de6d8

      SHA256

      b3085e476db7fd21441e0454dc106483871479a003df4dd2a272e6c553241853

      SHA512

      c126cc3e3fbde0321fdf4e95536c7a0fe351436f3efe2ca2d61877f02ac6886ea0e329d1243d2f09830d66c606de86dca6a36cae2fee709e86c46644363b2731

    • C:\Users\Admin\AppData\Local\Temp\fwcprocfwc.exe

      Filesize

      104KB

      MD5

      bf839cb54473c333b2c151ad627eb39f

      SHA1

      34af1909ec77d2c3878724234b9b1e3141c91409

      SHA256

      d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

      SHA512

      23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

    • C:\Users\Admin\AppData\Local\Temp\smss.exe

      Filesize

      18KB

      MD5

      b3624dd758ccecf93a1226cef252ca12

      SHA1

      fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

      SHA256

      4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

      SHA512

      c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

    • C:\Users\Admin\AppData\Local\Temp\win5.tmp

      Filesize

      240B

      MD5

      ee926df00618b73a370f2dbcbe19ebeb

      SHA1

      eb775efca19c657d4cc02d21190db4f522ae750d

      SHA256

      6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

      SHA512

      6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

    • C:\Windows\SysWOW64\dnssvcpptp.exe

      Filesize

      1.6MB

      MD5

      fe079c4129d51477df121333b64bbcd7

      SHA1

      0f5806f04a5376b372ad55a8ef5050dc8f815aed

      SHA256

      13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74

      SHA512

      31787f83322a4f0fb919b630d5b05c28398ca4cbbac3965af6852417e7b2ef1362083a7edff5b984131e5de97e9ff707047ca4955bf1ea21ac92f2a51a5bffbf

    • memory/3944-261-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

    • memory/3944-242-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

    • memory/3944-0-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB