Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2024, 12:02

General

  • Target

    216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    216ca65ab4e45f62e1feb9ec72cadaf0

  • SHA1

    4c15261de134999b8ddc318886057fb4ea7517e6

  • SHA256

    cbf4704f11c6d4a57c374d2333f76eacef1d8ed7929a1af1f43ed4e5eaabf958

  • SHA512

    62dfea4e8b38802c9163fddc92904fcfaad70a05310433ec55c6e4d69d014a086f981756d415aeaa9540b399b00b82cc19db096cf563e8045fb986e38fe1694f

  • SSDEEP

    24576:NKoFi8yx1uJVsxu/XvcAcb5UPWbApAQCVZPkTfvAGBQDQYr2bs:NKiiPx1oVsUfcVFU+bApqVebHBQsYC

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

  • ISR Stealer payload 4 IoCs
  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 44 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\AppData\Roaming\WhTX.exe
        "C:\Users\Admin\AppData\Roaming\WhTX.exe" "C:\Users\Admin\AppData\Roaming\iXZCO"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1148
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\RWZ2VMBvk6.ini"
            5⤵
              PID:2792
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 80
                6⤵
                • Program crash
                PID:3656
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\9Vv8IqpyQr.ini"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4960
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3324
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\5EUAPpKuc9.ini"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:728
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\FYkjEt8chL.ini"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:1956
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4512
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\Nku1ZAn7Cj.ini"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3148
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\KdUeDnut6U.ini"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4112
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2768
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\TmjcVD7lUD.ini"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1996
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\ppoq2zG34I.ini"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:1044
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:856
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\YrSWU7t2tM.ini"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4640
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\381xZsBU4E.ini"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:3968
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3216
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\NAKgk3n4X9.ini"
              5⤵
                PID:4848
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 80
                  6⤵
                  • Program crash
                  PID:212
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\ti0qM6kA1T.ini"
                5⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:2944
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              4⤵
                PID:1064
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1060
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\1rFoeWw2PC.ini"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:3956
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\OuK3BI5KzG.ini"
                  5⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:3240
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:116
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\7wyjdQiJoL.ini"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:3920
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\81smreuDB5.ini"
                  5⤵
                    PID:3296
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 80
                      6⤵
                      • Program crash
                      PID:4928
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  4⤵
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1336
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\OSOZnlAWPv.ini"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:3452
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\ATuRYcsaDU.ini"
                    5⤵
                    • Accesses Microsoft Outlook accounts
                    • System Location Discovery: System Language Discovery
                    PID:4412
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  4⤵
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2528
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\UVEAjoUAgP.ini"
                    5⤵
                      PID:3924
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 80
                        6⤵
                        • Program crash
                        PID:892
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      /scomma "C:\Users\Admin\AppData\Local\Temp\CUaGWH7CMA.ini"
                      5⤵
                      • Accesses Microsoft Outlook accounts
                      • System Location Discovery: System Language Discovery
                      PID:1636
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    4⤵
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1704
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      /scomma "C:\Users\Admin\AppData\Local\Temp\OHWU7c7y6c.ini"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:1560
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      /scomma "C:\Users\Admin\AppData\Local\Temp\h6Oz0xjU63.ini"
                      5⤵
                      • Accesses Microsoft Outlook accounts
                      • System Location Discovery: System Language Discovery
                      PID:4864
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    4⤵
                      PID:4104
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      4⤵
                        PID:1492
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        4⤵
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:1220
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\0Ab2Fznhgd.ini"
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:4292
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\HgcOUL0G0h.ini"
                          5⤵
                          • Accesses Microsoft Outlook accounts
                          • System Location Discovery: System Language Discovery
                          PID:3632
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        4⤵
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:1380
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\4taVW4iOIk.ini"
                          5⤵
                            PID:2036
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 80
                              6⤵
                              • Program crash
                              PID:1164
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\mswbKYLQxV.ini"
                            5⤵
                              PID:4988
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 80
                                6⤵
                                • Program crash
                                PID:2892
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                            4⤵
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:2656
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                              /scomma "C:\Users\Admin\AppData\Local\Temp\RqXClRSkX5.ini"
                              5⤵
                                PID:2292
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 80
                                  6⤵
                                  • Program crash
                                  PID:2944
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                /scomma "C:\Users\Admin\AppData\Local\Temp\UDYyWvIICH.ini"
                                5⤵
                                • Accesses Microsoft Outlook accounts
                                • System Location Discovery: System Language Discovery
                                PID:4052
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                              4⤵
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:5080
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                /scomma "C:\Users\Admin\AppData\Local\Temp\dMowoMVAa0.ini"
                                5⤵
                                  PID:4012
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 80
                                    6⤵
                                    • Program crash
                                    PID:4724
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2792 -ip 2792
                          1⤵
                            PID:2368
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4848 -ip 4848
                            1⤵
                              PID:2476
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3296 -ip 3296
                              1⤵
                                PID:1152
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3924 -ip 3924
                                1⤵
                                  PID:4704
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2036 -ip 2036
                                  1⤵
                                    PID:2244
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4988 -ip 4988
                                    1⤵
                                      PID:2368
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2292 -ip 2292
                                      1⤵
                                        PID:2900
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012
                                        1⤵
                                          PID:516

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Temp\5EUAPpKuc9.ini

                                          Filesize

                                          5B

                                          MD5

                                          d1ea279fb5559c020a1b4137dc4de237

                                          SHA1

                                          db6f8988af46b56216a6f0daf95ab8c9bdb57400

                                          SHA256

                                          fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

                                          SHA512

                                          720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE

                                          Filesize

                                          1.8MB

                                          MD5

                                          98c4f8e6cbf337a38504887861d63714

                                          SHA1

                                          a8988859b8d4b976680ee35c3598289fefdbc875

                                          SHA256

                                          6441cf49b87dc4b5e43fcbbf20c12efef3ba2ad9aebc4fbe10ac22c341ea67f2

                                          SHA512

                                          d5c316b36360576dfbffb53f513c618bfadff33f670878ccb4f46f3965c8ca308e8843be6d5ef942f04eb31277ae63a830662e156afe323b88d90592850af8fd

                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WhTX1

                                          Filesize

                                          915KB

                                          MD5

                                          4744edba858885bfe4d513e5ba6030ac

                                          SHA1

                                          7706ebc3097465571daf5bc0c26721a79e8b50c2

                                          SHA256

                                          b71c08e936ab72a27a822e2984a60e798591d2b71b352875f6aede464245724b

                                          SHA512

                                          14cf08f1227f320e36ed9b50de68fffea72393f59b921e81ad987f8cd19d9b3766f601063df474b99b6b948a8431232c900577ab633a3d8f13de0b2f69a36685

                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iXZCO

                                          Filesize

                                          492KB

                                          MD5

                                          af639e2097d320f5f1ab120d810da850

                                          SHA1

                                          2bd6e743fd19ce4c581cc53ab91314d45abf6044

                                          SHA256

                                          9e46e54f04d7a8642419db4f3e6d891476d2e1ddd2c339a2e87f82d11be221cc

                                          SHA512

                                          e5ea9c6b372be020eafe33214d1bdcb12358dbe2f47f63ca70039c1863a588d78a233478bb3712ef7ad7228f84470ec9aec34b2d1f50429cf7931760d3effb1c

                                        • C:\Users\Admin\AppData\Roaming\WhTX.exe

                                          Filesize

                                          915KB

                                          MD5

                                          b06e67f9767e5023892d9698703ad098

                                          SHA1

                                          acc07666f4c1d4461d3e1c263cf6a194a8dd1544

                                          SHA256

                                          8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

                                          SHA512

                                          7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

                                        • C:\Users\Admin\AppData\Roaming\iXZCO

                                          Filesize

                                          369KB

                                          MD5

                                          3fcf27371696b46d07890a695f75f394

                                          SHA1

                                          bc58d4d7e64925b273acb91d9a15f9da62efc845

                                          SHA256

                                          9d0d58afacd8a5b08c2c8d0be5eee42f75d148d8de42b49914f8a390fbcf05ca

                                          SHA512

                                          06b5fc740bfe94520dbe349cb42e957cf0cd05c80224fb53b341b86d1eb101f6706fcd7234bbc06ce4ad8333010eab427685d5184031cb4e441de88d3929b896

                                        • memory/728-45-0x0000000000400000-0x0000000000453000-memory.dmp

                                          Filesize

                                          332KB

                                        • memory/728-49-0x0000000000400000-0x0000000000453000-memory.dmp

                                          Filesize

                                          332KB

                                        • memory/728-48-0x0000000000400000-0x0000000000453000-memory.dmp

                                          Filesize

                                          332KB

                                        • memory/728-46-0x0000000000400000-0x0000000000453000-memory.dmp

                                          Filesize

                                          332KB

                                        • memory/1148-28-0x0000000000400000-0x0000000000442000-memory.dmp

                                          Filesize

                                          264KB

                                        • memory/1148-39-0x0000000000400000-0x0000000000442000-memory.dmp

                                          Filesize

                                          264KB

                                        • memory/1148-40-0x0000000000400000-0x0000000000442000-memory.dmp

                                          Filesize

                                          264KB

                                        • memory/1148-30-0x0000000000400000-0x0000000000442000-memory.dmp

                                          Filesize

                                          264KB

                                        • memory/1956-53-0x0000000000400000-0x000000000041F000-memory.dmp

                                          Filesize

                                          124KB

                                        • memory/1956-55-0x0000000000400000-0x000000000041F000-memory.dmp

                                          Filesize

                                          124KB

                                        • memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp

                                          Filesize

                                          124KB

                                        • memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp

                                          Filesize

                                          124KB

                                        • memory/4960-37-0x0000000000400000-0x000000000041F000-memory.dmp

                                          Filesize

                                          124KB

                                        • memory/4960-35-0x0000000000400000-0x000000000041F000-memory.dmp

                                          Filesize

                                          124KB

                                        • memory/4960-34-0x0000000000400000-0x000000000041F000-memory.dmp

                                          Filesize

                                          124KB