Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 03:05
Behavioral task: behavioral1
Sample: f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
Resource: win7-20231129-en
General
- Target: f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
- Size: 276KB
- MD5: f95d0beafe5a035fb1cd6073ae4a76ae
- SHA1: 5969347c5b1f4156091b54edc834c997054cef82
- SHA256: c073ec3681528b4bd6e140629e8f90d73b877755c1f49fc57903890976f6aaf8
- SHA512: 3205e94f491f6032b33aa00ec78a37a07b02e08c308a1172d6b7b5605d6acd9d07d8bb36bd86d60d27147cb9496d9d37aff84e81d79363e5d59385c5ca0579b0
- SSDEEP: 6144:Hk4qmM6KhriUJ5qPFYLSuq0MFGsPIkEkaeXt8rCVgPm:E9XrrEYLlJUIk3X6+S
Malware Config
Extracted
cybergate
2.6
Powers
hackersgratis.no-ip.biz:1338
hackersgratis.no-ip.biz:81
hackersgratis.no-ip.biz:1533
***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Win32
- install_file: services.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: 59255433
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Services = "C:\\Windows\\system32\\Win32\\services.exe" | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe Restart" | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P}\StubPath = "C:\\Windows\\system32\\Win32\\services.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SP84K854-82M2-7826-QAU6-U0D7RQIRD20P} | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1564 | services.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4092-0-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/4092-4-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/4092-64-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/2484-68-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/2484-69-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
C:\Windows\SysWOW64\Win32\services.exe | upx
behavioral2/memory/1720-75-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/4092-90-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1720-138-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
behavioral2/memory/4092-137-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1564-157-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/2484-159-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/1720-1281-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
-
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\Win32\services.exe | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Win32\services.exe | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Win32\services.exe | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Win32\ | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3324 | 1564 | WerFault.exe | services.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
4092 | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
4092 | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1720 | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1720 | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
Token: SeDebugPrivilege | 1720 | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4092 | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4092 wrote to memory of 3444 | 4092 | f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe | Explorer.EXE
(this identical entry is listed 64 times in the report)
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe
         Command line: explorer.exe
         - Modifies Installed Components in the registry
      3. C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\f95d0beafe5a035fb1cd6073ae4a76ae_JaffaCakes118.exe"
         - Checks computer location settings
         - Drops file in System32 directory
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\Win32\services.exe
            Command line: "C:\Windows\system32\Win32\services.exe"
            - Executes dropped EXE
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 572
               - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1564 -ip 1564
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads