Analysis
-
max time kernel
121s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
29-04-2024 12:53
Static task
static1
Behavioral task
behavioral1
Sample
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
IP.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
IP.dll
Resource
win10v2004-20240419-en
General
-
Target
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Size
271KB
-
MD5
07b60dc343df2ab67d7a586d0a6a5be2
-
SHA1
cbf0ca5122b96ec8680c227b3b65ebb4a5a01c63
-
SHA256
64e167683e619a5c5bb9e13852cd1908ddebc7505f4074f53327b48d14538f1f
-
SHA512
65f28520985972538dea9d6536d64a7e49278f588ff1bc04a0dcacc2be532a291285735a8fdf4749ad16c9234a557cf91114088284b6cd2051e65be18915ed4e
-
SSDEEP
6144:Kn/L+GOmoEQ7m/7QPaNCIWGdsJFccfBvWlMdrauk+EsaI+tckmat9c9CP:0zOmoYQPssccfD9Nk+RaIBat97P
Malware Config
Extracted
C:\Users\Admin\Music\README.hta
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
Processes:
mshta.exe
flow | pid | process
1544 | 1656 | mshta.exe
1546 | 1656 | mshta.exe
1548 | 1656 | mshta.exe
-
Contacts a large (517) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
Processes:
cmd.exe
pid | process
1988 | cmd.exe
-
Loads dropped DLL 3 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
pid | process
2380 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE772.bmp" | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
description | pid | process | target process
PID 2380 set thread context of 2552 | 2380 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Drops file in Windows directory 2 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\shellfishes | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File opened for modification | C:\Windows\cosset | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe
pid | process
1724 | taskkill.exe
-
Processes:
mshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
pid | process
2552 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
WMIC.exe
vssvc.exe
taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 2552 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2612 | WMIC.exe
Token: SeSecurityPrivilege | 2612 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2612 | WMIC.exe
Token: SeLoadDriverPrivilege | 2612 | WMIC.exe
Token: SeSystemProfilePrivilege | 2612 | WMIC.exe
Token: SeSystemtimePrivilege | 2612 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2612 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2612 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2612 | WMIC.exe
Token: SeBackupPrivilege | 2612 | WMIC.exe
Token: SeRestorePrivilege | 2612 | WMIC.exe
Token: SeShutdownPrivilege | 2612 | WMIC.exe
Token: SeDebugPrivilege | 2612 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2612 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2612 | WMIC.exe
Token: SeUndockPrivilege | 2612 | WMIC.exe
Token: SeManageVolumePrivilege | 2612 | WMIC.exe
Token: 33 | 2612 | WMIC.exe
Token: 34 | 2612 | WMIC.exe
Token: 35 | 2612 | WMIC.exe
Token: SeBackupPrivilege | 2568 | vssvc.exe
Token: SeRestorePrivilege | 2568 | vssvc.exe
Token: SeAuditPrivilege | 2568 | vssvc.exe
Token: SeDebugPrivilege | 1724 | taskkill.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mshta.exe
pid | process
1656 | mshta.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
cmd.exe
cmd.exe
description | pid | process | target process
PID 2380 wrote to memory of 2552 | 2380 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
PID 2552 wrote to memory of 2472 | 2552 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe | cmd.exe
PID 2472 wrote to memory of 2612 | 2472 | cmd.exe | WMIC.exe
PID 2552 wrote to memory of 1656 | 2552 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe | mshta.exe
PID 2552 wrote to memory of 1988 | 2552 | 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe | cmd.exe
PID 1988 wrote to memory of 1724 | 1988 | cmd.exe | taskkill.exe
PID 1988 wrote to memory of 3056 | 1988 | cmd.exe | PING.EXE
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe"
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 3)
"C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exe (depth 4)
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe (depth 3)
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe (depth 3)
"C:\Windows\system32\cmd.exe"
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe (depth 4)
taskkill /f /im "07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE (depth 4)
ping -n 1 127.0.0.1
- Runs ping.exe
-
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exe (depth 1)
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\LollCassock.c
Filesize
188KB
-
C:\Users\Admin\AppData\Roaming\error_1.png
Filesize
4KB
-
C:\Users\Admin\AppData\Roaming\error_x.png
Filesize
3KB
-
C:\Users\Admin\Music\README.hta
Filesize
60KB
-
\Users\Admin\AppData\Local\Temp\nst2444.tmp\System.dll
Filesize
11KB
-
\Users\Admin\AppData\Roaming\IP.dll
Filesize
89KB