Analysis
-
max time kernel
139s
-
max time network
128s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240419-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
29-04-2024 12:53
Static task
static1
Behavioral task
behavioral1
Sample
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
IP.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
IP.dll
Resource
win10v2004-20240419-en
General
-
Target
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
-
Size
271KB
-
MD5
07b60dc343df2ab67d7a586d0a6a5be2
-
SHA1
cbf0ca5122b96ec8680c227b3b65ebb4a5a01c63
-
SHA256
64e167683e619a5c5bb9e13852cd1908ddebc7505f4074f53327b48d14538f1f
-
SHA512
65f28520985972538dea9d6536d64a7e49278f588ff1bc04a0dcacc2be532a291285735a8fdf4749ad16c9234a557cf91114088284b6cd2051e65be18915ed4e
-
SSDEEP
6144:Kn/L+GOmoEQ7m/7QPaNCIWGdsJFccfBvWlMdrauk+EsaI+tckmat9c9CP:0zOmoYQPssccfD9Nk+RaIBat97P
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\README.hta
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Contacts a large (529) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation
-
Loads dropped DLL 3 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe (PID 1396)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA15C.bmp"
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
PID 1396 set thread context of 1176 (process: 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe, target process: 07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe)
-
Drops file in Program Files directory 6 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE
File created: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\README.hta
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE
-
Drops file in Windows directory 2 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
File opened for modification: C:\Windows\shellfishes
File opened for modification: C:\Windows\cosset
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe (PID 4636)
-
Modifies registry class 1 IoCs
Processes:
07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
Key created: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 49 IoCs
Suspicious use of WriteProcessMemory 23 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe" (level 1)
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe" (level 2)
- Checks computer location settings
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" (level 3)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete (level 4)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} (level 3)
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" (level 3)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe
taskkill /f /im "07b60dc343df2ab67d7a586d0a6a5be2_JaffaCakes118.exe" (level 4)
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1 (level 4)
- Runs ping.exe
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe (level 1)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4e8 (level 1)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsn4DF2.tmp\System.dll
Filesize
11KB
-
C:\Users\Admin\AppData\Roaming\IP.dll
Filesize
89KB
-
C:\Users\Admin\AppData\Roaming\LollCassock.c
Filesize
188KB
-
C:\Users\Admin\AppData\Roaming\README.hta
Filesize
60KB
-
C:\Users\Admin\AppData\Roaming\error_1.png
Filesize
3KB
-
C:\Users\Admin\AppData\Roaming\error_x.png
Filesize
3KB