Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 01:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe
- Size: 953KB
- MD5: 85ab2898cb89505c95021511b1cc04ad
- SHA1: e2813e59a5061b26071968546d3a2e229184afe0
- SHA256: f08a007d5bb495d7caf8ce9a3244438e11edb3f2d44df754cb53526d78992172
- SHA512: 1416f61117d8180c7ade6a47148256869a82362e6f8b5a5db60ddb25bc6ffcf74ea6a5798cf29452d915b200e5a2b67ea09e7f0ad63b49bbd00ec0c9f15d571e
- SSDEEP: 24576:92O/GltkwWhpEO4BZPKOnrG89C51wfwmxhKbH3rUO46GIM:lI768sQwmxUT3iAM
Malware Config
Extracted
nanocore
1.2.2.0
franex.sytes.net:19055
franexserve.duckdns.org:19055
b419eeae-0d79-4132-aae3-286d9a62a602
- activate_away_mode: true
- backup_connection_host: franexserve.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-08-08T22:26:34.089187836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 19055
- default_group: franex
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: b419eeae-0d79-4132-aae3-286d9a62a602
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: franex.sytes.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes: mkk.exe, mkk.exe
pid | process
2340 | mkk.exe
1796 | mkk.exe

Loads dropped DLL (5 IoCs)
Processes: 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe, mkk.exe
pid | process
2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe
2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe
2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe
2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe
2340 | mkk.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: mkk.exe, RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\mkk.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\\\kkd=bqt" | mkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: mkk.exe
description | pid | process | target process
PID 1796 set thread context of 2100 | 1796 | mkk.exe | RegSvcs.exe

Drops file in Program Files directory (2 IoCs)
Processes: RegSvcs.exe
description | ioc | process
File created | C:\Program Files (x86)\ISS Host\isshost.exe | RegSvcs.exe
File opened for modification | C:\Program Files (x86)\ISS Host\isshost.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes: mkk.exe, mkk.exe, RegSvcs.exe
pid | process
2340 | mkk.exe
1796 | mkk.exe
1796 | mkk.exe
1796 | mkk.exe
1796 | mkk.exe
1796 | mkk.exe
1796 | mkk.exe
1796 | mkk.exe
1796 | mkk.exe
2100 | RegSvcs.exe
2100 | RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: RegSvcs.exe
pid | process
2100 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 2100 | RegSvcs.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes: 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe, mkk.exe, mkk.exe
description | pid | process | target process
PID 2156 wrote to memory of 2340 | 2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe | mkk.exe
PID 2156 wrote to memory of 2340 | 2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe | mkk.exe
PID 2156 wrote to memory of 2340 | 2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe | mkk.exe
PID 2156 wrote to memory of 2340 | 2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe | mkk.exe
PID 2156 wrote to memory of 2340 | 2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe | mkk.exe
PID 2156 wrote to memory of 2340 | 2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe | mkk.exe
PID 2156 wrote to memory of 2340 | 2156 | 85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe | mkk.exe
PID 2340 wrote to memory of 1796 | 2340 | mkk.exe | mkk.exe
PID 2340 wrote to memory of 1796 | 2340 | mkk.exe | mkk.exe
PID 2340 wrote to memory of 1796 | 2340 | mkk.exe | mkk.exe
PID 2340 wrote to memory of 1796 | 2340 | mkk.exe | mkk.exe
PID 2340 wrote to memory of 1796 | 2340 | mkk.exe | mkk.exe
PID 2340 wrote to memory of 1796 | 2340 | mkk.exe | mkk.exe
PID 2340 wrote to memory of 1796 | 2340 | mkk.exe | mkk.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe
PID 1796 wrote to memory of 2100 | 1796 | mkk.exe | RegSvcs.exe

Processes

1. C:\Users\Admin\AppData\Local\Temp\85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe
   "C:\Users\Admin\AppData\Local\Temp\85ab2898cb89505c95021511b1cc04ad_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\68007679\mkk.exe
      "C:\Users\Admin\AppData\Local\Temp\68007679\mkk.exe" kkd=bqt
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\68007679\mkk.exe
         C:\Users\Admin\AppData\Local\Temp\68007679\mkk.exe C:\Users\Admin\AppData\Local\Temp\68007679\RNHDP
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads