Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:58
Static task
static1
Behavioral task
behavioral1
Sample
a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe
Resource
win7-20240611-en
General
Target: a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe
Size: 906KB
MD5: a39b7b6d3387114bbfba279dfe94fd59
SHA1: 8d8aa54719b7b9258184e1b5fdb962b26272d872
SHA256: deb290d1814ac220e75764aa0cb487a9e5e5b7d0704611b083f1e69b437e9131
SHA512: 59cce852cb32040219dbe9b9f47aea969dea9ee656c5bb96e177c6b8a20bf1d7e3ab5ea71bf141ae61f523dd666a16be06d1fe8ffc2eb64a6f08b3bb31e90484
SSDEEP: 24576:f2O/GlXajxQlqZHtl7VX2HTLlwmxhKbH3rUO46GEm4:I7Yl5X2zLlwmxUT3i/4
Malware Config
Extracted
nanocore
1.2.2.0
kgentle777.hopto.org:58887
kgentle77.duckdns.org:58887
a505bdab-59dd-476b-933f-8d85db4e0377
activate_away_mode: true
backup_connection_host: kgentle77.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-11-10T09:39:09.885360936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 58887
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: a505bdab-59dd-476b-933f-8d85db4e0377
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: kgentle777.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
Processes: ohg.exe, ohg.exe
  pid 2400, process ohg.exe
  pid 4240, process ohg.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: ohg.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdatejboy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74592994\\ohg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\74592994\\OMV_QB~1" (process ohg.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes: ohg.exe
  PID 4240 set thread context of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: ohg.exe, RegSvcs.exe
  pid 2400, process ohg.exe
  pid 2400, process ohg.exe
  pid 1596, process RegSvcs.exe
  pid 1596, process RegSvcs.exe
  pid 1596, process RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: RegSvcs.exe
  pid 1596, process RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: RegSvcs.exe
  Token: SeDebugPrivilege (pid 1596, process RegSvcs.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe, ohg.exe, ohg.exe
  PID 1232 wrote to memory of 2400 (pid 1232, process a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe, target process ohg.exe)
  PID 1232 wrote to memory of 2400 (pid 1232, process a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe, target process ohg.exe)
  PID 1232 wrote to memory of 2400 (pid 1232, process a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe, target process ohg.exe)
  PID 2400 wrote to memory of 4240 (pid 2400, process ohg.exe, target process ohg.exe)
  PID 2400 wrote to memory of 4240 (pid 2400, process ohg.exe, target process ohg.exe)
  PID 2400 wrote to memory of 4240 (pid 2400, process ohg.exe, target process ohg.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
  PID 4240 wrote to memory of 1596 (pid 4240, process ohg.exe, target process RegSvcs.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 1232

  C:\Users\Admin\AppData\Local\Temp\74592994\ohg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74592994\ohg.exe" omv=qba
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2400

    C:\Users\Admin\AppData\Local\Temp\74592994\ohg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\74592994\ohg.exe C:\Users\Admin\AppData\Local\Temp\74592994\XDARH
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4240

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 1596
Network
MITRE ATT&CK Enterprise v15
Downloads