Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 20-06-2024 04:22
Static task: static1
Behavioral task: behavioral1
Sample: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe
Size: 634KB
MD5: 02c4b6e40fc09f1b6f3f46f9ca3cfc54
SHA1: 6813da903e8ee79d0c4f5bf7233f94a1f96823de
SHA256: 306d7d3c607c8373dc7c2f009c2824341df681f53467f87321b58c239831b872
SHA512: f269f25b4e022bce481a219bb058fd014c4b1874df095b57637dcfc856651b08bf15d09440d1fb92b7df15d16700a58827c1d755989e6ad0df8fb9e87d45a740
SSDEEP: 12288:Xfo/8q6XQur1qc8EspW8/iFBm0BXY2X1L3GYXmXK8+:Xf5yispxz0lPVGt+
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 22 IoCs
Processes: regedit.exe
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: regedit.exe)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" (process: regedit.exe)
-
Executes dropped EXE 10 IoCs
Processes: torwin32.exe
pid: 1936, 308, 2880, 804, 620, 1628, 264, 772, 872, 1348 (process: torwin32.exe)
-
Loads dropped DLL 20 IoCs
Processes: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe, torwin32.exe
pid: 2964 (process: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe)
pid: 1936, 308, 2880, 804, 620, 1628, 264, 772, 872 (process: torwin32.exe)
-
Drops file in System32 directory 22 IoCs
Processes: torwin32.exe, 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe
File created: C:\Windows\SysWOW64\torwin32.exe (process: torwin32.exe)
File opened for modification: C:\Windows\SysWOW64\torwin32.exe (process: torwin32.exe)
File created: C:\Windows\SysWOW64\torwin32.exe (process: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe)
File opened for modification: C:\Windows\SysWOW64\torwin32.exe (process: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe)
-
Runs .reg file with regedit 11 IoCs
Processes: regedit.exe
pid: 1664, 896, 1552, 2212, 1380, 2772, 788, 2780, 2184, 2764, 3068 (process: regedit.exe)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe, cmd.exe, torwin32.exe
PID 2964 (02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe) wrote to memory of 2624 (cmd.exe)
PID 2964 (02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe) wrote to memory of 1936 (torwin32.exe)
PID 2624 (cmd.exe) wrote to memory of 1664 (regedit.exe)
PID 1936 (torwin32.exe) wrote to memory of 916 (cmd.exe)
PID 916 (cmd.exe) wrote to memory of 1380 (regedit.exe)
PID 1936 (torwin32.exe) wrote to memory of 308 (torwin32.exe)
PID 308 (torwin32.exe) wrote to memory of 2220 (cmd.exe)
PID 2220 (cmd.exe) wrote to memory of 896 (regedit.exe)
PID 308 (torwin32.exe) wrote to memory of 2880 (torwin32.exe)
PID 2880 (torwin32.exe) wrote to memory of 2524 (cmd.exe)
PID 2524 (cmd.exe) wrote to memory of 2772 (regedit.exe)
PID 2880 (torwin32.exe) wrote to memory of 804 (torwin32.exe)
PID 804 (torwin32.exe) wrote to memory of 1688 (cmd.exe)
PID 1688 (cmd.exe) wrote to memory of 788 (regedit.exe)
PID 804 (torwin32.exe) wrote to memory of 620 (torwin32.exe)
PID 620 (torwin32.exe) wrote to memory of 2208 (cmd.exe)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[2] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 672 "C:\Users\Admin\AppData\Local\Temp\02c4b6e40fc09f1b6f3f46f9ca3cfc54_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[3] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 700 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
- Suspicious use of WriteProcessMemory
-
[5] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[4] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 704 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
[5] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
- Suspicious use of WriteProcessMemory
-
[6] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[5] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 696 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
[6] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
- Suspicious use of WriteProcessMemory
-
[7] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[6] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 712 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
[7] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
-
[8] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[7] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 692 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
[8] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
-
[9] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[8] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 720 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
[9] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
-
[10] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[9] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 708 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
[10] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
-
[11] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[10] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 728 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
[11] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
-
[12] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
-
[11] C:\Windows\SysWOW64\torwin32.exe
command line: C:\Windows\system32\torwin32.exe 716 "C:\Windows\SysWOW64\torwin32.exe"
- Executes dropped EXE
- Drops file in System32 directory
-
[12] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c c:\a.bat
-
[13] C:\Windows\SysWOW64\regedit.exe
command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
- Modifies security service
- Runs .reg file with regedit
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads