Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 07:30

Static task: static1
Behavioral task: behavioral1
- Sample: 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
- Size: 115KB
- MD5: 040b4afe44ae7bb9ebe08445c2bed93a
- SHA1: 9e4ed8f203c42ee51432b61c45b8d53eb939c2b0
- SHA256: 1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
- SHA512: a319c52ed39875b0337217954d9fc34c9d4aca705d8875e8cfc11020bc21114eda589b20c399c5dd92544bccf7b4ab42919b67673b6f7e3e1d8fb2b285f77205
- SSDEEP: 1536:+qoBQ+Utg3KQ0wxuWz00gzbqOMxpYb2f1AE39/UIf0E1+AQcyQ7u29qkbGNkjbQ2:+q6cmxu9QYgptQE1z9RykjbnKVn5+
Malware Config
Extracted
- Family: metasploit
- encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies security service (2 TTPs, 20 IoCs)
  Processes: regedit.exe (10 instances)
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe (10 entries)
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe (10 entries)
- Executes dropped EXE (10 IoCs)
  PID | Process
  3396 | windeft.exe
  1412 | windeft.exe
  1636 | windeft.exe
  2916 | windeft.exe
  1264 | windeft.exe
  2352 | windeft.exe
  1100 | windeft.exe
  2896 | windeft.exe
  1072 | windeft.exe
  3792 | windeft.exe
- Drops file in System32 directory (22 IoCs)
  Processes: windeft.exe (10 instances), 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\windeft.exe | 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe (1 entry)
  File opened for modification | C:\Windows\SysWOW64\windeft.exe | 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe (1 entry)
  File created | C:\Windows\SysWOW64\windeft.exe | windeft.exe (10 entries)
  File opened for modification | C:\Windows\SysWOW64\windeft.exe | windeft.exe (10 entries)
- Runs .reg file with regedit (10 IoCs)
  PID | Process
  4736 | regedit.exe
  5068 | regedit.exe
  2984 | regedit.exe
  556 | regedit.exe
  4864 | regedit.exe
  3312 | regedit.exe
  3312 | regedit.exe
  2824 | regedit.exe
  4320 | regedit.exe
  2212 | regedit.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe, windeft.exe (7 instances), cmd.exe (7 instances)
  Each parent-to-child write below is recorded three times in the report, except the last one, where the 64-IoC list ends.
  PID | Process | Target PID | Target process
  4876 | 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | 3964 | cmd.exe
  4876 | 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe | 3396 | windeft.exe
  3396 | windeft.exe | 2700 | cmd.exe
  3964 | cmd.exe | 2212 | regedit.exe
  3396 | windeft.exe | 1412 | windeft.exe
  1412 | windeft.exe | 2632 | cmd.exe
  2632 | cmd.exe | 4864 | regedit.exe
  1412 | windeft.exe | 1636 | windeft.exe
  1636 | windeft.exe | 4440 | cmd.exe
  4440 | cmd.exe | 3312 | regedit.exe
  1636 | windeft.exe | 2916 | windeft.exe
  2916 | windeft.exe | 4320 | cmd.exe
  4320 | cmd.exe | 556 | regedit.exe
  2916 | windeft.exe | 1264 | windeft.exe
  1264 | windeft.exe | 4128 | cmd.exe
  4128 | cmd.exe | 3312 | regedit.exe
  1264 | windeft.exe | 2352 | windeft.exe
  2352 | windeft.exe | 1508 | cmd.exe
  1508 | cmd.exe | 4736 | regedit.exe
  2352 | windeft.exe | 1100 | windeft.exe
  1100 | windeft.exe | 2984 | cmd.exe
  2984 | cmd.exe | 5068 | regedit.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regedit.exe
      Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      Signatures: Modifies security service; Runs .reg file with regedit
  - C:\Windows\SysWOW64\windeft.exe
    Command line: C:\Windows\system32\windeft.exe 1048 "C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
    - C:\Windows\SysWOW64\windeft.exe
      Command line: C:\Windows\system32\windeft.exe 1172 "C:\Windows\SysWOW64\windeft.exe"
      Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\regedit.exe
          Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          Signatures: Modifies security service; Runs .reg file with regedit
      - C:\Windows\SysWOW64\windeft.exe
        Command line: C:\Windows\system32\windeft.exe 1140 "C:\Windows\SysWOW64\windeft.exe"
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\regedit.exe
            Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            Signatures: Modifies security service; Runs .reg file with regedit
        - C:\Windows\SysWOW64\windeft.exe
          Command line: C:\Windows\system32\windeft.exe 1148 "C:\Windows\SysWOW64\windeft.exe"
          Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\regedit.exe
              Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              Signatures: Modifies security service; Runs .reg file with regedit
          - C:\Windows\SysWOW64\windeft.exe
            Command line: C:\Windows\system32\windeft.exe 1144 "C:\Windows\SysWOW64\windeft.exe"
            Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
              Signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\regedit.exe
                Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                Signatures: Modifies security service; Runs .reg file with regedit
            - C:\Windows\SysWOW64\windeft.exe
              Command line: C:\Windows\system32\windeft.exe 1152 "C:\Windows\SysWOW64\windeft.exe"
              Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
                Signatures: Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\regedit.exe
                  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  Signatures: Modifies security service; Runs .reg file with regedit
              - C:\Windows\SysWOW64\windeft.exe
                Command line: C:\Windows\system32\windeft.exe 1156 "C:\Windows\SysWOW64\windeft.exe"
                Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
                  Signatures: Suspicious use of WriteProcessMemory
                  - C:\Windows\SysWOW64\regedit.exe
                    Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    Signatures: Modifies security service; Runs .reg file with regedit
                - C:\Windows\SysWOW64\windeft.exe
                  Command line: C:\Windows\system32\windeft.exe 1164 "C:\Windows\SysWOW64\windeft.exe"
                  Signatures: Executes dropped EXE; Drops file in System32 directory
                  - C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
                    - C:\Windows\SysWOW64\regedit.exe
                      Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      Signatures: Modifies security service; Runs .reg file with regedit
                  - C:\Windows\SysWOW64\windeft.exe
                    Command line: C:\Windows\system32\windeft.exe 1168 "C:\Windows\SysWOW64\windeft.exe"
                    Signatures: Executes dropped EXE; Drops file in System32 directory
                    - C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
                      - C:\Windows\SysWOW64\regedit.exe
                        Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        Signatures: Modifies security service; Runs .reg file with regedit
                    - C:\Windows\SysWOW64\windeft.exe
                      Command line: C:\Windows\system32\windeft.exe 1160 "C:\Windows\SysWOW64\windeft.exe"
                      Signatures: Executes dropped EXE; Drops file in System32 directory
                      - C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c c:\a.bat
                        - C:\Windows\SysWOW64\regedit.exe
                          Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          Signatures: Modifies security service; Runs .reg file with regedit
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.reg (3KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (3KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (3KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (1KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (2KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (431B)
- C:\Users\Admin\AppData\Local\Temp\1.reg (1KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (1KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (784B)
- C:\Users\Admin\AppData\Local\Temp\1.reg (1KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (1KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (849B)
- C:\Users\Admin\AppData\Local\Temp\1.reg (1KB)
- C:\Users\Admin\AppData\Local\Temp\1.reg (3KB)
- C:\Windows\SysWOW64\windeft.exe (115KB)
- \??\c:\a.bat (5KB)