Analysis

max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 00:50
Static task: static1
Behavioral task: behavioral1
Sample: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: 0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
Size: 428KB
MD5: 0081117561dbbe476ca7c53d931272eb
SHA1: c63c2af8e87297fa66b6fdd8898b50b64a0c2e23
SHA256: 69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42
SHA512: cee68886a6d82a16e992bd68e33453d23f71c615771a6ab38a3a4ce691d69d16b4e85fb0c0a2d15443f1920ee686e33d19a49ed87422648eba321fd907a27155
SSDEEP: 6144:Ibt2jtf5kORPWBqrqcGSDTE8snxL6SmyOI/z4JK8MtoBhO/Ilu+uzZ:HjXkk+QWcGSDTE99lOIr4Jhh5nuz
Malware Config

Extracted
Family: cybergate
Version: 2.6
Botnet: vítima (Portuguese: "victim")
C2: 127.0.0.1:81
C2: fenerli1907.no-ip.biz:81
Mutex: ***MUTEX***

Attributes
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_dir: windows
install_file: system.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem (Portuguese: "message text")
message_box_title: título da mensagem (Portuguese: "message title")
password: 1234
regkey_hkcu: HKCU
regkey_hklm: HKLM

Reading the config: the 127.0.0.1:81 entry is a loopback placeholder, so the only usable C2 is the dynamic-DNS host fenerli1907.no-ip.biz on port 81. install_dir and install_file give the drop path seen later in the report (<system directory>\windows\system.exe), and regkey_hkcu / regkey_hklm are the value names the sample writes under the Run keys, not hives. The mutex, password and message-box strings read like untouched builder placeholders. injected_process names svchost.exe, but the behavioral run below shows the payload being placed into vbc.exe instead, so do not hunt by the configured host process alone.
Signatures
-
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: vbc.exe
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe"
  Key created:     \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe"
Policies\Explorer\Run is the Group Policy run list. Explorer executes its entries at logon just like the ordinary Run key, but it is easy to miss when a hunt only covers Run and RunOnce, so check it under both HKLM and HKCU.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, vbc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe"  (explorer.exe)
  Key created:     \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}  (vbc.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe Restart"  (vbc.exe)
  Key created:     \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}  (explorer.exe)
Two details matter for hunting. The component name {4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} is not a GUID (it contains G, L, S, U, X and Y, which are not hex digits), so an Installed Components entry whose name fails a hex-GUID check is a cheap, high-confidence indicator. Active Setup runs StubPath once per user at logon whenever the matching HKCU Installed Components entry is absent or older, so this entry re-launches the implant for every profile that logs on. The writes land under Wow6432Node because the writing processes are 32-bit.
Executes dropped EXE (2 IoCs)
  PID 2964  0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe  (the copy under AppData\Roaming)
  PID 3696  system.exe
Loads dropped DLL (6 IoCs)
  PID 2116  0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe  (2 loads)
  PID 2964  0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe  (3 loads)
  PID 680   vbc.exe  (1 load)
The only DLL in the dropped-file list below is C:\Users\Admin\AppData\Local\Twain.dll (18KB).
YARA rule match: upx (10 IoCs)
  behavioral1/memory/2556-35-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-37-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-41-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-43-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-44-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-45-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-46-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-47-0x0000000000400000-0x0000000000459000-memory.dmp
  behavioral1/memory/2556-51-0x0000000024010000-0x0000000024072000-memory.dmp
  behavioral1/memory/2556-972-0x0000000000400000-0x0000000000459000-memory.dmp
Every match is in PID 2556, the vbc.exe instance that PID 2964 hollowed (see "Suspicious use of SetThreadContext" below). Microsoft's vbc.exe is not UPX-packed, so UPX code sitting at the 32-bit PE default image base 0x400000 inside that process is the payload the parent wrote into it, not the compiler.
Uses the VBS compiler for execution (1 TTP)
The host binary is C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, the Visual Basic .NET compiler (not the VBScript engine). It is a Microsoft-signed executable that the dropper launches only to overwrite it with its own code, so the signed image path says nothing about what is actually running in that process.
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows\\system.exe"  (vbc.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\rOaoWnZdErpjCyVqQVSdgvRSblgKZsMfaPuEFDIslsXkjzEGxX = "C:\\Users\\Admin\\AppData\\Local\\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"  (0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows\\system.exe"  (vbc.exe)
The value names HKCU and HKLM are the regkey_hkcu / regkey_hklm strings from the extracted config. The third value, written by the dropper itself under a random 50-character name, points at AppData\Local, whereas the copy that actually ran (and the one in the dropped-file list) is under AppData\Roaming; cover both locations when hunting.
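The three persistence signatures above (Policies\Explorer\Run, Active Setup and the Run keys) and the extracted config describe the same installation from two sides. The script below is an added example, not code from the sandbox or from the malware: it takes the registry events from this report as constructed tuples, derives the expected install path and Run value names from the config, and emits one alert per suspicious write, including a hex-GUID check on the Active Setup component name and the WOW64 path aliasing needed to find the dropped file on disk. The tuple layout (key, value name, data, writing process) and the rule names are my own, as is the benign Active Setup control line.

```python
"""Registry-persistence triage for the artifacts in this report.

Added example; not code from the sandbox or the malware. SAMPLE_EVENTS is
constructed from the 'Key created' / 'Set value (str)' rows in the Signatures
section, plus one benign control row (valid GUID, made up) so the rules have
something to ignore. Tuple layout: (key, value_name, data, writing_process).
"""
import re
from dataclasses import dataclass

# Values copied from the extracted CyberGate config above.
CONFIG = {"install_dir": "windows", "install_file": "system.exe",
          "regkey_hkcu": "HKCU", "regkey_hklm": "HKLM"}

# A genuine Active Setup component name is a GUID: hex digits only.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

SID = "S-1-5-21-2737914667-933161113-3798636211-1000"
INSTALLED = r"C:\Windows\system32\windows\system.exe"

SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "Policies", INSTALLED, "vbc.exe"),
    (r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" % SID,
     "Policies", INSTALLED, "vbc.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}",
     "StubPath", INSTALLED + " Restart", "vbc.exe"),
    (r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID,
     "HKCU", INSTALLED, "vbc.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "HKLM", INSTALLED, "vbc.exe"),
    (r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID,
     "rOaoWnZdErpjCyVqQVSdgvRSblgKZsMfaPuEFDIslsXkjzEGxX",
     r"C:\Users\Admin\AppData\Local\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe",
     "0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"),
    # Constructed benign control: valid GUID, ordinary installer.
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789ABC}",
     "StubPath", r"C:\Windows\system32\benign-setup.exe /user", "msiexec.exe"),
]


@dataclass
class Alert:
    rule: str
    key: str
    value_name: str
    detail: str


def expected_install_tail(cfg=CONFIG):
    """CyberGate writes <install_dir>\\<install_file> under the system directory."""
    return (cfg["install_dir"] + "\\" + cfg["install_file"]).lower()


def on_disk_candidates(path):
    """Paths a 32-bit writer's 'system32' string can land on under x64 Windows.

    WOW64 file-system redirection maps system32 to SysWOW64 for 32-bit
    processes, which is why the registry values here say system32 while the
    dropped file is listed under SysWOW64. Hunt both.
    """
    p = path.lower()
    if "\\windows\\system32\\" in p:
        return [p, p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")]
    return [p]


def triage(events, cfg=CONFIG):
    alerts = []
    tail = expected_install_tail(cfg)
    run_names = {cfg["regkey_hkcu"], cfg["regkey_hklm"]}
    for key, name, data, proc in events:
        k = key.lower()
        exe = data.lower().split(" ")[0]          # drop arguments such as "Restart"
        is_run_key = k.endswith("\\currentversion\\run")
        if "\\policies\\explorer\\run" in k:
            alerts.append(Alert("policy_run_key", key, name,
                                "Group Policy run list written by %s -> %s" % (proc, data)))
        elif "\\active setup\\installed components\\" in k and name.lower() == "stubpath":
            guid = key.rsplit("\\", 1)[1]
            if not GUID_RE.match(guid):
                alerts.append(Alert("active_setup_bogus_guid", key, name,
                                    "component name %s is not a GUID" % guid))
        elif is_run_key and name in run_names and exe.endswith(tail):
            alerts.append(Alert("run_key_matches_config", key, name,
                                "on-disk candidates: " + ", ".join(on_disk_candidates(exe))))
        elif is_run_key and "\\appdata\\" in exe:
            alerts.append(Alert("run_key_from_profile", key, name,
                                "autorun from user profile written by %s: %s" % (proc, data)))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print("[%s] %s\\%s: %s" % (a.rule, a.key, a.value_name, a.detail))
```

Feeding the same function Sysmon event 13 (RegistryEvent value set) records only requires mapping TargetObject and Details onto the tuple; the checks themselves do not depend on the sandbox's wording.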
Drops file in System32 directory (4 IoCs)
  File created:                  C:\Windows\SysWOW64\windows\system.exe  (vbc.exe)
  File opened for modification:  C:\Windows\SysWOW64\windows\system.exe  (vbc.exe)
  File opened for modification:  C:\Windows\SysWOW64\windows\system.exe  (vbc.exe)
  File opened for modification:  C:\Windows\SysWOW64\windows\  (vbc.exe)
The file lands in SysWOW64 even though every registry value references C:\Windows\system32\windows\system.exe: the writer is a 32-bit process on x64 Windows, so WOW64 file-system redirection maps its "system32" to SysWOW64. On a 32-bit host the same config would drop to C:\Windows\system32\windows\system.exe, so look for the windows\system.exe subdirectory under both.
Suspicious use of SetThreadContext (1 IoC)
  PID 2964 (0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe) set thread context of PID 2556 (vbc.exe)
Together with the eight WriteProcessMemory calls from 2964 into 2556 listed below, this is the visible part of process hollowing: the dropper starts vbc.exe, writes the UPX-packed payload over its image and points the main thread at it. The sandbox does not show the suspended creation or the unmap of the original image, so this is the indicator subset, not the full API sequence. Note that the config's injected_process (svchost.exe) is not what was observed; the hollowed host is vbc.exe.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2556  vbc.exe  (1 entry)
  PID 680   vbc.exe  (remaining 63 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 680  vbc.exe
Repeated GetForegroundWindow polling is consistent with the enabled keylogger (enable_keylogger: true) recording which window the captured keystrokes belong to.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 680  vbc.exe  Token: SeDebugPrivilege
  PID 680  vbc.exe  Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2556  vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2116 (0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe, Temp copy)     wrote to PID 2964 (0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe, Roaming copy)  4 times
  PID 2964 (0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe, Roaming copy)  wrote to PID 2556 (vbc.exe)  8 times
  PID 2556 (vbc.exe)  wrote to PID 1176 (Explorer.EXE)  the remaining 52 of the 64 listed entries
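The WriteProcessMemory and SetThreadContext tables above are only useful once they are correlated per (writer, target) pair. The script below is an added example, not code from the sandbox or the malware: it replays an event list constructed from this report's process tree and the two tables, classifies each pair (create + write + SetThreadContext as hollowing; writes into a process the writer did not create as injection into an existing process), walks the parentage back from the hollowed vbc.exe, and compares the observed hollow host with the config's injected_process value. The CreateProcess rows and the create/write/set-context ordering are assumed from the tree, since the report lists no timestamps.

```python
"""Cross-process write / thread-context correlation for the chain in this report.

Added example, not code from the sandbox. EVENTS is constructed from the process
tree and the WriteProcessMemory / SetThreadContext tables; the CreateProcess rows
and the ordering (create, write, set context) are assumptions, the report gives
no timestamps. Tuple layout: (api, source_pid, target_pid, target_image).
"""
from collections import defaultdict

EVENTS = (
    [("CreateProcess", 2116, 2964,
      r"C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe")]
    + [("WriteProcessMemory", 2116, 2964, None)] * 4
    + [("CreateProcess", 2964, 2556, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe")]
    + [("WriteProcessMemory", 2964, 2556, None)] * 8
    + [("SetThreadContext", 2964, 2556, None)]
    + [("WriteProcessMemory", 2556, 1176, r"C:\Windows\Explorer.EXE")] * 52
)


def classify(events):
    """Return (verdict, writer_pid, target_pid, target_image, write_count) per pair."""
    state = defaultdict(lambda: {"created": False, "writes": 0, "ctx": False, "image": None})
    for api, src, dst, image in events:
        s = state[(src, dst)]
        if image and not s["image"]:
            s["image"] = image
        if api == "CreateProcess":
            s["created"] = True
        elif api == "WriteProcessMemory":
            s["writes"] += 1
        elif api == "SetThreadContext":
            # Only meaningful once the writer has already put code into the target.
            s["ctx"] = s["writes"] > 0
    findings = []
    for (src, dst), s in state.items():
        if s["created"] and s["writes"] and s["ctx"]:
            # The sandbox does not expose CREATE_SUSPENDED or the unmap of the
            # original image, so this is the visible subset of hollowing.
            verdict = "process_hollowing"
        elif s["writes"] and not s["created"]:
            verdict = "injection_into_existing_process"
        elif s["writes"]:
            verdict = "write_into_own_child"
        else:
            continue
        findings.append((verdict, src, dst, s["image"], s["writes"]))
    return findings


def lineage(events, pid):
    """Walk CreateProcess edges from pid back to the first ancestor in the events."""
    parent = {dst: src for api, src, dst, _ in events if api == "CreateProcess"}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def hollow_hosts_not_in_config(findings, configured="svchost.exe"):
    """The config names an injected_process; report hollow hosts that differ from it."""
    hosts = set()
    for verdict, _, _, image, _ in findings:
        basename = image.rsplit("\\", 1)[-1].lower()
        if verdict == "process_hollowing" and basename != configured.lower():
            hosts.add(basename)
    return sorted(hosts)


if __name__ == "__main__":
    found = classify(EVENTS)
    for f in found:
        print(f)
    print("lineage of 2556:", lineage(EVENTS, 2556))
    print("hollow hosts not matching config:", hollow_hosts_not_in_config(found))
```

On real telemetry (Sysmon event 10 for the writes, an EDR hook for SetThreadContext) the same pairing logic applies; the point of keying on (writer, target) rather than on the API name alone is that 64 flat rows collapse to three relationships, one of which is hollowing.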
Processes (indented by parent/child depth; PIDs are those the signature tables attach to the process)

C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe | wininit.exe
  C:\Windows\system32\services.exe | C:\Windows\system32\services.exe
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs
      C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\taskhost.exe | "taskhost.exe"
    C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1793508553-352905866-2062955186-5258329257991145025581625121570511284606176835"
  C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-421556289-82603964123529799315784425791803808245186761579-1484572417-232962919"
C:\Windows\system32\winlogon.exe | winlogon.exe
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE  [PID 1176]
  C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"  [PID 2116]
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | "C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe"  [PID 2964]
      signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  [PID 2556, hollowed by PID 2964]
        signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe | explorer.exe
          signatures: Boot or Logon Autostart Execution: Active Setup
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"  [PID 680]
          signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\windows\system.exe | "C:\Windows\system32\windows\system.exe"  [PID 3696]
            signatures: Executes dropped EXE

The last entry shows the WOW64 redirection directly: the command line says system32, the image that actually ran is under SysWOW64. The second-stage chain is sample (Temp) -> self-copy (Roaming) -> hollowed vbc.exe -> second vbc.exe and a 32-bit explorer.exe -> the installed system.exe.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize: 240KB
  MD5: 6e4f978fe3aec19ca9498551e93678d0
  SHA1: bd74f4186eb34a6ec0bafc64617968c872079bad
  SHA256: 81e6cd1275a3df0184b02fcdb5bcb31d27bf56c8f22e7f62bd1d8a2bd1140308
  SHA512: 57448df1f3f494c2f3f1d7840ac2ee766f0ba2295a5a10fafb9c5560f66a3c17646a6bc4e53b928b999d8a00b78a83cb9b09686cc04e0a9df336d036037797f9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx (rewritten repeatedly; each version below is 8 bytes with different content)
  Filesize: 8B
  MD5: a3a2e3f09fa7ee0330ef356f5d00f5c8
  SHA1: 3d4a2a240bc7a85c5e648a7a10a823af8592a0ff
  SHA256: 5df5bbb4ff3e4650ea86ffd53e20eac6be8b3bfad693f2db666a92da7fdccc0a
  SHA512: 07bb2a186b8b548535e99cd91d0e5c05ead29e72732184f71045eb380b3c11a3256ed9686f3fb7fbcbaff1b7dab30fdc34a580c82fde0b44c7093be6ac71f352

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 6513e10a5d26a4b9af1cc219379d3932
  SHA1: 57774645fe2d760d0759b885328d9572a6acf767
  SHA256: 00d0d445b3534106abf6f2a2ce0f485f523035fa4585d0cc7922c6aec36e61c4
  SHA512: f5e5c5b66145fe3be3d1f03d8a51aa44a3716221c0ecdd596d19849c905be1a9b85359c017bb60d7f1e0aea054785de70929871f9bbb7c4cbc404229ea06956a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 3605d3cacab0677c0cf4c8f712beae0d
  SHA1: ae1c8b4c5347f9a257ea88574251b169550ecd4a
  SHA256: 3eff209ce8462413158b2d643d7daa17cd432d41923cb9fcce4a5201dc6c91bb
  SHA512: 945ba0f6e57fd0dc92ded78bc1dadb6030e5c01f9b47c24de5382404e735f89eb55b7660d98b88818cd51f5fb60f83c3f9ca4e004df30019365786b846f69e6b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 394c4c99d33de21667a4362729ec6a45
  SHA1: ae14afaba223202f85f9c0ace3b8d495c2bf0c36
  SHA256: ba9d07f4b2ccbdb5dead4addb899792efbc85284af12d093c0c80a3666ab6aed
  SHA512: 622c41b396058a655bf8f8399266b1caf15996b11ee948348b194dce5fff45f8f7286a43e3878dd8380e9cc6b6ca2a95a7115331768da7da066961706fde6415

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: abe16d92b9e6feb2098a22f95747028f
  SHA1: da99cbcc0cd0ac7acc5453234d77a00ed24ea7d3
  SHA256: 4d5c5d4702f1347c2411260e9ce9ea43089316071a25545a9c0266cb405763ad
  SHA512: a82ea2a7be3a8bb41db8c90660f94e94e2953e762c429c2edacaad60d7ecbe3d6b2e93ce52116f9df887cd6d7e5006a15fc660ee26ba1d912a67e3ac0f6b89bf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: b7e9b7c2773d1ba8848d001e6a51446e
  SHA1: 37195cdeb982a726582a212843a21e830a21d392
  SHA256: f207f7f2d5249cc1a1f79198fba39907592867d3dca334932bacf5744692f42f
  SHA512: 7bd4e9ac9f2820407e4b522c403eb728c67a25d8cfcbee1e139457db60a0d53e080aa6f93396d9393a64c109b37bb1b48870b733f5e9009dee75797595da8dd3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: c521edbff8ee66a2c4a13a9b9fd3bf7b
  SHA1: 5ee01bf076c6098db51a9eba89fc8d52493ebc54
  SHA256: 7379331c883aacfdbdc436a0bbf37dd8dd4dd66f85e299ad987321d9a042e9fb
  SHA512: bf7e6f2460371b82d782a9050f457e7558ac9535fa69df93a6c6d52eea69b920f38e93c1ac3fd16c459ecb82b00048df765505fe47c5b99c6a158612e56f779a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 65a1af38189c50777abc38e95acd0141
  SHA1: 4ea2671bd0ee30647136232b5a3d8fc42a9d2b8b
  SHA256: fce96eb675da522eff8d078967bb45522c1dacea353cdc42ee13b934da50cbab
  SHA512: c7b891fab45e4e5763d53e35624868a84e5a570734d7177e158de02f913efbeddb1f50b9fd2aa893b236a7aa3f9730a4bf19f6e2fdfd83bcd65d3debd9301c07

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: dfd40db1a5ac4e47f785fee37d988f4b
  SHA1: f8e002e340f9ff96d58299deda2a8ee9ebf9d4b8
  SHA256: 68f24c47110fd079e05f1a25f46e2b3445b868076892e0d9a2c6ddf6bad8652b
  SHA512: f89a000716aca411f77614b43dc579709870ff32bfde38638e1f255f8a01db211ed783306f1ac83e33f6a246823b5bd705de303e34c04c407c341f1247594264

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 52487f67988b549e9d67c87966c44ad3
  SHA1: d3847e3b32c9dbf4fdbbfbe1f8314680ae8f7faa
  SHA256: 59f314dfa2dae8dd5fd3073bcacf2c86401d6ea192811ee1295e3c206d9f1c0c
  SHA512: 485f29099743132f3e43a95c85bfb0d908cbb826b3ebdca00ff2e8cecca2d4170540835963d9bc035affc687d31a1f223db7547e221662b7e1f0edc8049489df

C:\Users\Admin\AppData\Local\Twain.dll
  Filesize: 18KB
  MD5: 2153e2d85da316a0fe302227e0f9af88
  SHA1: 48b334c27d604ce7d89c9c825d211d26427176cf
  SHA256: 645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0
  SHA512: 647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac

C:\Users\Admin\AppData\Roaming\logs.dat
  Filesize: 15B
  MD5: e21bd9604efe8ee9b59dc7605b927a2a
  SHA1: 3240ecc5ee459214344a1baac5c2a74046491104
  SHA256: 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
  SHA512: 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

C:\Windows\SysWOW64\windows\system.exe (the installed copy; at 1.1MB it is not a byte-for-byte copy of the 428KB dropper)
  Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe (identical hashes to the submitted sample: a self-copy)
  Filesize: 428KB
  MD5: 0081117561dbbe476ca7c53d931272eb
  SHA1: c63c2af8e87297fa66b6fdd8898b50b64a0c2e23
  SHA256: 69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42
  SHA512: cee68886a6d82a16e992bd68e33453d23f71c615771a6ab38a3a4ce691d69d16b4e85fb0c0a2d15443f1920ee686e33d19a49ed87422648eba321fd907a27155

Memory dumps (name is PID-sequence-start-end)
  memory/1176-52-0x0000000002D00000-0x0000000002D01000-memory.dmp   4KB
  memory/2116-0-0x0000000074371000-0x0000000074372000-memory.dmp    4KB
  memory/2116-15-0x0000000074370000-0x000000007491B000-memory.dmp   5.7MB
  memory/2116-2-0x0000000074370000-0x000000007491B000-memory.dmp    5.7MB
  memory/2116-1-0x0000000074370000-0x000000007491B000-memory.dmp    5.7MB
  memory/2556-33-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-46-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-37-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-972-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
  memory/2556-44-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-47-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-45-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-51-0x0000000024010000-0x0000000024072000-memory.dmp   392KB
  memory/2556-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
  memory/2556-41-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-43-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2556-35-0x0000000000400000-0x0000000000459000-memory.dmp   356KB
  memory/2964-48-0x0000000074370000-0x000000007491B000-memory.dmp   5.7MB
  memory/2964-16-0x0000000074370000-0x000000007491B000-memory.dmp   5.7MB
  memory/2964-26-0x0000000074370000-0x000000007491B000-memory.dmp   5.7MB
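The memory-dump names above and the upx YARA matches in the Signatures section encode the same regions in two places. The script below is an added example, not code from the sandbox: it parses the dump names copied from this report, recomputes each region's size with the report's own rounding so the listed sizes can be checked, groups dumps per (PID, range) with their UPX hit counts, and picks out the region that is the injected payload: UPX code at the 32-bit PE default image base 0x400000 inside the hollowed vbc.exe (PID 2556). The set of hollowed PIDs is passed in from the SetThreadContext signature; it is not inferred here.

```python
"""Memory-dump bookkeeping for the regions listed in this report.

Added example, not part of the report. DUMP_NAMES are copied from the
Downloads section and UPX_MATCHES are the dumps the report's 'upx' YARA rule
hit (behavioral1/ prefix dropped). size_label reproduces the report's display
rounding (whole KB below 1 MB, one-decimal MB above).
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DUMP_NAMES = [
    "memory/1176-52-0x0000000002D00000-0x0000000002D01000-memory.dmp",
    "memory/2116-0-0x0000000074371000-0x0000000074372000-memory.dmp",
    "memory/2116-15-0x0000000074370000-0x000000007491B000-memory.dmp",
    "memory/2116-2-0x0000000074370000-0x000000007491B000-memory.dmp",
    "memory/2116-1-0x0000000074370000-0x000000007491B000-memory.dmp",
    "memory/2556-33-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-46-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-37-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-972-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-44-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-47-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-45-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-51-0x0000000024010000-0x0000000024072000-memory.dmp",
    "memory/2556-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2556-41-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-43-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2556-35-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/2964-48-0x0000000074370000-0x000000007491B000-memory.dmp",
    "memory/2964-16-0x0000000074370000-0x000000007491B000-memory.dmp",
    "memory/2964-26-0x0000000074370000-0x000000007491B000-memory.dmp",
]

UPX_MATCHES = {
    "memory/2556-%d-0x0000000000400000-0x0000000000459000-memory.dmp" % seq
    for seq in (37, 35, 43, 41, 46, 45, 47, 44, 972)
} | {"memory/2556-51-0x0000000024010000-0x0000000024072000-memory.dmp"}


def parse(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a memory dump name: %r" % name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes):
    """Mirror the report's display: whole KB under 1 MB, one-decimal MB above."""
    if nbytes < 1 << 20:
        return "%dKB" % (nbytes // 1024)
    return "%.1fMB" % (nbytes / float(1 << 20))


def summarize(names, upx_names):
    """(pid, start, end) -> (dump_count, upx_hit_count)."""
    out = {}
    for n in names:
        d = parse(n)
        k = (d["pid"], d["start"], d["end"])
        total, hits = out.get(k, (0, 0))
        out[k] = (total + 1, hits + (n in upx_names))
    return out


def payload_regions(summary, hollowed_pids):
    """Regions at the 32-bit PE default image base (0x400000) carrying UPX code
    inside a process the report shows being hollowed. Microsoft's vbc.exe is not
    UPX-packed, so such a region is the parent's injected payload."""
    return sorted(k for k, (_, hits) in summary.items()
                  if k[0] in hollowed_pids and k[1] == 0x400000 and hits)


if __name__ == "__main__":
    s = summarize(DUMP_NAMES, UPX_MATCHES)
    for (pid, start, end), (n, hits) in sorted(s.items()):
        print("pid %-5d 0x%08X-0x%08X %-6s dumps=%-2d upx=%d"
              % (pid, start, end, size_label(end - start), n, hits))
    print("payload regions:", payload_regions(s, {2556}))
```

The 0x74370000-0x7491B000 region dumped from PIDs 2116 and 2964 is 5.7MB and not UPX-flagged; the 356KB region at 0x400000 in PID 2556 is dumped ten times and flags UPX in nine of them, which is the dump to pull when you want the unpacked CyberGate payload rather than the dropper.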