Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 03:21
Static task: static1
Behavioral task: behavioral1
  Sample: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
Size: 304KB
MD5: 010eed353174269e5671afbc7a18210b
SHA1: d77a920d0fedf7a974cbcc367094b95d2942d7f0
SHA256: 5bc30db63db6b4957befabc80f89f1f253e681f3d87179fa2c3efd2199fe02c8
SHA512: ab41a4112e37e328822d9e06f18bc253c79cb4d8a35f285d768f2be5fde82ba544a9b0fbc87e97e3462739a313cefb6d02913718919bd054f0c42569dd608aa0
SSDEEP: 6144:s6ioEQqmNE3YGV7gFaT6t/9kxIaLh48V/77HabJl1bVM0UD:ObPCrGZgkT6t/OIKhP/ncl1pM0U
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: file1.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | file1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | file1.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, file1.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} | file1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe Restart" | file1.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} | explorer.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe, file1.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | file1.exe
Executes dropped EXE (3 IoCs)
Processes: file1.exe, file1.exe, 2.0.14699.0.exe
pid | process
1976 | file1.exe
2100 | file1.exe
4060 | 2.0.14699.0.exe
Processes:
resource | yara_rule
behavioral2/memory/1976-16-0x0000000024010000-0x000000002406F000-memory.dmp | upx
behavioral2/memory/1976-19-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
behavioral2/memory/1976-77-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: file1.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" | file1.exe
Drops file in System32 directory (4 IoCs)
Processes: file1.exe, file1.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe | file1.exe
File opened for modification | C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe | file1.exe
File opened for modification | C:\Windows\SysWOW64\dashboard\ | file1.exe
File created | C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe | file1.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
1856 | 4060 | WerFault.exe | 2.0.14699.0.exe
Modifies registry class (1 IoC)
Processes: file1.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | file1.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: file1.exe
pid | process
1976 | file1.exe
1976 | file1.exe
1976 | file1.exe
1976 | file1.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: file1.exe
pid | process
2100 | file1.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: file1.exe
description | pid | process
Token: SeDebugPrivilege | 2100 | file1.exe
Token: SeDebugPrivilege | 2100 | file1.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: file1.exe
pid | process
1976 | file1.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe, file1.exe
description | pid | process | target process
PID 4812 wrote to memory of 1976 | 4812 | 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe | file1.exe
PID 4812 wrote to memory of 1976 | 4812 | 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe | file1.exe
PID 4812 wrote to memory of 1976 | 4812 | 010eed353174269e5671afbc7a18210b_JaffaCakes118.exe | file1.exe
PID 1976 wrote to memory of 3512 | 1976 | file1.exe | Explorer.EXE
(the remaining rows of the original table are verbatim repeats of the row above; the table holds 64 IoCs in total, per the heading)
Processes
(indented by process depth as numbered in the report; the "- " lines under a process are the signatures it triggered)

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\file1.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\file1.exe"
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\explorer.exe
          command line: explorer.exe
          - Boot or Logon Autostart Execution: Active Setup
      [4] C:\Users\Admin\AppData\Local\Temp\file1.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\file1.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe
            command line: "C:\Windows\system32\dashboard\2.0.14699.0.exe"
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 564
              - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt (Filesize: 219KB)
- C:\Users\Admin\AppData\Local\Temp\XxX.xXx (Filesize: 8B; recorded 18 times, each time with different contents)
- C:\Users\Admin\AppData\Local\Temp\file1.exe (Filesize: 280KB)
- C:\Users\Admin\AppData\Roaming\logs.dat (Filesize: 15B)
- memory/1976-16-0x0000000024010000-0x000000002406F000-memory.dmp (Filesize: 380KB)
- memory/1976-77-0x0000000024070000-0x00000000240CF000-memory.dmp (Filesize: 380KB)
- memory/1976-19-0x0000000024070000-0x00000000240CF000-memory.dmp (Filesize: 380KB)
- memory/3092-49-0x0000000075460000-0x0000000075A68000-memory.dmp (Filesize: 6.0MB)
- memory/3092-20-0x0000000000E10000-0x0000000000E11000-memory.dmp (Filesize: 4KB)
- memory/3092-21-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (Filesize: 4KB)
- memory/3092-80-0x00000000039C0000-0x00000000039C1000-memory.dmp (Filesize: 4KB)
- memory/3092-84-0x0000000075460000-0x0000000075A68000-memory.dmp (Filesize: 6.0MB)
- memory/4812-0-0x0000000075542000-0x0000000075543000-memory.dmp (Filesize: 4KB)
- memory/4812-12-0x0000000075540000-0x0000000075AF1000-memory.dmp (Filesize: 5.7MB)
- memory/4812-2-0x0000000075540000-0x0000000075AF1000-memory.dmp (Filesize: 5.7MB)
- memory/4812-1-0x0000000075540000-0x0000000075AF1000-memory.dmp (Filesize: 5.7MB)