Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 04:48
Static task: static1
Behavioral task: behavioral1
- Sample: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
- Size: 304KB
- MD5: 01559a3880b976ffbc703ed70949f2d2
- SHA1: d52245e0a05faaedad8cb5413e17fe5d2f1b9ee5
- SHA256: 0403e90716cf3657a6ecdd798f9ef1b7e7cbff91901d692ec8affd3ebbc67206
- SHA512: ee86c6b109319ef6fcd665f7f65cfcccf7e83ca306cc8d8fc6dd848f59cc367f840d1de388ce1f57a068705f944f8438001d671e4f925a199d6075f821e617cb
- SSDEEP: 6144:uBozIRslRTksH8mGfVEJ4W4sV4rgjL4/QHwJRQwn5j9KqX6nQ+Tac:bzrlJDH8Jf6r4s+rEMoQJRQw5j9T6R
Malware Config
Extracted
cybergate
2.7 Beta 02
ami,c:/ cws adbox 98.92.71.171,us dos-ms ip watch my hacker comunauter
windows1212.no-ip.biz:81
Windows Firewall
- enable_keylogger: false
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Microsoft Corporation
- install_file: Windows Update.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: Inisial System Operation
- regkey_hklm: Microsoft Actualisation
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN} (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN}\StubPath = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe Restart" (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN}\StubPath = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" (explorer.exe)
Deletes itself (1 IoC)
Processes:
- PID 1672 explorer.exe
Executes dropped EXE (2 IoCs)
Processes:
- PID 324 Windows Update.exe
- PID 1828 Windows Update.exe
Loads dropped DLL (8 IoCs)
Processes:
- PID 1672 explorer.exe (1 entry)
- PID 324 Windows Update.exe (4 entries)
- PID 1828 Windows Update.exe (3 entries)
Processes:
- yara rule upx matched behavioral1 memory dumps of PID 1276: region 0x0000000000400000-0x0000000000458000 (dumps 5, 8, 11, 14, 15, 16, 17, 18, 865) and region 0x0000000024010000-0x0000000024072000 (dump 21)
- yara rule upx matched behavioral1 memory dumps of PID 1828: region 0x0000000000400000-0x0000000000458000 (dumps 906, 909)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Actualisation = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inisial System Operation = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
Drops desktop.ini file(s) (1 IoC)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini (explorer.exe)
Drops file in System32 directory (5 IoCs)
Processes:
- File created: C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe (explorer.exe)
- File opened for modification: C:\Windows\SysWOW64\Microsoft Corporation\ (explorer.exe)
- File opened for modification: C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe (Windows Update.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 2972 (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe) set thread context of PID 1276 (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe)
- PID 324 (Windows Update.exe) set thread context of PID 1828 (Windows Update.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- PID 1276 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1672 explorer.exe (2 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1276 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
- PID 1672 explorer.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes:
- PID 1672 explorer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 2972 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
- PID 324 Windows Update.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- PID 2972 (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe) wrote to memory of PID 1276 (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe): 8 entries
- PID 1276 (01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe) wrote to memory of PID 1208 (Explorer.EXE): all remaining entries
Processes
(indented by depth in the process tree; each entry gives the image path, then its command line, then the signatures triggered by that process)
depth 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  depth 2: C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
      command line: C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\explorer.exe
        command line: explorer.exe
        - Boot or Logon Autostart Execution: Active Setup
      depth 4: C:\Windows\SysWOW64\explorer.exe
        command line: explorer.exe
        - Deletes itself
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        depth 5: C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
          command line: "C:\Windows\system32\Microsoft Corporation\Windows Update.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          depth 6: C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
            command line: "C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe"
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt (230KB)
- C:\Users\Admin\AppData\Local\Temp\XxX.xXx (8B; 11 versions of this file were captured, each with different content)
- C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe (304KB; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample, i.e. a copy of the original executable)
- PID 324: 0x0000000000020000-0x000000000002B000 (dumps 881, 885; 44KB each); 0x0000000000400000-0x000000000040B000 (dump 902; 44KB)
- PID 776: 0x0000000000400000-0x0000000000681000 (dump 343; 2.5MB)
- PID 1208: 0x0000000002920000-0x0000000002921000 (dump 22; 4KB)
- PID 1276: 0x0000000000400000-0x0000000000458000 (dumps 4, 5, 8, 11, 14, 15, 16, 17, 18, 865; 352KB each); 0x0000000024010000-0x0000000024072000 (dump 21; 392KB); 0x000000007EFDE000-0x000000007EFDF000 (dump 9; 4KB)
- PID 1672: 0x0000000003EE0000-0x0000000003EEB000 (dump 877; 44KB)
- PID 1828: 0x0000000000020000-0x000000000002B000 (dumps 903, 904, 905; 44KB each); 0x0000000000400000-0x0000000000458000 (dumps 906, 909; 352KB each)
- PID 2972: 0x0000000000400000-0x000000000040B000 (dumps 0, 13; 44KB each)