Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
22-06-2024 04:48
Static task
static1
Behavioral task
behavioral1
Sample
01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
-
Size
304KB
-
MD5
01559a3880b976ffbc703ed70949f2d2
-
SHA1
d52245e0a05faaedad8cb5413e17fe5d2f1b9ee5
-
SHA256
0403e90716cf3657a6ecdd798f9ef1b7e7cbff91901d692ec8affd3ebbc67206
-
SHA512
ee86c6b109319ef6fcd665f7f65cfcccf7e83ca306cc8d8fc6dd848f59cc367f840d1de388ce1f57a068705f944f8438001d671e4f925a199d6075f821e617cb
-
SSDEEP
6144:uBozIRslRTksH8mGfVEJ4W4sV4rgjL4/QHwJRQwn5j9KqX6nQ+Tac:bzrlJDH8Jf6r4s+rEMoQJRQw5j9T6R
Malware Config
Extracted
cybergate
2.7 Beta 02
ami,c:/ cws adbox 98.92.71.171,us dos-ms ip watch my hacker comunauter
windows1212.no-ip.biz:81
Windows Firewall
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Microsoft Corporation
-
install_file
Windows Update.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
-
regkey_hkcu
Inisial System Operation
-
regkey_hklm
Microsoft Actualisation
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN} | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN}\StubPath = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe Restart" | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6M6YL612-1IN5-01C0-6DRY-I6VOA1DGD8IN}\StubPath = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" | explorer.exe
-
Deletes itself 1 IoCs
Processes: explorer.exe
pid | process
5000 | explorer.exe
-
Executes dropped EXE 2 IoCs
Processes: Windows Update.exe, Windows Update.exe
pid | process
2952 | Windows Update.exe
1604 | Windows Update.exe
-
Processes:
resource yara_rule behavioral2/memory/4708-3-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral2/memory/4708-5-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral2/memory/4708-7-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral2/memory/4708-8-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral2/memory/4708-11-0x0000000024010000-0x0000000024072000-memory.dmp upx behavioral2/memory/4708-15-0x0000000024080000-0x00000000240E2000-memory.dmp upx behavioral2/memory/2072-77-0x0000000024080000-0x00000000240E2000-memory.dmp upx behavioral2/memory/4708-144-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral2/memory/5000-145-0x00000000240F0000-0x0000000024152000-memory.dmp upx behavioral2/memory/1604-163-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral2/memory/1604-167-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral2/memory/2072-497-0x0000000024080000-0x00000000240E2000-memory.dmp upx behavioral2/memory/5000-498-0x00000000240F0000-0x0000000024152000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Actualisation = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inisial System Operation = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe" | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
-
Drops file in System32 directory 5 IoCs
Processes: explorer.exe, Windows Update.exe, 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\Microsoft Corporation\ | explorer.exe
File opened for modification | C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe | Windows Update.exe
File created | C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe, Windows Update.exe
description | pid | process | target process
PID 228 set thread context of 4708 | 228 | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
PID 2952 set thread context of 1604 | 2952 | Windows Update.exe | Windows Update.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3972 | 1604 | WerFault.exe | Windows Update.exe
-
Modifies registry class 1 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
pid | process
4708 | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
4708 | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: explorer.exe
description | pid | process
Token: SeDebugPrivilege | 5000 | explorer.exe
Token: SeDebugPrivilege | 5000 | explorer.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
pid | process
4708 | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe, Windows Update.exe
pid | process
228 | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
2952 | Windows Update.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe, 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
description | pid | process | target process
PID 228 wrote to memory of 4708 | 228 | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
PID 4708 wrote to memory of 3440 | 4708 | 01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe | Explorer.EXE
Processes
[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\01559a3880b976ffbc703ed70949f2d2_JaffaCakes118.exe
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\explorer.exe
          cmd: explorer.exe
          - Boot or Logon Autostart Execution: Active Setup
      [4] C:\Windows\SysWOW64\explorer.exe
          cmd: explorer.exe
          - Deletes itself
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
            cmd: "C:\Windows\system32\Microsoft Corporation\Windows Update.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
              cmd: "C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 564
                - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1604 -ip 1604
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads