Analysis
max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 27-06-2024 08:52
Behavioral task behavioral1
Sample: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task behavioral2
Sample: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Size: 296KB
MD5: 1562ea6ccbc11556a2fbc40aeaf1897d
SHA1: d3e9413c1ede49d83be13b118c861cbe41b3e6c2
SHA256: a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb
SHA512: 44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa
SSDEEP: 6144:POpslFlqLhdBCkWYxuukP1pjSKSNVkq/MVJbR:PwslgTBd47GLRMTbR
Malware Config
Extracted: cybergate v1.07.5
remote: etis.no-ip.biz:100
5J67372O7SI8C2
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: rafaella.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: The file you are searching for has been deleted.
message_box_title: Error
password: etis
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W} | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ST752634-V1IQ-UP22-5600-C22Y1Q0K2H6W}\StubPath = "C:\\Windows\\system32\\WinDir\\rafaella.exe Restart" | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes: rafaella.exe, rafaella.exe
pid | process
2344 | rafaella.exe
1596 | rafaella.exe

Loads dropped DLL (4 IoCs)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe, 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
pid | process
2236 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
2236 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
2012 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
2012 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

Processes (yara rule matches on memory dumps):
resource | yara_rule
behavioral1/memory/2236-6-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/2236-2-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral1/memory/2012-291-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/2012-1108-0x0000000010480000-0x00000000104E5000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\rafaella.exe" | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

Drops file in System32 directory (4 IoCs)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe, 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\SysWOW64\WinDir\rafaella.exe | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\rafaella.exe | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\rafaella.exe | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\ | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe, rafaella.exe
pid | process
2236 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
2344 | rafaella.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
pid | process
2012 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
description | pid | process
Token: SeBackupPrivilege | 2012 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Token: SeRestorePrivilege | 2012 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Token: SeDebugPrivilege | 2012 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
Token: SeDebugPrivilege | 2012 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
description | pid | process | target process
PID 2236 wrote to memory of 2568 | 2236 | 1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe | iexplore.exe
(the same entry is listed for all 64 IoCs)
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  level 2: C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  level 2: C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1562ea6ccbc11556a2fbc40aeaf1897d_JaffaCakes118.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    level 3: C:\Windows\SysWOW64\WinDir\rafaella.exe
      command line: "C:\Windows\system32\WinDir\rafaella.exe"
      - Executes dropped EXE
  level 2: C:\Windows\SysWOW64\WinDir\rafaella.exe
    command line: "C:\Windows\system32\WinDir\rafaella.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: fcdc2ec75169e8f15aa481a855d2d1ce
  SHA1: e175eb08f9c24ef111cb7a0691ef75e81ffc9f49
  SHA256: b9dcdb13419530c9b517e0ca3ee3f8c63ae59e970e8ad286a41a4b77addc3173
  SHA512: 32310fa60f8d1d8c70517ab451034617407106aa5d1ecd80cbd47534952d3ad9fc73b391ff8f76f577b89d996ddf032e6cf46c13a4a45fa93d1e8ede183cdd51
C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: c6a57eb3bdbf10bab9ae050c5aa7a940
  SHA1: 0e34774ec9b27c8d61983433bb06fd608be3420a
  SHA256: 3bb2419816762ec7537a1298a181a292ce2bb6d239d989ef3b28a69d39aeffbf
  SHA512: f98aede02d7dbb42ad87fef4377cbe26d26788846dae1c61364dbdaf77340378db208626120b82cdaab6191ee261d7c8d62b53a48b171258864f421a6f0777db

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: fa16c17bd57ddac978987e3b4fe3a82c
  SHA1: b41cb944cef71aad508be364cd3dab9456cc7d4f
  SHA256: 8e3749f8e6100d6fe75bc92c36f2d3e1b994fd33a2102d1a6cfca9822a344584
  SHA512: 66d24575f7cf727d1119e9a8d5420d41fc03457066653ece67aad2330e8220a6a891566d2181a35cc7105b389c2dda9039047c0771085fc48e8b0ccc61ca8713

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e3316ef318e9322c29e840719d6e51b2
  SHA1: 009d0fca6c0e01dd5c17c4738d07730940ce088c
  SHA256: 356805e8dd89737f6ccbf88b2d84d33a8ec90c0f0f786b851ef8f68e603380cb
  SHA512: 91498a051a14fce59053cd188a2b9859f6b5fef0565dee5d0b87a3b7645b701777e56bf16f3fb5367c16948e6d48a0e3d2b8abd269cab9698106969c68f8ee5b

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: d07f6d2486723e1a114f03d322adcf60
  SHA1: 69a64297b09c8d679e5dddf3c932a4ec1e44a587
  SHA256: dff24518646134ba890bd53823d88e7df5bb6e13e214f3ec870b2a39cf6bbcf0
  SHA512: 33cfaa555b3783b2026196ea7e9a54d762a069526b1182875e55e8e56cae3adf256898a9d01d9b28f2d4df56a673fcac07e780ba5ed6e1c97600b2bfe503ff6a

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: a0bff030c7ea47144eb4f2740e45484b
  SHA1: c6102a3274de269d612bd7fbee212bc48bbed425
  SHA256: b1b3b1ec212ac5413326b8867d51ab28d851664225a85755301764165d05e990
  SHA512: d837006591fc7526b12c612dfa4eb4b10853fa90c3446290dadaa507d17b6023cef149c83d441566855116141e15fc55049ddf622146ae70c3dd00e9e084f005

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: fa09d55b41bde0a2661420706c1f0f83
  SHA1: d60f54f56c5c1cf72428f7bbac382d9fa11579bd
  SHA256: 971bbb6b2b91483c0e723509baf4163ca5d0f747af50635328febe8f15e1db3e
  SHA512: 38972da3457a978f2adfa03838182255547926dde54015e8194328da2ab1cdc5c49fb72f141318205324ef44c57aa922f74ef4340ed58f8f526e6537aeceb5f3

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 93803456c54e1da5c0bd17b59f999928
  SHA1: 800b89889a229ff82396cf92e0ad1bd5b3b2f949
  SHA256: ea09f2be24eb678d6fcf66bdb26dc269eef1015d8d0d1d40b7d32245d8b8ae36
  SHA512: f968e9be79747477e054272edf32515827e32f95e49da212a14b0416bf169b0ed0424c131849e389ebc5ff53cd6c44a60d7ae938cc600688d432b945aabceadb

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 8f4f70b06c422f6cd97922ce06a2b2b9
  SHA1: 489f63af2f3b9c208b316dacfa0a2e9f8f82a7dd
  SHA256: 730fa91d4c3769bd19ff5997b2b58fb6df5b549f70b1a73b1589e75224cd25e6
  SHA512: 45193a5bfa883ed037634addca0982164097cbd8810cfbcb41e37c85a8ce07039539ae542f9fadef2214135315725a0efc2b7f3241d159ec116f0573094bcee9

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: c55cf1aec52529c837ff94f94be1b9d2
  SHA1: 4486d318d0abebadea286c7a769f9140b4342eac
  SHA256: 6d2361e1c45d6a8fbe14721a7e9b0089b07532e42b74d6888eddb75c93ff98fb
  SHA512: e1ec8dc70b8aa660ec6aea27dc1d48e0d28b1b933751d7d9c86418fa97f760caf2e89302958d0e660a5c4ede80c04ee7dc81281f2768eb264a8db8c9954f909d

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 883c9d12b80e689ff3e01f4cc1687e5f
  SHA1: 2ffca5d1fa8e89610f02cfe11bbe214485abf5b9
  SHA256: cfda9af4e8409f913c3d265d20ad1e4f67b1b65e6b0b451682db0ef5cfa3432a
  SHA512: 67de1cc8eda4079e43d0ab06e3e68e15aa6c511372f1e9127256886a306d24e51fba30e6e597c3bd3c5c2315b331f73583e829d3d498ebe0e3c50db2755d9a17

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 2d82b86bdeb30177bece9cf0db3d258e
  SHA1: ca9da9148d626fec5724d6da353e73927c5dcdfe
  SHA256: c0703bce4a45b6cfeb6351c99671d8958094df50d7950ed39713dcb595a488fd
  SHA512: 9ff8d19f2106ce98b4b377e8f8330632aea3ce7a63c064f2c0a7f2a5fee5ef332523ab3f237967a0742d823b6643fe26111bd29538f3bd81a39e0adfdd8089f1

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4cd91252cc12842a05ea09668a10b3ab
  SHA1: a929214d1e1a2a78bf34ab52087945aa70fb564f
  SHA256: f98a14a42b5840cf17c304b9baf5b0c980cfb1393698764303499a861c5748ce
  SHA512: cf54f0030974b462ccbfd3b724dc1f0bf2ab84b741c882a2cd9be140cf5dbaf7f1521742014717a3714756a910edb693141cfec29c7ed2e8a9ca179e62828931

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 0113a1eba293841d61461773d9969fd4
  SHA1: 7419b0ad990bb63c49d0f7624bd1afe0379da102
  SHA256: 437b52e36fed243f9bdea95594abdad81a64d0e98bafe9cf35220e4d525f0e59
  SHA512: 41d432987be623c19fce5e3520539d2c10b255135f17894c74ee6f8b54009b59c315c7319fbe0d1370e7a235c1f155327f2f98f071196a18c769121e5ed8b62e

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: f1cdde69d3881168f15c145c4c13034b
  SHA1: 522edcb9c4065e636e6fc24bb55abab8cfd77f7d
  SHA256: b7f1817525eb2ef20a6c9840e9a910655385584cadff0705e5db26700f10627f
  SHA512: 31df521c964eb6f6c25279f85908a4a3bd0782853cac34f2b4687673d81f3479d1b5ed9f493d30bf4ecd34a780f4f8cbe28648b674a74d273ef02d76c2ff987f

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 0702678a3c6be57a890bce6bd1982560
  SHA1: cb7742da8051dcba2456d35c3821aea598dc54ee
  SHA256: fa8b0dc96a4f26f7b20025f463b9b1559171df84b1d213d2bffbf5f7141de1c2
  SHA512: c6846aeb7f52d348fd62e2c28d20440f992dec6239e5e1c0fd3659ecc14dba67c6aab0f79fa17c7853aa3bb481d43c511921d378ff89612f908ee7dc6d9a58c5

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 6dbe59359ff5c498654c64d1510cfa52
  SHA1: f4ea5b6cedb75bc488d8953acc266fbb6a2884e2
  SHA256: 503c37e7db2f8d4492489fc680c6774ecc2820b4c144cca015db15e8e69885c9
  SHA512: f18e13006488699d6b886d677e6b370a496040da408fcd347875592fc2e338ebfd0fe22de51a4b2840b878fbd57325d3b8702629a6551382bb4f120c6a95cc40

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: fde4a074e2e25e2cbd1456cb9471089a
  SHA1: 2272f69121f682d451793ab888e2802134d55884
  SHA256: 3516eee6156f4d4d6f0f69ab26a2867ff5824a7c360df90bd7db80b059b7d675
  SHA512: 88c041c1297addad85c1d1b4c1cd8df3ec70960dc068f17f87a8b7ddd52a14d52de9e5e80ef47478fc4ffd611cfe08cb2cd39e18a0b97869ada79ff800361748

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 80aa87b3386be6662cb92ed5536a17c9
  SHA1: 8cd05f12f5b575e77bd48be5efc68bf7444c4553
  SHA256: a212a369fefb8f2790bb20cf370ccaa24eb0f7cb18e559a8255b4bdcb611a45e
  SHA512: dd49638bba7c5ccb11d6e535038e40c93840b04391e9131a355e2f19c491103f1dd338fc42a54e62aa66ef3a75edb4c28e22bb39ddac6776dbb5fd5c75bb5095
C:\Users\Admin\AppData\Roaming\Adminlog.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Windows\SysWOW64\WinDir\rafaella.exe
  Filesize: 296KB
  MD5: 1562ea6ccbc11556a2fbc40aeaf1897d
  SHA1: d3e9413c1ede49d83be13b118c861cbe41b3e6c2
  SHA256: a0a68998aa0bfaf84e34c7ff5c339a82126887895a38f1d91bf07a9069cefceb
  SHA512: 44572ee9589c46f1fe2d009f77b5b199343e506257613ccf8de524fc57e590ec04d102a760aade26bfb23fb4a16f81c242ae98e34ae28382aaa51568d10725aa
memory/2012-18-0x0000000000350000-0x0000000000351000-memory.dmp
  Filesize: 4KB

memory/2012-1108-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB

memory/2012-7-0x00000000001B0000-0x00000000001B1000-memory.dmp
  Filesize: 4KB

memory/2012-13-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB

memory/2012-291-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB

memory/2236-6-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB

memory/2236-2-0x0000000010410000-0x0000000010475000-memory.dmp
  Filesize: 404KB