Analysis
-
max time kernel
153s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
27-06-2024 15:17
Static task
static1
Behavioral task
behavioral1
Sample
167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
Resource
win10v2004-20240226-en
General
-
Target
167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
-
Size
452KB
-
MD5
167cc413faac757b6a7e57133ceedd0e
-
SHA1
1421d708f6eb6e08745172ea1d44f6af4857de0d
-
SHA256
32a820b30108102245b1c458b9237893e80a644fe1113dca3d4b2132a93f5db3
-
SHA512
61873a138588e461744bdcc1a8ad01968ccd549a9408a707acb09946aa1b2422a8771de831911149aa7233094b6583917347f0f8694138fc135018909ed16ccd
-
SSDEEP
6144:qEJK6g8ITN45qFqshyrwZdWYXPoPyl5FM13iyDFsDTAb/j8Fft6WEgrYvXmH3cpN:qEJKNUEvhRZIIR5M3ipprYAXyRNCj+
Malware Config
Extracted
nanocore
1.2.2.0
manifest.duckdns.org:61970
2004e655-d8f5-4f56-b1bd-1074cc528f1d
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-11-15T20:09:19.510421436Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
61970
-
default_group
Monte Carlo
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
2004e655-d8f5-4f56-b1bd-1074cc528f1d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
manifest.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
xTMUmRNSplXXLMhgma5.exeMSI8D82.tmpxTMUmRNSplXXLMhgma5.exeRegAsm.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe" xTMUmRNSplXXLMhgma5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" MSI8D82.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe" xTMUmRNSplXXLMhgma5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" RegAsm.exe -
Checks whether UAC is enabled
Processes:
RegAsm.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened 
(read-only) \??\S: msiexec.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
xTMUmRNSplXXLMhgma5.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation xTMUmRNSplXXLMhgma5.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
xTMUmRNSplXXLMhgma5.exedescription pid process target process PID 3852 set thread context of 2932 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe -
Drops file in Program Files directory 2 IoCs
Processes:
RegAsm.exedescription ioc process File opened for modification C:\Program Files (x86)\SMTP Subsystem\smtpss.exe RegAsm.exe File created C:\Program Files (x86)\SMTP Subsystem\smtpss.exe RegAsm.exe -
Drops file in Windows directory 8 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\MSI8D82.tmp msiexec.exe File created C:\Windows\Installer\e5986ab.msi msiexec.exe File opened for modification C:\Windows\Installer\e5986ab.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} msiexec.exe File opened for modification C:\Windows\Installer\MSI8BAC.tmp msiexec.exe -
Executes dropped EXE 3 IoCs
Processes:
MSI8D82.tmpxTMUmRNSplXXLMhgma5.exexTMUmRNSplXXLMhgma5.exepid process 892 MSI8D82.tmp 3852 xTMUmRNSplXXLMhgma5.exe 4232 xTMUmRNSplXXLMhgma5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read to detect sandboxing environments. In this run the reads come from vssvc.exe while the installer creates a restore point (see the srtasks.exe ExecuteScopeRestorePoint process below), so this hit is likely installer side-activity rather than sandbox evasion by the sample itself.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device 
Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 3184 schtasks.exe 3324 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exexTMUmRNSplXXLMhgma5.exepid process 4084 msiexec.exe 4084 msiexec.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegAsm.exepid process 2932 RegAsm.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
xTMUmRNSplXXLMhgma5.exepid process 3852 xTMUmRNSplXXLMhgma5.exe 3852 xTMUmRNSplXXLMhgma5.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exesrtasks.exexTMUmRNSplXXLMhgma5.exeRegAsm.exedescription pid process Token: SeShutdownPrivilege 3248 msiexec.exe Token: SeIncreaseQuotaPrivilege 3248 msiexec.exe Token: SeSecurityPrivilege 4084 msiexec.exe Token: SeCreateTokenPrivilege 3248 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3248 msiexec.exe Token: SeLockMemoryPrivilege 3248 msiexec.exe Token: SeIncreaseQuotaPrivilege 3248 msiexec.exe Token: SeMachineAccountPrivilege 3248 msiexec.exe Token: SeTcbPrivilege 3248 msiexec.exe Token: SeSecurityPrivilege 3248 msiexec.exe Token: SeTakeOwnershipPrivilege 3248 msiexec.exe Token: SeLoadDriverPrivilege 3248 msiexec.exe Token: SeSystemProfilePrivilege 3248 msiexec.exe Token: SeSystemtimePrivilege 3248 msiexec.exe Token: SeProfSingleProcessPrivilege 3248 msiexec.exe Token: SeIncBasePriorityPrivilege 3248 msiexec.exe Token: SeCreatePagefilePrivilege 3248 msiexec.exe Token: SeCreatePermanentPrivilege 3248 msiexec.exe Token: SeBackupPrivilege 3248 msiexec.exe Token: SeRestorePrivilege 3248 msiexec.exe Token: SeShutdownPrivilege 3248 msiexec.exe Token: SeDebugPrivilege 3248 msiexec.exe Token: SeAuditPrivilege 3248 msiexec.exe Token: SeSystemEnvironmentPrivilege 3248 msiexec.exe Token: SeChangeNotifyPrivilege 3248 msiexec.exe Token: SeRemoteShutdownPrivilege 3248 msiexec.exe Token: SeUndockPrivilege 3248 msiexec.exe Token: SeSyncAgentPrivilege 3248 msiexec.exe Token: SeEnableDelegationPrivilege 3248 msiexec.exe Token: SeManageVolumePrivilege 3248 msiexec.exe Token: SeImpersonatePrivilege 3248 msiexec.exe Token: SeCreateGlobalPrivilege 3248 msiexec.exe Token: SeBackupPrivilege 2896 vssvc.exe Token: SeRestorePrivilege 2896 vssvc.exe Token: SeAuditPrivilege 2896 vssvc.exe Token: SeBackupPrivilege 4084 msiexec.exe Token: SeRestorePrivilege 4084 msiexec.exe Token: SeRestorePrivilege 4084 msiexec.exe Token: SeTakeOwnershipPrivilege 4084 msiexec.exe Token: SeRestorePrivilege 4084 msiexec.exe Token: SeTakeOwnershipPrivilege 4084 msiexec.exe Token: 
SeRestorePrivilege 4084 msiexec.exe Token: SeTakeOwnershipPrivilege 4084 msiexec.exe Token: SeBackupPrivilege 1968 srtasks.exe Token: SeRestorePrivilege 1968 srtasks.exe Token: SeSecurityPrivilege 1968 srtasks.exe Token: SeTakeOwnershipPrivilege 1968 srtasks.exe Token: SeBackupPrivilege 1968 srtasks.exe Token: SeRestorePrivilege 1968 srtasks.exe Token: SeSecurityPrivilege 1968 srtasks.exe Token: SeTakeOwnershipPrivilege 1968 srtasks.exe Token: SeDebugPrivilege 3852 xTMUmRNSplXXLMhgma5.exe Token: SeDebugPrivilege 2932 RegAsm.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 3248 msiexec.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
msiexec.exeMSI8D82.tmpxTMUmRNSplXXLMhgma5.execsc.execsc.exexTMUmRNSplXXLMhgma5.exeRegAsm.execsc.execsc.exedescription pid process target process PID 4084 wrote to memory of 1968 4084 msiexec.exe srtasks.exe PID 4084 wrote to memory of 1968 4084 msiexec.exe srtasks.exe PID 4084 wrote to memory of 892 4084 msiexec.exe MSI8D82.tmp PID 4084 wrote to memory of 892 4084 msiexec.exe MSI8D82.tmp PID 4084 wrote to memory of 892 4084 msiexec.exe MSI8D82.tmp PID 892 wrote to memory of 3852 892 MSI8D82.tmp xTMUmRNSplXXLMhgma5.exe PID 892 wrote to memory of 3852 892 MSI8D82.tmp xTMUmRNSplXXLMhgma5.exe PID 892 wrote to memory of 3852 892 MSI8D82.tmp xTMUmRNSplXXLMhgma5.exe PID 3852 wrote to memory of 3460 3852 xTMUmRNSplXXLMhgma5.exe csc.exe PID 3852 wrote to memory of 3460 3852 xTMUmRNSplXXLMhgma5.exe csc.exe PID 3852 wrote to memory of 3460 3852 xTMUmRNSplXXLMhgma5.exe csc.exe PID 3460 wrote to memory of 4008 3460 csc.exe cvtres.exe PID 3460 wrote to memory of 4008 3460 csc.exe cvtres.exe PID 3460 wrote to memory of 4008 3460 csc.exe cvtres.exe PID 3852 wrote to memory of 4464 3852 xTMUmRNSplXXLMhgma5.exe csc.exe PID 3852 wrote to memory of 4464 3852 xTMUmRNSplXXLMhgma5.exe csc.exe PID 3852 wrote to memory of 4464 3852 xTMUmRNSplXXLMhgma5.exe csc.exe PID 4464 wrote to memory of 4412 4464 csc.exe cvtres.exe PID 4464 wrote to memory of 4412 4464 csc.exe cvtres.exe PID 4464 wrote to memory of 4412 4464 csc.exe cvtres.exe PID 3852 wrote to memory of 3804 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 3852 wrote to memory of 3804 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 3852 wrote to memory of 3804 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 3852 wrote to memory of 2932 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 3852 wrote to memory of 2932 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 3852 wrote to memory of 2932 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 3852 wrote to memory of 2932 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 3852 wrote to memory of 4232 3852 
xTMUmRNSplXXLMhgma5.exe xTMUmRNSplXXLMhgma5.exe PID 3852 wrote to memory of 4232 3852 xTMUmRNSplXXLMhgma5.exe xTMUmRNSplXXLMhgma5.exe PID 3852 wrote to memory of 4232 3852 xTMUmRNSplXXLMhgma5.exe xTMUmRNSplXXLMhgma5.exe PID 4232 wrote to memory of 2348 4232 xTMUmRNSplXXLMhgma5.exe csc.exe PID 4232 wrote to memory of 2348 4232 xTMUmRNSplXXLMhgma5.exe csc.exe PID 4232 wrote to memory of 2348 4232 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2932 wrote to memory of 3184 2932 RegAsm.exe schtasks.exe PID 2932 wrote to memory of 3184 2932 RegAsm.exe schtasks.exe PID 2932 wrote to memory of 3184 2932 RegAsm.exe schtasks.exe PID 2348 wrote to memory of 376 2348 csc.exe cvtres.exe PID 2348 wrote to memory of 376 2348 csc.exe cvtres.exe PID 2348 wrote to memory of 376 2348 csc.exe cvtres.exe PID 4232 wrote to memory of 4056 4232 xTMUmRNSplXXLMhgma5.exe csc.exe PID 4232 wrote to memory of 4056 4232 xTMUmRNSplXXLMhgma5.exe csc.exe PID 4232 wrote to memory of 4056 4232 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2932 wrote to memory of 3324 2932 RegAsm.exe schtasks.exe PID 2932 wrote to memory of 3324 2932 RegAsm.exe schtasks.exe PID 2932 wrote to memory of 3324 2932 RegAsm.exe schtasks.exe PID 4056 wrote to memory of 5104 4056 csc.exe cvtres.exe PID 4056 wrote to memory of 5104 4056 csc.exe cvtres.exe PID 4056 wrote to memory of 5104 4056 csc.exe cvtres.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3248
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\Installer\MSI8D82.tmp"C:\Windows\Installer\MSI8D82.tmp"2⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe3⤵
- Adds Run key to start application
- Checks computer location settings
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C27.tmp" "c:\Users\Admin\AppData\Local\Temp\pgdau5lr\CSC41AD57B7170A4068A884627ACF34D3CA.TMP"5⤵PID:4008
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EA7.tmp" "c:\Users\Admin\AppData\Local\Temp\g3uu3iea\CSCA61695FBB97D4E4A97155E7A71A9822F.TMP"5⤵PID:4412
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3804
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FDB.tmp"5⤵
- Scheduled Task/Job: Scheduled Task
PID:3184 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp31B1.tmp"5⤵
- Scheduled Task/Job: Scheduled Task
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"4⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30B6.tmp" "c:\Users\Admin\AppData\Local\Temp\gssgse2b\CSC230F842BDF4E462890DE50E86E17ABE0.TMP"6⤵PID:376
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES327B.tmp" "c:\Users\Admin\AppData\Local\Temp\euza5w00\CSC21AC80ACE5BA4AD1BCA796329BBBFD4.TMP"6⤵PID:5104
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:2532
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5Filesize
946KB
MD5b73c6439a2302db41bb7737de87b8835
SHA1a3f1fb5fc06083f5e0adfe7e26ddb094883b7d6b
SHA2562f28247f05c070b5dd9c869b152e7b4084254d7b162a193a9a43b5c8b2419c1f
SHA51268e3f65502cbc32d4d2c1e699e9ca07a3493e554cecf058e632f82874ecec61a63367de56ad693db94ec069e076a44701ce3068deb8748b739c0d6dbcaa70991
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exeFilesize
113KB
MD5ac692fdb7dc25fdea0c0a82819b9ca05
SHA12b94177f0144e34dbd39b847e6bc3305ba7fe080
SHA256afdceace49e12768aa2500489c6102293a1f6e7cb9c844610a655fa741ce0cdb
SHA51204303b051c722d28d8e382acf62997766478cde0ef36473c85ba71c648001a4960f08417e3493d10fb582be5c6293be851eed459c063d6b36561defdc307e2ba
-
C:\Users\Admin\AppData\Local\Temp\RES30B6.tmpFilesize
1KB
MD5af4cf1330d8a44ca7b2391fdd160ab7d
SHA1cdc622524760912559f3bf3b612d895db0701378
SHA2564c7498a543055236bd47fe8f0b0e8796ad97790ff9ef07637e1a9a7442f98e24
SHA5129e7c74f505ef332c45888b56a789dbabe916a080399cc6b7892eb4b475061e9ace17737b918eab4bf5a2a33e0a5c0c3827db03cbd673b6186d559e925faa90f7
-
C:\Users\Admin\AppData\Local\Temp\RES327B.tmpFilesize
1KB
MD5e2108c198c1081d9cc3f293210a30b26
SHA1d318d98cd46020b36b44ef3f152eba55072f3606
SHA256801667d86d7394f40688091552ebf5665f10ba617800d791231b14fe04616cd4
SHA51228a968b76cbc47bb9f44a648ab8fcedb56be0c9357b442def75ef2720afb6d685e5889961e17472ee6f24252c0fece6cbc0ff914fe8d36cb48e7eaa11a00a02e
-
C:\Users\Admin\AppData\Local\Temp\RES9C27.tmpFilesize
1KB
MD588b1054906e974e53fdf6b645607ef75
SHA1fa7eefc1538bcd35c5bcf24ab9d5cf5efd41bfc1
SHA256efae90c28f6c89bd044457b0b2bb42bd96fed5f083d42ed19452a4b6492c2ede
SHA512f04b9e85f44f20e754a6e5ba45748519b218c412177d5e142e6427c63ef8a0823101be1e83c7b361b642a9b2dd671193ee65b8c0ba17ead0e4bd530c4cfa718e
-
C:\Users\Admin\AppData\Local\Temp\RES9EA7.tmpFilesize
1KB
MD5897163bb9b11f8d7c5521fec0bf2df90
SHA14da9b13bddc5d3ea9a40ed019ae3882f6d2048f4
SHA2566f902a0132035315a0523a06a8227e1fe48af17df40837d699e0c835f8639dcf
SHA512937ed305bc16922022e63b47cd23f12cee1ef3e2923c85ad7fc88c5f16b0b39c3a1ab530233fbbb1f501101705a6948c5d6d2303d6dfa35f4546006886caeff4
-
C:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.dllFilesize
634KB
MD537123fe217b5024ad55eb56b08bd0dd9
SHA15e0a65ba64379f5e0eed8dcc52dd160faadb510b
SHA256855f78b05dc33014027203e5c54b5a3051396d930e421042e51324944aa1752f
SHA512b3307db1cf4f5f18255009e4ca6faa74bf9e6ecd81f471b263f0f5693fbce1f554ed09fe1b89c601ea75b9919e14ac823b06d0b1235fc5dfbeb4c01d0afc3409
-
C:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.dllFilesize
634KB
MD5e65a84b05a013eaf8b961c460703ef08
SHA1a58e189f24f3cd8af9e1bc9285380df9dc35f0ae
SHA2562d288f6b2fb3adcbbbf3bf0d0f62ed9543d41812448f9be5328df975b8139dee
SHA512bf0cd8dfd2485bf6111c26922767b3925dab8b8eb45aee4eb6a7d99ab3da191e621c65cb0004eccd3de11d4b686cf02fcc3c4d1fb7fde37ed077146fead1a906
-
C:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.dllFilesize
634KB
MD5552d7717ddbc0f3a748fafd6f8bf6377
SHA12f6a69435938352135cdb1b2df7c1ccc65d7a079
SHA256e27caae87a6c48761a81821d6ea054c39da899386c5928bea78243af14dce353
SHA5121d1677e89d4b38a1231f552df62dc39983d8e78791ee68298ee69f03f0341a24131822be6a4c2c12f32f5f20744d4c8f2701ba2043b95e1b09d7ff0abe3bfb24
-
C:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.dllFilesize
634KB
MD50c492c980ddb428f872950f260632a79
SHA1507cd7344da40b9992633810df94cd65f2b3c863
SHA25662f5e559b6c5d65cdb3f60951b08891eb87f31b3b5ed1287e853af67f10c0670
SHA512227824c1c9b7e914fdb36e30e2883f0f50d0e6b8cadef77b72e1761ff85966e69ed43abae5275663e0f400229818e0deb8fbaff5a5c63e6f63b79fdfd700da72
-
C:\Users\Admin\AppData\Local\Temp\tmp2FDB.tmpFilesize
1KB
MD548ef7fa9033389ad7929d7a6b9d10298
SHA19db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA2560c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
-
C:\Users\Admin\AppData\Local\Temp\tmp31B1.tmpFilesize
1KB
MD50339b45ef206f4becc88be0d65e24b9e
SHA16503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA2563d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551
-
C:\Windows\Installer\MSI8D82.tmpFilesize
425KB
MD57997a52983aa768553d9e039f011e9a8
SHA19b2955a38238fdc5c5511dbb8c578c63a9e19495
SHA2561ea29b91f3647b1cf4822cff87a2e5a7030f2ad92c88013381a6eb4a4088f4c0
SHA5122682afb87b6f860395d286df4ba4a519586b8c4a5fdaa5495ceb964eb2c2c35a7f08896a8c6d28ec691e87b2084c43afc5a7062f9369fbafcbec6c4881d3d083
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.7MB
MD5a67436841d3cc8087f817f9617a94991
SHA10108b407817dcc61ae7f645941ea962bafb5cef3
SHA256ad2b8737549a33a903b83532c62e12c7b46ef9ffdec82b7b19afd490d7072fec
SHA51221f635ef3f76acdad828e93e1c368d82f4d4c8b70b0a7478959ce784f37b3ba4a2fbd9961761f3ad3b9b0f6961dc9036e2c487a4b61db7c10c547adf5073b399
-
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{424f01d8-38b7-4964-9359-de78fed1d63a}_OnDiskSnapshotPropFilesize
6KB
MD55535ca3b838d7b7c4c8d534907c07586
SHA1510b4cea6def78d1366a01f5d38c8a0cf23d4eb4
SHA2567ef2dc7d320158979ee849b85b9a7c807e9775bcee92b156b193ac942b6d1080
SHA512c970b815e6da6fde6f4f0d4470d7c28ff2708c705a4f7fce0345dfbc4d4293991bd54602bdc7ea3388a78fbcf8cd72d00c6c2ba6691c7aae91344578c0b1bec5
-
\??\c:\Users\Admin\AppData\Local\Temp\euza5w00\CSC21AC80ACE5BA4AD1BCA796329BBBFD4.TMPFilesize
652B
MD5bf4e841fb044af93af010115e32e94ec
SHA1f3a40d11e7a1f21aa742134defce0c9e6c0a9157
SHA2561975377087a0961a6a5c039e73084a9b7b6493984d0065be7cb036a2244718db
SHA5127728951df5a1e271d90c68101bb77c109a552796e373141d7c53dd65c4bb832115d97d4e7823760cd8cbaf4b418588fbea7be5939c5f7772b005a92e848cfec4
-
\??\c:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.cmdlineFilesize
302B
MD521cb17ab6f72104c6f3a8f6c7cc570e1
SHA1952d90c9f3e5451677b6fb0d94408318ead9a7f5
SHA256624a77bac480091fd0f5d3202debf94ae9c31f611ea6c8be752a7341023d123f
SHA512576b3a674a70fc5fb759329b299b45bab6eee75c989c29a3de3500b5d1e58ba70d3eb064e3e5e3079670c19b59fdf311c9ef508fb1d76b5288df5f4acf08e1b7
-
\??\c:\Users\Admin\AppData\Local\Temp\g3uu3iea\CSCA61695FBB97D4E4A97155E7A71A9822F.TMPFilesize
652B
MD5dbbd4c9e25d1d62cc91e6a2b22e5206a
SHA1c6894b91256092d14466a23f8abae41db2a8ad4c
SHA256065a44fbde4ca4c150800b58f7905ef46d1199d81a65b1ed729029c03c54b9a8
SHA512cf64612881d006f0dd52a07c8f7f952ee696bbd3692738ce3b59218e1aec55b25ac0f2d31f8cafec6b4fed6a3aced38018d62b3879e5741c35864037268f7662
-
\??\c:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.cmdlineFilesize
302B
MD5c19a0fdeb33cbfba9aafd88d480b909d
SHA19283bc5cb8ce5fb20e9f17df165fae4162a87fd2
SHA25695819c24d969f9e6609c3b57d82c558ba7e3f194cef83761ae3e9f4b684838d0
SHA5124d5ae2e07bd8ed3bc4a83219d0b5019c0b9b1b047bf835853e9f06da258b60466443dadcf462acbcba53f50d012a1f5b20dde2431512804752be8a81746bef33
-
\??\c:\Users\Admin\AppData\Local\Temp\gssgse2b\CSC230F842BDF4E462890DE50E86E17ABE0.TMPFilesize
652B
MD5f7261ab3cceb63493c4f6c191830aea6
SHA1c352ad41fd0e434ff2b79e7f5c5743b1fe82b3e2
SHA256fae4270c31c739d0c19863a8979b8cf0b7e223bcb32d2b241e22e2299a828518
SHA5127642527a33d9456ae89b2dd4ef2b7af72c8e94245e9e1097d83c7ee25101b63f259716703a74968a2f9bc43fc255b2263db2c806c216054f1eb31b3c1285dfa7
-
\??\c:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.cmdlineFilesize
302B
MD5f0ea6027fbb2696f916d2751fc028d9f
SHA1e2e8e0af5b75f0f6582575ef2874d0b164b14878
SHA256e7d15be1932b9fa62938ee2e9c16d6c4921f5e60cbb387dffc86f491b9f38b32
SHA5120e2ebcaf5aaeb0c9a94d7d737aa5d2adf50ca23afc89aa3a34518625dd9e083e879d1c0da9122dc097682225ed88813351819ffb3c70bb0ae56122865ba25308
-
\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\CSC41AD57B7170A4068A884627ACF34D3CA.TMPFilesize
652B
MD500430f871f23c197e7d871a961eceb50
SHA152c3424fd44fd8841186bbbe830b9fee72ef05b4
SHA256202e0b06663ef699874324adafc35b611c9086ab8b480a6e47abad623332c6bb
SHA5122922742c6d0c6d4622cdba1c304ff0339886809a09fb61763b93b518ba301982530054b2a654c33a53399a704ad9aa90a215f7048eadc05116bf2b1ab4a10fb5
-
\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.0.csFilesize
946KB
MD5b5d745ad124400fe21ea0c07e7d0e8bc
SHA14e8cb83eb077c46240e9c0c372a3404763c6c132
SHA256a75d60a3aba62d7137461fd31761cba8d6f6c7f8db75cf9d491d1a53c254e95e
SHA512a9c96c2f56c8f4134cafd2bbc8599e57e7fc1c469afd151ce861e28667c27c6e89e0f35606c2fd6ea64c192f549bdabdc4fc20d7059179d935b94dd94f800e8b
-
\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.cmdlineFilesize
302B
MD56ed631aac772250a157f00a5c1cebbc6
SHA1c22b94d1263169a5e6cff6f28fd38c17d9134fe6
SHA256701c309daf9beabc6b6e78a6c821dfd87e575ef9a4fba143bb3ec8e3cb098bc2
SHA5124419b241a4dd708f3df124d6639a381fcf5862e7c41b4656d1945d0b46edc09f4a3aa797ee06f17d301fc2c26a8daa12f007eda8489030eacefde624299fb559
-
memory/2932-62-0x0000000005860000-0x000000000586A000-memory.dmpFilesize
40KB
-
memory/2932-61-0x0000000005920000-0x00000000059BC000-memory.dmpFilesize
624KB
-
memory/2932-60-0x00000000057B0000-0x0000000005842000-memory.dmpFilesize
584KB
-
memory/2932-59-0x0000000005E30000-0x00000000063D4000-memory.dmpFilesize
5.6MB
-
memory/2932-97-0x0000000005900000-0x000000000591E000-memory.dmpFilesize
120KB
-
memory/2932-58-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2932-101-0x0000000005E20000-0x0000000005E2A000-memory.dmpFilesize
40KB
-
memory/2932-92-0x00000000058F0000-0x00000000058FA000-memory.dmpFilesize
40KB
-
memory/3852-37-0x0000000004E00000-0x0000000004EA4000-memory.dmpFilesize
656KB
-
memory/3852-53-0x0000000004F40000-0x0000000004F82000-memory.dmpFilesize
264KB
-
memory/3852-51-0x0000000004EA0000-0x0000000004F44000-memory.dmpFilesize
656KB
-
memory/3852-23-0x0000000000510000-0x0000000000532000-memory.dmpFilesize
136KB
-
memory/4232-79-0x0000000004850000-0x00000000048F4000-memory.dmpFilesize
656KB
-
memory/4232-99-0x00000000048F0000-0x0000000004994000-memory.dmpFilesize
656KB