Analysis Overview
SHA256
113c36cccdb69a23e50d48c308608448ec2f909e2e49744625fddce58fea8455
Threat Level: Likely malicious
The file 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Deletes itself
Loads dropped DLL
Modifies file permissions
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 01:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 01:14
Reported
2024-08-13 01:16
Platform
win7-20240704-en
Max time kernel
47s
Max time network
40s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\rasapi32.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mshtml.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsound.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iphlpapi.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ghiijk.llm | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ghiijk.llm | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\iphlpapi.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\rasapi32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshtml.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\mshtml.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\dsound.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\dsound.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
Network
| Country | Destination | Domain | Proto |
| CN | 183.60.201.90:555 | | tcp |
| CN | 183.60.201.90:555 | | tcp |
Files
\Windows\SysWOW64\iphlpapi.dll
C:\Windows\SysWOW64\ghiijk.llm
C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 01:14
Reported
2024-08-13 01:16
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
141s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\iphlpapi.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\smvmbo.ltk | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\smvmbo.ltk | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rasapi32.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mshtml.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsound.dll | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\iphlpapi.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\rasapi32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshtml.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\mshtml.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\dsound.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\dsound.dll /grant administrators:F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| CN | 183.60.201.90:555 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\iphlpapi.dll.temp
C:\Windows\SysWOW64\smvmbo.ltk
C:\Users\Admin\AppData\Local\Temp\rasapi32.dll.temp
C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat