Analysis
-
max time kernel
123s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
01-07-2024 09:22
Static task
static1
Behavioral task
behavioral1
Sample
1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
-
Size
50KB
-
MD5
1ac047159ae15480b88b41f69e8d3ee5
-
SHA1
8ccdee24418081f2dcd1429ce7c4d4dba0d7e42f
-
SHA256
0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5
-
SHA512
d91ea298d8522f831281fdbf7c3da4189497acf0e859ad1a700c632590a9ee9604e11e8a92d11ea8ebb1898e4b206c3a81d92ff0a25c3aadad49a46fe7bebaea
-
SSDEEP
768:MkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:hkQJcqwmIfj+ECJG/kvO
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1320  wmimgmt.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid  process
840  1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
840  1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
process: reg.exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description: File opened (read-only)
ioc: \??\F:
process: wmimgmt.exe
-
Discovers systems in the same network 1 TTPs 4 IoCs
Processes:
pid   process
868   net.exe
1560  net.exe
2832  net.exe
876   net.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
Processes:
pid   process
688   NETSTAT.EXE
1480  NETSTAT.EXE
2792  ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
description                pid   process
Token: SeBackupPrivilege   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege  840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege  840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege  840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege  840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege  840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege  840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeDebugPrivilege    2552  tasklist.exe
Token: SeDebugPrivilege    688   NETSTAT.EXE
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeRestorePrivilege  1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
Token: SeBackupPrivilege   1320  wmimgmt.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process                                             target process
PID 840 wrote to memory of 1320   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe  wmimgmt.exe
PID 840 wrote to memory of 1320   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe  wmimgmt.exe
PID 840 wrote to memory of 1320   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe  wmimgmt.exe
PID 840 wrote to memory of 1320   840   1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe  wmimgmt.exe
PID 1320 wrote to memory of 2496  1320  wmimgmt.exe                                         cmd.exe
PID 1320 wrote to memory of 2496  1320  wmimgmt.exe                                         cmd.exe
PID 1320 wrote to memory of 2496  1320  wmimgmt.exe                                         cmd.exe
PID 1320 wrote to memory of 2496  1320  wmimgmt.exe                                         cmd.exe
PID 2496 wrote to memory of 2504  2496  cmd.exe                                             findstr.exe
PID 2496 wrote to memory of 2504  2496  cmd.exe                                             findstr.exe
PID 2496 wrote to memory of 2504  2496  cmd.exe                                             findstr.exe
PID 2496 wrote to memory of 2504  2496  cmd.exe                                             findstr.exe
PID 2496 wrote to memory of 2652  2496  cmd.exe                                             chcp.com
PID 2496 wrote to memory of 2652  2496  cmd.exe                                             chcp.com
PID 2496 wrote to memory of 2652  2496  cmd.exe                                             chcp.com
PID 2496 wrote to memory of 2652  2496  cmd.exe                                             chcp.com
PID 2496 wrote to memory of 2420  2496  cmd.exe                                             net.exe
PID 2496 wrote to memory of 2420  2496  cmd.exe                                             net.exe
PID 2496 wrote to memory of 2420  2496  cmd.exe                                             net.exe
PID 2496 wrote to memory of 2420  2496  cmd.exe                                             net.exe
PID 2420 wrote to memory of 2640  2420  net.exe                                             net1.exe
PID 2420 wrote to memory of 2640  2420  net.exe                                             net1.exe
PID 2420 wrote to memory of 2640  2420  net.exe                                             net1.exe
PID 2420 wrote to memory of 2640  2420  net.exe                                             net1.exe
PID 2496 wrote to memory of 2736  2496  cmd.exe                                             net.exe
PID 2496 wrote to memory of 2736  2496  cmd.exe                                             net.exe
PID 2496 wrote to memory of 2736  2496  cmd.exe                                             net.exe
PID 2496 wrote to memory of 2736  2496  cmd.exe                                             net.exe
PID 2736 wrote to memory of 2408  2736  net.exe                                             net1.exe
PID 2736 wrote to memory of 2408  2736  net.exe                                             net1.exe
PID 2736 wrote to memory of 2408  2736  net.exe                                             net1.exe
PID 2736 wrote to memory of 2408  2736  net.exe                                             net1.exe
PID 2496 wrote to memory of 2552  2496  cmd.exe                                             tasklist.exe
PID 2496 wrote to memory of 2552  2496  cmd.exe                                             tasklist.exe
PID 2496 wrote to memory of 2552  2496  cmd.exe                                             tasklist.exe
PID 2496 wrote to memory of 2552  2496  cmd.exe                                             tasklist.exe
PID 2496 wrote to memory of 2556  2496  cmd.exe                                             systeminfo.exe
PID 2496 wrote to memory of 2556  2496  cmd.exe                                             systeminfo.exe
PID 2496 wrote to memory of 2556  2496  cmd.exe                                             systeminfo.exe
PID 2496 wrote to memory of 2556  2496  cmd.exe                                             systeminfo.exe
PID 2496 wrote to memory of 2684  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2684  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2684  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2684  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2708  2496  cmd.exe                                             find.exe
PID 2496 wrote to memory of 2708  2496  cmd.exe                                             find.exe
PID 2496 wrote to memory of 2708  2496  cmd.exe                                             find.exe
PID 2496 wrote to memory of 2708  2496  cmd.exe                                             find.exe
PID 2496 wrote to memory of 2712  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2712  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2712  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2712  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2472  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2472  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2472  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2472  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2648  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2648  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2648  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 2648  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 1244  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 1244  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 1244  2496  cmd.exe                                             reg.exe
PID 2496 wrote to memory of 1244  2496  cmd.exe                                             reg.exe
Processes
Process tree (indentation shows parent/child depth; each entry lists the image path, the command line, and the signatures triggered by that process):

- C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Application Data\wmimgmt.exe
    command line: "C:\ProgramData\Application Data\wmimgmt.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      - C:\Windows\SysWOW64\chcp.com
        command line: chcp
      - C:\Windows\SysWOW64\net.exe
        command line: net user
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 user
      - C:\Windows\SysWOW64\net.exe
        command line: net localgroup administrators
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 localgroup administrators
      - C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\systeminfo.exe
        command line: systeminfo
        - Gathers system information
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      - C:\Windows\SysWOW64\find.exe
        command line: find "REG_"
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
        - Accesses Microsoft Outlook accounts
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
      - C:\Windows\SysWOW64\reg.exe
        command line: reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
      - C:\Windows\SysWOW64\net.exe
        command line: net user Admin
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 user Admin
      - C:\Windows\SysWOW64\net.exe
        command line: net user Admin /domain
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 user Admin /domain
      - C:\Windows\SysWOW64\net.exe
        command line: net group
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group
      - C:\Windows\SysWOW64\net.exe
        command line: net group /domain
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group /domain
      - C:\Windows\SysWOW64\net.exe
        command line: net group "domain admins"
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group "domain admins"
      - C:\Windows\SysWOW64\net.exe
        command line: net group "domain admins" /domain
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group "domain admins" /domain
      - C:\Windows\SysWOW64\net.exe
        command line: net group "domain computers"
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group "domain computers"
      - C:\Windows\SysWOW64\net.exe
        command line: net group "domain computers" /domain
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group "domain computers" /domain
      - C:\Windows\SysWOW64\net.exe
        command line: net group "domain controllers"
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group "domain controllers"
      - C:\Windows\SysWOW64\net.exe
        command line: net group "domain controllers" /domain
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 group "domain controllers" /domain
      - C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /all
        - Gathers network information
      - C:\Windows\SysWOW64\NETSTAT.EXE
        command line: netstat -ano
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\ARP.EXE
        command line: arp -a
      - C:\Windows\SysWOW64\NETSTAT.EXE
        command line: netstat -r
        - Gathers network information
        - C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          - C:\Windows\SysWOW64\ROUTE.EXE
            command line: C:\Windows\system32\route.exe print
      - C:\Windows\SysWOW64\net.exe
        command line: net start
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 start
      - C:\Windows\SysWOW64\net.exe
        command line: net use
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" echo n"
      - C:\Windows\SysWOW64\net.exe
        command line: net share
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 share
      - C:\Windows\SysWOW64\net.exe
        command line: net view /domain
        - Discovers systems in the same network
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      - C:\Windows\SysWOW64\find.exe
        command line: find /i /v "------"
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      - C:\Windows\SysWOW64\find.exe
        command line: find /i /v "domain"
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      - C:\Windows\SysWOW64\find.exe
        command line: find /i /v "¬A╛╣"
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      - C:\Windows\SysWOW64\find.exe
        command line: find /i /v "░⌡ªµª¿"
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      - C:\Windows\SysWOW64\find.exe
        command line: find /i /v "├ⁿ┴ε"
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      - C:\Windows\SysWOW64\find.exe
        command line: find /i /v "completed successfully"
      - C:\Windows\SysWOW64\net.exe
        command line: net view /domain:"WORKGROUP"
        - Discovers systems in the same network
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
      - C:\Windows\SysWOW64\find.exe
        command line: find "\\"
      - C:\Windows\SysWOW64\net.exe
        command line: net view \\BISMIZHX
        - Discovers systems in the same network
      - C:\Windows\SysWOW64\net.exe
        command line: net view \\BISMIZHX
        - Discovers systems in the same network
      - C:\Windows\SysWOW64\find.exe
        command line: find "Disk"
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 1 BISMIZHX
        - Runs ping.exe
      - C:\Windows\SysWOW64\findstr.exe
        command line: findstr /i "Pinging Reply Request Unknown"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
24.9MB
MD5
61497f4481d92cf6dac446edff9a5b70
SHA1
61106b5a70c88eb2ad3d0620ae874b2d24573ebb
SHA256
7435167e020c78cb45cbd2ddb67d9e44b46f96c42780bd7f86c1527e83d68f68
SHA512
59511cad2ad3affc3f809050233889edf7c9a8ed504a72793082fb336aac51cf0b802994d85b1deb3e2370c0b7e44156775afc9c1cec479878683340e07b1795
-
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
49B
MD5
3103966e5acefd242ce82692435208eb
SHA1
90a904725b2c6648e62b4f3fd0f86691bbfbce81
SHA256
1cea98800818eea5d1759a287e9fd9a92748d8df57494e59e4ca816968f91ff5
SHA512
6b12e75a27d700f1ce1e519d12712666f545ebfcb904daec694c9d937a4521d770a2723777651d6e50406e0509f799319df3b328475c52e012abdb2075da1656
-
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
6KB
MD5
b5f6f7bce10ae1725b81ec1ff4bd115e
SHA1
9e088d92dbe32181e8983432060265900deb5e53
SHA256
6077c080dfeff57bf2969197f9a8037dc71a615a35d17fa9f011ad4d3a991689
SHA512
848c43c910bc111483506f73f3f4b9c3d08e4cf9bd433fa98ca018cdc6fcc748dfe6b1d992fbc54050887aa3e2fb664a1ae2f5471ca6876b2732d488ce388b94
-
C:\Users\Admin\AppData\Local\Temp\drivers.p
Filesize
15B
MD5
4ff8e80638f36abd8fb131c19425317b
SHA1
358665afaf5f88dfebcdb7c56e963693c520c136
SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626
SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1
-
C:\Users\Admin\AppData\Local\Temp\ghi.bat
Filesize
4KB
MD5
b91bc08162fbc3445c5424b77183b807
SHA1
52b2a60db40cdcc655648a65210ed26219c033e1
SHA256
7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
SHA512
2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35
-
C:\Users\Admin\AppData\Local\Temp\ifd30E4.tmp
Filesize
427B
MD5
adcd7eca1c0a9cb88bb378ecfff7dc96
SHA1
74072ce3797e59d7b4726f22572d4cd7cb7a05e9
SHA256
f59d2d3053eaecffa1a2db314d3f49b55cf198f8e8d547858abeab011cae311a
SHA512
20875354bbb4aa31c62a62a05bd371151475d6a76c9008fb04c3c582b7fab6ed43e98f69bbcd21520dc94c2290a74ca09e836eb26a41bc8075f8633889ab5426
-
C:\Users\Admin\AppData\Local\Temp\s.log
Filesize
153B
MD5
b256c8a481b065860c2812e742f50250
SHA1
51ddf02764fb12d88822450e8a27f9deac85fe54
SHA256
b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12
SHA512
f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360
-
C:\Users\Admin\AppData\Local\Temp\s.log
Filesize
64B
MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
C:\Users\Admin\AppData\Local\Temp\t.log
Filesize
72B
MD5
59f2768506355d8bc50979f6d64ded26
SHA1
b2d315b3857bec8335c526a08d08d6a1b5f5c151
SHA256
7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569
SHA512
e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028
-
C:\Users\Admin\AppData\Local\Temp\workgrp.tmp
Filesize
234B
MD5
39c3461c18f16f6d33a1f59b1366f46e
SHA1
87cb4392a0786097183655fb14ccbd444692706b
SHA256
c487fc705469efcd45b67a72244d7daffed5bdf0145cab16797857c8e8fc0bd5
SHA512
c0faa6906d34cfe0bb04ad428d6c7fb8923f920b9c04e975be567fedd66ac969c653ffd85221f3f702eb878b5a0128c6484dda7a6b3c22ef383071739e9b60de
-
C:\Users\Public\Documents\Media\03CB4D33.db
Filesize
3.6MB
MD5
05a10f96393665d6a36f4376ce85dd4d
SHA1
3e483ac8b29f6de6599da695170e23d72551e39a
SHA256
c318e18d37c8c21b28c1b334715d3bcda51c35a83a9f82b2669f0c570cc5c049
SHA512
45fb88e90551c6ccc0e7bc5b8ddad0041ac771f73ba9efd9578e87b0af1283bea2c281b4539a411f86a05003616b42599c5e85ec0588a9be0536928f13b06676
-
C:\Users\Public\Documents\Media\03CB4D33.db
Filesize
64B
MD5
9253a4a7dfce7928b94334cd625600e7
SHA1
c0a5e46265d069026dd27db41c3808b32d86b224
SHA256
d5b56b4788cbb952938c4bd23ce70ce8d0152e86fb59b0cc37fd9827f4cdd554
SHA512
8b8f995af25c4956e82eb6e4ebafd7b2821309c4906fb4813591fadd95bdc64bf20998db1459cec02fa5035b3c6b1f0a0379d058d3d1da8e3438b2307fde4fa2
-
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\ProgramData\wmimgmt.exe
Filesize
50KB
MD5
1ac047159ae15480b88b41f69e8d3ee5
SHA1
8ccdee24418081f2dcd1429ce7c4d4dba0d7e42f
SHA256
0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5
SHA512
d91ea298d8522f831281fdbf7c3da4189497acf0e859ad1a700c632590a9ee9604e11e8a92d11ea8ebb1898e4b206c3a81d92ff0a25c3aadad49a46fe7bebaea
-
memory/840-0-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/840-10-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/1320-11-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/1320-141-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB