Analysis
-
max time kernel
124s
-
max time network
128s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
-
submitted
01-07-2024 09:22
Static task
static1
Behavioral task
behavioral1
Sample
1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
-
Size
50KB
-
MD5
1ac047159ae15480b88b41f69e8d3ee5
-
SHA1
8ccdee24418081f2dcd1429ce7c4d4dba0d7e42f
-
SHA256
0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5
-
SHA512
d91ea298d8522f831281fdbf7c3da4189497acf0e859ad1a700c632590a9ee9604e11e8a92d11ea8ebb1898e4b206c3a81d92ff0a25c3aadad49a46fe7bebaea
-
SSDEEP
768:MkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:hkQJcqwmIfj+ECJG/kvO
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 1 IoCs
Processes:
wmimgmt.exe (pid 60)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (process: reg.exe)
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only): \??\F: (process: wmimgmt.exe)
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXE (pid 3792), ipconfig.exe (pid 224), NETSTAT.EXE (pid 4828)
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\ProgramData\Application Data\wmimgmt.exe
    "C:\ProgramData\Application Data\wmimgmt.exe"
    Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
      - C:\Windows\SysWOW64\chcp.com
        chcp
      - C:\Windows\SysWOW64\net.exe
        net user
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user
      - C:\Windows\SysWOW64\net.exe
        net localgroup administrators
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators
      - C:\Windows\SysWOW64\tasklist.exe
        tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\systeminfo.exe
        systeminfo
        Signatures: Gathers system information
      - C:\Windows\SysWOW64\reg.exe
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
      - C:\Windows\SysWOW64\find.exe
        find "REG_"
      - C:\Windows\SysWOW64\reg.exe
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office
      - C:\Windows\SysWOW64\reg.exe
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe
        reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
      - C:\Windows\SysWOW64\reg.exe
        reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
        Signatures: Accesses Microsoft Outlook accounts
      - C:\Windows\SysWOW64\reg.exe
        reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
      - C:\Windows\SysWOW64\reg.exe
        reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
      - C:\Windows\SysWOW64\net.exe
        net user Admin
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin
      - C:\Windows\SysWOW64\net.exe
        net user Admin /domain
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin /domain
      - C:\Windows\SysWOW64\net.exe
        net group
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group
      - C:\Windows\SysWOW64\net.exe
        net group /domain
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group /domain
      - C:\Windows\SysWOW64\net.exe
        net group "domain admins"
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group "domain admins"
      - C:\Windows\SysWOW64\net.exe
        net group "domain admins" /domain
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group "domain admins" /domain
      - C:\Windows\SysWOW64\net.exe
        net group "domain computers"
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group "domain computers"
      - C:\Windows\SysWOW64\net.exe
        net group "domain computers" /domain
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group "domain computers" /domain
      - C:\Windows\SysWOW64\net.exe
        net group "domain controllers"
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group "domain controllers"
      - C:\Windows\SysWOW64\net.exe
        net group "domain controllers" /domain
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 group "domain controllers" /domain
      - C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /all
        Signatures: Gathers network information
      - C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -ano
        Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\ARP.EXE
        arp -a
      - C:\Windows\SysWOW64\NETSTAT.EXE
        netstat -r
        Signatures: Gathers network information
        - C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          - C:\Windows\SysWOW64\ROUTE.EXE
            C:\Windows\system32\route.exe print
      - C:\Windows\SysWOW64\net.exe
        net start
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start
      - C:\Windows\SysWOW64\net.exe
        net use
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo n"
      - C:\Windows\SysWOW64\net.exe
        net share
        - C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 share
      - C:\Windows\SysWOW64\net.exe
        net view /domain
        Signatures: Discovers systems in the same network
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      - C:\Windows\SysWOW64\find.exe
        find /i /v "------"
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      - C:\Windows\SysWOW64\find.exe
        find /i /v "domain"
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      - C:\Windows\SysWOW64\find.exe
        find /i /v "¬A╛╣"
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      - C:\Windows\SysWOW64\find.exe
        find /i /v "░⌡ªµª¿"
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      - C:\Windows\SysWOW64\find.exe
        find /i /v "├ⁿ┴ε"
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
      - C:\Windows\SysWOW64\find.exe
        find /i /v "completed successfully"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
- C:\Windows\System32\sihclient.exe
  C:\Windows\System32\sihclient.exe /cv a7vBfw4tfkCMdwsUnG2r0A.0.2
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\Application Data\wmimgmt.exe
Filesize
50KB
-
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
49B
-
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
12KB
-
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
37.6MB
-
C:\Users\Admin\AppData\Local\Temp\L4SD\1D8E3D68.db
Filesize
231B
-
C:\Users\Admin\AppData\Local\Temp\drivers.p
Filesize
15B
-
C:\Users\Admin\AppData\Local\Temp\ghi.bat
Filesize
4KB
-
C:\Users\Public\Documents\Media\1D8E3D68.db
Filesize
64B
-
\??\PIPE\lsarpc
-
memory/60-83-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/348-0-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB
-
memory/348-7-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize
92KB