Analysis
-
max time kernel
121s
-
max time network
119s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
04-07-2024 20:46
Static task
static1
Behavioral task
behavioral1
Sample
2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
-
Size
769KB
-
MD5
2626e3ceb0a5959eb1a4eafe724234ad
-
SHA1
60410283e2430c9667e2d3c58da0f94ed4dd9bb3
-
SHA256
7c3b108ec6887eea992b1883c8640a8f42aa5826eeceb3336982b879ed350077
-
SHA512
022434bdc0b4c039d4cdd11da7d8a14ad9612d13f22f4ded3e5191f0734421cb052e9c7f16434b229cacad6133b5ba397e6c5e08c1bb285f02e78c8327c20ac5
-
SSDEEP
12288:g72bnuJ2372bnuJ2K72bnuJ2372bnuJ24D:g72zV72zQ72zV72zO
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
-
Adds policy Run key to start application 2 TTPs 6 IoCs
Processes: WScript.exe, WScript.exe, WScript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKULBIBU = "W_X_C.bat" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKULBIBU = "W_X_C.bat" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HKULBIBU = "W_X_C.bat" | WScript.exe
-
Executes dropped EXE 6 IoCs
Processes: avscan.exe, avscan.exe, hosts.exe, hosts.exe, avscan.exe, hosts.exe
pid | process
2632 | avscan.exe
2724 | avscan.exe
2576 | hosts.exe
2480 | hosts.exe
1840 | avscan.exe
2476 | hosts.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
Processes: REG.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | REG.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | REG.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | REG.exe
-
Loads dropped DLL 5 IoCs
Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
pid | process
2200 | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2200 | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2632 | avscan.exe
2576 | hosts.exe
2576 | hosts.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe
-
Drops file in Windows directory 5 IoCs
Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, hosts.exe
description | ioc | process
File opened for modification | C:\Windows\hosts.exe | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
File opened for modification | C:\Windows\hosts.exe | avscan.exe
File opened for modification | C:\Windows\hosts.exe | hosts.exe
File created | C:\windows\W_X_C.vbs | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
File created | \??\c:\windows\W_X_C.bat | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 9 IoCs
Processes: REG.exe (9 instances)
pid | process
1540 | REG.exe
2536 | REG.exe
1920 | REG.exe
2996 | REG.exe
1252 | REG.exe
2524 | REG.exe
3000 | REG.exe
976 | REG.exe
2268 | REG.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: avscan.exe, hosts.exe
pid | process
2632 | avscan.exe
2576 | hosts.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe, avscan.exe, avscan.exe, hosts.exe, hosts.exe, avscan.exe, hosts.exe
pid | process
2200 | 2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
2632 | avscan.exe
2724 | avscan.exe
2576 | hosts.exe
2480 | hosts.exe
1840 | avscan.exe
2476 | hosts.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2626e3ceb0a5959eb1a4eafe724234ad_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Impair Defenses: Safe Mode Boot
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
5⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\hosts.exe
C:\windows\hosts.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
6⤵
- Adds policy Run key to start application
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
1.6MB
-
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
2.3MB
-
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
3.1MB
-
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
3.8MB
-
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
4.6MB
-
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
5.3MB
-
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
6.1MB
-
C:\Windows\W_X_C.vbs
Filesize
195B
-
C:\Windows\hosts.exe
Filesize
769KB
-
\??\c:\windows\W_X_C.bat
Filesize
336B
-
\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
769KB
-
memory/2556-61-0x0000000002500000-0x0000000002600000-memory.dmp
Filesize
1024KB