Analysis
max time kernel: 21s
max time network: 28s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2022 09:18
Static task: static1
Behavioral task: behavioral1
Sample: 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Resource: win7-20220812-en
Errors
General
Target: 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Size: 1.0MB
MD5: 14eddfae20b5b96a0fe968664e4153a7
SHA1: d98586ac233b15b7ab79014cf283ed600a73ca24
SHA256: 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0
SHA512: 0fe016993d3c44a232447338810c91f155ee1d8baa0d8490592809a6d83abc9a0c79aeb179a85015e7b87f715656e43a5a70ebf9b9481cbc287bf1bd113adc10
SSDEEP: 24576:98ZS4AgrKb/+t2JjVWrobBV1eF2M+EbjotgE3yo:98vAeq/iNEbBaFfotgE
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
victime
C2: aymano1.no-ip.biz:80
N7U2K68T58M6H2
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: explorer
install_file: explorer.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 29081992
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\explorer\\explorer.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\explorer\\explorer.exe" | server.exe
Executes dropped EXE (6 IoCs)
Processes: server.exe, server.exe, server.exe, server.exe, explorer.exe, PRIVAT~1.EXE
pid | process
1824 | server.exe
2528 | server.exe
2424 | server.exe
2320 | server.exe
4396 | explorer.exe
3628 | PRIVAT~1.EXE
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Processes: server.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}\StubPath = "C:\\Windows\\system32\\explorer\\explorer.exe Restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}\StubPath = "C:\\Windows\\system32\\explorer\\explorer.exe" | explorer.exe
Processes:
resource | yara_rule
behavioral2/memory/2528-143-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/2528-148-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/1932-151-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/1932-154-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/2528-156-0x00000000104F0000-0x0000000010555000-memory.dmp | upx
behavioral2/memory/2528-162-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral2/memory/2424-165-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral2/memory/2424-168-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE | upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE | upx
behavioral2/memory/3628-178-0x0000000000400000-0x00000000004BE000-memory.dmp | upx
behavioral2/memory/2424-180-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: server.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | server.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe, server.exe, server.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\explorer\\explorer.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\explorer\\explorer.exe" | server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Drops file in System32 directory (4 IoCs)
Processes: server.exe, server.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer\explorer.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\explorer\ | server.exe
File created | C:\Windows\SysWOW64\explorer\explorer.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\explorer\explorer.exe | server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
4064 | 4396 | WerFault.exe | explorer.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Modifies registry class (1 IoCs)
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | server.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: server.exe, server.exe
pid | process
2528 | server.exe
2528 | server.exe
2320 | server.exe
2320 | server.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: server.exe
pid | process
2424 | server.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: explorer.exe, server.exe, server.exe
description | pid | process
Token: SeBackupPrivilege | 1932 | explorer.exe
Token: SeRestorePrivilege | 1932 | explorer.exe
Token: SeBackupPrivilege | 2424 | server.exe
Token: SeRestorePrivilege | 2424 | server.exe
Token: SeDebugPrivilege | 2424 | server.exe
Token: SeDebugPrivilege | 2424 | server.exe
Token: SeShutdownPrivilege | 1824 | server.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: server.exe
pid | process
2528 | server.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: LogonUI.exe
pid | process
2376 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe, server.exe, server.exe
description | pid | process | target process
PID 544 wrote to memory of 1824 | 544 | 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe | server.exe
PID 544 wrote to memory of 1824 | 544 | 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe | server.exe
PID 544 wrote to memory of 1824 | 544 | 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe | server.exe
PID 1824 wrote to memory of 2528 | 1824 | server.exe | server.exe
PID 1824 wrote to memory of 2528 | 1824 | server.exe | server.exe
PID 1824 wrote to memory of 2528 | 1824 | server.exe | server.exe
PID 2528 wrote to memory of 2692 | 2528 | server.exe | Explorer.EXE
(the last row, server.exe PID 2528 writing into Explorer.EXE PID 2692, is repeated identically for every remaining entry of the 64-IoC list)
Processes
(process tree; the number is the nesting depth, followed by the image path, the command line, and the signatures matched by that process)

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
  2. C:\Users\Admin\AppData\Local\Temp\1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe"
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
       command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\explorer.exe
           command line: explorer.exe
           - Modifies Installed Components in the registry
           - Suspicious use of AdjustPrivilegeToken
        5. C:\Program Files\Internet Explorer\iexplore.exe
           command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        5. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
           command line: "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe"
           - Executes dropped EXE
           - Checks computer location settings
           - Drops file in System32 directory
           - Modifies registry class
           - Suspicious behavior: GetForegroundWindowSpam
           - Suspicious use of AdjustPrivilegeToken
          6. C:\Windows\SysWOW64\explorer\explorer.exe
             command line: "C:\Windows\system32\explorer\explorer.exe"
             - Executes dropped EXE
            7. C:\Windows\SysWOW64\WerFault.exe
               command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 576
               - Program crash
      4. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
    3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
       command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
       - Executes dropped EXE
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4396 -ip 4396
1. C:\Windows\system32\LogonUI.exe
   command line: "LogonUI.exe" /flags:0x4 /state0:0xa39d1055 /state1:0x41c64e6d
   - Modifies data under HKEY_USERS
   - Suspicious use of SetWindowsHookEx
Downloads