Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2024 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe
Size: 904KB
MD5: ea8c4603d1adfb55acdd4375d22d51c3
SHA1: a7fe6b585b5aabd9356bcdf0261a8d4899382622
SHA256: 4f4bbd221400dfda9212f322c02953131d9fc3be871d5cc6b66a9b7d36e9ca26
SHA512: 2bea7a53d2831dcc02c121194fe42d19f8763f24626702f8d15e0166d6c30253884e1b7d4132da6eb6d9fc6d2d61d69d1f89d69682b3215e7c7f9a7244231394
SSDEEP: 12288:8iSC/HR9+JuJCyuclzQteK71R3ozUCrqhnilrVVRkC4GEzUjyfTEfrC1LZRel:FZ5xW3YBwyFknAyferC1L
Malware Config
Extracted
cybergate v1.07.5
remote:
  piratiava.no-ip.biz:81
  127.0.0.1:81
  127.0.0.1:999
  cybergatehacking.zapto.org:81
R8MVY7H646N8M8
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | server.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: server.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{LCQ80I27-R84C-4031-6GU3-3G73W170PCRT} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{LCQ80I27-R84C-4031-6GU3-3G73W170PCRT}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{LCQ80I27-R84C-4031-6GU3-3G73W170PCRT} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{LCQ80I27-R84C-4031-6GU3-3G73W170PCRT}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | explorer.exe
Executes dropped EXE 4 IoCs
Processes: server.exe, server.exe, Facebook Hack v1.0 - Hackersworld 2011.exe, server.exe
pid | process
2220 | server.exe
1188 | server.exe
800 | Facebook Hack v1.0 - Hackersworld 2011.exe
2420 | server.exe
Loads dropped DLL 5 IoCs
Processes: server.exe, server.exe
pid | process
2220 | server.exe
1188 | server.exe
1188 | server.exe
1188 | server.exe
1188 | server.exe
Processes:
resource | yara_rule
behavioral1/memory/2720-536-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/1188-839-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral1/memory/2720-873-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/1188-2025-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes: server.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | server.exe
Drops file in System32 directory 4 IoCs
Processes: server.exe, server.exe
description | ioc | process
File created | C:\Windows\SysWOW64\install\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\install\ | server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: server.exe
pid | process
2220 | server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: server.exe
pid | process
1188 | server.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: explorer.exe, server.exe
description | pid | process
Token: SeBackupPrivilege | 2720 | explorer.exe
Token: SeRestorePrivilege | 2720 | explorer.exe
Token: SeBackupPrivilege | 1188 | server.exe
Token: SeRestorePrivilege | 1188 | server.exe
Token: SeDebugPrivilege | 1188 | server.exe
Token: SeDebugPrivilege | 1188 | server.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: server.exe
pid | process
2220 | server.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe, server.exe
description | pid | process | target process
PID 2808 wrote to memory of 2220 | 2808 | ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe | server.exe
PID 2808 wrote to memory of 2220 | 2808 | ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe | server.exe
PID 2808 wrote to memory of 2220 | 2808 | ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe | server.exe
PID 2808 wrote to memory of 2220 | 2808 | ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe | server.exe
PID 2220 wrote to memory of 1396 | 2220 | server.exe | Explorer.EXE
(the last row is identical for each of the remaining 60 IoCs: server.exe, PID 2220, writing into Explorer.EXE, PID 1396)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1396
  C:\Users\Admin\AppData\Local\Temp\ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ea8c4603d1adfb55acdd4375d22d51c3_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2808
    C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2220
      C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        - Modifies Installed Components in the registry
        - Suspicious use of AdjustPrivilegeToken
        PID: 2720
      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 1648
      C:\Users\Admin\AppData\Local\Temp\server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        PID: 1188
        C:\Users\Admin\AppData\Local\Temp\Facebook Hack v1.0 - Hackersworld 2011.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Facebook Hack v1.0 - Hackersworld 2011.exe"
          - Executes dropped EXE
          PID: 800
        C:\Windows\SysWOW64\install\server.exe
          Command line: "C:\Windows\system32\install\server.exe"
          - Executes dropped EXE
          PID: 2420
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 521KB
  MD5: b05681d52dd61e255b735ded4d0bd155
  SHA1: 33bb64fae2d5e0b90c0341504e731d9f24d035f8
  SHA256: 3ac364f98ddb278debe624d2ae9dd3b83d0aef6e49a62db5a2ce43358571ce1f
  SHA512: 89f9c2bbe69e4471a701a8b0ad67113b84d7724d97d3edfee7f90f4e8e78318d4ab4cda5cbae54cbaa70bfe7edb29ce3de2bcf996d39c5afdcd0afdf5b1068d3

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 6275c3f079c6085e3dfbaa1151ac2e64
  SHA1: a7370408ff3f2c4dfbfe462eade63022118ff798
  SHA256: 7049eba4eb5f80d7c63f414b2278444075e1577d519782e131048e1f5b722270
  SHA512: 6866911c664a8b93f284ea5f9fd26a6500f3c4c856149a0768e7febb489484757ddb1a8ad61cf1d471431d066fca611a5e86782f22f6de8a84a4e488d1ca8fc4

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 9e2017215b0c40589c21f81223abae24
  SHA1: e6a2efa04d43e4d496b2ecb565746bd71402d92a
  SHA256: 26d7583d6651a90049e13d97f44985502afb361e00d08ab7206f53724834feb8
  SHA512: 71cb0b11bb67e3a3c51974fff1c5ce3caf5f783cbdc13669dbb2d22825c973931ee41b51c0ff87a6ecb523a11da7909f6153595c30edefa98e790a8a35a3dfde

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e05aadbbcb64304389e23a81a3249758
  SHA1: 823cebdef388c88489b5cf6585181fc590fda922
  SHA256: 48b4d27649282abc25a8030bfc291d1def6d31725a9da5dbd91b5aa12c079b2e
  SHA512: 0179b79fdf8f31959077cc0dfb5aef4a2f12a798ec9341b47435184d818d9d6b8453888fbcab2114dc0fa02082c2210a1d3519a0d0987678f925ab4476f1e45a

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: c3fa070645b4047a9e293ebb3dcaa252
  SHA1: 60d519d493cd3827ab8a0c35b9d9bd36db111d2a
  SHA256: eb2907fbf189227b72887ca30ba3f8d08fa5ed2cfdd93db86cc0a4bd7bcb018f
  SHA512: 2f64e611eeaaecfc919993cbe64c81a82d55129ff4befacec47e892191364bbdc1eea104b7585f5ec5fc906b13ae67f421863f63f77122f582c62157e4ce8c73

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 2d222e8a51d95f4fb6e75e6069c213b5
  SHA1: 4d723fe8405b36f6baa8694f6804ec24ea05d9ca
  SHA256: af1523150926820ac03cadf95991dc7515db77e201154a91ed33c7ee0184f608
  SHA512: ea62f80f463adfd1f8c561ffacbb1d90a0145e0e0e9a2908a0362478b87942634a8b916da804c106cde1468d18c07042779bb37f313fd42f7cfb903138a59cc1

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: fb93a5cbe2c1cdd2a4942269d15684a1
  SHA1: 51463225775a7c04057a5f4f130f6ebf09d68de5
  SHA256: 2dbad7849e3860d9b1924786be3f0313b7a9876d7a28d903501817a087a836eb
  SHA512: 4fbba7cde652fac56e747b5aa5d93e61ad5f4ded341c9d1589a85c3ecf149e8d04d33b5d42d5c4ee3d0779ffbb7501152e23f9f824be2e97469349667160fe7d

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 0608b216a92ff815931e1bdd690a8a1b
  SHA1: 9eee1dbac01612791bde096d5861d99bc1ac5b78
  SHA256: bb9cdab74beaabe929278e4accd090c385ebb99d344a67f8f7993fdce0dc3116
  SHA512: 7a08e368a1562bc30f43f139b188860f7c689653d5dbafb675e811bd1e57ed3458bb2b0bba990a5c1989d8d3dc1aac107d2c201834cc169ed23f54548d84eb83

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5c0fa3141f730cc9df5b2817102eb7a4
  SHA1: f988752105a39dbc190f853f37bb8a3fef2e202a
  SHA256: 4e173ab00eda6762a949adab5d6b4caa699c6777357fc870e7f2671cedd1ea05
  SHA512: bad74ee5748fea222857c1a43e6a83c4ed290d0b8ec3a4364d02b54663ee20d78ecb210a41d6bb7d62dcf4ce161558ca12cb8403c98b6bf1e0251076c680efc2

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 868bf8079f734cab4515025fc0d43904
  SHA1: db210b2bfa971ec4417369ddac306462991c3344
  SHA256: d5f1eb82e9383ac09944c3b9d82ff86f1d9a4ffd56232d436098652f5ac20b67
  SHA512: 1206dbb2bb982d955e78a2353d602411e3f40a4fe94988894b056cc531a6d8deb295ceb160407e98e776ec46128b7c7d39947b10fc0edb143d3d12039de7b6c6

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: d9f78af83bce63606d35fd791f4fc208
  SHA1: 06bacebfb6a6dbb94a9c1bef1df5d9715bf0f21d
  SHA256: 838ba387d7ab6cce5ea2a1c22d4aa8c21934cb8a75538d47d4f1d003dbb643ef
  SHA512: e53b8d61332e3ff5410bff645f6d31bfa3952228fb8c0b4686553f51adc0e61be4409101d248395d35c626e6bc9626dbce7e67868a838406f4bd4bd9cef4ab41

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e47b2b3d1a66de09dd14b392e695ddaf
  SHA1: cdd82a9ae42a27f50c5410c58cba81b4794ad78a
  SHA256: 6ee223c14a248676ee7a469668f54e980027c22c27287fdb773770e967f97014
  SHA512: 9ff39bdabd5ae9a1feadd3d96489e5c39047ca274f5b5b623a7dde9bfe08236199301f9259be254d3d2a65bf47ba317139b152bb429988939ecccce4ebb55ca5

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 78ee129bfde5921e935aa36ce2973ffd
  SHA1: cc90827e6f24088285e699afc8a5d63e79eebf42
  SHA256: d41275b7156667c6c31d362ff95e72a698dc34a95a747e91ca17672fa1ffa7af
  SHA512: 20195d3c078142bf85f387a4eeaccb4a023d9c171d219f9d1a88ef2b2f3c5a6ef07f00285445d2ec7e5783732037dbe3cf142e7dc7aee10151b8ac6ea2f948aa

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: d7796804662c10d036a80db1942515f3
  SHA1: ecc958acb5c628e269400103267c58e669206e31
  SHA256: 0dbe5c790c3552e4dc85e19ff1c328d7cd8d777176ae52a0502712fff50e7947
  SHA512: 3e111d6964312359295181d9099d37055187423b8688ca715aadc89f83b5556975efa72ebf8ec0af6f4b6adc7b3816d68adb998787764e925765e13e3e573ecb

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 603cdfced8e3562d7c9a81d0d72828dd
  SHA1: b2c15b0ab6e14dff977dbc80610904f00163de6a
  SHA256: 82a6200424d506d056912bf7729282aa476c8869f53e55602b40836c3a820b4f
  SHA512: 68ad3e9663977ba21bc65773d104c7395dc3085ac7ae354029951f9fd41c3241880905e096643aa688e1c3da9b7bbfc8c901fbae0e95eb41bb866e6047dde5e7

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: b46f357310d6ae27c2d2de491b160ad3
  SHA1: 80117e3aac537a376a5737d20e44295d124f0610
  SHA256: 51bac0a63bb2d5c7b2cff49859fd232f81eace84d9a56cb11ef8e3589333342d
  SHA512: 38aacfe3ca66755a84a8fccf6ba7aea73c3e2fd4c0482b8ac038d648bb700264ed335131e5c173421d806d6192fd3983d0fe9040b4e74c3e56e174e165978ead

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4ceba4472af5636346fdd867dabc8dfe
  SHA1: 15f0beabeda6b7d9c79d0522b630925bd0b0327c
  SHA256: 80dc8a77555a676b534a8410374c0d475050799c7e86c6f727136f22ef566c96
  SHA512: 7be0fd9f33267aaff3d0495a91bca81e525b2dc6dd4dd4eb6bee943323a778664bebe52bf75000921edeb681e232c69f655c98dfde5e2ab4fdd5566bccead5af

C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: f95be58e9adb4fc4e1cf8e2bcf90ae21
  SHA1: caba2efafc4fd9e89cf16c09f24aebe0cf135ca6
  SHA256: bba518ac1e1a26dceddf005c408cf72d944c82148fe26a72f8c5f50eab71d107
  SHA512: 9eccce44784736ef1e598f0e0b124b8d0eeadeffdd1f7f46eacb500187193d3fa7eea27c021f3a0995e45ae2013d7812daba7cb543081f63a65bfe9a31c64079

C:\Users\Admin\AppData\Local\Temp\Facebook Hack v1.0 - Hackersworld 2011.exe
  Filesize: 296KB
  MD5: 64481ef51b2e4ef8b60ef509331c26e4
  SHA1: 64012a43b9f78509562ff587562b8c2f3764e545
  SHA256: c18093af5bffdf7216cb897a712644d3960ed166ee48c9235eb9053d21714235
  SHA512: 47600ff236869efffffe5379afbcc757514039e4bd9961cd70c55f13a390e5a28e81a7db095baa0f6155fcda32ac7d400ac4f58de3091d21c486b5084d4f8013

C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 593KB
  MD5: e897e941392b15de8a01a848aa24b7c3
  SHA1: 7dea6923f980f921674648a9b1f0ff667bdcc223
  SHA256: 7e4176debfec3f1f3f0b3171c28c8a40eb20df242165e72abcb282f8656723d1
  SHA512: 2318a5e3c1310e129a877b6e801913a1b3b2ae8a9805bf7345236a62d5220f4272c1fd4e8e75fbd5f0f6a6025bdfa8867580f2757f7d1f3fc3435419dcb07687

C:\Users\Admin\AppData\Roaming\Adminlog.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/1188-839-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB

memory/1188-2025-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB

memory/1396-14-0x0000000002A40000-0x0000000002A41000-memory.dmp
  Filesize: 4KB

memory/2720-536-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB

memory/2720-259-0x00000000000A0000-0x00000000000A1000-memory.dmp
  Filesize: 4KB

memory/2720-261-0x0000000000170000-0x0000000000171000-memory.dmp
  Filesize: 4KB

memory/2720-873-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB

memory/2808-8-0x00000000021F0000-0x0000000002270000-memory.dmp
  Filesize: 512KB

memory/2808-9-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp
  Filesize: 9.6MB

memory/2808-3-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp
  Filesize: 9.6MB