Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 17:35
Static task: static1
Behavioral task: behavioral1
- Sample: f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
- Size: 530KB
- MD5: f6502fe2f8d492436051cff7a249b961
- SHA1: 7d0ef66098f863ce44e277348e64938c5bbfefd6
- SHA256: 5623a900a9d242177a0b737deb794982eb2c37d09dc1c4c9f0af76b20a0657b9
- SHA512: e9b2bf646f325a57f5d5ab026765b481baf56013f4591581d1d88bfd9dba709f128f80af07b276e42c87d0fb470627631a02350e42e117a40ba424b8f4b41c44
- SSDEEP: 12288:9X8PGfk+V8Lr47O8kZD3HTVARkgt0tAsCQLWGYLL:ZSj+W4hgLBARkgOCQML
Malware Config
Extracted
- family: cybergate
- version: v1.07.5
- Cyber
- proxpn12345.no-ip.org:81
- VUSR8B1F522210
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: Testing.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | Testing.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Testing.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | Testing.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Testing.exe
- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  Processes: explorer.exe, Testing.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | explorer.exe
  - Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | Testing.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | Testing.exe
  - Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4J2O667-TI35-4EG5-0I43-PX0N61H6ILIV} | explorer.exe
- Executes dropped EXE (3 IoCs)
  Processes: Testing.exe, Testing.exe, server.exe
  pid | process
  - 2052 | Testing.exe
  - 980 | Testing.exe
  - 3004 | server.exe
- Loads dropped DLL (5 IoCs)
  Processes: f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe, Testing.exe, Testing.exe
  pid | process
  - 2168 | f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
  - 2168 | f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
  - 2052 | Testing.exe
  - 980 | Testing.exe
  - 980 | Testing.exe
- YARA rule matches (upx)
  resource | yara_rule
  - behavioral1/memory/2944-539-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  - behavioral1/memory/980-848-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
  - behavioral1/memory/2944-869-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  - behavioral1/memory/980-1650-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Testing.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | Testing.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | Testing.exe
- Drops file in System32 directory (4 IoCs)
  Processes: Testing.exe, Testing.exe
  description | ioc | process
  - File created | C:\Windows\SysWOW64\install\server.exe | Testing.exe
  - File opened for modification | C:\Windows\SysWOW64\install\server.exe | Testing.exe
  - File opened for modification | C:\Windows\SysWOW64\install\server.exe | Testing.exe
  - File opened for modification | C:\Windows\SysWOW64\install\ | Testing.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: Testing.exe
  pid | process
  - 2052 | Testing.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Testing.exe
  pid | process
  - 980 | Testing.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe, explorer.exe, Testing.exe
  description | pid | process
  - Token: SeDebugPrivilege | 2168 | f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe
  - Token: SeBackupPrivilege | 2944 | explorer.exe
  - Token: SeRestorePrivilege | 2944 | explorer.exe
  - Token: SeBackupPrivilege | 980 | Testing.exe
  - Token: SeRestorePrivilege | 980 | Testing.exe
  - Token: SeDebugPrivilege | 980 | Testing.exe
  - Token: SeDebugPrivilege | 980 | Testing.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: Testing.exe
  pid | process
  - 2052 | Testing.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe, Testing.exe
  description | pid | process | target process
  - PID 2168 wrote to memory of 2052 | 2168 | f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe | Testing.exe (4 identical rows)
  - PID 2052 wrote to memory of 1176 | 2052 | Testing.exe | Explorer.EXE (the remaining 60 of the 64 rows, all identical)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\f6502fe2f8d492436051cff7a249b961_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Testing.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Testing.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (depth 4)
        command line: explorer.exe
        - Modifies Installed Components in the registry
        - Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Internet Explorer\iexplore.exe (depth 4)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Local\Temp\Testing.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\Testing.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\install\server.exe (depth 5)
          command line: "C:\Windows\system32\install\server.exe"
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: 246a200ee8db2230455750e6becb3f2a
  SHA1: 547ef76d3eeef614a8a37baf03e462af21129fe6
  SHA256: d719faea7ed8f1680e914b1ba2c5ed22962523ab3053f0bdc7a087d04c04d16d
  SHA512: 70f3b7b4536fbfa5d40c904ebe40ac52ffad918301c0303afd5757d98a3c0a8133d36733136e6e883113cd3d10b75f536261368cc930ed62e2e05c19ff624136
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: a932e66a9e3b430908bea627fa69d8a3
  SHA1: 415fb98f398d7f8d2fd2283a91aee6054c3aed30
  SHA256: 4e21765d18aab245aef29236c7b6e3a9e31a5d6aaa4864b033e97926669b610e
  SHA512: 1be493d84bcc733fc91b20924ae62a75bebf6b12c572e1b45bceed0692514239d7527a802072947c57967d22274b779da481cbe922f4582abbf10fe2218805c4
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 60e6b3d9586d7295b89e7e61c57d0497
  SHA1: 3b6bbf6db8a56fc9c51596a1a51cab95cb086782
  SHA256: 4632860f639e9d4dc91c0555b5a0d0106e911a35ad10e36c3bc21ac9e5c1130a
  SHA512: 8320ed70c399478cdab465677ec02566460e868219da0c1e2c27f7c4d344be6711770fa32481afef32682a63a3af69fc8eb519fc8e767a8e73b77515288b15c3
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 40eaf928d0369e0f29092423510c29a9
  SHA1: 6d9e259b8f1c7b92a24ec24b1ee884fb53493019
  SHA256: b1af80668cd7aebc9bed8dbe590232fc7c89f733b0b73e8c62b4810de9e63663
  SHA512: d90f64dea676f994498ad9054539d3e3ce6ba49951f139cc4e245a44f403202af66b43cb8fcb9e5fc6120eb4376b41a6d13aa63f46c2c90da382b21271e3115f
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: ee0cc6eb4643a60c2367e4ed157a1a2d
  SHA1: 1a08792d51482751ed5c4c422059dcce70fc7c65
  SHA256: aaecad526247b5444f5baf7421fa611b47413d5c4ae28523e6cd2cdbbd42c62e
  SHA512: e599d305aafd7833ee67d5fdb4214d1d5706825a1f942e829b7ad540a64aa5c46a160ee7bb7f750b791675752b990f34a1d0b84be3f93c86a5d09a0db1ee216a
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: d7ea396d39fa7d9941f542dfa72b738e
  SHA1: 6adea0e35b6831b9bf16cc67ef90e6b57061c8fa
  SHA256: 6d7a127e5b9789ebefce5470188b83cb977f2914306637efe077311625708a82
  SHA512: def6b1473b8883f7ffebdf60f669a6cc6737c5099b1fcbabe219221616af3cdd3d45181f0f42e7ef87cc2fac6227828225edbfa9302ba89b8cd77c016a86112e
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 471ad42abf8c756e1acb3fee0fbcd915
  SHA1: bd3da7ec30399779d9f8bd3ac899d9000e4ab313
  SHA256: 52d83c569a6dd0dc03b08de57d5adb48bd9411296b815ac792ee761e543d3a53
  SHA512: 60cb9f3037a1c95edb30025d8a50af657dc3b283cceed6ac5e0fc0981e418e4840c075126dd1594f06905646615a37c9a873d6079b86a14c81ae6f76cb4687e9
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e63eb29dd2e3d73ef79256d3c4937cac
  SHA1: bfe62e9ada9ec19d6a2ff2c2d528e93ca0c6595a
  SHA256: 9fd33fd0c2dc0476e8fdb94b7853433fcde0e27b8998e84eedb73bb549424f83
  SHA512: 9d513ae48bea3e419ef3f14569f01a49369af4ec75198b295d933452387a73045a9e7ef38d2e07ecb303be331246a508d3eaadad88007e534ce286870a38b91a
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 1cf8aa6624b5234bb3916b0f8b4f0971
  SHA1: 9f4aeea3fed663a3ff678b6811d6f898eebffd87
  SHA256: b026255540770d8ec70fb7f85c736b49dd3efdede9aa6790bd104b74c20c80d5
  SHA512: 541600641ccc139de8c1b24bb5aa75758aad82ad20354532b3997baf457f162ed6732f9e194c36281d28ffd13998ac1999ecb1b796ce2f94ae30c596191a2144
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5a9b5e1b6afd48e45a9daa96cf816580
  SHA1: d7bc516473b6d777dee841e8671f0d2a116b386c
  SHA256: 4c908b07a2a36acb500de253d80dd70fa9d483266d698bd84e458c316d200dbf
  SHA512: 9822da645112fc79cb4c03ca12fbbe58e55f11f56275496bb977cedbe02e38efd8631c881834f3b1dc4a0a0bf4f886a08211c4a06ef08150df6252b9dc708e68
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4be75c847a0488208738ddb1e17b6381
  SHA1: f79f3df86a6581b93891c9ed29b4360548a1199a
  SHA256: 1dd6b93a12db99bdf685470e97f6b4f3d3e1638f7b71f35f2793315a55d499ba
  SHA512: 094b4b37eb44fec1eaeb1e043beb9e5dd0db1fbf7e9fb98a5f0662a8d83bc92abba948ca0e71a3461d15ccc3dd02199d094eb3cb8bd54419515a6d0b0db93b3c
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5f7b9675433fa983fd1baf5db5219ca2
  SHA1: d9f4e9b376a78c179b639ca595ec7d4314fa01b0
  SHA256: 84093636a666012d803756375105e6e8f0b13fde779f4e12d5acc3a4f83adb56
  SHA512: 7eca92416d2949dc47d06340e3a484fe0c68ec87db5d38180c6b99684bb6a6dc7897bdae25bdb799a38f076ffcc8f369cb99c09554ef38421385360a63ce93a4
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 8b06bc695616e6daa2f917a15f283151
  SHA1: 02372e1208fd332a94ed445d9cbffcde2da08f86
  SHA256: d1d598eafee3b9170270fae0bd9ceaaeef943b1f1c8a6e7fd62ba6806f45cbaa
  SHA512: bd35bfb9860e41192280a02c74734d8756f3a2f51a22795eb32f22e19e2f69c8abe919426c4fbff1049f5f22b3b62fb02499179db10d4bb75cd9329fb6e406a5
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: be3b8886f20ea6a3175bd69b9577c6f6
  SHA1: 3f3ac37053eb310e4e79c0f7446d517a6b13f26d
  SHA256: 0b615216435a5130666646ada3189640df623419ddbf10f5b1acddf3a139ff24
  SHA512: c0a451d993adf4d8b7e715531c947286fcc8463b74c8fa635d94fb80a3e00578ebe067729000ce7457985d6359a1123a77a6b4d9eea8979560f2788669d620ee
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: b0838df9e181885aea7c6ed6d249f4cc
  SHA1: cfee3e54cc68f47928db5ad37b391ec8cf853b84
  SHA256: 0c9b1d790b20cbb66298ba5c5252cf14759529f96f239195570c498b57bdd5d3
  SHA512: 970c32f55b786d3e62941475290400d08b5fd2f00c4a7fa553252ada7ac987ae7d6da07985006d4794e7cc9f78762069d35e89e26d9ca89ceaed5f145fef6300
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 550fd4706d75cd367e4094e7a1331238
  SHA1: 674f3b85a8bfd98d8f110dcb053b057f32a140f9
  SHA256: 852dda9ce49dfb5c766a3e6d358010d97cd0578220c8d21efb0dd74c642ad925
  SHA512: 2b68e806bbd732dc9658b239f7fa8d1515d9dc137118775e730d8021c61f72f4b945f61c8d0f4dbfe1d862ac7f9427d2d47cc23a03470a1667d201545b240e3e
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 0c27d3ced45a15f4bbf32d6c24e214fb
  SHA1: 651e2f5329709e5710b1ae674986a589c8cc03c3
  SHA256: 1c273c523e7a53e4c330f0bbb70045a7583f035726d5025df4ffbbe75ef1a7ca
  SHA512: d7b185229eea03e5261976c0e7adc74f520a5eef10b8532ec8ff5c20390d27ec16c33ce239303b0e0505c4fbaa2bce87190eb94712f934775db47565394b56c8
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5c7d33786dede428557dd3a20489db0e
  SHA1: 76f4fd93f30267ba2262a38949087899b1acf98d
  SHA256: 486f4d2af7199e48ac798a3ac529561b05fd69cd386e7540423d183bd82cffbe
  SHA512: 574a9ff825a17e74ba4cc99e1b2c985c538f3ec00ee466acf0fec7531d945698bc155a0a85ac3941a33632c57bf9e415df590f42579532cbb1b7683eb1cd5a41
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: df0fd03ca9f53b507c2bff763abde1e1
  SHA1: fd0699b18727527758572caf154d3836299b046d
  SHA256: 9f15b8ae0188d1bab7bfc51753d6d093272f934f9da1983f97b404e4a4ae529a
  SHA512: 82522ea63a073474450438598cb9e74bb20edc559bb34c62125c1713f7e7037dd3e50dcdc81f24fc38907d6c8c429fa833772565d48bd9e83842c5eeeafe31d1
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 9d2fcd98ad22fb36a64edbca41e7c2a9
  SHA1: e6cbe4b4a391a77c50e57dbe9fcf2ab65d8f8831
  SHA256: 5b3364cc293542814b6f0a10ce92e5fd8d08b0e55a6c70600e29a831999eed14
  SHA512: 33469bd42c0c15b85a3140c4fb6681ee52dc0283db80a0f885062f6f8758a9ed96e3d08f0672f7b58b5e176e882097a2b531335f0c294666b0df862a50db0006
- C:\Users\Admin\AppData\Roaming\Adminlog.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
- \Users\Admin\AppData\Local\Temp\Testing.exe
  Filesize: 296KB
  MD5: ee9b34767367aaa660049adb43c094de
  SHA1: 9884c5d7ef3eb03591515e6caac0ed70a62d7689
  SHA256: 06d70401728ba068a54e4a1facf2a533f7b05530a433c4066175163094a29e8b
  SHA512: 455e326f24a7b388f32b5e742c8eef1148fef0387e35c403cfbe920b1dd6bec8362f0c95a5c7e87898b648d051f097efb76e523eb9ccdb79c63f3c95c9272d82
- memory/980-1650-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB
- memory/980-848-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB
- memory/1176-16-0x0000000002D80000-0x0000000002D81000-memory.dmp
  Filesize: 4KB
- memory/2168-0-0x0000000074A00000-0x0000000074FAB000-memory.dmp
  Filesize: 5.7MB
- memory/2168-2-0x0000000074A00000-0x0000000074FAB000-memory.dmp
  Filesize: 5.7MB
- memory/2168-1-0x0000000000A30000-0x0000000000A70000-memory.dmp
  Filesize: 256KB
- memory/2168-603-0x0000000000A30000-0x0000000000A70000-memory.dmp
  Filesize: 256KB
- memory/2168-580-0x0000000074A00000-0x0000000074FAB000-memory.dmp
  Filesize: 5.7MB
- memory/2944-869-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB
- memory/2944-311-0x0000000000690000-0x0000000000691000-memory.dmp
  Filesize: 4KB
- memory/2944-539-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB
- memory/2944-310-0x0000000000120000-0x0000000000121000-memory.dmp
  Filesize: 4KB