Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 18-04-2024 05:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
- Size: 329KB
- MD5: f753d0e1e3c5b7540a76a27c27b9765a
- SHA1: 73b6a4020d07f4d0a2a1352b504436bab24c990f
- SHA256: 66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a
- SHA512: acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2
- SSDEEP: 6144:4jsS6+qPb4PC9smagEUOd2VugiJTR6HVbsOam2R29wQYLdQU2BYbvaXO:4jsX+eb4e9HEUaosd6HVbvam2I9JY2aB
Malware Config
Extracted
cybergate
v1.07.5
ragnar
127.0.0.1:999
192.168.1.248:81
192.168.1.248:8080
566ABROO13O35V
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: minijuego.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: coliseo
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6} | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6}\StubPath = "C:\\Windows\\system32\\install\\minijuego.exe Restart" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
-
Executes dropped EXE 4 IoCs
Processes: minijuego.exe, minijuego.exe, minijuego.exe, minijuego.exe
pid | process
608 | minijuego.exe
1580 | minijuego.exe
2696 | minijuego.exe
2496 | minijuego.exe
-
Loads dropped DLL 6 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, minijuego.exe, f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, minijuego.exe
pid | process
2552 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
2552 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
608 | minijuego.exe
2304 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
2304 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
2696 | minijuego.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2552-5-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2552-9-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2552-8-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2552-10-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2552-11-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2552-15-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral1/memory/2304-325-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/1580-364-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2552-361-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2304-386-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/2496-387-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/1580-390-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral1/memory/2496-393-0x0000000000400000-0x0000000000456000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
-
Drops file in System32 directory 2 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\SysWOW64\install\minijuego.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\install\minijuego.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, minijuego.exe, minijuego.exe
description | pid | process | target process
PID 2548 set thread context of 2552 | 2548 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
PID 608 set thread context of 1580 | 608 | minijuego.exe | minijuego.exe
PID 2696 set thread context of 2496 | 2696 | minijuego.exe | minijuego.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, minijuego.exe
pid | process
2552 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
1580 | minijuego.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
pid | process
2304 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | pid | process
Token: SeBackupPrivilege | 2304 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Token: SeRestorePrivilege | 2304 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Token: SeDebugPrivilege | 2304 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Token: SeDebugPrivilege | 2304 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, minijuego.exe, minijuego.exe
pid | process
2548 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
608 | minijuego.exe
2696 | minijuego.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | pid | process | target process
PID 2548 wrote to memory of 2552 | 2548 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
PID 2552 wrote to memory of 2156 | 2552 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe | iexplore.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe 2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 3⤵
-
C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe" 3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\install\minijuego.exe "C:\Windows\system32\install\minijuego.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\install\minijuego.exe C:\Windows\SysWOW64\install\minijuego.exe 5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\install\minijuego.exe "C:\Windows\system32\install\minijuego.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\install\minijuego.exe C:\Windows\SysWOW64\install\minijuego.exe 4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\APISETSCHEMA.DLL
Filesize: 6KB
MD5: 2f03490092c032392fb6ff635222b9b2
SHA1: 77e86c4677b8670474bfb2dbc60a47e3b340a679
SHA256: 951e57ba594507058366321ae29dc117cde9d3801a0535a704db4c7762690c81
SHA512: f2c0a9cf67ec21fa039f8930c260258dd93066a747c13e8a9d7f6fe947ac9b75d30c8184ff03fb87e23cf717c32d917bc05530763edd3dd645bf12c7b655f81b
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize: 225KB
MD5: 1e6e103853f388b3f17e694463df6a7a
SHA1: 5565bf1249914cc90a4175f9618b7347199554d9
SHA256: e2d34973521f592e924b3039a23c787b5fc9befb60a999e72e444c66043e0852
SHA512: 5ec8c7d190a89137a54455951d48b4f97275c518bce1d2bdc794589320ff5ffbba233a6108f24f75b4d7be961fd483b3420b471a798d1bff5386223fcf776e96
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 8651ea22eec86b2a0d876f2ff7e82486
SHA1: 34927146e7b2c0ceed3a78b3ec5b06d1cd81c186
SHA256: 3eb18892ebce877b373b8b20e166a8d2b0372e87e4091d80aed6f15011906529
SHA512: cfd114ac61c2604a22c6e4e4867784b05b05d480b213ad614d69e1224649f77a5c7324356491f032e87e2896662152c5473b7f0b3d365749c379b92bdd7e82a0
-
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize: 15B
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA1: 466530987a347b68ef28faad238d7b50db8656a5
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
C:\Windows\SysWOW64\install\minijuego.exe
Filesize: 329KB
MD5: f753d0e1e3c5b7540a76a27c27b9765a
SHA1: 73b6a4020d07f4d0a2a1352b504436bab24c990f
SHA256: 66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a
SHA512: acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2