Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 05:09

Static task: static1
Behavioral task: behavioral1
Sample: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Resource: win7-20231129-en

General
Target: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Size: 329KB
MD5: f753d0e1e3c5b7540a76a27c27b9765a
SHA1: 73b6a4020d07f4d0a2a1352b504436bab24c990f
SHA256: 66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a
SHA512: acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2
SSDEEP: 6144:4jsS6+qPb4PC9smagEUOd2VugiJTR6HVbsOam2R29wQYLdQU2BYbvaXO:4jsX+eb4e9HEUaosd6HVbvam2I9JY2aB
Malware Config
Extracted
cybergate
v1.07.5
ragnar
127.0.0.1:999
192.168.1.248:81
192.168.1.248:8080
566ABROO13O35V
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: minijuego.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: coliseo
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6} | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6}\StubPath = "C:\\Windows\\system32\\install\\minijuego.exe Restart" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Executes dropped EXE (4 IoCs)
Processes: minijuego.exe, minijuego.exe, minijuego.exe, minijuego.exe
pid | process
548 | minijuego.exe
3320 | minijuego.exe
2156 | minijuego.exe
860 | minijuego.exe

resource | yara_rule
behavioral2/memory/1064-4-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1064-7-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1064-8-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1064-9-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/1064-13-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/5052-79-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/1064-103-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2156-121-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/2156-128-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/860-131-0x0000000000400000-0x0000000000456000-memory.dmp | upx
behavioral2/memory/5052-148-0x0000000010480000-0x00000000104E5000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\minijuego.exe" | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Drops file in System32 directory (2 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\SysWOW64\install\minijuego.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\install\minijuego.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, minijuego.exe, minijuego.exe
description | pid | process | target process
PID 1884 set thread context of 1064 | 1884 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
PID 548 set thread context of 2156 | 548 | minijuego.exe | minijuego.exe
PID 3320 set thread context of 860 | 3320 | minijuego.exe | minijuego.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
2836 | 860 | WerFault.exe | minijuego.exe
636 | 2156 | WerFault.exe | minijuego.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
pid | process
1064 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
1064 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
pid | process
5052 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | pid | process
Token: SeBackupPrivilege | 5052 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Token: SeRestorePrivilege | 5052 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Token: SeDebugPrivilege | 5052 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
Token: SeDebugPrivilege | 5052 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, minijuego.exe, minijuego.exe
pid | process
1884 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
548 | minijuego.exe
3320 | minijuego.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe, f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
description | pid | process | target process
PID 1884 wrote to memory of 1064 | 1884 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
PID 1064 wrote to memory of 2340 | 1064 | f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe | iexplore.exe

Processes
- C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
    Signatures: Adds policy Run key to start application; Modifies Installed Components in the registry; Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"
      Signatures: Checks computer location settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\install\minijuego.exe
        Command line: "C:\Windows\system32\install\minijuego.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\install\minijuego.exe
          Command line: C:\Windows\SysWOW64\install\minijuego.exe
          Signatures: Executes dropped EXE
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 548
            Signatures: Program crash
    - C:\Windows\SysWOW64\install\minijuego.exe
      Command line: "C:\Windows\system32\install\minijuego.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\install\minijuego.exe
        Command line: C:\Windows\SysWOW64\install\minijuego.exe
        Signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 576
          Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2156 -ip 2156
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 860 -ip 860
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads