Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 03:20
Static task: static1
Behavioral task: behavioral1
Sample: 010df753725191c555267e402257bef3_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 010df753725191c555267e402257bef3_JaffaCakes118.exe
Size: 399KB
MD5: 010df753725191c555267e402257bef3
SHA1: 8ccc273f2e40c6b7395e9b196e47e67ba057c0c6
SHA256: a9b94db1ffd00e365827c47cf2627d12ebc02a6b0ab1305a0a7c139098c5ea6d
SHA512: d3ed8a3f818cd24e12f98cf9c8b76e85350f5f79f5fad0a71a1618067542c37e83c6ca435f43f0486eb7cc986452e965f1a0f1fe09bd5d4f3a5f0ac1c67faf52
SSDEEP: 12288:Av/rOWedulF+opSZA7bk1zevXPh+r/Xd:MyWOuOoYZAMwvXPEr
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
Cyber
phayzonstuff.no-ip.biz:100
7WO01W52GAFFM2
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: Svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Thank you for patching your webcam, it is successful!
message_box_title: Webcam Patch
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, vbc.exe
description / ioc / process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB56MFJ-FKBX-0ACF-3387-325A70J17Y6O}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB56MFJ-FKBX-0ACF-3387-325A70J17Y6O} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB56MFJ-FKBX-0ACF-3387-325A70J17Y6O}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB56MFJ-FKBX-0ACF-3387-325A70J17Y6O} (explorer.exe)

Executes dropped EXE (1 IoC)
Processes: Svchost.exe
pid / process:
- 2072 Svchost.exe

Loads dropped DLL (1 IoC)
Processes: vbc.exe
pid / process:
- 1892 vbc.exe

Processes:
resource / yara_rule:
- behavioral1/memory/2432-5-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/2432-7-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/2432-11-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/2432-14-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/2432-18-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/2432-16-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/2432-15-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/648-557-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral1/memory/2432-889-0x0000000000400000-0x0000000000458000-memory.dmp: upx
- behavioral1/memory/648-1511-0x0000000010480000-0x00000000104E5000-memory.dmp: upx

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 010df753725191c555267e402257bef3_JaffaCakes118.exe, vbc.exe
description / ioc / process:
- Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe" (010df753725191c555267e402257bef3_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)

Drops file in System32 directory (4 IoCs)
Processes: vbc.exe, vbc.exe
description / ioc / process:
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (vbc.exe)
- File created: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: 010df753725191c555267e402257bef3_JaffaCakes118.exe
description / pid / process / target process:
- PID 2104 set thread context of 2432; 2104 010df753725191c555267e402257bef3_JaffaCakes118.exe -> vbc.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: vbc.exe
pid / process:
- 2432 vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vbc.exe
pid / process:
- 1892 vbc.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, vbc.exe
description / pid / process:
- Token: SeBackupPrivilege; 648 explorer.exe
- Token: SeRestorePrivilege; 648 explorer.exe
- Token: SeBackupPrivilege; 1892 vbc.exe
- Token: SeRestorePrivilege; 1892 vbc.exe
- Token: SeDebugPrivilege; 1892 vbc.exe
- Token: SeDebugPrivilege; 1892 vbc.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: vbc.exe
pid / process:
- 2432 vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 010df753725191c555267e402257bef3_JaffaCakes118.exe, vbc.exe
description / pid / process / target process:
- PID 2104 wrote to memory of 2432; 2104 010df753725191c555267e402257bef3_JaffaCakes118.exe -> vbc.exe (8 identical entries)
- PID 2432 wrote to memory of 1180; 2432 vbc.exe -> Explorer.EXE (all remaining entries, repeated verbatim)
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\010df753725191c555267e402257bef3_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\010df753725191c555267e402257bef3_JaffaCakes118.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\explorer.exe
          Command line: explorer.exe
          - Boot or Logon Autostart Execution: Active Setup
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WinDir\Svchost.exe
            Command line: "C:\Windows\system32\WinDir\Svchost.exe"
            - Executes dropped EXE
Downloads