Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 06:00
Static task: static1
Behavioral task: behavioral1
Sample: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
Resource: win7-20231129-en
General
- Target: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
- Size: 453KB
- MD5: 14eb3587ab34bd7b0e4ce4dbea721c4a
- SHA1: ae84d44580bab2b4ad071bf0d6e53c6d48a5f52e
- SHA256: fc9113fd86ece98b2213489bf817d18ad744166e4f4701db339597998999b31e
- SHA512: 2564399d7013d89ba612d7285264c6d6ecaaf841a0f135c3fc8310f950516be35e6ca8638ca54b89bdef558d0a2a7edb82e956dbbf8bb1c72722e59f3ec9c25b
- SSDEEP: 12288:t29eFcZt+yejZfwFLWtF57RAV7udh0ToTFeII8ycicK:omDyoLX6GsoK
Malware Config
Extracted
cybergate
v1.03.0
remote
127.0.0.1:999
341INKA36V71IF
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
- Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" (process: vbc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" (process: vbc.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{UEI2686U-61M0-V2R5-QS46-5W1FATPI13J7} (process: vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{UEI2686U-61M0-V2R5-QS46-5W1FATPI13J7}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" (process: vbc.exe)

Executes dropped EXE (4 IoCs)
Processes: vbc.exe, vbc.exe, server.exe, server.exe
- PID 3000: vbc.exe
- PID 2652: vbc.exe
- PID 1592: server.exe
- PID 2636: server.exe

Loads dropped DLL (4 IoCs)
Processes: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe, vbc.exe, vbc.exe
- PID 2344: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
- PID 3000: vbc.exe
- PID 3000: vbc.exe
- PID 2652: vbc.exe

Processes:
- behavioral1/memory/3000-16-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-13-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-11-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-19-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-20-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-22-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-21-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-23-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-33-0x0000000024080000-0x00000000240E1000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-28-0x0000000024010000-0x0000000024071000-memory.dmp (yara_rule: upx)
- behavioral1/memory/3000-345-0x0000000000400000-0x0000000000455000-memory.dmp (yara_rule: upx)

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe" (process: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
- PID 2344 set thread context of 3000 (pid: 2344, process: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe, target process: vbc.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: vbc.exe
- PID 3000: vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: vbc.exe
- PID 2652: vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: vbc.exe
- Token: SeDebugPrivilege (pid: 2652, process: vbc.exe)
- Token: SeDebugPrivilege (pid: 2652, process: vbc.exe)

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: vbc.exe
- PID 3000: vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe, vbc.exe
- PID 2344 wrote to memory of 3000 (pid: 2344, process: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe, target process: vbc.exe)
- PID 3000 wrote to memory of 2592 (pid: 3000, process: vbc.exe, target process: iexplore.exe)

Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
[2] C:\Users\Admin\AppData\Local\Temp\14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\vbc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
[4] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
[4] C:\Users\Admin\AppData\Local\Temp\vbc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
[5] C:\directory\CyberGate\install\server.exe
    Command line: "C:\directory\CyberGate\install\server.exe"
    - Executes dropped EXE
[4] C:\directory\CyberGate\install\server.exe
    Command line: "C:\directory\CyberGate\install\server.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads