Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 06:00
Static task: static1
Behavioral task: behavioral1
Sample: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
Resource: win7-20231129-en
General
- Target: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
- Size: 453KB
- MD5: 14eb3587ab34bd7b0e4ce4dbea721c4a
- SHA1: ae84d44580bab2b4ad071bf0d6e53c6d48a5f52e
- SHA256: fc9113fd86ece98b2213489bf817d18ad744166e4f4701db339597998999b31e
- SHA512: 2564399d7013d89ba612d7285264c6d6ecaaf841a0f135c3fc8310f950516be35e6ca8638ca54b89bdef558d0a2a7edb82e956dbbf8bb1c72722e59f3ec9c25b
- SSDEEP: 12288:t29eFcZt+yejZfwFLWtF57RAV7udh0ToTFeII8ycicK:omDyoLX6GsoK
Malware Config
Extracted
cybergate
v1.03.0
remote
127.0.0.1:999
341INKA36V71IF
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
Signatures
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | vbc.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{UEI2686U-61M0-V2R5-QS46-5W1FATPI13J7} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UEI2686U-61M0-V2R5-QS46-5W1FATPI13J7}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | vbc.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: vbc.exe, vbc.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | vbc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | vbc.exe
Executes dropped EXE 3 IoCs
Processes: vbc.exe, server.exe, server.exe
pid | process
1492 | vbc.exe
2584 | server.exe
528 | server.exe
Loads dropped DLL 1 IoCs
Processes: vbc.exe
pid | process
1504 | vbc.exe
Processes:
resource | yara_rule
behavioral2/memory/1492-12-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/1492-15-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/1492-13-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/1492-7-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral2/memory/1492-22-0x0000000024080000-0x00000000240E1000-memory.dmp | upx
behavioral2/memory/1492-19-0x0000000024010000-0x0000000024071000-memory.dmp | upx
behavioral2/memory/1492-116-0x0000000000400000-0x0000000000455000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe" | 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe
description | pid | process | target process
PID 1164 set thread context of 1492 | 1164 | 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe | vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: vbc.exe
pid | process
1492 | vbc.exe
1492 | vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: vbc.exe
pid | process
1504 | vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: vbc.exe
description | pid | process
Token: SeDebugPrivilege | 1504 | vbc.exe
Token: SeDebugPrivilege | 1504 | vbc.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: vbc.exe
pid | process
1492 | vbc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 1164 wrote to memory of 1492 | 1164 | 14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe | vbc.exe
PID 1492 wrote to memory of 4968 | 1492 | vbc.exe | iexplore.exe
Processes
C:\Windows\Explorer.EXE
  "C:\Users\Admin\AppData\Local\Temp\14eb3587ab34bd7b0e4ce4dbea721c4a_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
      "C:\Program Files\Internet Explorer\iexplore.exe"
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      - Checks computer location settings
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
        "C:\directory\CyberGate\install\server.exe"
        - Executes dropped EXE
      "C:\directory\CyberGate\install\server.exe"
      - Executes dropped EXE
Downloads