Analysis
-
max time kernel
148s
-
max time network
149s
-
platform
windows7_x64
-
resource
win7-20240705-en
-
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
-
submitted
22-07-2024 14:52
Static task
static1
Behavioral task
behavioral1
Sample
639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
-
Size
591KB
-
MD5
639ce84468b5b67681d9e3341b1446af
-
SHA1
e9ed555487307f27784b70fe0641950eb06c7f51
-
SHA256
52d84c8469d2288d1e072e39828caaf9b43911d5530a98d1af6bce4fa7addb8c
-
SHA512
3bb85fa2c2d80bde2003f8238e10be39776c68eded52cfccbb565cbeb3f2c597d6ff6b0339764967d61e4c70be9284ff2ad1015b479196cbb659c01dfca9458b
-
SSDEEP
12288:fukBmCK64RSGbBjtWEMm+ngXz9aO4bLlgOKT5LtQcuWrS7yf0F:GkSrjTXGitFcy
Malware Config
Extracted
cybergate
v1.07.5
Cyber
alcapone.zapto.org:30370
ID4E61KU7ACH05
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Windir
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe Restart" | vbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | explorer.exe
-
Executes dropped EXE (3 IoCs)
Processes: vbc.exe, vbc.exe, Svchost.exe
pid | process
2012 | vbc.exe
2584 | vbc.exe
2764 | Svchost.exe
-
Loads dropped DLL (9 IoCs)
Processes: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe, vbc.exe, vbc.exe, Svchost.exe
pid | process
2052 | 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
2012 | vbc.exe
2012 | vbc.exe
2012 | vbc.exe
2584 | vbc.exe
2584 | vbc.exe
2584 | vbc.exe
2764 | Svchost.exe
2764 | Svchost.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2012-53-0x0000000010410000-0x0000000010475000-memory.dmp | upx
-
Uses the VBS compiler for execution (1 TTPs)
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: vbc.exe, 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe" | 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
description | pid process | target process
PID 2052 set thread context of 2012 | 2052 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | vbc.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: vbc.exe
pid | process
2012 | vbc.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: vbc.exe
pid | process
2584 | vbc.exe
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, vbc.exe
description | pid process
Token: SeBackupPrivilege | 1792 explorer.exe
Token: SeRestorePrivilege | 1792 explorer.exe
Token: SeBackupPrivilege | 2584 vbc.exe
Token: SeRestorePrivilege | 2584 vbc.exe
Token: SeDebugPrivilege | 2584 vbc.exe
Token: SeDebugPrivilege | 2584 vbc.exe
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: vbc.exe
pid | process
2012 | vbc.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe, vbc.exe
description | pid process | target process
The 64 entries are repeats of the following two rows:
PID 2052 wrote to memory of 2012 | 2052 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | vbc.exe
PID 2012 wrote to memory of 1204 | 2012 vbc.exe | Explorer.EXE
Processes
(the number before each path is its nesting depth in the process tree)
-
depth 1: C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
-
depth 2: C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Users\Admin\AppData\Local\Temp\vbc.exe
command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\SysWOW64\explorer.exe
command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
-
depth 4: C:\Program Files\Internet Explorer\iexplore.exe
command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
depth 4: C:\Users\Admin\AppData\Local\Temp\vbc.exe
command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
depth 5: C:\directory\CyberGate\Windir\Svchost.exe
command line: "C:\directory\CyberGate\Windir\Svchost.exe"
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB
MD5
7ac4d9688725365d6b888b8a36d593da
SHA1
5917e2b1ebde71eb2b22e94e969eccbe915dc8f6
SHA256
693fd211a9ba5ecbe4041e9275e4aaf75e8fe1c30e46ac00564d22c0d9db53ea
SHA512
065a1c1503597129117a2c19099b6d2f16be540eaf273fb5ddc38f0692ace1324be6068e73624d5f0c48d009866d8e6c0bb6d60c8f716cd56562ead3237413ea
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
73d8877056fa6c02f7dbc36a5c2fb755
SHA1
40dd80a171d0b3401870efed85bf579b0b68cddc
SHA256
ce18491c84a7faf78d725e8253077e71fee3972a9f055f09500b285e7584ae7c
SHA512
1283d7a8b9b2716a38ce2e94f22ddc8eab47c04c0b9323d4407e83530566e9579cb69624ece1343f13ba41e0001ee6203ccce76d6bf518817b59af1d5708ea67
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
4b8ed7a89f2994cf5c431b2c8fd79e0a
SHA1
59c2928b947d921b5b9bd5346e652f879a0ddf05
SHA256
fcb3a1f1dd9fc740326c6555f30517b23a8d4b5ba8686f97d9e3361e5f79ab25
SHA512
208da970803c8de10c5e6d51c28551be7d11605bfa8291a6e934fae9a38ea83e804ca20f10fe70d16d2055fb65fb9d5dd69acb57bb9e0aee28c2004ff7657a11
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
488ab729c58706f62cdaad81596794c9
SHA1
7f8203c355a58ad8cdce555a70942edc341b51dd
SHA256
b0cba3a22e522997592bd005e6eb075bb3906baa818469a009ce4245bbf3ab73
SHA512
aa59c585898d99023144166e9d358f21be838f3966f6170d72a6acd6559a9deb32712356d39a50f77de2149cb097871b59243d5b76c219311db9e484ee35d5e1
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
0bb4a35619ae64f316f5fc0c963fc969
SHA1
95583356379219c2d57dfa6594d2b4bc1230ac8a
SHA256
b1fec2e29c54ba36cff4eae099a227397496d14122dbed354a354f510a8d46df
SHA512
6e53821b34abb563ae9bad795b7a9fa29382f4970f014d493e9eb5e95a68df7949361b80891ce6755bf1b644f34571715413161df5a56b0ae13d6e5237dc5617
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
202ac6731f99e0609425d3014eacfa31
SHA1
b967772c1b7c9ecd9bcc8a9d1bdd1e8a3b159e7e
SHA256
ffbfdcd80fea7a1690197f9659360c72a25ee81162c551419e22c4ac47375d44
SHA512
e787abd9677e174f98f607206b9f7f051c5edd16e3aa2db1a35854de8225dde591f93b49ebe1dad15467c799d595311cb37a8137c413c9b37be20d34ba80e1a6
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
8a8eda76044871f48da80b999eda4e03
SHA1
7ecdcdd54d32fdb0ff914d9ebf4fa9a88674c965
SHA256
ed6d535ef68434839e13f2a5a79a0fc2da132407ee2c11d7f2cce3dbed2db1bc
SHA512
3994b00c9d599e4deae6d90e9903a5e1152129ab2d268762756f814c4958671ffb1d063b55f8a936abe55f44a5a4bfbb78077ac2bef0ad94ec1be5da50cac680
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
bf7e308d3569b49ac4f4a80ef3aad483
SHA1
0fec73928ced39b8feda9d31974e2c1edd0fb67f
SHA256
0790142fce5bd70fb5196c5fc39717231fd5e1af860d7451546b55908f95441a
SHA512
a00fa41af4a5d7a1da847c8e70efb65a10b7e905c395a0f528835b3370f10292c8f41e5cf34e21329b174b95699d39f420a7bdc5ad5e8592e88258dcd8bf9c9c
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
f32ca196de348afb0443021a05dd18ea
SHA1
111306149ac7905caa6a68a0c02d95fc0a071839
SHA256
90f18b5831ca8080b029275a51ed5b66fb41f80d85b79272e2e1be755ccde2bd
SHA512
5db8cdf342273d1eaef412cfec4cec90577d68f22e115c8ea0fb71b74ad6ac4c994fce6636f274b35ee85295b4bb3c868831187a9d3354432261bdd697dae600
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
1daa1cb04df7515ceeaf96174d5c975b
SHA1
d38504a2cb57cecf44aed6136276c5dc5c39bcc6
SHA256
b6ffcf4aeec56e46f1349dc535e066eef75db15551ffdac46982ba585aa97bbb
SHA512
330742ff951b3b378928c50f8bb7541e48e1cd059e79b56b8894cbaec514963508e48e4dcbebf4b17e53d866f8e3c57ccec064591571e76eec67d09eaf54c032
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
08b7a6cfafd78af4002296e30532544c
SHA1
18181e538cc4f73d5f2f5e158ea08b0b77770e20
SHA256
1e92e25e15c31b7dd5bcbea1b039b90ee98414e0b00c411627cc80dc1591f002
SHA512
ba6c85093b3bc7334b0071647644913557c725fcf2ae93428163fd376abd0e00d941c4f330c7397db3ab64dc3cf7c1f351ecebce8bb3f7dd7956af9dc75ca58e
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
272ac3e46a143147fa6570d3a706e8ea
SHA1
61c171c48c652a10d266e2a59417d495e5a1d1fd
SHA256
8c2d17aa4924bc3eb844ddf01970808b4ce733ab79870f878c41d5b63d41ad67
SHA512
5b8d5f11375c9673cf45047ddbd605ec8e40927d6424fe59e0b95215226c548c27aca509eae6fa6a512d8146db6aa621c7c637251d589f7c88c3e5aca7cd50b7
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
2ea8269242ffaeefcfd04d59e55c4e98
SHA1
7c3093e66324be60a10cc9f046c61acf33b89e22
SHA256
7a4676a2446a9bdbd64c630af715f61d0e870aa8621ff952985a86abaaaeb18a
SHA512
b9563976f0943eda06bfad55f6aaf0be2312ef8885148355ffb30b2aa6e6378e9b7b06399d4efe2d1e9f61f445b1ded5bc4f8712882b8dc5c9b788c23c45d959
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
7dce213baa964ba0c5f8b9e059d10fa4
SHA1
fe3b76d0362fd20b35d326f0fcfa195f35314c32
SHA256
11c39ca776c7986b72fae73f6bcb7c55983e0e39481bc7e8d548e686616dbfde
SHA512
21e02a00bc0b25e25e05c77eecc54a79eaea7d3493aa4a73e1d635eb8959cd69e413067c3e78bc694026637d94dc4ebf654c13d43ddbd51cc281eaf3148d2ebd
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
2db5de88d10659148417a46d7384d040
SHA1
a0a04ebed6092a06fc144a4bf60e1e509e1aa387
SHA256
aaf5db80ddc79ac2fcecb2160ae4f8766f261278d2278ba3b148d4749a8d531f
SHA512
dbdc29406cc7173ca26eba1450151b4b268703652c105b57837e9bc9448c2b58ba3e45d29953db3832ea5901b680ee715f532f0761a7a2ae3550236d19413d22
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
0350e45ee7aad9eb572a73b1ccb9a5e6
SHA1
a23464a166977ebffb2ea5b3875338ec24787218
SHA256
58879fd4888503b89c477ec0c8654210e76b4f381132f3194dccbc9ea5a1e1fe
SHA512
a38506f83a56a179403d414c3e6feb4cff1512e871591b82c7742ec85dd6a685563688b513c4ecd3c42a72aae75293b4d8dfd0702228c95b4081f12103ea1230
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
85a65a70633ae98c97d9900526f01e05
SHA1
735b50329e16f2bfe92fb1a7396fcfd7a91c4394
SHA256
34bb399f3f712588826eaeab72cb80651de091ce0bd8e0de74a3daabfcaa8889
SHA512
151fe1ee38eccd6628b3229a5a4447e20375a94b750dcc2712cd48272aaa0e2a74bb0693a449c0b6b3543f137d8ee3ae16aa5277a59539faf8812bc6753eb169
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
d380f9f14cf43eb5ebb5f050e8dfdd9e
SHA1
1eb5d72249911d54668f86108bcaff31909b5b12
SHA256
5e92fb020a75950695ae5da9d645fd46de53827b1951cdbb2023def347aa6d3b
SHA512
9661ebba288548f2b3062106687e7a81db1c7f15b142e7b53fb38784da8b4452b46f6ffe610a023144ed993902dfd7e740046416662ad64652375ad5588b3009
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
1869db0614db8a6a57b7500e41546c60
SHA1
6edfe2714cdf932a134ce47b01b93371596fd7e7
SHA256
ed4b85b7474ac1aa26a48c97a3bb71a650b86e9f83b3a4717532085238b2d46d
SHA512
02c46ed34554815d3d04afa91283a49dcb707554a842e1c9bedf7d6af5383da7377c0055c41c09ebc3eedfe1c1b90462d032924d6ab2679781972ddec1f8bb20
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
8d874ca6e0c6e29799e6b2ab0fe122ad
SHA1
0907c829b00955ec11b2e4d788567f161e553095
SHA256
4b60365a64b7741ed5bbe8ffd872f5073748dd50cf3994341a6b347c6cc32956
SHA512
b4385c3907b5eb3b48d7333384d95dfa0e636e7d70f799aec8bc6e6a0614878a94b6482853c67c7ee54492d1665b6198f02b39afd5d5f38c94ca2bd3fd6932d2
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
6e09166e10fba4e8dd2b78b7947656d4
SHA1
6bcb882dace55d3fcee03d24dd4c1b55c3827845
SHA256
98f8a09611912e74ee91c6cf92011e127e95dde499cd2fc245b45a43dfa299ba
SHA512
e55b2bb557083b45d7e90bdf964469ef93649b5dfbce2625e21700428e39ad4296c6ebb4a235dbe872d6a4af4611fa0dd925be6e1deda000a65e879ec9bcd54d
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B
MD5
50c6fc433cb5ae0cda7fd79b7237626c
SHA1
cd25fbfc9391554fd0fafcdb63ac71f6f26a0ac5
SHA256
2c3993f184c8ec6f797e1ecbc26ab7ec02b062a945fc8cd4671c2236a125b44d
SHA512
9ce389c75818b39f36953d4057981a674678524d118120055bc8871969f517d5d88ec8754b925ecc855e6057a4da374c9c521c5ed6b3fd85b35478ec32132fad
-
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B
MD5
bf3dba41023802cf6d3f8c5fd683a0c7
SHA1
466530987a347b68ef28faad238d7b50db8656a5
SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB
MD5
34aa912defa18c2c129f1e09d75c1d7e
SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
memory/1204-54-0x0000000002EB0000-0x0000000002EB1000-memory.dmp
Filesize
4KB
-
memory/2012-13-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-45-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-947-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-31-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-33-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-35-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-37-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-39-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-41-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-43-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-47-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-50-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-49-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-53-0x0000000010410000-0x0000000010475000-memory.dmp
Filesize
404KB
-
memory/2012-7-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-9-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-11-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-26-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-15-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-19-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize
4KB
-
memory/2012-23-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-25-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2012-17-0x0000000000400000-0x000000000045A000-memory.dmp
Filesize
360KB
-
memory/2052-0-0x0000000074482000-0x0000000074484000-memory.dmp
Filesize
8KB