Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 14:52
Static task: static1
Behavioral task: behavioral1
Sample: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
Size: 591KB
MD5: 639ce84468b5b67681d9e3341b1446af
SHA1: e9ed555487307f27784b70fe0641950eb06c7f51
SHA256: 52d84c8469d2288d1e072e39828caaf9b43911d5530a98d1af6bce4fa7addb8c
SHA512: 3bb85fa2c2d80bde2003f8238e10be39776c68eded52cfccbb565cbeb3f2c597d6ff6b0339764967d61e4c70be9284ff2ad1015b479196cbb659c01dfca9458b
SSDEEP: 12288:fukBmCK64RSGbBjtWEMm+ngXz9aO4bLlgOKT5LtQcuWrS7yf0F:GkSrjTXGitFcy
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
Cyber
C2: alcapone.zapto.org:30370
ID4E61KU7ACH05
Attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Windir
install_file: Svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe Restart" | vbc.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | explorer.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: vbc.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | vbc.exe
Executes dropped EXE (3 IoCs)
Processes: vbc.exe, vbc.exe, Svchost.exe
  pid | process
  3068 | vbc.exe
  908 | vbc.exe
  4992 | Svchost.exe
Processes:
  resource | yara_rule
  behavioral2/memory/3068-18-0x0000000010410000-0x0000000010475000-memory.dmp | upx
  behavioral2/memory/3068-78-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  behavioral2/memory/1844-83-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  behavioral2/memory/908-156-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
  behavioral2/memory/1844-994-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  behavioral2/memory/908-1448-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe, vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe" | 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | vbc.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
  description | pid | process | target process
  PID 1232 set thread context of 3068 | 1232 | 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes: vbc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | vbc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: vbc.exe
  pid | process
  3068 | vbc.exe
  3068 | vbc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vbc.exe
  pid | process
  908 | vbc.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, vbc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1844 | explorer.exe
  Token: SeRestorePrivilege | 1844 | explorer.exe
  Token: SeBackupPrivilege | 908 | vbc.exe
  Token: SeRestorePrivilege | 908 | vbc.exe
  Token: SeDebugPrivilege | 908 | vbc.exe
  Token: SeDebugPrivilege | 908 | vbc.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: vbc.exe
  pid | process
  3068 | vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe, vbc.exe
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\vbc.exe
         command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
         - Adds policy Run key to start application
         - Boot or Logon Autostart Execution: Active Setup
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe
            command line: explorer.exe
            - Boot or Logon Autostart Execution: Active Setup
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Program Files\Internet Explorer\iexplore.exe
            command line: "C:\Program Files\Internet Explorer\iexplore.exe"
         4. C:\Users\Admin\AppData\Local\Temp\vbc.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            5. C:\directory\CyberGate\Windir\Svchost.exe
               command line: "C:\directory\CyberGate\Windir\Svchost.exe"
               - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads