Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 21:14
Static task: static1
Behavioral task: behavioral1
Sample: 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
Size: 766KB
MD5: 64d4adbd2b34c0cbcdf01ecf62c3fa2d
SHA1: 357c15c7c98baa23f2e13bcfb3e0509c9830a771
SHA256: 33d1e3df5d208445164053583bc302842b65a192655ff115ead3890c5156eeb6
SHA512: 537c93521f6ab18b6a2d2ac8e4fd67545bf849b815d2298b962ac103d1e7b16a64b40e759167b5d05868e85334280349a15df3435f879d971b3268678bc36e6d
SSDEEP: 12288:HoaxRBxqjeRGm9IppnvVWHNJtkGhBWtiwkM2f95ByXJLR3aBA0cWonaNCfQF7G:Hoa0eVE1VWmGhBkh2F5IXP0c1agfQZG
Malware Config
Extracted: cybergate v1.07.5
cyber
spliff.no-ip.biz:100
NA6S5AN2N33NYV
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: J1nsd0ntspeak
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe" (vbc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe" (vbc.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe" (explorer.exe)

Executes dropped EXE (1 IoC)
Processes: svchost.exe
- PID 2672 svchost.exe

Loads dropped DLL (1 IoC)
Processes: vbc.exe
- PID 2140 vbc.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\svchost.exe" (vbc.exe)

Drops file in System32 directory (4 IoCs)
Processes: vbc.exe, vbc.exe
- File opened for modification: C:\Windows\SysWOW64\WinDir\svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (vbc.exe)
- File created: C:\Windows\SysWOW64\WinDir\svchost.exe (vbc.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
- PID 2976 set thread context of 2316 (64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe -> vbc.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: vbc.exe
- PID 2316 vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vbc.exe
- PID 2140 vbc.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, vbc.exe
- Token: SeBackupPrivilege, PID 1660 explorer.exe
- Token: SeRestorePrivilege, PID 1660 explorer.exe
- Token: SeBackupPrivilege, PID 2140 vbc.exe
- Token: SeRestorePrivilege, PID 2140 vbc.exe
- Token: SeDebugPrivilege, PID 2140 vbc.exe
- Token: SeDebugPrivilege, PID 2140 vbc.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: vbc.exe
- PID 2316 vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe, vbc.exe
- PID 2976 wrote to memory of 2316 (64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe -> vbc.exe), 12 identical entries
- PID 2316 wrote to memory of 1208 (vbc.exe -> Explorer.EXE), 52 identical entries
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
  2. C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
       command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
       - Adds policy Run key to start application
       - Boot or Logon Autostart Execution: Active Setup
       - Adds Run key to start application
       - Drops file in System32 directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\explorer.exe
         command line: explorer.exe
         - Boot or Logon Autostart Execution: Active Setup
         - Suspicious use of AdjustPrivilegeToken
      4. C:\Program Files\Internet Explorer\iexplore.exe
         command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
        5. C:\Windows\SysWOW64\WinDir\svchost.exe
           command line: "C:\Windows\system32\WinDir\svchost.exe"
           - Executes dropped EXE
Downloads