Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-07-2024 21:14
Static task
static1
Behavioral task
behavioral1
Sample
64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
-
Size
766KB
-
MD5
64d4adbd2b34c0cbcdf01ecf62c3fa2d
-
SHA1
357c15c7c98baa23f2e13bcfb3e0509c9830a771
-
SHA256
33d1e3df5d208445164053583bc302842b65a192655ff115ead3890c5156eeb6
-
SHA512
537c93521f6ab18b6a2d2ac8e4fd67545bf849b815d2298b962ac103d1e7b16a64b40e759167b5d05868e85334280349a15df3435f879d971b3268678bc36e6d
-
SSDEEP
12288:HoaxRBxqjeRGm9IppnvVWHNJtkGhBWtiwkM2f95ByXJLR3aBA0cWonaNCfQF7G:Hoa0eVE1VWmGhBkh2F5IXP0c1agfQZG
Malware Config
Extracted
cybergate
v1.07.5
cyber
spliff.no-ip.biz:100
NA6S5AN2N33NYV
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
WinDir
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
J1nsd0ntspeak
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe" | vbc.exe
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe Restart" | vbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe" | explorer.exe
-
Executes dropped EXE 1 IoCs
Processes: svchost.exe
pid | process
4660 | svchost.exe
-
Memory regions matching yara rule upx (UPX packed) 4 IoCs
resource | yara_rule
behavioral2/memory/1048-12-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/1048-72-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/3044-77-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/3044-1340-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
-
Uses the Visual Basic .NET compiler (vbc.exe) for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\svchost.exe" | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\svchost.exe" | vbc.exe
-
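The three signatures above (the Policies\Explorer\Run value, the Active Setup StubPath, and the Run values named HKCU and HKLM, which are the regkey_hkcu / regkey_hklm fields of the extracted config) are the persistence a hunter would query for on other hosts. The following Python is an added example, not part of the sandbox report or of any vendor's tooling. It parses "Set value" lines written in the report's own notation (the four lines from this report, plus two constructed benign controls for OneDrive and ie4uinit.exe that are assumptions for the example) and flags three things: any value under Policies\Explorer\Run; an Active Setup component ID that is not a well-formed GUID (this sample's {24DX367Y-K0B7-7481-N83T-72B6HN1S5J44} contains non-hex characters, so it can never be a genuine component); and an autostart target that borrows a core Windows binary name such as svchost.exe while living outside System32 or SysWOW64. The list of binary names is an assumption chosen for the example; on a live host the same checks apply unchanged to Sysmon Event ID 13 (registry value set) data once key, value name and data are pulled out of the event.

```python
import re
from pathlib import PureWindowsPath

# "Set value" lines in the notation this sandbox report uses. The first four
# are copied from the report's signatures; the last two are constructed benign
# controls (assumed typical Run / Active Setup entries), not from the report.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DX367Y-K0B7-7481-N83T-72B6HN1S5J44}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe Restart"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\svchost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\svchost.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}\StubPath = "C:\\Windows\\System32\\ie4uinit.exe -UserConfig"',
]

EVENT_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)"$')
# First token of the value data that looks like a drive-rooted path to an .exe
EXE_RE = re.compile(r'^"?(?P<exe>[a-z]:\\[^"]*?\.exe)', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)

# Assumption for this example: these names only belong directly in the two
# system directories; anywhere else they are a masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def parse_event(line):
    """Split one 'Set value' line into (key, value name, executable path or None)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    data = m.group("data").replace("\\\\", "\\")  # undo the report's backslash escaping
    exe = EXE_RE.match(data)
    return key, name, (exe.group("exe") if exe else None)


def check_event(key, name, exe):
    """Return the list of reasons this registry write looks like RAT persistence."""
    reasons = []
    k = key.lower()
    if k.endswith("\\policies\\explorer\\run"):
        reasons.append("policy_run_key")
    if "\\active setup\\installed components\\" in k and name.lower() == "stubpath":
        component = key.rpartition("\\")[2]  # the {GUID} subkey holding StubPath
        if not GUID_RE.match(component):
            reasons.append("invalid_active_setup_guid")
    if exe:
        p = PureWindowsPath(exe)
        if p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS:
            reasons.append("system_binary_outside_system_dir")
    return reasons


def scan(lines):
    """Run every line through the checks; keep only the ones with findings."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        key, name, exe = parsed
        reasons = check_event(key, name, exe)
        if reasons:
            findings.append({"key": key, "value": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["value"], f["exe"], ", ".join(f["reasons"]))
```

Running it reports the four lines from this sample and nothing for the two controls: the policy Run value and the StubPath carry two reasons each, the HKCU and HKLM Run values one. The GUID check is the cheapest of the three and worth keeping on its own: legitimate Active Setup components are registered by installers with real CLSIDs, so a non-hex component name is a strong indicator independent of where the StubPath points.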
Drops file in System32 directory 4 IoCs
Processes: vbc.exe, vbc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WinDir\svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\ | vbc.exe
File created | C:\Windows\SysWOW64\WinDir\svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\svchost.exe | vbc.exe
Note: the registry values above name C:\Windows\system32\WinDir\svchost.exe while the file lands under C:\Windows\SysWOW64\WinDir\. The writer (vbc.exe from the 32-bit Framework directory) is a 32-bit process, so WOW64 file system redirection maps its system32 writes to SysWOW64; the config's install_dir "WinDir" plus install_file "svchost.exe" is what produces this path.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
description | pid | process | target process
PID 3008 set thread context of 1048 | 3008 | 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe | vbc.exe
-
Modifies registry class 1 IoCs
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | vbc.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: vbc.exe
pid | process
1048 | vbc.exe
1048 | vbc.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: vbc.exe
pid | process
4048 | vbc.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: explorer.exe, vbc.exe
description | pid | process
Token: SeBackupPrivilege | 3044 | explorer.exe
Token: SeRestorePrivilege | 3044 | explorer.exe
Token: SeBackupPrivilege | 4048 | vbc.exe
Token: SeRestorePrivilege | 4048 | vbc.exe
Token: SeDebugPrivilege | 4048 | vbc.exe
Token: SeDebugPrivilege | 4048 | vbc.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: vbc.exe
pid | process
1048 | vbc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 3008 wrote to memory of 1048 | 3008 | 64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe | vbc.exe (13 IoCs)
PID 1048 wrote to memory of 3420 | 1048 | vbc.exe | Explorer.EXE (the remaining 51 of the 64 IoCs)
Processes
-
(depth 1) C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
(depth 4) C:\Windows\SysWOW64\explorer.exe
command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
-
(depth 4) C:\Program Files\Internet Explorer\iexplore.exe
command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
(depth 4) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
(depth 5) C:\Windows\SysWOW64\WinDir\svchost.exe
command line: "C:\Windows\system32\WinDir\svchost.exe"
- Executes dropped EXE
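The tree above is the CyberGate execution chain in this run: the dropper in %TEMP% (PID 3008) starts the .NET Visual Basic compiler vbc.exe (PID 1048) with no arguments and replaces its image (the SetThreadContext and WriteProcessMemory signatures), the hollowed vbc.exe writes into Explorer.EXE (PID 3420) and spawns explorer.exe (PID 3044, whose memory dumps carry the same UPX-packed region), iexplore.exe and a second vbc.exe (PID 4048), and that second copy launches the dropped svchost.exe (PID 4660) from C:\Windows\SysWOW64\WinDir\. The following Python is an added example, not code from the report or from any sandbox vendor. It reconstructs that tree as process-creation records (PIDs from the report; iexplore.exe's PID is not given, so 4100 is a constructed placeholder, and the last four records are constructed benign controls) and applies three checks a practitioner would run over endpoint telemetry: a core system binary name running outside System32/SysWOW64, a .NET compiler started with no command-line arguments (a compiler never has real work to do without them, which is why it is a favoured hollowing host), and any non-compiler-toolchain child of a compiler process. The set of compiler names and the assumption that cvtres.exe is the compilers' only expected child are choices made for the example.

```python
from pathlib import PureWindowsPath

# Process-creation records reconstructed from this report's process tree.
# PID 4100 for iexplore.exe is a constructed placeholder (the report gives no
# PID for it); the last four records are constructed benign controls.
SAMPLE_PROCESSES = [
    {"pid": 3420, "ppid": None, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3008, "ppid": 3420,
     "image": r"C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\64d4adbd2b34c0cbcdf01ecf62c3fa2d_JaffaCakes118.exe"'},
    {"pid": 1048, "ppid": 3008, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"},
    {"pid": 3044, "ppid": 1048, "image": r"C:\Windows\SysWOW64\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 1048, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 4048, "ppid": 1048, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"'},
    {"pid": 4660, "ppid": 4048, "image": r"C:\Windows\SysWOW64\WinDir\svchost.exe",
     "cmdline": r'"C:\Windows\system32\WinDir\svchost.exe"'},
    # constructed benign controls: a real service host and a scripted compile
    {"pid": 700, "ppid": None, "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 5000, "ppid": 3420, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\abc123.cmdline"'},
]

# Assumptions for this example: the .NET compilers commonly used as hollowing
# hosts, the one child they are expected to spawn (the resource converter), and
# the binary names that only belong directly in the two system directories.
COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}
COMPILER_CHILDREN_OK = {"cvtres.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def has_arguments(cmdline):
    """True if anything follows the (optionally quoted) program token."""
    s = cmdline.strip()
    if s.startswith('"'):
        rest = s[1:].split('"', 1)[1] if '"' in s[1:] else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return rest.strip() != ""


def analyze(processes):
    """Map pid -> list of reasons for every process that trips a check."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        reasons = []
        img = PureWindowsPath(p["image"])
        name = img.name.lower()
        parent = by_pid.get(p["ppid"])
        parent_name = PureWindowsPath(parent["image"]).name.lower() if parent else None
        # 1. svchost.exe & co. only live directly in System32 / SysWOW64
        if name in SYSTEM_BINARIES and str(img.parent).lower() not in SYSTEM_DIRS:
            reasons.append("system_binary_outside_system_dir")
        # 2. a compiler with nothing to compile is a hollowing host
        if name in COMPILERS and not has_arguments(p["cmdline"]):
            reasons.append("net_compiler_without_arguments")
        # 3. compilers do not start shells, browsers or service hosts
        if parent_name in COMPILERS and name not in COMPILER_CHILDREN_OK:
            reasons.append("spawned_by_net_compiler")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_PROCESSES).items():
        print(pid, ", ".join(reasons))
```

On these records the five processes from the hollowed branch are flagged (1048, 3044, 4100, 4048 and 4660) and the four controls are not; the dropper itself (3008) is not caught by these rules, which is the point of running them over the children rather than looking only at the first process. Rule 2 alone is high-signal enough to alert on: the compilers are started by MSBuild, PowerShell or the Roslyn host with a response file or source path, and the empty command line seen here has no legitimate counterpart.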
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize 224KB
MD5 21b70ff91971ed271ea427f145e79bcd
SHA1 fa109706e017169637330c599e44453ab6955435
SHA256 b3fb948c9e8a2864ba1ccdd663c0246091da36cd6025d6204a730bced50b652c
SHA512 03e0503b1cc6ccf41536da22acddd85ce34de5e7d1f2f1bcd3a79d9b76b7b64a9e53522f5d699a14c5fb1dd2ba646a4a8564a9a4fd2130ca7f9fb44dd25696b1
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 655f0795a2e858b75877d4f4c12a986e
SHA1 6405c03767b63520f17a6901f68e0f56581f9886
SHA256 c19c193ac052f96b935a13b6d465ee5dfa733f4d776fd5e4437c1b2a97743c5c
SHA512 afab06f56ede6113ac557e05f2557b5517da39a303e889ced00fd59037c6accfd7e036370dd1bb2d14a8297f8f3bd1954d19ea7ef2b99c9305225fbf4c8cd07e
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 bb6082fbb308cdda84067a4acbbc5135
SHA1 990ceb0ef2658cdfc99add1134629070a4c636ef
SHA256 753c3dbbb97c997a255379ed23547fc5e5734a6c209b38d5c17be00629d59082
SHA512 fb511bcf03cf6688507187ff3dad9297c4b8ecc5067e343fd59ad95f247b9159945cff3a5d7491e4bcd11cf036119f6cb53f3aa4601df03a7b5b4b9608c3f3f4
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 31250135f369f90770d3607b3564f106
SHA1 af1e732670fec78428547f6f6e3bb9c745f6bd33
SHA256 402a5359ece204e5f35b65363349ac640b43b47368f3bca44f5130b73dfc8e59
SHA512 2820b332db121e70a6cc84ee00f246567a1c56eef18eaefc40958cdd5ef8545445f418f67c0f8bb323ac7df817405a2a998c292f883c99455f4d02922dd79924
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 f7dcb38ded5b849eb014627de67a5682
SHA1 7ffc5626e611f8e71531373d26c2ea8898718a8f
SHA256 e29efef867e37c082959d95dfc291bdcc8571bc1906a7764796d1453cf6d5b58
SHA512 88f9632e3ee57e51f618390600e491b35ab54f90eb3f8d7d0eefaee1b81817f1fbf446d76165bf773b2dec4750d60d5b3c84c5e42ec0d4c487c5f5c2ad59b49d
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 09ca9bad05dd1e4ca85da573af37f4c9
SHA1 f5e52b6ff39c56e64005c66470f68d7081be6a5d
SHA256 1cea38e28d268356f6a06ddd3e4c45d193405edd00356820c6cd7854b2646ece
SHA512 0d45e8598261ff7cc588ee408d5a073d784087fcd0ba89d3986e2dfbf38691a742a92d7efc0760b252c07890a3fac19f69738f6c26cb15c02aef87789457c664
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 40bb745234c730e6c52d5a62eb372877
SHA1 06f96b5ff7657a77174e57d2418d61cf2a5f864e
SHA256 a7bb1dca3783fb3c2b7ca59617b57aaa2b5b7334d33f195ad80ebb0bf316abfe
SHA512 5d3927640a3d87424d6d289e6fb85204c6bb4e41b08adfb80ab72c6bc67950da4332bb917f9958461c59aa9b68979c1cbea7bfe696f670b7b0fe33c3686897c8
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 5888fb324afdef9c2ee65f96ffd1fdf7
SHA1 bf3d3159df08a97da7e40ab44da008f0aea13339
SHA256 422ec02185ef93d3aded7943635b48bc112366655366c405469883e69dab2918
SHA512 9edced1fc152ac07cf973e71a749958fe376b99f545ea63d5af852f2ac9678c159a9ae0d3febf667012531378c15e1cffb1949a9755e540622002481bd5d5e8e
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 d93c48b2ba66145848e2c2fb7cd1439d
SHA1 b1c722fef50e0da472016c7571a5562842ef9935
SHA256 5bfb0e0e86948b7ac3bf10d4135923baa2e82bd6747eeb4da66d07f781e82459
SHA512 78749ecc78e33477d1b7b47929fc27a6e194e7128d757715e6e8dcd391732cddcdf541b088319c7f698573735f33092560e465a9959c70a45cbc3fea8f748cc4
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 43eb145bacdeca45c6b90ad37493a487
SHA1 ccfc4e7840e5e183a6647d7e44905e1ae780694f
SHA256 b3e14d9f91b64027f59bce32e3805b4413fd6c24c9835d0a53f985484f8e66bd
SHA512 9f7f196f31eff6d26228c947a6eaa6125dd31ea6fb21a0221e9a4e216bbbf5883f5f60e05716e1147ef1e8665d8b3f1b1fb9782c338a51f5cc695f5f0b40b944
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 f77466f93ffdd8d3d2ad1ba27e4ed9c7
SHA1 58d91cd007551375fe8d1243a72512da989c0a70
SHA256 fa0b05e30ccfa0e450b5d7724278d72abc61d91ecd00596bc02a5984eb2a15b1
SHA512 45496b11ad0ae3f3e7e9394764e18fda151459360cf2210218126453bcea3bfa5a066f310e54c60e0d49928301645532b8673904e667ff7760486919d047f374
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 0c5ebe18147429a6c5e2435ca319b155
SHA1 fa1ddc609fb29f3c2819156b29839709f2419971
SHA256 294e3349e850fe8adb749f27067a48be1c3299b55a6e9b67fa678b11646728ae
SHA512 4b7f7064b874b0ace92d2ff733f7e97d7a8c951ff2f8b0c01303ab82f1b3281a6501c8d3875565d0de44a39387eef230174280cfe4358e0d82b49190c54dcdde
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 452509519286e62cc39615cdad05c1e4
SHA1 b61dcbe04aff749d1ba25372c98205109ca730a4
SHA256 8260017dcbd11ae88810fc783ce5fcfeaca171a6371d84f6e987071a24575ffb
SHA512 21215236c1fffe513b16762d7e77bd8289363e91f07bc77bebaa43989fdc9482c40be24250cd14679e01c2288ad8e6cfd4feed5c0c9e0a0751577b31f57406ef
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 69f4848aa1aa50d9fb3d3d8cdb18101d
SHA1 b7d084e92561e1efe2a3d008844fe17951e7668d
SHA256 6811115320ea47b37ca7412237875bd1521845357be185cdb0cf6bf37753cbe7
SHA512 3655b1a916d3e3dddb2a3733370729407658fefeadf482611313f238f14c29a6ebfbbee88955364f9952e5710c84f804757ab9af43d65a1712d9ea12038156d3
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 abed6c9fe5622de3c3e2c30f7fe89d91
SHA1 26a4c0e19b903b3e0f8bf28f488bdd18c86db290
SHA256 e67183d2cadf2d06f9fe3cf9518c63a3de9889f3c8699e6632d7295068599a32
SHA512 b45e6049804c8ee0001c698f09b905b86143432395ddf503cce7e7692e7ab89ac093b9222bf8c9e47d74176acc05e4bbf1e41dfc5adb82350f9ebb64de6f3fc2
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 c5e3c9256f0e7b315e30ff06654fc3af
SHA1 e009bc6b5caa173d43c6155e2d59054318e9f909
SHA256 5e25eeddb6f1c5352c7240d74de5be6bf86bc173c9317bff2c764ce25f21e110
SHA512 7d40c634c38fc658746952325b358db7060d9585ad1969c750641ae70b9f3979702125d25f8113afdcaca08da4e8f7b4c441e31eea54c96804ab7a47ff9810ac
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 497482a8a11845d9a64fc9ffb78ea0cc
SHA1 60690adebf6df3796316eacd6c2b9dcac38783a9
SHA256 cd1acaa11f065383b385661790b181fc120cba48986a7504341580c080c38134
SHA512 9a8f22761b08d9d60e501db3063f61b4f2029143f7e3ed1a9b6955967c2b1a3f29d454e5b99df935cde0612118efa91bc03a110795821fe3bd410b1c90605fce
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 87a51201222195209a9085eccfcf653f
SHA1 ea4f16bb2b2bed4035be99dab2f869a0d5efbc15
SHA256 454a8552f5a77e01701b256032a5ddf20d45e5f3aaf45dc56ebfc1562b67a8fb
SHA512 8692d3c1b99264e6fb5859d1a1e4a723b4538dc4a93cdd8ff7ecf3cc77a187f9daf28cdf318d6e5179d718b5d8174e063622efd7a0dae0b8580bfc347c06ccf0
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 558965f3a26002fda11ef65b9fcec31b
SHA1 0780b1ce937d81a232360a8eeba303accf3b4f05
SHA256 1adf63bdcc51d8140606079014c6dbbcebf794948e6f56f7b9fa8f1f28d37914
SHA512 cd2c267523d23fed0f918fb7629e427e07c1e46f7336f8a99f264cf21a2a404f6618bd832d3f3191d9bffe101c86a8817aa0f004b7d5c2d4e6c65b3e93fa75b4
-
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize 8B
MD5 6f4cc58573130ca6db3942c13e4c6a67
SHA1 0eaa55ac9a06c8f5c35791dcb9a2f433794bd60b
SHA256 dedc3ca6ee299b73e769c3ade0f3255b0066df223d3bb1022f085644699185a7
SHA512 980235b5e9dc1d9d06d53d824e0bc4a79850364390eb1b0e12fc14f588ed81911fc2ba2945f1a842ec45e7b91158e3ac42ff971ff3d683d6414d5b057c12018b
-
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize 15B
MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
C:\Windows\SysWOW64\WinDir\svchost.exe
Filesize 1.1MB
MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
memory/1048-4-0x0000000000400000-0x0000000000451000-memory.dmp
Filesize 324KB
-
memory/1048-12-0x0000000010410000-0x0000000010475000-memory.dmp
Filesize 404KB
-
memory/1048-7-0x0000000000400000-0x0000000000451000-memory.dmp
Filesize 324KB
-
memory/1048-5-0x0000000000400000-0x0000000000451000-memory.dmp
Filesize 324KB
-
memory/1048-3-0x0000000000400000-0x0000000000451000-memory.dmp
Filesize 324KB
-
memory/1048-148-0x0000000000400000-0x0000000000451000-memory.dmp
Filesize 324KB
-
memory/1048-72-0x0000000010480000-0x00000000104E5000-memory.dmp
Filesize 404KB
-
memory/3008-8-0x0000000074DB0000-0x0000000075361000-memory.dmp
Filesize 5.7MB
-
memory/3008-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp
Filesize 4KB
-
memory/3008-2-0x0000000074DB0000-0x0000000075361000-memory.dmp
Filesize 5.7MB
-
memory/3008-1-0x0000000074DB0000-0x0000000075361000-memory.dmp
Filesize 5.7MB
-
memory/3044-17-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
Filesize 4KB
-
memory/3044-1340-0x0000000010480000-0x00000000104E5000-memory.dmp
Filesize 404KB
-
memory/3044-16-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
Filesize 4KB
-
memory/3044-77-0x0000000010480000-0x00000000104E5000-memory.dmp
Filesize 404KB