Analysis
Max time kernel: 148s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 22-07-2024 20:52
Static task: static1
Behavioral task: behavioral1 (sample 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe, resource win7-20240705-en)
General
Target: 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe
Size: 924KB
MD5: 64c47fdc5b4d63fef7792d57a1dfd082
SHA1: a763fe7f2e293549d05d02108b70d46776147621
SHA256: f0f46eed0c64f5859af3b95bfafcbe559ac6ca27af868f32ba01927790f5f412
SHA512: 26a170bc9b8aaae70006a2f334fdbbece10b3ecf7e2bc44296020fc41d935d52c21d10058adf29a14286405ce5755df014f9b0b8046b4dac67b7d1139103edc5
SSDEEP: 12288:IfI3nYmw+UqNd7iaw56TLuKaC9LUoegw+Nqvl33zApr/q4rMaxULwA5qHPQNyYwF:ionc0eNNB9PEvRc
Malware Config
Extracted
Family: cybergate
Version: v1.01.8
Botnet: cyber
C2: kikiriki12.no-ip.biz:100
Mutex: CyberGate1
Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (explorer.exe)

Executes dropped EXE (1 IoC)
Processes: Svchost.exe
- PID 2508 Svchost.exe

Loads dropped DLL (1 IoC)
Processes: vbc.exe
- PID 1652 vbc.exe

YARA rule matches (rule: upx)
Resources:
- behavioral1/memory/2704-19-0x0000000024010000-0x0000000024070000-memory.dmp: upx
- behavioral1/memory/916-540-0x0000000024070000-0x00000000240D0000-memory.dmp: upx
- behavioral1/memory/1652-870-0x0000000024130000-0x0000000024190000-memory.dmp: upx
- behavioral1/memory/916-1442-0x0000000024070000-0x00000000240D0000-memory.dmp: upx
- behavioral1/memory/1652-1563-0x0000000024130000-0x0000000024190000-memory.dmp: upx
Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)

Drops file in System32 directory (4 IoCs)
Processes: vbc.exe, vbc.exe
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (vbc.exe)
- File created: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe
- PID 2760 set thread context of 2704 (64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe -> vbc.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: vbc.exe
- PID 2704 vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vbc.exe
- PID 1652 vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: vbc.exe
- Token: SeDebugPrivilege, PID 1652 vbc.exe
- Token: SeDebugPrivilege, PID 1652 vbc.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: vbc.exe
- PID 2704 vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe, vbc.exe
- PID 2760 wrote to memory of 2704 (64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe -> vbc.exe): 12 identical entries
- PID 2704 wrote to memory of 1180 (vbc.exe -> Explorer.EXE): 52 identical entries
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe")
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe)
      Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe)
        Signatures: Boot or Logon Autostart Execution: Active Setup
      - C:\Program Files\Internet Explorer\iexplore.exe (command line: "C:\Program Files\Internet Explorer\iexplore.exe")
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe")
        Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WinDir\Svchost.exe (command line: "C:\Windows\system32\WinDir\Svchost.exe")
          Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads