Analysis
- Max time kernel: 148s
- Max time network: 152s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240709-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 22-07-2024 20:52

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe
- Resource: win7-20240705-en
General
- Target: 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe
- Size: 924KB
- MD5: 64c47fdc5b4d63fef7792d57a1dfd082
- SHA1: a763fe7f2e293549d05d02108b70d46776147621
- SHA256: f0f46eed0c64f5859af3b95bfafcbe559ac6ca27af868f32ba01927790f5f412
- SHA512: 26a170bc9b8aaae70006a2f334fdbbece10b3ecf7e2bc44296020fc41d935d52c21d10058adf29a14286405ce5755df014f9b0b8046b4dac67b7d1139103edc5
- SSDEEP: 12288:IfI3nYmw+UqNd7iaw56TLuKaC9LUoegw+Nqvl33zApr/q4rMaxULwA5qHPQNyYwF:ionc0eNNB9PEvRc
Malware Config
Extracted
- Family: cybergate
- Version: v1.01.8
- Botnet: cyber
- C2: kikiriki12.no-ip.biz:100
- Mutex: CyberGate1

Attributes
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, vbc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{826W26LF-3I22-0745-NK35-3LLBSG122M83} (explorer.exe)
Executes dropped EXE (1 IoC)
Processes: Svchost.exe
- PID 4360: Svchost.exe

Resources matching yara rule upx (7 IoCs)
- behavioral2/memory/2480-13-0x0000000024010000-0x0000000024070000-memory.dmp
- behavioral2/memory/2480-15-0x0000000024070000-0x00000000240D0000-memory.dmp
- behavioral2/memory/2480-72-0x0000000024070000-0x00000000240D0000-memory.dmp
- behavioral2/memory/1460-77-0x0000000024070000-0x00000000240D0000-memory.dmp
- behavioral2/memory/3300-149-0x0000000024130000-0x0000000024190000-memory.dmp
- behavioral2/memory/1460-1017-0x0000000024070000-0x00000000240D0000-memory.dmp
- behavioral2/memory/3300-1453-0x0000000024130000-0x0000000024190000-memory.dmp
Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)

Drops file in System32 directory (4 IoCs)
Processes: vbc.exe, vbc.exe
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (vbc.exe)
- File created: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe
- PID 4532 set thread context of 2480 (64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe -> vbc.exe)

Modifies registry class (1 IoC)
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: vbc.exe
- PID 2480: vbc.exe
- PID 2480: vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vbc.exe
- PID 3300: vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: vbc.exe
- Token: SeDebugPrivilege, PID 3300 (vbc.exe)
- Token: SeDebugPrivilege, PID 3300 (vbc.exe)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: vbc.exe
- PID 2480: vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe, vbc.exe
- PID 4532 wrote to memory of 2480 (64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe -> vbc.exe), 13 identical entries
- PID 2480 wrote to memory of 3436 (vbc.exe -> Explorer.EXE), 51 identical entries
Processes
- (depth 1) C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe, command line: "C:\Users\Admin\AppData\Local\Temp\64c47fdc5b4d63fef7792d57a1dfd082_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\explorer.exe, command line: explorer.exe
        - Boot or Logon Autostart Execution: Active Setup
      - (depth 4) C:\Program Files\Internet Explorer\iexplore.exe, command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - (depth 4) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - (depth 5) C:\Windows\SysWOW64\WinDir\Svchost.exe, command line: "C:\Windows\system32\WinDir\Svchost.exe"
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads