Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2024 22:09
Behavioral task: behavioral1
Sample: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
Size: 1.1MB
MD5: 6cfa6163ab015c7716ba8bcc7017ca91
SHA1: 6a48aa87c6cda963efb6a9d7bb386b7931ec2543
SHA256: a76fba3723f7ca56efbf3955854243ebc2a05e277726cdb96a727ef0822bae63
SHA512: 38207df6143f0524412761942b4926aedc4a433bbdf02fec82b02d7ca1e811465974c9f745401e961f442f4a32f0ad4f50c8fb81f449e280226f4e4ed7236b4f
SSDEEP: 24576:PwU/UwhWZH4KJsbh/Kc7KeZH8GnBDT4XZpSRSJo2xJiEUb/OoJFUde:PZU8WZHLJs758GBfKgSesix/OoJqY
Malware Config
Extracted
cybergate
v1.02.0
Cyber
trollfacelol.no-ip.biz:1604
GG436Q435DF3BF
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
ftp_password: hejsan1q
ftp_port: 1604
ftp_server: ftp.drivehq.com
ftp_username: falken208
injected_process: explorer.exe
install_dir: WinDir
install_file: server.exe
install_flag: true
keylogger_enable_ftp: true
message_box_caption: Successfully loaded! You can now cheat everywhere! Dont forget to always start the undetecter before starting Bunnyflop.exe or you may be banned! Happy hacking!
message_box_title: Successfully undetected
password: qwerty
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: Server.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: Server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" (process: Server.exe)
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: Server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" (process: Server.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: Server.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6} (process: Server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" (process: Server.exe)
Executes dropped EXE (4 IoCs)
Processes: 7za.exe, Server.exe, Server.exe, server.exe
- pid 2340: 7za.exe
- pid 2240: Server.exe
- pid 2756: Server.exe
- pid 2824: server.exe
Loads dropped DLL (6 IoCs)
Processes: cmd.exe, 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe, Server.exe
- pid 2260: cmd.exe
- pid 2260: cmd.exe
- pid 2544: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
- pid 2544: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
- pid 2756: Server.exe
- pid 2756: Server.exe
Processes:
- resource: behavioral1/memory/2544-0-0x0000000000400000-0x0000000000528000-memory.dmp; yara_rule: upx
- resource: behavioral1/memory/2240-22-0x0000000024010000-0x000000002406F000-memory.dmp; yara_rule: upx
- resource: behavioral1/memory/2240-26-0x0000000024070000-0x00000000240CF000-memory.dmp; yara_rule: upx
- resource: behavioral1/memory/2756-322-0x0000000024070000-0x00000000240CF000-memory.dmp; yara_rule: upx
- resource: behavioral1/memory/2544-351-0x0000000000400000-0x0000000000528000-memory.dmp; yara_rule: upx
- resource: behavioral1/memory/2756-915-0x0000000024070000-0x00000000240CF000-memory.dmp; yara_rule: upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Server.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" (process: Server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" (process: Server.exe)
Drops file in System32 directory (2 IoCs)
Processes: Server.exe
- File created: C:\Windows\SysWOW64\WinDir\server.exe (process: Server.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\server.exe (process: Server.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe, cmd.exe, 7za.exe, Server.exe, Server.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7za.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Server.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Server.exe)
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: Server.exe
- pid 2240: Server.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Server.exe
- pid 2756: Server.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Server.exe
- Token: SeDebugPrivilege (pid: 2756, process: Server.exe)
- Token: SeDebugPrivilege (pid: 2756, process: Server.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe, cmd.exe, Server.exe
- PID 2544 wrote to memory of 2260 (pid: 2544, process: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe, target process: cmd.exe)
- PID 2260 wrote to memory of 2340 (pid: 2260, process: cmd.exe, target process: 7za.exe)
- PID 2544 wrote to memory of 2240 (pid: 2544, process: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe, target process: Server.exe)
- PID 2240 wrote to memory of 2808 (pid: 2240, process: Server.exe, target process: iexplore.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\7za.exe
      Command line: "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\Server.exe
    Command line: C:\Users\Admin\AppData\Roaming\Server.exe
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - C:\Users\Admin\AppData\Roaming\Server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WinDir\server.exe
        Command line: "C:\Windows\system32\WinDir\server.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Active Setup (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Active Setup (1)
Downloads