Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2024 22:09
Behavioral task: behavioral1
Sample: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
Size: 1.1MB
MD5: 6cfa6163ab015c7716ba8bcc7017ca91
SHA1: 6a48aa87c6cda963efb6a9d7bb386b7931ec2543
SHA256: a76fba3723f7ca56efbf3955854243ebc2a05e277726cdb96a727ef0822bae63
SHA512: 38207df6143f0524412761942b4926aedc4a433bbdf02fec82b02d7ca1e811465974c9f745401e961f442f4a32f0ad4f50c8fb81f449e280226f4e4ed7236b4f
SSDEEP: 24576:PwU/UwhWZH4KJsbh/Kc7KeZH8GnBDT4XZpSRSJo2xJiEUb/OoJFUde:PZU8WZHLJs758GBfKgSesix/OoJqY
Malware Config
Extracted
cybergate
v1.02.0
Cyber
trollfacelol.no-ip.biz:1604
GG436Q435DF3BF
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
ftp_password: hejsan1q
ftp_port: 1604
ftp_server: ftp.drivehq.com
ftp_username: falken208
injected_process: explorer.exe
install_dir: WinDir
install_file: server.exe
install_flag: true
keylogger_enable_ftp: true
message_box_caption: Successfully loaded! You can now cheat everywhere! Dont forget to always start the undetecter before starting Bunnyflop.exe or you may be banned! Happy hacking!
message_box_title: Successfully undetected
password: qwerty
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: Server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | Server.exe
Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | Server.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: Server.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6} | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" | Server.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Server.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | Server.exe
Executes dropped EXE 4 IoCs
Processes: 7za.exe, Server.exe, Server.exe, server.exe
pid | process
2348 | 7za.exe
4032 | Server.exe
2904 | Server.exe
2448 | server.exe
Processes:
resource | yara_rule
behavioral2/memory/5112-0-0x0000000000400000-0x0000000000528000-memory.dmp | upx
behavioral2/memory/4032-17-0x0000000024010000-0x000000002406F000-memory.dmp | upx
behavioral2/memory/4032-18-0x0000000024010000-0x000000002406F000-memory.dmp | upx
behavioral2/memory/4032-21-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
behavioral2/memory/4032-80-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
behavioral2/memory/2904-85-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
behavioral2/memory/5112-113-0x0000000000400000-0x0000000000528000-memory.dmp | upx
behavioral2/memory/2904-1208-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes: Server.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" | Server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" | Server.exe
Drops file in System32 directory 2 IoCs
Processes: Server.exe
description | ioc | process
File created | C:\Windows\SysWOW64\WinDir\server.exe | Server.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3644 | 2448 | WerFault.exe | server.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Server.exe, Server.exe, server.exe, 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe, cmd.exe, 7za.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7za.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: Server.exe
pid | process
4032 | Server.exe
4032 | Server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Server.exe
pid | process
2904 | Server.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Server.exe
description | pid | process
Token: SeDebugPrivilege | 2904 | Server.exe
Token: SeDebugPrivilege | 2904 | Server.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe, cmd.exe, Server.exe
description | pid | process | target process
PID 5112 wrote to memory of 1736 | 5112 | 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | cmd.exe
PID 1736 wrote to memory of 2348 | 1736 | cmd.exe | 7za.exe
PID 5112 wrote to memory of 4032 | 5112 | 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | Server.exe
PID 4032 wrote to memory of 2272 | 4032 | Server.exe | iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\7za.exe
      Command line: "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\Server.exe
    Command line: C:\Users\Admin\AppData\Roaming\Server.exe
    Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - C:\Users\Admin\AppData\Roaming\Server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WinDir\server.exe
        Command line: "C:\Windows\system32\WinDir\server.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 228
          Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Active Setup (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Active Setup (1)
Downloads