Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2024 01:41

Static task: static1
Behavioral task: behavioral1
Sample: 69c80f46768f499acf221361564493b0_JaffaCakes118.exe
Resource: win7-20240704-en
General
- Target: 69c80f46768f499acf221361564493b0_JaffaCakes118.exe
- Size: 518KB
- MD5: 69c80f46768f499acf221361564493b0
- SHA1: 201f1823b6f876f4d6ef821d82111db11864f188
- SHA256: e102e23226e5f0a582eabae99bbc62eb10e9f419ca9e398b2a83ada385d85679
- SHA512: ee74f920766fc2dcf1ff7ff05166217af8201678830eb52aaf884d13d8133669dc86f867930fe237a9e2737ebdcdd92352f11543e421ccb009c7e1eaaf60f32b
- SSDEEP: 12288:YYesk0wZpO69lHyIiSxPmBUgDFrikROUo6NobRIE6LoCu5gVKvXpvq:YQ/w/O5S0BRDNw15gMv
Malware Config
Extracted
cybergate
v1.07.5
Cyber
drivebyjava.No-ip.biz:100
71677562W4B0UI
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | vbc.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{HX7P0RVD-AE25-66F1-K0Y6-IWL2PC07W61V} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{HX7P0RVD-AE25-66F1-K0Y6-IWL2PC07W61V}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | vbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{HX7P0RVD-AE25-66F1-K0Y6-IWL2PC07W61V} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{HX7P0RVD-AE25-66F1-K0Y6-IWL2PC07W61V}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | explorer.exe
Executes dropped EXE 1 IoCs
Processes: Svchost.exe
pid | process
2056 | Svchost.exe
Processes:
resource | yara_rule
behavioral2/memory/4560-12-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/4560-15-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/4780-77-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/4204-149-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral2/memory/4780-996-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/4204-1453-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | vbc.exe
Drops file in System32 directory 4 IoCs
Processes: vbc.exe, vbc.exe
description | ioc | process
File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\ | vbc.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 69c80f46768f499acf221361564493b0_JaffaCakes118.exe
description | pid | process | target process
PID 2056 set thread context of 4560 | 2056 | 69c80f46768f499acf221361564493b0_JaffaCakes118.exe | vbc.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 69c80f46768f499acf221361564493b0_JaffaCakes118.exe, vbc.exe, explorer.exe, vbc.exe, Svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69c80f46768f499acf221361564493b0_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svchost.exe
Modifies registry class 1 IoCs
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: vbc.exe
pid | process
4560 | vbc.exe
4560 | vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: vbc.exe
pid | process
4204 | vbc.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: explorer.exe, vbc.exe
description | pid | process
Token: SeBackupPrivilege | 4780 | explorer.exe
Token: SeRestorePrivilege | 4780 | explorer.exe
Token: SeBackupPrivilege | 4204 | vbc.exe
Token: SeRestorePrivilege | 4204 | vbc.exe
Token: SeDebugPrivilege | 4204 | vbc.exe
Token: SeDebugPrivilege | 4204 | vbc.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: vbc.exe
pid | process
4560 | vbc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 69c80f46768f499acf221361564493b0_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 2056 wrote to memory of 4560 | 2056 | 69c80f46768f499acf221361564493b0_JaffaCakes118.exe | vbc.exe (this entry is repeated 13 times)
PID 4560 wrote to memory of 3520 | 4560 | vbc.exe | Explorer.EXE (this entry is repeated 51 times)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\69c80f46768f499acf221361564493b0_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\69c80f46768f499acf221361564493b0_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         - Adds policy Run key to start application
         - Boot or Logon Autostart Execution: Active Setup
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            - Boot or Logon Autostart Execution: Active Setup
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\WinDir\Svchost.exe
               Command line: "C:\Windows\system32\WinDir\Svchost.exe"
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: c9f582a627421801c7ed3c926bd9f65f
  SHA1: e4858193005a9619e90efd3d9eb64efa58c855ed
  SHA256: 55ad41d15c4dbf6c287a43b10f4f0ff3ff0fbb53172ed9fe9b7291409617c2b2
  SHA512: ea527acbe1774e9227c42a880559eb383ddda2d84130f0802ffd90d959b89ea6d3957d479186a76a1b9af77f8000fcb0679863a2be19840395d6f4d2b1f7f601
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 50725cdf0d31685665a4331db008c0f3
  SHA1: d597ad190cb90f5b30c2557d98113a587da7d892
  SHA256: 8ba92fe7955217679b102a87980e85277bb416a5876c7206468cd5d1b239710a
  SHA512: 861f6d21895568fc844962124e1b3cc9ec2b96b181e2e48f6b807fc3197962ebc6f59302854998755c75eb25c7a099ab9fb24c1e9044b1cbca2b79deda2c779e
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: a44f20bcd7e51a50f4d4ceee877a4c62
  SHA1: 021f59beb5534581eb28894c2c1efba35ca05319
  SHA256: 357c9f2d464377909a1e3a72da87a20f87b5d6df76b4c6b4b0d56ac0ab7e58ff
  SHA512: a74fc00878ea5637d4ff8be41d6211c3d49166d6f198f2de1a937ebf51e5875b5313a816f3b1f9387079d7ff35f4055e881f6923ff3f4fa31942c77b7950cda6
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 74bcd0a3a70b3bee654ee0a59c085e53
  SHA1: f5b6c25da6a2e2ca156e9234551eb25a59e437e8
  SHA256: 61fe9e711a944245bd9504efb0eef0d244724d95eb4d5039769818020a715772
  SHA512: 877bb2c26ee8d8b003836ab8179a97e9693b970fc0021ac669741aa911527abc137ea16967a9b2b37e480b4ecda26488bcadcbe5b9e1c6385938b58ad0760bdc
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4657201f348bc36e0b337dbb67f41afd
  SHA1: 00f94abae6a9067875c53e9019ef1fa2c9ff8d62
  SHA256: 182e618087adfa5ff357290abb5f14b1b68b21cc2dee72e8c44edddbe42bf630
  SHA512: 0a617390baf105fffae965256be97712d1ab3a8b9554cf663d06665e1e4e19a1930ba95eebb69277fabf1e9655bd1ee78942bc4cc1551044258c20a53827b432
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: ca9e790500d3a402e7a1d618038df875
  SHA1: 5870e21330200bbaec43ec1e4758f647d1d2bf0e
  SHA256: ef2a9a4f0d8a9f9140641fdec7fc244903235f19c142c3fa72c0426d1c29be20
  SHA512: 6897c1a8feb1e29e65c3ad93379c147b883256bc5f02dcd046c625dd4dabd078a171140b7559244b2199a6961f920e42746f416b6141ffa70678d3089227d49d
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4e8c8870363d9f87b52091194f6982f0
  SHA1: c7b724e7b2e5ef183b6452dc167a753a64777e16
  SHA256: 15e873b77ab17a25cd5e4d9531fe9deefed05074bff329cbab124dd7a9808c0f
  SHA512: 5afa1647016b8089224f8c97c7e5bd7227f4d6187c298a6b8a519d4303f98f9a65948a7db50cbe52d6a92a66798107fdd89bd400700e53f24e575f049ffd90f8
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: bc73c7725e6a2081c8cd716cf24b41be
  SHA1: 32826c74e2424fe9d803e50f221c40d6184d1b4d
  SHA256: 9310efefa792c85a926011667c38ed60e0d49363bc8e14b049c62b4ab8b0e754
  SHA512: a5f05e3fb7765d10a4576f50666901af4c987019674da5cd0104ddaac247dd309d6be7a613ef084279ecc0d4c680ad49aeaa13a6f867fd62ead79076e5fc8adf
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 578ebdf0fa8e2a1c5a13c86301a769c1
  SHA1: cb3ceb839d8926ba31d387025a6a693ef8aecf80
  SHA256: bf902e226a3dafcd6565d4d355a531c04904fcc9d87dee2f15fdb63bae5f689f
  SHA512: 9f10e28df1b52697fa1e42bad8a9f41c28ce2ca9014bb621bcc1c4b5fd13711aa3c86ed70de3fd6760e654bdd2de0cc5f1187537ba8f9ba489f232cddc5616cf
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 02028a87e0ccfca03103866351717b93
  SHA1: cd7a0cc5e61a517a2ac1c2520411a02409e7e979
  SHA256: 275c9af5d9089f74f5cbc0c63031ff9b2f0a8910ea79b4e76423c119d5583a22
  SHA512: 378902bb709637666a4bb42942dc56e83f007cbbd0098992cffe0fe7adbf0094b43bc5fba3dedab4a09ebb00fc2a4f86598f1daceca92e9c8f511055c75f2c19
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 7387a1c9c4bcacc81445b463a1b3139b
  SHA1: 002a695dabf11818c3db597eea9b89babc403360
  SHA256: 12750fe0e5a4bfe48575f044f7c1edc8893389a9221838943a429c26bb9ade95
  SHA512: 9db740898591264a5afdfd7448d50c82cc42c72fc519a62ee3e61be6dc35c56ed248cbf404bde24251c0cd2fea480c34e9d0719f9afc7cf10723765344efc576
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 7e8a2aff4101680a283746acfb53053e
  SHA1: 10f29c5432a8924ebef3a69a7f485d6f73aaf48d
  SHA256: 8d3263071d8bf3ed3d1aea70a861c043b55468444008b08ce9bfaf3e0499e5a5
  SHA512: d92a61ef01134e024bc32afa7839a273781eb170de8ae9d29bf43b3454c16bd2cc62c654916d1ef602fae8e31532cbbc0f853eb3430050f5d104977339a5bc49
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4c9d1fbe40b324eb531c1f7bf2f6873a
  SHA1: 94a96a3d6c5db8a1fa4b1f8e75c2d784a9ca5cd9
  SHA256: 1bb3c5300199f06db18a34aafcd3191a6722cea38ea23a8dd7c0134e620ec928
  SHA512: 9b801675f7d8701546864d9b4ddf6105704795d67cd9d7c7b82d0aaf5672cf32f85dbf36793cc0cc275c555194b96a55beeabe9c56adc634b6b9e99c7ab1af54
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 04b19bbae9eaec699cffe2b0e19ae27d
  SHA1: f2d8f5239b5c00d7a4b90bbe9a087329bf2fadd7
  SHA256: 57ae149b9a8a1247d9a7eabc63d3d2d888a52bd24217a0d6addb3bcb9982c073
  SHA512: 1541f7bedeea7a9db88334e3297e83efbb75178d321b2a0156689eb35a0443c60233739bacc16f459e2535fe2a2e43f6708d0045fe5ea329bad1467b96bf9923
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4e1488c1560bdaa35835a42648fed6a4
  SHA1: 6c6c7ded2de0470248fd8d9682979a6a5ea8b398
  SHA256: a49845a9ba6c4c8de49b4ac50e1b0809a7653413026f13caf887d3414643d816
  SHA512: ed8e57bc894feb4fa7cbc509890ef21b3cb6e93da79e6633c1f6e93d57de66629c89e1b7645c8d8c5367d09b7a856afcf0ea2140fdf452a776128fda5d79fab5
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: b1ae362f8c8c5bc5f0ea64336c835143
  SHA1: 3e3559c002f002e87bcac74ebebc67aaae623589
  SHA256: 6d45d72550451f3c999108c0a913c1d1e218b5d01c7510cd197e8f7537c1eedf
  SHA512: 801f3d8b70306f75d68a3029c47976a9c7b828be9d30b3de26803736d89e5e75f958a411c94022fae84021bd89f6118168871c9e830f73bcf64827e5eca4e46c
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: bfac8dc6dcb68195c268f5dc703bd844
  SHA1: 600b64a5f911924e167008cbaa83ae96c71a58fd
  SHA256: dd39e2d08cc3c8b16c37bb25d6e12be8582b5c77cc4d150d13c71114412216c1
  SHA512: b78a0f792f1b0e2ca32181b52bd2982577fe21c1ab3ae3ad76ffd00d5be2924bc5d897f6e60826d1eeab55e23e44660886aa420aa1db3616141d100d124b930d
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 514eb0a7cd3091e4f6eaed68ecd66aad
  SHA1: d093790be27a368ac52c7409099ee4b8229c6aa3
  SHA256: 1d2531a50f88c93196e9ba73cbec1ff6d6fa46e3857f8a840c0491a4f0ed3920
  SHA512: c2fd2f2b15a9f98ee95db792909ebb0425d9c6130bc7920c1f09ee85552c48f5c08cfbe074cb60c00ad8fd832e45cfb38ab072ee36c212af14d82264ff1bb0cb
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 11d9369676500e44601bbb73a8201f99
  SHA1: 1c0d702c8f3859895aaf5ac95eeedfeb407f6355
  SHA256: 780af72aa299917ef717d5655e49616981d7ada357ffc806c5ef329772f10b0f
  SHA512: 6753f5aa4bcc6eba630c568bc197ea462aa6b24cb98da7563fd0863db26fa497d90529d2516fa694907b9b724f14f2701639e3d4439de07649c007f355a5e58a
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 43d85ce06a9786e0d691e9c5811fe88e
  SHA1: 08123455ff283a92c5b7dcf1779a5692166e5495
  SHA256: 77b91d9d833570413d91d84074005c12a5008539cd33e503ec1a673c4913f1f0
  SHA512: ea79047d2ae7f807a6978155b689b4713aea139baba7f1cbe6643a53132c62a10061c75409bf8b262bd8bf89ede86ff419c1ef394feed1b71edd32b4640c799a
- C:\Users\Admin\AppData\Roaming\Adminlog.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
- C:\Windows\SysWOW64\WinDir\Svchost.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- memory/2056-1-0x0000000074FA0000-0x0000000075551000-memory.dmp
  Filesize: 5.7MB
- memory/2056-2-0x0000000074FA0000-0x0000000075551000-memory.dmp
  Filesize: 5.7MB
- memory/2056-8-0x0000000074FA0000-0x0000000075551000-memory.dmp
  Filesize: 5.7MB
- memory/2056-0-0x0000000074FA2000-0x0000000074FA3000-memory.dmp
  Filesize: 4KB
- memory/4204-1453-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB
- memory/4204-149-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB
- memory/4560-7-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/4560-6-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/4560-4-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/4560-12-0x0000000010410000-0x0000000010475000-memory.dmp
  Filesize: 404KB
- memory/4560-3-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/4560-15-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB
- memory/4560-148-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/4780-996-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB
- memory/4780-17-0x00000000011E0000-0x00000000011E1000-memory.dmp
  Filesize: 4KB
- memory/4780-16-0x0000000001120000-0x0000000001121000-memory.dmp
  Filesize: 4KB
- memory/4780-77-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB