Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 21:53

Behavioral task: behavioral1
- Sample: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
- Resource: win7-20240704-en

General
- Target: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
- Size: 1.2MB
- MD5: 7162f99c0ceefc19c88816af9e8dde09
- SHA1: 8cefb5d035e2f31de72c227217d180356e1e9b55
- SHA256: b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6
- SHA512: ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703
- SSDEEP: 12288:LwslI7rGNrkty0fkhAlmv4TBd47GLRMTbA7rGNrkty0fkhA5ml:cslIErmyFAeWd474mfAErmyFAw
Malware Config
Extracted
- cybergate
- v1.07.5
- cyber
- prodigyera.no-ip.org:20
- 7PC66W54K7W42D
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe, explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" | explorer.exe
Executes dropped EXE (1 IoCs)
Processes: server.exe
  pid | process
  2552 | server.exe

Loads dropped DLL (2 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  pid | process
  1348 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  1348 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
Processes:
  resource | yara_rule
  behavioral1/memory/2312-0-0x0000000000400000-0x000000000052E000-memory.dmp | upx
  behavioral1/memory/2312-3-0x0000000010410000-0x0000000010475000-memory.dmp | upx
  behavioral1/memory/2784-534-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  C:\Windows\SysWOW64\WinDir\server.exe | upx
  behavioral1/memory/1348-559-0x0000000000400000-0x000000000052E000-memory.dmp | upx
  behavioral1/memory/2312-866-0x0000000000400000-0x000000000052E000-memory.dmp | upx
  behavioral1/memory/1348-886-0x0000000007100000-0x000000000722E000-memory.dmp | upx
  behavioral1/memory/2552-890-0x0000000000400000-0x000000000052E000-memory.dmp | upx
  behavioral1/memory/2784-1452-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

Drops file in System32 directory (4 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\WinDir\server.exe | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\WinDir\ | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: explorer.exe, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  pid | process
  2312 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  pid | process
  1348 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  description | pid | process
  Token: SeBackupPrivilege | 2784 | explorer.exe
  Token: SeRestorePrivilege | 2784 | explorer.exe
  Token: SeBackupPrivilege | 1348 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1348 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1348 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1348 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  pid | process
  2312 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
  description | pid | process | target process
  PID 2312 wrote to memory of 1196 | 2312 | 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | Explorer.EXE
  (all 64 entries are identical to the row above: the same source process 2312 writing into Explorer.EXE, PID 1196)
Processes
- C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (level 3)
      command line: explorer.exe
      - Boot or Logon Autostart Execution: Active Setup
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\Internet Explorer\iexplore.exe (level 3)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WinDir\server.exe (level 4)
        command line: "C:\Windows\system32\WinDir\server.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt (224KB)
- C:\Users\Admin\AppData\Local\Temp\Admin7 (8B; 21 distinct versions of this file were captured)
- C:\Users\Admin\AppData\Roaming\Adminlog.dat (15B)
- C:\Windows\SysWOW64\WinDir\server.exe (1.2MB; MD5 7162f99c0ceefc19c88816af9e8dde09, with SHA1, SHA256 and SHA512 identical to the submitted sample listed under General, i.e. the dropped server.exe is a byte-for-byte copy of 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- memory/1196-4-0x0000000002E20000-0x0000000002E21000-memory.dmp (4KB)
- memory/1348-889-0x0000000007100000-0x000000000722E000-memory.dmp (1.2MB)
- memory/1348-2026-0x0000000007100000-0x000000000722E000-memory.dmp (1.2MB)
- memory/1348-559-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/1348-886-0x0000000007100000-0x000000000722E000-memory.dmp (1.2MB)
- memory/2312-558-0x0000000001F00000-0x000000000202E000-memory.dmp (1.2MB)
- memory/2312-0-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/2312-3-0x0000000010410000-0x0000000010475000-memory.dmp (404KB)
- memory/2312-866-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/2552-890-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/2784-247-0x00000000000E0000-0x00000000000E1000-memory.dmp (4KB)
- memory/2784-1452-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
- memory/2784-260-0x0000000000160000-0x0000000000161000-memory.dmp (4KB)
- memory/2784-534-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)