Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2024 21:53
Behavioral task: behavioral1
Sample: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
Resource: win7-20240704-en
General
- Target: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
- Size: 1.2MB
- MD5: 7162f99c0ceefc19c88816af9e8dde09
- SHA1: 8cefb5d035e2f31de72c227217d180356e1e9b55
- SHA256: b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6
- SHA512: ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703
- SSDEEP: 12288:LwslI7rGNrkty0fkhAlmv4TBd47GLRMTbA7rGNrkty0fkhA5ml:cslIErmyFAeWd474mfAErmyFAw
Malware Config
Extracted (cybergate v1.07.5):
- cyber
- prodigyera.no-ip.org:20
- 7PC66W54K7W42D
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" (process: explorer.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
- server.exe (PID 336)
Resources matching YARA rule upx:
- behavioral2/memory/908-0-0x0000000000400000-0x000000000052E000-memory.dmp
- behavioral2/memory/908-3-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/3584-69-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/908-64-0x0000000010480000-0x00000000104E5000-memory.dmp
- C:\Windows\SysWOW64\WinDir\server.exe
- behavioral2/memory/3132-90-0x0000000000400000-0x000000000052E000-memory.dmp
- behavioral2/memory/908-139-0x0000000000400000-0x000000000052E000-memory.dmp
- behavioral2/memory/3132-140-0x0000000010560000-0x00000000105C5000-memory.dmp
- behavioral2/memory/336-159-0x0000000000400000-0x000000000052E000-memory.dmp
- behavioral2/memory/3584-802-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/3132-1256-0x0000000010560000-0x00000000105C5000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\SysWOW64\WinDir\server.exe (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\server.exe (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\server.exe (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- WerFault.exe (PID 2196), target process: server.exe (PID 336)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: server.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 908)
- 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 908)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 3132)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeBackupPrivilege, explorer.exe (PID 3584)
- Token: SeRestorePrivilege, explorer.exe (PID 3584)
- Token: SeBackupPrivilege, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 3132)
- Token: SeRestorePrivilege, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 3132)
- Token: SeDebugPrivilege, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 3132)
- Token: SeDebugPrivilege, 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 3132)
Suspicious use of FindShellTrayWindow (1 IoC)
- 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe (PID 908)
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 908 (7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe) wrote to memory of PID 3444 (Explorer.EXE); this same entry is listed for all 64 IoCs
Processes
- [depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
    Signatures:
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      Signatures:
      - Boot or Logon Autostart Execution: Active Setup
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"
      Signatures:
      - Checks computer location settings
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - [depth 4] C:\Windows\SysWOW64\WinDir\server.exe
        Command line: "C:\Windows\system32\WinDir\server.exe"
        Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 580
          Signatures:
          - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 336 -ip 336
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt (224KB)
- C:\Users\Admin\AppData\Local\Temp\Admin7 (8B; 18 separate entries, each with a different hash)
- C:\Users\Admin\AppData\Roaming\Adminlog.dat (15B)
- C:\Windows\SysWOW64\WinDir\server.exe (1.2MB; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample listed under General)
Memory dumps:
- memory/336-159-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/908-139-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/908-64-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
- memory/908-0-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/908-3-0x0000000010410000-0x0000000010475000-memory.dmp (404KB)
- memory/3132-1256-0x0000000010560000-0x00000000105C5000-memory.dmp (404KB)
- memory/3132-90-0x0000000000400000-0x000000000052E000-memory.dmp (1.2MB)
- memory/3132-140-0x0000000010560000-0x00000000105C5000-memory.dmp (404KB)
- memory/3584-8-0x0000000000650000-0x0000000000651000-memory.dmp (4KB)
- memory/3584-9-0x0000000000B50000-0x0000000000B51000-memory.dmp (4KB)
- memory/3584-802-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
- memory/3584-69-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
- memory/3584-67-0x0000000003840000-0x0000000003841000-memory.dmp (4KB)