Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2024 10:33

Static task: static1
Behavioral task: behavioral1
Sample: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
Resource: win7-20240708-en

General
- Target: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- Size: 355KB
- MD5: 6f3836931b74da275c0da23ba896c234
- SHA1: c92bb5b72e557d6da806321ec9b02adaa7fdad8f
- SHA256: f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156
- SHA512: abc5c087429f8872c889ceeb615e3df4439dfafd8a53b5c60d245aaf21692a5ec084d0836ffa4b067cf2993d0fe74ccfc016a6ecb9c2815d69f6c6f59d31da80
- SSDEEP: 6144:Ka+mOBCVId41u6S14lqG4JtzD2FuGgfbV2GQVnhXRuKk/OAn6l38kMVcCUge3Il0:CPBCVI+uPDGGguG+gbuKna1cCU93I7g+
Malware Config
Extracted: cybergate
- v1.07.5
- Cyber
- rsvirtue.no-ip.biz:100
- 62P54T85F88414
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3} (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (explorer.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
Processes: Svchost.exe, Svchost.exe
- PID 2272: Svchost.exe
- PID 2968: Svchost.exe
Processes (resource / yara_rule):
- behavioral2/memory/2816-7-0x0000000010410000-0x0000000010475000-memory.dmp: upx
- behavioral2/memory/2816-67-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/2200-72-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/3632-142-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
- behavioral2/memory/2200-1007-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/3632-1464-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)

Drops file in System32 directory (4 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- File created: C:\Windows\SysWOW64\WinDir\Svchost.exe (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, Svchost.exe
- PID 1324 set thread context of 2816 (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, target process 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- PID 2272 set thread context of 2968 (Svchost.exe, target process Svchost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, Svchost.exe, Svchost.exe, 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
Modifies registry class (1 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, Svchost.exe
- PID 2816: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- PID 2816: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- PID 2968: Svchost.exe
- PID 2968: Svchost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- PID 3632: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- Token: SeBackupPrivilege, PID 2200 (explorer.exe)
- Token: SeRestorePrivilege, PID 2200 (explorer.exe)
- Token: SeBackupPrivilege, PID 3632 (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Token: SeRestorePrivilege, PID 3632 (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Token: SeDebugPrivilege, PID 3632 (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)
- Token: SeDebugPrivilege, PID 3632 (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe)

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- PID 2816: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
- PID 1324 wrote to memory of 2816 (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, target process 6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe); this row is repeated for the first 13 entries
- PID 2816 wrote to memory of 3468 (6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe, target process Explorer.EXE); this row is repeated for the remaining 51 entries
Processes
Level 1: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  Level 2: C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe")
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe")
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe)
        - Boot or Logon Autostart Execution: Active Setup
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Program Files\Internet Explorer\iexplore.exe (command line: "C:\Program Files\Internet Explorer\iexplore.exe")
      Level 4: C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe")
        - Checks computer location settings
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        Level 5: C:\Windows\SysWOW64\WinDir\Svchost.exe (command line: "C:\Windows\system32\WinDir\Svchost.exe")
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          Level 6: C:\Windows\SysWOW64\WinDir\Svchost.exe (command line: "C:\Windows\SysWOW64\WinDir\Svchost.exe")
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt (224KB)
- C:\Users\Admin\AppData\Local\Temp\Admin7 (8B; 18 entries, each with a different hash)
- C:\Users\Admin\AppData\Roaming\Adminlog.dat (15B)
- C:\Windows\SysWOW64\WinDir\Svchost.exe (355KB; same MD5, SHA1, SHA256 and SHA512 as the submitted sample)