Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 15:14

Static task: static1
Behavioral task: behavioral1
- Sample: 701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe
- Resource: win7-20240705-en
General
- Target: 701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe
- Size: 584KB
- MD5: 701f55b4d2e78196271782827d9337d4
- SHA1: c573d45f4892aa8f1288da4d8d67f8eea16aa101
- SHA256: 90018ce8dbd4365fc0f100a6ccbffdf204ed8b7c559dc7403dccd39e19a45087
- SHA512: c3d4e465a954c79a724eb04ea3c93c2da6aa15522635633cd73d8ad23f6795fb4afa38d98086a6d01129b654a56b372b648b873407cc134c4734a3d5a0f9d093
- SSDEEP: 12288:RIKulUuDo/WTx/iTr5fY23j6I5TBhOza27y:elKuDoeTY35fY2T6IFTD27y
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Cyber
- boyscouts.no-ip.biz:100
- 20XNRX50YU5C8A
- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: Sychost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Game failed. Can't connect.
- message_box_title: Error
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Sychost.exe" (vbc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Sychost.exe" (vbc.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6SE2L6M4-D8S4-64WC-H1VF-2BQ32F5K77B3} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6SE2L6M4-D8S4-64WC-H1VF-2BQ32F5K77B3}\StubPath = "C:\\Windows\\system32\\WinDir\\Sychost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6SE2L6M4-D8S4-64WC-H1VF-2BQ32F5K77B3} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6SE2L6M4-D8S4-64WC-H1VF-2BQ32F5K77B3}\StubPath = "C:\\Windows\\system32\\WinDir\\Sychost.exe" (explorer.exe)
Executes dropped EXE (1 IoCs)
Processes: Sychost.exe
- PID 568 Sychost.exe
Loads dropped DLL (1 IoCs)
Processes: vbc.exe
- PID 2872 vbc.exe
Processes:
- Resource behavioral1/memory/2000-561-0x0000000010480000-0x00000000104E5000-memory.dmp matches yara rule upx
- Resource behavioral1/memory/2000-1552-0x0000000010480000-0x00000000104E5000-memory.dmp matches yara rule upx
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Sychost.exe" (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Sychost.exe" (vbc.exe)
Drops file in System32 directory (4 IoCs)
Processes: vbc.exe, vbc.exe
- File created: C:\Windows\SysWOW64\WinDir\Sychost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Sychost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Sychost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (vbc.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: 701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe
- PID 976 (701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe) set thread context of 2784 (target process: vbc.exe)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe, vbc.exe, explorer.exe, vbc.exe, Sychost.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Sychost.exe)
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: vbc.exe
- PID 2784 vbc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: vbc.exe
- PID 2872 vbc.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, vbc.exe
- Token: SeBackupPrivilege, PID 2000 explorer.exe
- Token: SeRestorePrivilege, PID 2000 explorer.exe
- Token: SeBackupPrivilege, PID 2872 vbc.exe
- Token: SeRestorePrivilege, PID 2872 vbc.exe
- Token: SeDebugPrivilege, PID 2872 vbc.exe
- Token: SeDebugPrivilege, PID 2872 vbc.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: vbc.exe
- PID 2784 vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe, vbc.exe
The 64 entries are repeats of two events:
- PID 976 (701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe) wrote to memory of 2784 (target process: vbc.exe)
- PID 2784 (vbc.exe) wrote to memory of 1204 (target process: Explorer.EXE)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\701f55b4d2e78196271782827d9337d4_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         - Adds policy Run key to start application
         - Boot or Logon Autostart Execution: Active Setup
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            - Boot or Logon Autostart Execution: Active Setup
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\WinDir\Sychost.exe
               Command line: "C:\Windows\system32\WinDir\Sychost.exe"
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads