Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 02:27
Static task: static1
Behavioral task: behavioral1
Sample: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
Size: 877KB
MD5: 7240322cbe365e6b61cfcc3537a5f32c
SHA1: d30cfd5bf794f085dd8f57d1b938013eba252096
SHA256: 9f3b85382a30458dd7a7bbefe8efa186d8814b49f574d32d1aa70b50245960f6
SHA512: dfeb7843c222ef88f359918332ec6acbc803b3457683cf1d3ad58e64af5f2ab97e311748ed6db9a7b0e5738d7371cc467d70841de4e08a6ca743e9b097352ed3
SSDEEP: 12288:HXhANA7abIJDKGjvgQ4jtvj8KxNmM5f1ozmBupqYN3BUuQEoB1q:RRWTGMZSsB1/g0IR3QEK1q
Malware Config
Extracted
cybergate
v1.07.5
Cyber
192.168.0.52:443
T3X6745GUMWB80
enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" | vbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" | explorer.exe
Executes dropped EXE 1 IoCs
Processes: server.exe
pid | process
1372 | server.exe
Loads dropped DLL 1 IoCs
Processes: vbc.exe
pid | process
1048 | vbc.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\svchost.exe" | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" | vbc.exe
Drops file in System32 directory 4 IoCs
Processes: vbc.exe, vbc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\ | vbc.exe
File created | C:\Windows\SysWOW64\WinDir\server.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | vbc.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
description | pid | process | target process
PID 1868 set thread context of 2404 | 1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe | vbc.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: server.exe, 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe, explorer.exe, vbc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe
pid | process
1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
2404 | vbc.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, explorer.exe, vbc.exe
description | pid | process
Token: SeDebugPrivilege | 1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
Token: SeBackupPrivilege | 1296 | explorer.exe
Token: SeRestorePrivilege | 1296 | explorer.exe
Token: SeBackupPrivilege | 1048 | vbc.exe
Token: SeRestorePrivilege | 1048 | vbc.exe
Token: SeDebugPrivilege | 1048 | vbc.exe
Token: SeDebugPrivilege | 1048 | vbc.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: vbc.exe
pid | process
2404 | vbc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 1868 wrote to memory of 2404 | 1868 | 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe | vbc.exe (row repeated)
PID 2404 wrote to memory of 1240 | 2404 | vbc.exe | Explorer.EXE (row repeated)
Processes
1⤵ C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
2⤵ C:\Users\Admin\AppData\Local\Temp\7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe")
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
3⤵ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe)
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe)
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
4⤵ C:\Program Files\Internet Explorer\iexplore.exe (command line: "C:\Program Files\Internet Explorer\iexplore.exe")
4⤵ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe")
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
5⤵ C:\Windows\SysWOW64\WinDir\server.exe (command line: "C:\Windows\system32\WinDir\server.exe")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\Admin2.txt (Filesize: 224KB)
C:\Users\Admin\AppData\Local\Temp\Admin7 (Filesize: 8B; listed 20 times with differing hashes)
C:\Windows\SysWOW64\WinDir\server.exe (Filesize: 1.1MB)