Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2024 02:27
Static task: static1
Behavioral task: behavioral1
- Sample: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
- Size: 877KB
- MD5: 7240322cbe365e6b61cfcc3537a5f32c
- SHA1: d30cfd5bf794f085dd8f57d1b938013eba252096
- SHA256: 9f3b85382a30458dd7a7bbefe8efa186d8814b49f574d32d1aa70b50245960f6
- SHA512: dfeb7843c222ef88f359918332ec6acbc803b3457683cf1d3ad58e64af5f2ab97e311748ed6db9a7b0e5738d7371cc467d70841de4e08a6ca743e9b097352ed3
- SSDEEP: 12288:HXhANA7abIJDKGjvgQ4jtvj8KxNmM5f1ozmBupqYN3BUuQEoB1q:RRWTGMZSsB1/g0IR3QEK1q
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Cyber
- C2: 192.168.0.52:443 (an RFC 1918 private address, so this build can only reach a controller on the builder's own local network)
- T3X6745GUMWB80
- enable_keylogger: false
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: vbc.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" (vbc.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" (vbc.exe)
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Processes: vbc.exe, explorer.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" (vbc.exe)
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT} (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" (explorer.exe)
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT} (vbc.exe)
- Executes dropped EXE (1 IoCs)
  Processes: server.exe
  - PID 4380 server.exe
- YARA rule matches: upx (6 IoCs)
  - behavioral2/memory/640-14-0x0000000010410000-0x0000000010475000-memory.dmp (upx)
  - behavioral2/memory/640-17-0x0000000010480000-0x00000000104E5000-memory.dmp (upx)
  - behavioral2/memory/4720-79-0x0000000010480000-0x00000000104E5000-memory.dmp (upx)
  - behavioral2/memory/1576-151-0x0000000010560000-0x00000000105C5000-memory.dmp (upx)
  - behavioral2/memory/4720-772-0x0000000010480000-0x00000000104E5000-memory.dmp (upx)
  - behavioral2/memory/1576-1460-0x0000000010560000-0x00000000105C5000-memory.dmp (upx)
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\svchost.exe" (7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" (vbc.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" (vbc.exe)
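The three persistence signatures above (policy Run key, Active Setup StubPath, Run key) are the autostart locations a responder should pull from the host. The script below is an added example written for this report; it is not sandbox tooling or code from the malware. It parses "Set value" lines in the format printed above (the input is constructed from this report's IoC lines plus one made-up non-autostart write), normalizes WOW6432Node and per-SID hives, and classifies each write. Two checks are worth calling out: the Active Setup component name {NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT} is not a valid GUID (real Installed Components names are hex only), which makes a cheap hunting filter; and a 32-bit writer (revealed by the HKLM key landing under WOW6432Node) that writes a system32 path will usually have dropped the file under SysWOW64, as it did here (C:\Windows\SysWOW64\WinDir\server.exe). HKCU keys are not redirected, so that flag is per key, not per process. The key list, regexes and verdict names are my own.

```python
"""Classify sandbox 'Set value' registry events as autostart (ASEP) writes.

Added example for this report, not tooling from the sandbox or the malware
author. Input lines are constructed from the report's IoC lines; the last
one is a made-up non-autostart write to show it is ignored.
"""
import re
from dataclasses import dataclass, field

# Constructed from the report's "Set value (str)" IoC lines (backslashes in the
# value data are doubled exactly as the report prints them).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" vbc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" vbc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{NY3FV504-3S46-65O0-726Q-1C2BODCRC3QT}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" vbc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\svchost.exe" 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" vbc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" vbc.exe',
    # Constructed non-autostart write; must not produce a finding.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Example\Setting = "1" notepad.exe',
]

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>.*)" (?P<writer>\S+)$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$')

# Autostart keys seen in this report (hive-relative, WOW6432Node removed, upper-cased).
ASEP_KEYS = {
    r'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN': 'Run key',
    r'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN': 'Policy Run key',
}
ACTIVE_SETUP_PREFIX = 'SOFTWARE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\'


@dataclass
class Finding:
    location: str      # which ASEP matched
    hive: str          # HKLM or HKU\<SID>
    key: str           # hive-relative key with WOW6432Node stripped
    value_name: str
    image: str         # executable path parsed out of the value data
    writer: str        # process that performed the write
    wow64: bool        # key sat under WOW6432Node, i.e. a 32-bit writer on x64
    notes: list = field(default_factory=list)


def normalize_key(path):
    """Split a \\REGISTRY\\... path into (hive, hive-relative key, wow64 flag)."""
    parts = path.split('\\')          # parts[0] is '' because of the leading backslash
    if len(parts) < 4 or parts[1] != 'REGISTRY':
        raise ValueError(f'not a registry path: {path}')
    if parts[2] == 'MACHINE':
        hive, rest = 'HKLM', parts[3:]
    elif parts[2] == 'USER':
        hive, rest = 'HKU\\' + parts[3], parts[4:]
    else:
        raise ValueError(f'unknown hive in {path}')
    wow64 = any(p.upper() == 'WOW6432NODE' for p in rest)
    rest = [p for p in rest if p.upper() != 'WOW6432NODE']
    return hive, '\\'.join(rest), wow64


def classify(line):
    """Return a Finding for an autostart write, or None for anything else."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    hive, full_key, wow64 = normalize_key(m['path'])
    key, _, value_name = full_key.rpartition('\\')
    key_upper = key.upper()
    notes = []
    if key_upper in ASEP_KEYS:
        location = ASEP_KEYS[key_upper]
    elif key_upper.startswith(ACTIVE_SETUP_PREFIX) and value_name.upper() == 'STUBPATH':
        location = 'Active Setup StubPath'
        component = key[len(ACTIVE_SETUP_PREFIX):]
        if not GUID_RE.match(component.upper()):
            notes.append(f'component name {component} is not a valid GUID')
    else:
        return None
    data = m['data'].replace('\\\\', '\\')          # undo the report's escaping
    img = re.match(r'(.*?\.exe)(?:\s|$)', data, re.IGNORECASE)
    image = img.group(1) if img else data           # drop trailing arguments such as "Restart"
    if wow64 and '\\system32\\' in image.lower():
        notes.append('32-bit writer: a system32 path is redirected to SysWOW64 on disk')
    return Finding(location, hive, key, value_name, image, m['writer'], wow64, notes)


def scan(lines):
    return [f for f in map(classify, lines) if f is not None]


if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        print(f"{f.location:22} {f.hive.split(chr(92))[0]:4} {f.value_name:12} -> {f.image}  [{f.writer}]"
              + (f"  NOTE: {'; '.join(f.notes)}" if f.notes else ''))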
- Drops file in System32 directory (4 IoCs)
  Processes: vbc.exe, vbc.exe
  - File created: C:\Windows\SysWOW64\WinDir\server.exe (vbc.exe)
  - File opened for modification: C:\Windows\SysWOW64\WinDir\server.exe (vbc.exe)
  - File opened for modification: C:\Windows\SysWOW64\WinDir\server.exe (vbc.exe)
  - File opened for modification: C:\Windows\SysWOW64\WinDir\ (vbc.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
  - PID 4652 set thread context of 640 (7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe -> vbc.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe, explorer.exe, vbc.exe, server.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (server.exe)
- Modifies registry class (1 IoCs)
  Processes: vbc.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe
  - PID 4652 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe (5 entries)
  - PID 640 vbc.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, explorer.exe, vbc.exe
  - Token: SeDebugPrivilege, PID 4652 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe
  - Token: SeBackupPrivilege, PID 4720 explorer.exe
  - Token: SeRestorePrivilege, PID 4720 explorer.exe
  - Token: SeBackupPrivilege, PID 1576 vbc.exe
  - Token: SeRestorePrivilege, PID 1576 vbc.exe
  - Token: SeDebugPrivilege, PID 1576 vbc.exe (2 entries)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: vbc.exe
  - PID 640 vbc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe, vbc.exe
  - PID 4652 wrote to memory of 640 (7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe -> vbc.exe): 13 entries
  - PID 640 wrote to memory of 3424 (vbc.exe -> Explorer.EXE): 51 entries
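Read together, the SetThreadContext and WriteProcessMemory signatures describe two different things: the sample writes into the vbc.exe child it just created and then changes that child's thread context, which is the process-hollowing sequence, while vbc.exe then writes repeatedly into Explorer.EXE, a process it did not create, which matches the injected_process setting in the extracted config. The script below is an added example written for this report, not sandbox tooling; it pairs the two event types per (writer, target) and uses the process tree to tell a hollowed child from a remote injection target. The event list is constructed to reproduce this report's counts (1 SetThreadContext, 13 writes into vbc.exe, 51 writes into Explorer.EXE) plus one made-up benign parent/child pair for contrast; the parent map is taken from the process tree; verdict strings and the heuristic are my own.

```python
"""Pair WriteProcessMemory and SetThreadContext events per (writer, target).

Added example for this report, not sandbox tooling. The event list is
constructed to reproduce the report's counts; the 1000/1001 pair is a
made-up benign parent/child write for contrast.
"""
import re
from collections import defaultdict

SAMPLE = '7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe'
SAMPLE_EVENTS = (
    [f'PID 4652 set thread context of 640 4652 {SAMPLE} vbc.exe']
    + [f'PID 4652 wrote to memory of 640 4652 {SAMPLE} vbc.exe'] * 13
    + ['PID 640 wrote to memory of 3424 640 vbc.exe Explorer.EXE'] * 51
    + ['PID 1000 wrote to memory of 1001 1000 cmd.exe conhost.exe'] * 2   # constructed
)
# child pid -> parent pid, from the report's process tree (plus the constructed pair)
PARENTS = {4652: 3424, 640: 4652, 4720: 640, 1576: 640, 4380: 1576, 1001: 1000}

EVENT_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<what>wrote to memory of|set thread context of) '
    r'(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$')


def analyze(lines, parents):
    """Aggregate events per (src, dst) pid pair and attach a verdict."""
    pairs = defaultdict(lambda: {'writes': 0, 'set_ctx': False})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        p = pairs[(int(m['src']), int(m['dst']))]
        p['src_img'], p['dst_img'] = m['src_img'], m['dst_img']
        if m['what'].startswith('wrote'):
            p['writes'] += 1
        else:
            p['set_ctx'] = True

    findings = []
    for (src, dst), p in sorted(pairs.items()):
        is_child = parents.get(dst) == src
        if p['set_ctx'] and p['writes'] and is_child:
            # Writing into a freshly created child and then re-pointing its thread
            # is the hollowing sequence; here the child is the signed vbc.exe.
            verdict = 'process hollowing candidate'
        elif p['writes'] and not is_child:
            # Writes into a process the writer did not create: remote injection.
            verdict = 'cross-process injection candidate'
        elif p['set_ctx']:
            verdict = 'thread context changed without memory writes'
        else:
            verdict = 'parent wrote into child (normal at process start; review)'
        findings.append({'src': src, 'dst': dst, 'src_img': p['src_img'], 'dst_img': p['dst_img'],
                         'writes': p['writes'], 'set_ctx': p['set_ctx'],
                         'target_is_child': is_child, 'verdict': verdict})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS, PARENTS):
        print(f"{f['src']} {f['src_img']} -> {f['dst']} {f['dst_img']}: "
              f"{f['writes']} writes, set_ctx={f['set_ctx']}, child={f['target_is_child']} => {f['verdict']}")
```

On a real host the same pairing can be done over Sysmon Event ID 8 and 10 data, but note that a parent legitimately writes into a child a few times during process start, which is why the tree lookup and the SetThreadContext event, not the write count alone, carry the verdict.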
Processes
- C:\Windows\Explorer.EXE (PID 3424)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe (PID 4652)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7240322cbe365e6b61cfcc3537a5f32c_JaffaCakes118.exe"
    Signatures:
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 640)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Signatures:
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 4720)
        Command line: explorer.exe
        Signatures:
        - Boot or Logon Autostart Execution: Active Setup
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1576)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        Signatures:
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WinDir\server.exe (PID 4380)
          Command line: "C:\Windows\system32\WinDir\server.exe"
          Signatures:
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: 307041b0e0904eff4fe15081310bbb5c
  SHA1: d545c782e7f5d6293dad78ebc14518400a27b13e
  SHA256: 8da63fd6fd9b9b0a90e7c5fba7818d893437c38eea1805b0c432ae672e3604de
  SHA512: 755ab2fceeb6b55e238f94f14715e08839244c800465cb0beb98b8f35499aa3ffcd5d586205c6827b6ab2ac510ed9bbcdc351e7f9bd16bf640f019cb5e63c619
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4275ac515687a0dd28421dd16d6e9197
  SHA1: 63be0a30c8d5d3f1ddf20297fd1925b81792a9be
  SHA256: b754d4098184cebb73412ebb0cf79df00b13fa1171ed70f007ae165fdee4b6fd
  SHA512: 32f78e6d32ae64d7cd0c2aa1bbf925fe8f05fe063ab680aa4cd4e141b41c6eec8b5f4599413db5351373190ac54d83bc5074756c1c76bf3f3fc637a3a3ef20bf
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 7243fcb69ed3b6667e5206080163f233
  SHA1: a66383ffe989063d699ab4e718334d1cccbe2434
  SHA256: 343d9ef295aa5255feecad772de786d5b2c44d45a79510d8c3a67dbdfc9b9ef3
  SHA512: bf8cb50912318e73397bcc5f46291b43e4e78e9434bf5479908cbb0a659bc4d1c1220720c83d6d071333c63a6a763b6be995f07893cc66f37e5ae85880008f54
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: c23aec940144876cf4a76ec470fff090
  SHA1: 85530d187e3df653b59ae576fb0ff134eabe47b0
  SHA256: 15fc4edccb7d9f0eaab4b5c0e22b655f897a61b38b6e2c97f9143d27ac33de71
  SHA512: 03ceacc41fbb9160c71cfa8c196a7467294e31ad0aa9e199dbcf093f9f28408a55402555ca28754bfefe91efafca2962780ca263d86984ae58d13adb751788b8
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 8b5e9bd78c9aa438afd00812a2cc0093
  SHA1: 4fed7046ee6a90bf323c659bd54831e043c56c6d
  SHA256: 55273c50114281123350452a4738324893e7cb89cdaf9df75089928f018935ba
  SHA512: 130038a286f70d88fe406167fbf78e287dac7b46fb6eb3d6733d72cc2719f83d9895c6ed0f59349ed342d4656814b6a5fbaa69b92b6107bebe8921306965251d
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: bd5a2ea815b7206f3188bf87fc1b0dd5
  SHA1: d988958b9d8f36e4b618e189526e5cbc78f8e52d
  SHA256: 18b13a912012aca6fd7f15052dfa141417645fac7b019a1be3259071ade7205d
  SHA512: c18b103e101ad948fc280fbfe626d8cba852807292c80f98b0f7ccc3dbcf16a471b3286a4aa06919e4b1f8773dc5fb29cf0cc741234eb487bc9b49ae0b4d8e75
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 72717f2a5b0e61157b6094ebcdc96c7e
  SHA1: 038e8751f02928f3cfeec0dc5bc21e6a21e75813
  SHA256: b1a7fe550a272c8e5dc9f20ec4191bc0d4faa41b0af0426fb7e4836a9145c557
  SHA512: 593abd6a7a4079b0565fc0d45c507cb8716e9f519220b528eff591590f2294a9ba8cf6aee44f874c63e5ea4b9e4dd3f136ea40d6c315b99b36f7ffb8b7024c66
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 3a4fb200391a6aaddc898d5f4e5abe50
  SHA1: 2b01d76d669b7195bc695fc12a3e04019ced683e
  SHA256: 1775173a5ac0a90a38dbd25ea3ec429c2647c7c8644f00a1cde504dbdefc5964
  SHA512: c3d418bf409d4dde31ee6e9cdf66397a3229df4482905705811165b909d3ec6ccea8ed5133f53f66e0eb1301811402da30f98d6ba47eec15dac27af32a837200
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 75a50b88f455d0e8746ae4e8e82e0462
  SHA1: c749524ccd7cdddc78acbb980113d396e160ba89
  SHA256: 0ef04915a9814453b634918787bdfe7115686bfdca2754a009d7523f695789ac
  SHA512: 05c3ee509067b7d28cc697bd81010ac037d69a9cb6c10ffac15495c0fce3c6760fa4b7afdcd485d4889dd71aab80a69b3d724d7da9e7b9156b0c71ada8dfcf68
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 9c638c0360c0561c565ee8978f755b40
  SHA1: 8ff3c7df592d83ba7b47586b2493ab68fdd85e91
  SHA256: faf0c2724ecd9fce9f01dacd809b53ace4223671b9bd767526a672b9d52fe42a
  SHA512: 2046420f67ffe33677e7ee61b0d5ad8fd640ebbf066de9fe1b1101ace2be3397e448e4ae9dcf274cd1c3f6305bddd67f002f9426def755e020d38e96085dc653
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 65b6191e6b454123731cf94b7737c897
  SHA1: 0a2dd56d2a0613e3678a33f22b7df925468a8d99
  SHA256: eeeda6419879616e3b83b224b708330f5e3d0c2436bd874d0d2c39c714190bf3
  SHA512: df1fda319063fdefe035b773565286ee8df47f20b1cb32fff383f1fc52b2014717cfa7c91dd8e0e3a29ffac10c71178c676e14d1169e27042dbc797421800802
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 055f7f52dfc2543dcdd78e670daaf283
  SHA1: 4182aaaade0d473652396f28d1094b5091137888
  SHA256: 766e9e8401d31a02c6bbfe8a18f98da37754f9150a697d2d6127b71b0ee1a984
  SHA512: 53a702d94474a6745008e3de9353cc5cbea1b3eab6650fb3a0623210a15392616fa1e411ab4cc3380986dca8fb1a5b976d265dfb8620027d75f2dc31eab51c9d
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 7e639008e122ae73a78ef39da877c022
  SHA1: f62fd5324f032695e70e15165e79a355452f52d4
  SHA256: 30cd3ddf54fd0a49b24ff4855118c874a31d8213b7b7c586d7171183e63ba464
  SHA512: 1a2c0a010c116ad225fcf00a5ebb608191aa2279fe86bb4a5870b468cf7f2a7bc477c5275d5f62ba9bfc54a8a94a9ec3963228e73e6992fd9732e90ad7d9d05e
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: f338825558484d685ae83d3a0ef904f4
  SHA1: 669413695f3ce5b609a1ef0a43bb3b5562cfeeb3
  SHA256: d2c5458253ab1ef361230aff45cea393273c65bd286a4d214f93fdc587592344
  SHA512: 1abfaf535a740056aa4d920cd6b0c0c35ef880b98867a5e476af174c3007c143d3d07fbf5054a2e381b19623e9dee1cae15216ef14d66efb0b2e8e56af5dba42
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: acd950e7f44888f2a29df9fa9b4d3e0c
  SHA1: 81b77004139a5d91d460f08f7110773ab68cca5d
  SHA256: 86678f11826bf1c04e3d71e120afe6c75d892453e203916b74e711b21c0ef7a7
  SHA512: 8ce0d859d1fe3272e66eea0fd8b253deeadd426f12745e1d3d6399888ee715d0cd151e522a6136109266e451081d33e1b105107d02cc74c887c105cf12e920aa
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5a38a8d64836493a392608372730424d
  SHA1: 06dd0c35eb3676e0dba5eccd6b9d9266e9b401fe
  SHA256: f7d13963217c56838d12f9c3172dcaedfae2b235e630c84971565e590d55f9d0
  SHA512: 067cd3e1262c4b089e4ccb587a8ad8376652c5b4ba70979a8fa3e725dc62a690480f1382aa1e33ede1ff33e120abdc3de8478214de955e4da01ce525ce44509c
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: bf45cca0483a91dd70fd8ee6ac1100df
  SHA1: 788d8dec57a5724fc6ceb4d311e583952a9ed82f
  SHA256: e8c20c602d8b1bb36f037da905da0649c3884e11aefcefecb614dbb39b01f5e2
  SHA512: 0098c383b3b0783d4d838f82c3f527a6c0c795349726c2c92b50ea1547d0169693b9180f5c28fdd0cfd2231f546f87c7c4ad958ad76861a8b7b90973f7a6e9ae
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: d5ef0978c2b69c8f422393793ec9b067
  SHA1: 25729381bc57c144f2df1c08cd867a5fd0dea9b9
  SHA256: 741c4b5ed1314f86518797661f6e836ff768205c802e74ca8f46d6aec3654c56
  SHA512: 7ce5c30e0abac6e7b2314eb633d118b5e141a35672ee7759dc2e35a191a8435e9d23951042ea88f7f89b7a27521d7fe0c7061f5371f6a95f05ddb8c841106095
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 405b7a2caf3cdabf5f799058c1508d1b
  SHA1: 74458732954fcb0f46b35d84367dde38b6342fea
  SHA256: 45bfb21cded3b8e8f44b398991ca292cce9613bbaefe9ec8657f1377ccd62ca2
  SHA512: 35a8db85f013ea90fd3aa265583b49524bd1db703439bd6caa9951e4b6b40e64733f7778cb64a9dc72efee8237ddd62a3e7743b847e0d2de98230c03ef6ba3f8
- C:\Windows\SysWOW64\WinDir\server.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- memory/640-9-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
- memory/640-5-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
- memory/640-14-0x0000000010410000-0x0000000010475000-memory.dmp: 404KB
- memory/640-6-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
- memory/640-17-0x0000000010480000-0x00000000104E5000-memory.dmp: 404KB
- memory/640-149-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
- memory/640-8-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
- memory/1576-1460-0x0000000010560000-0x00000000105C5000-memory.dmp: 404KB
- memory/1576-151-0x0000000010560000-0x00000000105C5000-memory.dmp: 404KB
- memory/4652-0-0x0000000074D12000-0x0000000074D13000-memory.dmp: 4KB
- memory/4652-10-0x0000000074D10000-0x00000000752C1000-memory.dmp: 5.7MB
- memory/4652-2-0x0000000074D10000-0x00000000752C1000-memory.dmp: 5.7MB
- memory/4652-1-0x0000000074D10000-0x00000000752C1000-memory.dmp: 5.7MB
- memory/4720-772-0x0000000010480000-0x00000000104E5000-memory.dmp: 404KB
- memory/4720-18-0x0000000000590000-0x0000000000591000-memory.dmp: 4KB
- memory/4720-79-0x0000000010480000-0x00000000104E5000-memory.dmp: 404KB
- memory/4720-19-0x0000000000C90000-0x0000000000C91000-memory.dmp: 4KB