Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2024 03:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: 726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: 726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe
- Size: 816KB
- MD5: 726044aff9998f412c0545a66edeed7e
- SHA1: bec7344cbecc0b48fb638abfee3812263c6b9b34
- SHA256: 84b792f95d0b24ec3b0b9274f9d5eac0f14b3af95ee67ab5a00339acc324940e
- SHA512: 6ca0843f29ff8b7732b58fccc8b06513377ec6a2afe17557ee69727aa6546da1421c8e64673dae4c87646adb170e825802e02f75c7bc23765b67dd201ed45dcc
- SSDEEP: 12288:yOghu29FDBQZeTLrc1E6JZuW/JkCVgxj1Vstf0KO/ctdRvpcHsUtEo+gPIxVfRt5:ezyltTvirSxVR5
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Botnet: Cyber
- C2: vawireless.No-ip.biz:100
- Mutex: 360G35X0T54I8R
- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs/
- ftp_interval: 60
- ftp_password: pascal
- ftp_port: 21
- ftp_server: parnjaca.110mb.com
- ftp_username: parnjaca
- injected_process: explorer.exe
- install_dir: WinDir
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: true
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
-
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (explorer.exe)
-
Executes dropped EXE (1 IoCs)
Processes: Svchost.exe
- PID 4984: Svchost.exe
-
Processes:
(resource / yara_rule)
- behavioral2/memory/2080-11-0x0000000010410000-0x0000000010475000-memory.dmp: upx
- behavioral2/memory/2080-72-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/4904-77-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/4912-148-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
- behavioral2/memory/4904-753-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/4912-1432-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
-
Uses the VBS compiler for execution (1 TTPs)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" (vbc.exe)
-
Drops file in System32 directory (4 IoCs)
Processes: vbc.exe, vbc.exe
- File created: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDir\ (vbc.exe)
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: 726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe
- PID 3504 set thread context of 2080: 726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe (PID 3504) -> target process vbc.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: vbc.exe, explorer.exe, vbc.exe, Svchost.exe, 726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe)
-
Modifies registry class (1 IoCs)
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: vbc.exe
- PID 2080: vbc.exe
- PID 2080: vbc.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: vbc.exe
- PID 4912: vbc.exe
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, vbc.exe
- Token: SeBackupPrivilege, PID 4904 (explorer.exe)
- Token: SeRestorePrivilege, PID 4904 (explorer.exe)
- Token: SeBackupPrivilege, PID 4912 (vbc.exe)
- Token: SeRestorePrivilege, PID 4912 (vbc.exe)
- Token: SeDebugPrivilege, PID 4912 (vbc.exe)
- Token: SeDebugPrivilege, PID 4912 (vbc.exe)
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: vbc.exe
- PID 2080: vbc.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe, vbc.exe
The 64 rows of this table are repeats of only two distinct events:
- PID 3504 wrote to memory of 2080: 726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe (PID 3504) -> target process vbc.exe (repeated)
- PID 2080 wrote to memory of 3516: vbc.exe (PID 2080) -> target process Explorer.EXE (repeated)
-
Processes
(process tree; the number is the depth in the tree)
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
-
  2. C:\Users\Admin\AppData\Local\Temp\726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\726044aff9998f412c0545a66edeed7e_JaffaCakes118.exe"
     - Suspicious use of SetThreadContext
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
-
    3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
       Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
       - Adds policy Run key to start application
       - Boot or Logon Autostart Execution: Active Setup
       - Adds Run key to start application
       - Drops file in System32 directory
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of WriteProcessMemory
-
      4. C:\Windows\SysWOW64\explorer.exe
         Command line: explorer.exe
         - Boot or Logon Autostart Execution: Active Setup
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
-
      4. C:\Program Files\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
      4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
-
        5. C:\Windows\SysWOW64\WinDir\Svchost.exe
           Command line: "C:\Windows\system32\WinDir\Svchost.exe"
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
Downloads