Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 10:33
Static task: static1
Behavioral task: behavioral1
Sample: 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe
Size: 982KB
MD5: 73aedd41e459b29f23cc8d2fa37aa5ec
SHA1: 7fb95ab8cbb422f0b2fb21cbc0f8e4b604320db2
SHA256: c22c1fa3026533b54721a281740553b94949bfc3f57e5d79baa87cb7b2aa7428
SHA512: 375ca3fdd017252f5127cc5a2826031b7c3bb631f6c7a36c2004e9bd32f3d41c1f27c7494dda979b6a47febbddeb7a44188114549120f4d809d929db432f785f
SSDEEP: 12288:55amkfRvlsVA/shLUPZqKwvkE/SNr/lLoykuaQDqkrxQEIxTcF1ANsQyG1rtTjDO:F3oxgCrxQEUCW1rJjDIF
Malware Config
Extracted
family: cybergate
version: v1.07.5
Cyber
c2: kira5d.no-ip.biz:100
77I30S84RP0TSO
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Windir
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\svchost.exe" (vbc.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\svchost.exe" (vbc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: vbc.exe, explorer.exe (the dropped copy at C:\Users\Admin\AppData\Local\Temp\explorer.exe, per the process tree)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3} (vbc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3}\StubPath = "C:\\Windows\\system32\\Windir\\svchost.exe Restart" (vbc.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3}\StubPath = "C:\\Windows\\system32\\Windir\\svchost.exe" (explorer.exe)
The component name {S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3} has the shape of a GUID but is not one: a real GUID consists of hex digits only, and this name contains letters such as S, K, Y and L. Any Installed Components subkey whose name is not a valid hex GUID is worth a look on its own, independent of what its StubPath points to.
Executes dropped EXE (1 IoC)
Processes: svchost.exe
- PID 4076 svchost.exe
Loads dropped DLL (1 IoC)
Processes: explorer.exe
- PID 628 explorer.exe
YARA rule matches in memory (rule: upx, 6 IoCs)
- behavioral2/memory/3608-12-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/3608-17-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/628-81-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/4456-153-0x0000000010560000-0x00000000105C5000-memory.dmp
- behavioral2/memory/628-979-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/4456-1433-0x0000000010560000-0x00000000105C5000-memory.dmp
Uses the VBS compiler for execution (1 TTP)
The binary involved is C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, the Visual Basic .NET compiler rather than a VBScript interpreter. In the process tree it is started with no source file or arguments and is then the target of SetThreadContext and WriteProcessMemory from the sample, which is consistent with it being used as a hollowing host rather than as a compiler.
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe, vbc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\"" (73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\svchost.exe" (vbc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\svchost.exe" (vbc.exe)
The value names HKLM and HKCU are the regkey_hklm and regkey_hkcu fields of the extracted config, and the target path is install_dir (Windir) plus install_file (svchost.exe) under the system directory, so the config alone predicts these three IoCs.
Drops file in System32 directory (4 IoCs)
Processes: vbc.exe (both instances)
- File created: C:\Windows\SysWOW64\Windir\svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\Windir\svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\Windir\svchost.exe (vbc.exe)
- File opened for modification: C:\Windows\SysWOW64\Windir\ (vbc.exe)
The registry values above reference C:\Windows\system32\Windir\svchost.exe, but the file lands in C:\Windows\SysWOW64\Windir\ because the 32-bit writer (arch:x86, WOW6432Node keys) is subject to WOW64 file system redirection. When checking a host, look for the Windir subfolder under SysWOW64, not System32; a genuine svchost.exe lives directly in System32 or SysWOW64, never in a subfolder of either.
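As an added example that is not part of the sandbox report or of the CyberGate sample, the following Python turns the registry IoCs above into a detection that can run over Sysmon Event ID 13 (registry value set) records. It flags autorun writes to Run, RunOnce, Policies\Explorer\Run and Active Setup StubPath values; well-known Windows binary names (svchost.exe, explorer.exe) registered from outside their home directories; Installed Components subkeys whose name is not a real hex GUID; and autoruns written by .NET build tools such as vbc.exe. The event records are constructed inline from the IoCs on this page plus one benign control entry; the field names follow Sysmon's, and the rule names, the EXPECTED_DIRS table and the DEV_TOOL_WRITERS list are this example's own assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 13-style records (Image, TargetObject, Details)
# derived from the registry IoCs in the report above, plus one benign control
# event (an installer registering a normally placed updater). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe",
     "TargetObject": r"HKU\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\explorer.exe"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM",
     "Details": r"C:\Windows\system32\Windir\svchost.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": r"C:\Windows\system32\Windir\svchost.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3}\StubPath",
     "Details": r"C:\Windows\system32\Windir\svchost.exe Restart"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # benign control, constructed
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
]

# Autostart locations seen in the report: Run / RunOnce, the Explorer policy
# Run key, and Active Setup StubPath values (WOW6432Node and HKU\<SID> included).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|Policies\\Explorer\\Run)\\[^\\]+$"
    r"|\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$",
    re.IGNORECASE,
)
# A genuine Active Setup component name is a hex GUID; the one in the report is not.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.IGNORECASE)
# Parent directories in which these Windows binaries legitimately live (assumption).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}
# .NET build/registration tools that have no reason to register an autorun (assumption).
DEV_TOOL_WRITERS = {"vbc.exe", "csc.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}


def extract_image_path(details):
    """Return the executable path from a registry value, dropping surrounding
    quotes and trailing arguments (e.g. the 'Restart' after the StubPath)."""
    m = re.match(r'^\s*"?(.+?\.exe)"?(?:\s|$)', details, re.IGNORECASE)
    return m.group(1) if m else details.strip().strip('"')


def masquerade_reason(path):
    """Flag a well-known Windows binary name registered from an unexpected directory."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None or str(p.parent).lower() in expected:
        return None
    return f"{p.name} outside {sorted(expected)}: {path}"


def analyse(events):
    """Return (rule, writer, key, detail) findings for autorun-related registry writes."""
    findings = []
    for ev in events:
        key = ev["TargetObject"]
        if not AUTORUN_KEY_RE.search(key):
            continue  # not an autostart location this check tracks
        writer = PureWindowsPath(ev["Image"]).name.lower()
        target = extract_image_path(ev["Details"])
        if key.lower().endswith("\\stubpath"):
            findings.append(("active_setup_stubpath", writer, key, target))
            component = key.split("\\")[-2]
            if not GUID_RE.match(component):
                findings.append(("active_setup_non_guid_component", writer, key, component))
        else:
            findings.append(("autorun_value_set", writer, key, target))
        reason = masquerade_reason(target)
        if reason:
            findings.append(("masquerading_system_binary", writer, key, reason))
        if writer in DEV_TOOL_WRITERS:
            findings.append(("autorun_written_by_dev_tool", writer, key, target))
    return findings


def summarise(findings):
    """Count findings per rule name."""
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    results = analyse(SAMPLE_EVENTS)
    for rule, writer, key, detail in results:
        print(f"{rule:32} {writer:12} {key}\n{'':46}{detail}")
    print(dict(summarise(results)))
```

Only the benign control produces a single informational autorun_value_set finding; every event taken from the report trips at least one of the higher-signal rules, and the vbc.exe entries trip three. Feeding real Sysmon output only requires mapping its Image, TargetObject and Details fields onto the same dictionary keys.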
Suspicious use of SetThreadContext (1 IoC)
Processes: 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe
- PID 4888 (73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe) set thread context of PID 3608 (vbc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: vbc.exe, explorer.exe, vbc.exe, svchost.exe, 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe)
Modifies registry class (1 IoC)
Processes: vbc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: vbc.exe
- PID 3608 vbc.exe
- PID 3608 vbc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vbc.exe
- PID 4456 vbc.exe
Repeated GetForegroundWindow polling is how a user-mode keylogger attributes keystrokes to the active window; the extracted config has enable_keylogger set to true.
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, vbc.exe
- Token: SeBackupPrivilege, PID 628 explorer.exe
- Token: SeRestorePrivilege, PID 628 explorer.exe
- Token: SeBackupPrivilege, PID 4456 vbc.exe
- Token: SeRestorePrivilege, PID 4456 vbc.exe
- Token: SeDebugPrivilege, PID 4456 vbc.exe
- Token: SeDebugPrivilege, PID 4456 vbc.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: vbc.exe
- PID 3608 vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe, vbc.exe
- PID 4888 (73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe) wrote to memory of PID 3608 (vbc.exe): logged 13 times
- PID 3608 (vbc.exe) wrote to memory of PID 3416 (Explorer.EXE): logged 51 times
PID 3416 is the desktop C:\Windows\Explorer.EXE at the top of the process tree, not the dropped C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 628); these writes match the injected_process field (explorer.exe) of the extracted config. The writes from 4888 into the freshly started, argument-less vbc.exe, combined with the SetThreadContext call on the same process, are the process-hollowing pattern.
Processes
[1] C:\Windows\Explorer.EXE (PID 3416)
    command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe (PID 4888)
      command line: "C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3608)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 628)
          command line: explorer.exe
          - Boot or Logon Autostart Execution: Active Setup
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Program Files\Internet Explorer\iexplore.exe
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4456)
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\Windir\svchost.exe (PID 4076)
            command line: "C:\Windows\system32\Windir\svchost.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
The bracketed number is the depth in the tree; PIDs are taken from the signature rows above. Both vbc.exe instances are launched with no source file, and the second one is the process that actually writes the installed copy and starts it.
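The injection chain that the SetThreadContext and WriteProcessMemory rows and the tree above describe, as an added example that is not part of the report: Python that rebuilds the parent/child table from constructed process-creation events, reports the parent-to-child WriteProcessMemory plus SetThreadContext pair on a .NET build tool started with no arguments as process hollowing, and reports writes into a process the writer did not create (vbc.exe into the desktop Explorer.EXE) as a separate cross-process injection finding. The PIDs and images come from the page; the event shape, the HOLLOW_HOSTS list and the exact repeat counts are this example's own assumptions.

```python
from collections import defaultdict

# Constructed process and memory-access events in a minimal common shape,
# built from the PIDs, images and SetThreadContext / WriteProcessMemory rows
# in the report above (the 13 and 51 repeats are kept). Not real telemetry.
EVENTS = [
    {"op": "create", "pid": 3416, "ppid": None, "args": "",
     "image": r"C:\Windows\Explorer.EXE"},
    {"op": "create", "pid": 4888, "ppid": 3416, "args": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe"},
    {"op": "create", "pid": 3608, "ppid": 4888, "args": "",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"},
    *[{"op": "WriteProcessMemory", "pid": 4888, "target": 3608} for _ in range(13)],
    {"op": "SetThreadContext", "pid": 4888, "target": 3608},
    {"op": "create", "pid": 628, "ppid": 3608, "args": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\explorer.exe"},
    {"op": "create", "pid": 4456, "ppid": 3608, "args": "",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"},
    {"op": "create", "pid": 4076, "ppid": 4456, "args": "",
     "image": r"C:\Windows\SysWOW64\Windir\svchost.exe"},
    *[{"op": "WriteProcessMemory", "pid": 3608, "target": 3416} for _ in range(51)],
]

# Signed Microsoft binaries commonly started suspended and hollowed by RATs
# (assumed list); a .NET compiler launched with no source file is the tell here.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe", "applaunch.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events):
    """pid -> creation record, so later events can be resolved to an image and parent."""
    return {e["pid"]: e for e in events if e["op"] == "create"}


def detect_hollowing(events):
    """Parent writes into a child it created *and* resets the child's thread
    context: the CreateProcess(suspended) / WriteProcessMemory / SetThreadContext
    hollowing sequence. Repeated writes collapse into one finding per pair."""
    procs = process_table(events)
    ops = defaultdict(set)
    for e in events:
        if e["op"] in ("WriteProcessMemory", "SetThreadContext"):
            ops[(e["pid"], e["target"])].add(e["op"])
    findings = []
    for (writer, target), seen in sorted(ops.items()):
        child = procs.get(target)
        if child is None or child["ppid"] != writer:
            continue  # not a parent-to-child pair; handled by the cross-process check
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            note = "parent wrote into child and reset its thread context"
            if basename(child["image"]) in HOLLOW_HOSTS and not child["args"]:
                note += "; child is a .NET build tool started with no arguments"
            findings.append(("process_hollowing", writer, target, basename(child["image"]), note))
    return findings


def detect_cross_process_writes(events):
    """WriteProcessMemory into a process the writer did not create (here the
    desktop Explorer.EXE, matching the config's injected_process field)."""
    procs = process_table(events)
    reported, findings = set(), []
    for e in events:
        if e["op"] != "WriteProcessMemory":
            continue
        victim = procs.get(e["target"])
        pair = (e["pid"], e["target"])
        if victim is None or victim["ppid"] == e["pid"] or pair in reported:
            continue
        reported.add(pair)
        findings.append(("cross_process_write", e["pid"], e["target"], basename(victim["image"]),
                         f"{basename(procs[e['pid']]['image'])} wrote into a process it did not create"))
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS) + detect_cross_process_writes(EVENTS):
        print(finding)
```

Two findings come out of the constructed data: one hollowing verdict for 4888 into 3608 (vbc.exe) and one cross-process write for 3608 into 3416 (Explorer.EXE). The second vbc.exe (4456) and the dropped explorer.exe (628) are created by 3608 but never written to, so they are correctly left alone; dropping the SetThreadContext event removes the hollowing verdict, which is the point of requiring both operations.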
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize: 224KB
MD5: 0796ecd84a279dd9736e29b468b06640
SHA1: bdedfa9d8de20669beb6d77d45350a0b9ade33e0
SHA256: 1462060ec0e74ddc2f951921b1e7c22cba22cf5ea4721da856ea4dda40ef9e2d
SHA512: 0c0ce807a982f3b3dbf921f1c55f7bcbe141d873b4fa967addf10e89bcde85741e6d40c74210690de242eeb71eecbc06848b5edb9a1b0fe7f2d87535a456dabb

C:\Users\Admin\AppData\Local\Temp\Admin7 (18 versions of this 8-byte file were captured; each rewrite has a different hash)
Filesize: 8B
MD5: 38463a623cfb4f0e57690fb3c7220912
SHA1: ba981fdc7f5a11f581fb90613cb796c05a011a00
SHA256: 5f5cc8b1ae74a1d25503e5a49042511b744a4b0b16017fd773cdb4a1fa3c1763
SHA512: 6804e148607d970bf8bf33b41bc184c9be308de063076548c5d2b2ac14ece74a4d2a65551effacf3de4e32916eaeab288507af41b8122ee61c9dc5d5c955ed09

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: bde3a94aea69e5611e163ad15f0cad02
SHA1: 3413daa99b2b3e09ed532db6ebdea0bca1f1bceb
SHA256: fab4e62c2978bb4d2f924d3e1147903d91f0b987a69c5995735aac3f3d39cffd
SHA512: 17a08d0bbb6daa8f05ec60c111e4488f4cb1260d281267744c98a7567e04705f7c6a23f6e4a3d0fc9a6e809694f7fcb3ebeb21d71fc26cdf1769c78015145454

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 65e95752951503add2ab198da010e80f
SHA1: 6fa9171602959dca1ccd8c8c20ca87a8ad7e6063
SHA256: 923a71350676aecf74ac669ee0824d62d29925022b10724c19e80d67b8678ebc
SHA512: 874fb98e0d8c6460b52c799290d3d32f7ab11b7f5dac15fe084bcad3f46d865fae1bf3457b19af87f7248e1c71baabcde8048b15a506a8a0dd3a032abaef7c83

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: e76e235488b7bcafa677e22b380694bb
SHA1: 233efb35b356047a33f0aba83abbf12a4ff80222
SHA256: 948f9d9a01778c82c6f8487f5cea1b7897f228f0f3c84a5ce862f9c46fee2a7d
SHA512: 3ce982c270d6abd22bef91e49efaea7b79e6d73d2a83ae8b24ec3c2979efa93ea54223327bd2d3182a4add211ba13463cbe3325b3d0365ba33c901bbdf8fb783

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: f20f5f68dca6acc2f9ec7cc8631b72db
SHA1: 71e8489c58406eddc3e297f631d5cb31ff2b8868
SHA256: 7ef5651b372b856d3d6dc9c5778885f8f823014ddfb2250948f3404ea1c13ac2
SHA512: e4248e76b4e4641eb88779f76e848947b1c73a5d2ca38f0847016fc7585f2b47988bbf1596bd6b336665303ed191135a2d888ad1fc3b202eebe0b73ba6b0b5ea

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 5c37b54c289f41ecdce61545f339514e
SHA1: 1b6badf18ba557cb8782e6dd8a5c4a892af79e55
SHA256: f465c870971cd67e7509635cdc11311896afdf54836ee760a30511932cc87f44
SHA512: f5661cf34fd6b0f18d7f4a0785038919c0665f8c6c8ec582b50c20c5a09d9148befbdf3af5977468853a7c196c7696dded6819752db1c04109f99027863be9d7

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 36df706d0576b429b1a99ff0b86fa3c2
SHA1: 2518429e4c54e85a9677982cf6a0c98391c06e56
SHA256: fc9c0fe705c764ce3df67ef18834c8884d2623efae6c558d8a98d2abd6770549
SHA512: d22f3f94cf7d0512db94f4c400ee828b603f77f474fb1b941a166719889abb4153111e5b73e491cb13acf06b04bfeaa54994efcc11ffa5d61a2bd32d6cbf05b5

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 3b4c5e93fecfde76f5549f77a058785d
SHA1: fe4f3b130dfcbb14b3cabdce97625866c9df0ec3
SHA256: a09e280c6ed5be31f747a8717b5e80bc88041fdf27564b96232bbf52bab851a0
SHA512: a226338dabe94f564cf55a7a5a6e166ba4cd5fa6045cebcabe1d8f4d80b5e2889a4e05698ad182b00a91fc57c57dfd7381d3795a9d524f74e37c82d9c35c26a8

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 94a06f2c637325779220a85adf824a6d
SHA1: 1351f65f322da0cc9cbf2307bfa150ee7c30a350
SHA256: c82550ffbab7f470738d793e198618a5fc0ecf546c3059d7c5d2dd4eb1adf7a6
SHA512: 05ace48fabe5ded80fb6417c7150bcf282195b9d88bd9e1832aaa2d3c69821f68156e37e2d5dfdcdd77f74d4c9586c6fc855b93e56e8a8c1b9bd6c5a6c560b9c

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: e0895176df31d3708e3856d84137b8f8
SHA1: b6a0f8265a11a2e21fd12b5430ffdf12a31192f5
SHA256: 5d4a98dc98afb4f7f8ca506bea75c018ef71462f44c14c6d9db9bd798d1fb102
SHA512: f46deba763980de0d048062d1f5ae70aa70d1b54f014b00f3357b3aceca05e56492a0839d80404afe2ae9a1bad9fcc1e5c33b7cfe7eb0e6246dbf85ef38607dc

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 84f0d8fe7a1f0705695365c5092fb278
SHA1: 753c8f9617c116a499271abdf0ed94114fc46f0f
SHA256: 4f7f7b4e73bb63d1cd4f414f74a9936b7dc9ca7373db11b8c1c835022656db0c
SHA512: fdad2f23bbdecd522be507a34e52e51e6c79a8a0751259c40f57535b7d96cdadb6dbd908f37ae0193a8ebec9a60d7254520603820e2e05f140f369c266973996

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 6780323fa1e94911d6dabbe560f98fd6
SHA1: 5f99a28b3368d57d1594c61d4e384874b56f9e46
SHA256: 8ce56b5c034c94d2fdb831d862708606a4ac0ed94d8b8ccdb5fd5118bfaf4154
SHA512: 5a26ab57307aad4aea497af7b92a3b8e117d8fe9f1cee4e8247241d8c5044de97f1f78950887f2cbe570258e51bb1c4b97a5d329833ee229d8a177a667cf602c

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: f91614edff4ba3436d80be8ff70bc021
SHA1: 6e477db4c7db54cf2b14f6651dec8e3d285da1c1
SHA256: 61f73d2683e05da23c52395dec85c96635df423f6dc1520fb225fae1a2979bcd
SHA512: 0a7c3b6cdca6c9285f88f5f1ed237e776fc67cafe53879d2e20319c0f05eaef025fbd7055366e336f43bb1a5e3bea00128bf86cc508df898a7e3416d04659907

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 661e0c00cf06c8e69c73b97b1b311dbf
SHA1: 9f7520fc80323645b2687f3940727ff9f0fa0640
SHA256: c99e6710a4c9fe12211765c2a0b612e02a924c09dd8cd9d80221ffcda343a3d5
SHA512: 4ce593ad33f2a10f7e2cbce7e0477b0ffa80e4cc023058dfd067a8735474c793f9563b9e81fe1b354911a86c5a74ed9fb93f53b34b5fa844c87f6ce58310c92b

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 97cbc3f6d2f0787875f12e6310477571
SHA1: d1ad0b2483b4d7896e545ab2fbbdc66ecefd29a0
SHA256: c77fe6003c277da521af7db13dc3fb519a4dce7c9727c6dd51c0d61d90b8a44d
SHA512: 8cafc05254f1fc65361038e6667b2919eeeae960791b4a848b8f052d15230b1cbde0a00f68259b732451c0860f1265fe372e632baff7856dc84417f9b7d699a8

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: d404473349b33b0deed01c49f9757866
SHA1: 04c545800a534e3fa6932ea88e444298351f9f72
SHA256: 9e3e2f13d355ef4f998e4d060165525017349610b5f604ead655ab7bb2f0a803
SHA512: b3a6dd9d2087ca3bc5c0958598c92500d1ff94784ed6af2b8ab6e194092cb415a6c93f0a5d786ae6d6dcc3fa21b77d1f2491974a4f54e74239da4abd651fa249

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: c58d222fe011dcf0c8c23ee3361dc327
SHA1: 10a2c379d04012256d0d13732cad190eb1b4441c
SHA256: 6f6b3f48a935c405371e763abc84568b43101f64b0b36c04804818d25b454b9b
SHA512: 6753ab086d19e5648471995572a0c9cf2ae7333c85bc574ceaa96861e3e9bcbf4ae01cb97fd0000e158353570fd1df1db6e2f2c68825b0f840101ffadc949a74

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: 2d505e97058587ef2db0cb2caa1c4983
SHA1: 62af549e9276702caa13a9d2961e85a6d14deaaf
SHA256: 5fdc33d5803d03a75be5e03ec2d06c8e40aa7d169e5a8513f5aed868ae8aee3e
SHA512: 3e1b45149d75b76480af20cae76e88f18732405772f9e1720180bb0e77972c178b262096c510860dc8e80ef6b51a02aefb4557e611ee00143132982c15c5a426

C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize: 8B
MD5: ccb3ab5aaa3634e5976ab3d440e04519
SHA1: 55eee6d065fd12f0f9d4e08041892b701541b0cb
SHA256: d88f4c14ba8fc6b751d733c18f80ede82b9516e1318a53d1e1d00b24d9f7d4a1
SHA512: f4111717e9db8a05caf42da744b04fc859f01950760d8d1610720df9f7c7c52e8871a64589b2f6433783bbc32bcc6aaa7ea68a9c363e2f061fa80b8986fb9ef3

C:\Users\Admin\AppData\Local\Temp\explorer.exe (byte-identical to the submitted sample: same size and hashes as in General above)
Filesize: 982KB
MD5: 73aedd41e459b29f23cc8d2fa37aa5ec
SHA1: 7fb95ab8cbb422f0b2fb21cbc0f8e4b604320db2
SHA256: c22c1fa3026533b54721a281740553b94949bfc3f57e5d79baa87cb7b2aa7428
SHA512: 375ca3fdd017252f5127cc5a2826031b7c3bb631f6c7a36c2004e9bd32f3d41c1f27c7494dda979b6a47febbddeb7a44188114549120f4d809d929db432f785f

C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize: 15B
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA1: 466530987a347b68ef28faad238d7b50db8656a5
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Windows\SysWOW64\Windir\svchost.exe (the installed copy; larger than the sample and with different hashes, so a search for the submitted sample's hashes will not find it on disk)
Filesize: 1.1MB
MD5: d881de17aa8f2e2c08cbb7b265f928f9
SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Memory dumps
- memory/628-979-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
- memory/628-81-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
- memory/628-18-0x0000000000780000-0x0000000000781000-memory.dmp (4KB)
- memory/628-19-0x0000000000900000-0x0000000000901000-memory.dmp (4KB)
- memory/3608-5-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
- memory/3608-151-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
- memory/3608-8-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
- memory/3608-12-0x0000000010410000-0x0000000010475000-memory.dmp (404KB)
- memory/3608-17-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
- memory/3608-6-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
- memory/3608-4-0x0000000000400000-0x0000000000451000-memory.dmp (324KB)
- memory/4456-1433-0x0000000010560000-0x00000000105C5000-memory.dmp (404KB)
- memory/4456-153-0x0000000010560000-0x00000000105C5000-memory.dmp (404KB)
- memory/4888-0-0x00000000748D2000-0x00000000748D3000-memory.dmp (4KB)
- memory/4888-9-0x00000000748D0000-0x0000000074E81000-memory.dmp (5.7MB)
- memory/4888-2-0x00000000748D0000-0x0000000074E81000-memory.dmp (5.7MB)
- memory/4888-1-0x00000000748D0000-0x0000000074E81000-memory.dmp (5.7MB)