Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-07-2024 17:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe
- Size: 776KB
- MD5: 78e7f1563c25848c3762b61c2a49087c
- SHA1: f41a87a66f64ae821109155af68e0d2c0b580c90
- SHA256: 52b15158cd920cb369a6e000be8e17206913fc5f06fdbb5e87403ab30f17e820
- SHA512: 369ab1ffa92c68056b5631fe776c032e0e8d117bfb31342939c0a6ae6fdc2dbed73dbbdc8aa2c5082e1ae52e00f4bda18d649daeedfb254280f5b763a1afe03a
- SSDEEP: 12288:Hm88dAkLtY3RehWUA7bxq1f+aRyVs1QXmFtG2LPm7Va2wWrXuGcSIOUHBhzCli5n:HQt5AUTL+96LzBef
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Botnet: cyber
- C2: rotca.zapto.org:100
- Mutex: NAB4KV5S88U048
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: p4xati9600xt
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: vbc.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (vbc.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (vbc.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (vbc.exe)
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Processes: explorer.exe, vbc.exe
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IIJG4L86-7V87-IK6O-38JM-CF0M3IKTCR20} (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IIJG4L86-7V87-IK6O-38JM-CF0M3IKTCR20}\StubPath = "C:\\Windows\\system32\\install\\server.exe" (explorer.exe)
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IIJG4L86-7V87-IK6O-38JM-CF0M3IKTCR20} (vbc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IIJG4L86-7V87-IK6O-38JM-CF0M3IKTCR20}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" (vbc.exe)
- Executes dropped EXE (1 IoCs)
  Processes: server.exe
  - PID 2712: server.exe
- Yara rule match: upx
  Resources:
  - behavioral2/memory/4696-15-0x0000000010410000-0x0000000010475000-memory.dmp
  - behavioral2/memory/4696-18-0x0000000010480000-0x00000000104E5000-memory.dmp
  - behavioral2/memory/4696-76-0x0000000010480000-0x00000000104E5000-memory.dmp
  - behavioral2/memory/4660-152-0x0000000010560000-0x00000000105C5000-memory.dmp
  - behavioral2/memory/4660-1452-0x0000000010560000-0x00000000105C5000-memory.dmp
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe, vbc.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Testing = "C:\\ProgramData\\Svg64.exe" (78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" (vbc.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" (vbc.exe)
- Drops file in System32 directory (4 IoCs)
  Processes: vbc.exe, vbc.exe
  - File created: C:\Windows\SysWOW64\install\server.exe (vbc.exe)
  - File opened for modification: C:\Windows\SysWOW64\install\server.exe (vbc.exe)
  - File opened for modification: C:\Windows\SysWOW64\install\server.exe (vbc.exe)
  - File opened for modification: C:\Windows\SysWOW64\install\ (vbc.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe
  - PID 2908 set thread context of 4696 (source: 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe, target: vbc.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: explorer.exe, vbc.exe, server.exe, 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe, vbc.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (server.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Modifies registry class (1 IoCs)
  Processes: vbc.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: vbc.exe
  - PID 4696: vbc.exe
  - PID 4696: vbc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vbc.exe
  - PID 4660: vbc.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: explorer.exe, vbc.exe
  - Token: SeBackupPrivilege, PID 4036 (explorer.exe)
  - Token: SeRestorePrivilege, PID 4036 (explorer.exe)
  - Token: SeBackupPrivilege, PID 4660 (vbc.exe)
  - Token: SeRestorePrivilege, PID 4660 (vbc.exe)
  - Token: SeDebugPrivilege, PID 4660 (vbc.exe)
  - Token: SeDebugPrivilege, PID 4660 (vbc.exe)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: vbc.exe
  - PID 4696: vbc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe, vbc.exe
  The 64 entries are repeats of the following two distinct events:
  - PID 2908 wrote to memory of 4696 (source: 78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe, target: vbc.exe)
  - PID 4696 wrote to memory of 3580 (source: vbc.exe, target: Explorer.EXE)
Processes
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\78e7f1563c25848c3762b61c2a49087c_JaffaCakes118.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (level 4)
        Command line: explorer.exe
        - Boot or Logon Autostart Execution: Active Setup
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Internet Explorer\iexplore.exe (level 4)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\install\server.exe (level 5)
          Command line: "C:\Windows\system32\install\server.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: 571fd566d9ad40e38a30a9ce89667aba
  SHA1: ad01a33387f6f17e1435a2dd1b353e5daa2f3e60
  SHA256: c42c0cf3a968cb0cf80f6f8c880e86c8e7609ca5cd24c158554178bab0f955f8
  SHA512: 04bfe55441d98e4e2fc4a44cfc175e281ae04f4c07bf60412204730eb2f9cc7b77e3992b894a7b83d842c53c350d63eea1f6f0ad485617283e9d28708bda294f
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: a17f26a84a4be54b905adb84e620621f
  SHA1: 5f9d20c03faf53a803fc376e86c4cfd1c45dfff8
  SHA256: 04c072b06c73c5aae69073aa1c35ee6edaf402afc41e2e90692be955573d5bbe
  SHA512: 370315ad1e5ba6e92f780e1b31e48ec5e08fb3becc3a7e34cb8afe9e6169354dd94fa89eff59fd96e88c22e42663d2ce8d88a1a97b4496155d67931472bf017d
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: a119d8f105fbd0754ee116743efe1370
  SHA1: 7fa67ec155099f68574f6014b2ee3986314f5c86
  SHA256: 7ee116126210c85665e103eb7063271bc72bcb8c8615f8a90a9954c1d772f087
  SHA512: dd175e99e056b03211c4548d238cc22dc87400db9ac2fee0b4d7d527cac6780b75588e3ccb1dbdde35377b145861ce99e3ad98ccffcf47f312df19a6eb58b583
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: e83d35a766ac75a6ffa1628b6ebc86fc
  SHA1: 23a2995e54ae079ae85a8c8dd188e7649fd9791c
  SHA256: b5903372032112218a32d95ab18492200055c5f2c74ddbe69e1a2e475937aefb
  SHA512: 333fa8e3d4a700bf0946f1d3d04659aae0267bb0a8446576733e3bd92eafca773276538d2b324e21329fc445b89985849f7011bed056b7eeedce6f837c8c9492
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: c36a1dbd1002e8e928f6c2221e0ff9fb
  SHA1: 8bb27635f8acdb7610b3920ed9660d852f8feefd
  SHA256: ec076af02747a0a7049421aadc63bdda0bd8bdfd064739b8d6941a492e2c8555
  SHA512: fbd0f110983ef8d53a94101abf1aa1a619d485e92113398513a373e21a89ca19c9461733f640c89d0025daf9c9872dad9e63c43893c3f9064e80dfad9e3c5772
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: ec5772e8dcb4b596e3857991785a3d0d
  SHA1: 203fddd5e663fdf3c57fc6b9ad9c54b6c8a5a095
  SHA256: 674bc95d0526a11f7c20ede1d2406901ce8c97ce91d385c2c2d82f4c810fb30f
  SHA512: 2fc7f97bc5b379d1a836bc977307b308194385210ea55842cf12ed47d9605b110b20def545290bf259d3b20f545737e9c99e6e82945f89ac73db82fc4c0ef68c
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 4b742d91af69bbbda200001f3a5d3519
  SHA1: c10661f937c673545caab224748431cf3c76ee9d
  SHA256: 3fef80aa1ec9c382802505d26232aa95642174e7f98e29fcf61a3be8cdefddcc
  SHA512: 1af4088aea566d4914ae3d6a1b82d16d001e972d5acfba71ab59c33e2672892848e826d8499dac59f0567a6df7dec967fa426147bbe87e7143af7ab129df1f1f
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: db3ef8425c13bcd73aaf68ba362bfcda
  SHA1: 89d6bf4bcdf4dd5ee845dd12086937c4911668cf
  SHA256: edf5481cf4d890825a8d8bcd9b613a53f5dc0caa8d07379121a61c3bf07e7a2f
  SHA512: f95ff95e27ad7efbe34ebd1489aa43c6748d5f3e0fed8352e5c74d38dcd35504e1ef6286c3f9ed21e9b13377358c3ff466e1087624eedae7ac2fb674eaba9859
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 23689262392eb6deb4b3bfe2ef8cc503
  SHA1: 2cac931dfd8992cae512316beb108c0392ada89c
  SHA256: 5910c3ed3702faf0f22753d086bb771d556a1645ff3175960a5a335018618949
  SHA512: e7f855416d82eb5a643cefc5ea93257e19c32a9f95e4c821fcbd6cf1647d75b70c24c82f39042085dc2ea653dcef15ccee9710d15b3b2804bb4369ba9a5c77cb
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 950a6f667be1b761de3ff27e885f32b6
  SHA1: 3e6cf132cd64f69e375886b1ca4d754d504eb4da
  SHA256: 6e7f8c42fd4b808b1342692048db6af8b0bdf420fb016bd33cd63ba0781f75c2
  SHA512: ab06abe33f7333117f6ee948c443d23e5401b0767027047e74219ec7bfa69ce817c7d4ce24e490a0991bb8147cba6fcdf06e7bf654c0876ee0a3a9d85a90db35
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 175f09d8a0c94bc589bad5a8b57b1b80
  SHA1: b7bf57e2b1a3f9f731dd5d1487c19219d5d186f7
  SHA256: 3c71299637785c570c6a241278195047916976bdd326f0888d855935f8efc5b8
  SHA512: cf5feed22e49634ad3287881c8e1904be383b74d2ca10951276cbbf65c1b550087733663d5978509f45fdc4254cfea2eff204195074da57e395502ca0c806d16
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: bfc4b6a927614a88d6366d2a1b0c4a42
  SHA1: 77e2475d32fd8099560e5b730fec8f6067773889
  SHA256: 36161f41bfaa0908b9a6a6522adfe892412ad08918e0e26d22c3a76212be8b0a
  SHA512: 22ee9d292c03cc7c5cb2da680007f67192c1e4b541a54ee33af8638921330008f93291041484469f8ba4f159b1eacb6813f4de0787e3f7d44fb85a3225657727
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: bff3753e30491ed42d4c8186c8829e9f
  SHA1: 9962094428099f79bffaa606ffff7beb75b44a97
  SHA256: 721f0d1960830e3dc92fa6af97cb3b1db59064497b9ef0633982f9d18ee241f6
  SHA512: c7a4bba753285e09b8f69fe9ef135598c1b76c360c957b8fcb694d8cd8304b93a4d5b5b4081a1d21cf17b8eaf92aaa7fad123e289f54021082ae3de10c08d2eb
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 71c6eba6244773c7d1f63ffa4b1c844d
  SHA1: 2df253c0bb2af5d5a9f4f7c4fda08b9fca418329
  SHA256: 73a68951e751699c133f97ae285809a87f6e504ecfbd5979cf0a9d162dcf7da7
  SHA512: c8f8454a583fbe1eda077fe8df54efd48f55a65bf799073dd0d503ed110a5c2880ddf0d05ae31a549903b6d9a3a60895420791f03acbce9b277db8bfa173a219
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 730a4b80816431dcd258f733cacde00e
  SHA1: cdd1d18bc5f5e103f1b15d9feb6b5bc5951784f5
  SHA256: 3485b449b438ff48b4489d2d5cedeafb0f7b43c66380437108c6fa27c2cb9b46
  SHA512: 78a78a41aa4014819d5e145dcb0888e234adafe40ce0244f2ec528508e77997aa04b7147733de7ca73877af14970a914d585bf61400f5c8bed13e4f1ac33c6d4
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 283d76d2da9d9fd6e6f777dd8d04c0e5
  SHA1: 9e4ddb894b19b2f824806592dd81a13894723d74
  SHA256: 63546e0c7f04cbeefc56978ab756263c26aaaf039fe848f727e73016973428c1
  SHA512: 613890bb40f22c2f26f2609aee30634e9e90f5355eb499cae39da6f9a1df745b881fb43a4b5d49b837e667db231981a4982c47cfa05e45352c2516429baccaf8
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 6743bcf0f0ff95db2bd6467f4457a287
  SHA1: b0eaf04ed64c59a822240f035ccc9252c4267265
  SHA256: 75112b2744d91fd3f1f223671903d1957d7c3c412762a01ffafac3d5d1ab37e8
  SHA512: e92af7f7ae8e4ea6b5010c364708e3d57a04bf71f50949e346e70e114416e453b0d92215814b9fa2489f7de9199a6e7574d4fe2a697151e4a9d5effe41379ac4
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 131e3290fc1fc76148e89c6b6bf9f7e8
  SHA1: 8610d515af05307faa27dbd12615f801a55d8546
  SHA256: 982180a33c200372caba9a92c6203b405b15d5939a48e6db5e3631f61f620b41
  SHA512: 77ccc635ec36e35347563ac70f78a3a89c834e0351f0530e2d7079a6181198a9577d110dac04d2a6811c583454059c401794729e295e3fc6a47ccd16a7cebafe
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 80491361033d99f0070dbbf1a578a6a6
  SHA1: 491a85e123ae3bdd3dd700ec9bc41397168762fc
  SHA256: 6745a12995e98672cf6e97654c86d378a0b6185d0281d3b2edcfc61f705d45fe
  SHA512: 0144070ae5e57ba7b7b3a41db34600592a55bc63f56dd91e33e0b097d9edcf402dd3a8b905d3cf4e176840d8ee79b7094d4e2b0c17a0d1ecba8c7c2fb42d8314
- C:\Users\Admin\AppData\Roaming\Adminlog.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
- C:\Windows\SysWOW64\install\server.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
Memory dumps
- memory/2908-11-0x0000000074940000-0x0000000074EF1000-memory.dmp (Filesize: 5.7MB)
- memory/2908-1-0x0000000074940000-0x0000000074EF1000-memory.dmp (Filesize: 5.7MB)
- memory/2908-0-0x0000000074942000-0x0000000074943000-memory.dmp (Filesize: 4KB)
- memory/2908-2-0x0000000074940000-0x0000000074EF1000-memory.dmp (Filesize: 5.7MB)
- memory/4036-23-0x00000000000C0000-0x00000000004F3000-memory.dmp (Filesize: 4.2MB)
- memory/4036-19-0x0000000000D20000-0x0000000000D21000-memory.dmp (Filesize: 4KB)
- memory/4036-20-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize: 4KB)
- memory/4660-152-0x0000000010560000-0x00000000105C5000-memory.dmp (Filesize: 404KB)
- memory/4660-1452-0x0000000010560000-0x00000000105C5000-memory.dmp (Filesize: 404KB)
- memory/4696-76-0x0000000010480000-0x00000000104E5000-memory.dmp (Filesize: 404KB)
- memory/4696-5-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/4696-7-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/4696-15-0x0000000010410000-0x0000000010475000-memory.dmp (Filesize: 404KB)
- memory/4696-3-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/4696-4-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)
- memory/4696-18-0x0000000010480000-0x00000000104E5000-memory.dmp (Filesize: 404KB)
- memory/4696-151-0x0000000000400000-0x0000000000451000-memory.dmp (Filesize: 324KB)