cybergate | e76752214cb7545481b53565666025da357233e8d94dea3b40451f618f6a0fcb

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe
Size

497KB
MD5

3a2e879afde3064add0769df1f34c04b
SHA1

1c43b922786be576ea5923c8f5a58b866e73a70a
SHA256

e76752214cb7545481b53565666025da357233e8d94dea3b40451f618f6a0fcb
SHA512

66fe464466b3f1da8a9af99a55b7f78241b41037d7315b04ed57f2e0502c5bdb1846b916578d1e58bb241e0501c8f1c9742e92e9b757583dff5d504cfe377ade
SSDEEP

12288:LHeVQkTrvj4JcJabtrfFADM6eKUyww4IaziH:LKQkTf4+JaNfFADDdUywwiQ

Score

10^/10

cybergate cyber persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

gaberat.zapto.org:82

Mutex

A714UCFKB3YQJI

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\winlogon.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\winlogon.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4}\StubPath = "C:\\Windows\\system32\\WinDir\\winlogon.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4}\StubPath = "C:\\Windows\\system32\\WinDir\\winlogon.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U7LGV12W-36J8-27E7-7Q68-48U3GH57UQK4}	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	winlogon.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\winlogon.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\winlogon.exe"	vbc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinDir\winlogon.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	vbc.exe
File created	C:\Windows\SysWOW64\WinDir\winlogon.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\winlogon.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1968	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	vbc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe
Token: SeBackupPrivilege	2384	explorer.exe
Token: SeRestorePrivilege	2384	explorer.exe
Token: SeBackupPrivilege	2524	vbc.exe
Token: SeRestorePrivilege	2524	vbc.exe
Token: SeDebugPrivilege	2524	vbc.exe
Token: SeDebugPrivilege	2524	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1968	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 2976 wrote to memory of 1968	2976	3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21
PID 1968 wrote to memory of 1208	1968	vbc.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3a2e879afde3064add0769df1f34c04b_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Suspicious use of AdjustPrivilegeToken
      PID:2384
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2524
    - - C:\Windows\SysWOW64\WinDir\winlogon.exe
        
        "C:\Windows\system32\WinDir\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
52d2a013fe5c7ab4fbdaf34d49fed165

SHA1
0a370633cc11593b901ccb126f6b186864e98041

SHA256
ea1d848e830424211480dbfc285657393a2cdccc4bce05abda9a4bb22e6b8011

SHA512
63e506fbe1a2228cd7ee0cceae1f0268c4d11144da3573e50b6fbc150b56f36ea31cb95a27eccb759085403be1a2ccb159a400849475a17a72b3212b5a81dc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2341e507847ea33bfed3d8c0c6e44bbf

SHA1
1e0f2b81c730f92189efe1b3159b39fbd6b2e36a

SHA256
9580061cbb278b03ab3033063773e51667b05073b0f352e068ab92a4dc0146bd

SHA512
f876fe171974495c17ab09e2fd4c13278973ab6395d7598d90d724338e0b88efaf0525c08800042e28e56d87c8f69fd4bf31f2b6785b98369e096eb8d6d2e8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5cbe6981da565480e1b49f243cbbed70

SHA1
adf7156c627d962b5b25e905175b6b4ec3a97758

SHA256
5d62740d666511b99bfaf86c7301ae5efc54d2cd37db1fa16e6def298684c190

SHA512
b57798c12588db10620dbb22105fd17ad99ae10e72f40f2346c3c6ed9770941562565b3351f5b19bf7ba298545f4265ecc0c4ef13c3a7e2ba355f5e69af3a3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
818ec1837f6e1dee83b7bd070f4613ed

SHA1
150f6e818236d28749fb737a089628ab35915187

SHA256
ae027e614ef965ccb3385ed08ba278fc644ae4f390be50b43ec026f363accc51

SHA512
94a7761d1dd55051637b88f66972521cf9f7bfbea9f00f8c66fad2840dcdc94f6d460d9a21c0b994a9504ecb1ff739c76b5dcc923c7e7b8fdd5f3ad4ce397fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e5c55e80eae535cc03ece26b261616cf

SHA1
ab4eb36d11c24f6649af63a246b47e11d6cc91e0

SHA256
bd1b1ee2a5d7d6a7da9cb5af5666a54743a05ca139aaa70c360e30f80a0b0c95

SHA512
39450160d379ce9e0dd14bc10ba9b859154f05538619abdd8b99329188861328db9f77cf9bf709c8726dfe07d7c7aa0e41511db93ae90af58a5f379e72c0a91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e3e8185f32b282d88c22cf050c32c737

SHA1
24482e8d8ee561ee5a3af515b67fa398e5a3436c

SHA256
dbbc204556edb14f0729a25019b67a45ff9210d59dc5d48a9bb46517ec873f1e

SHA512
3a0100d775b300e6358ea473171618c91110042a1fedf38f9a6e21bdd7928f3348bc3470aafe3c57a3587bba7e09010894e2f7ce99d1f1917c184a36169ca4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b21990522b2f23dc0ab584b991735a6a

SHA1
346b7b13f79bec163f53a0cb22fbfacf2d10ac06

SHA256
4142539953431f33547427e05910fb1eab64ead3b2e2d39cf890dee3747e9f2f

SHA512
4cc1c12a01a83895b6d5b4f1fec352b2373784e849aa3c250b7119627098d3f2c17b18131c2dcb80d89b9df4ecf07fe51bc0d288c663bf82230b7eefee852ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
271410838614574183cce9290d607903

SHA1
04e2c21b3a1fab8596cbae56b2be6b6bba954398

SHA256
95f03cbcd51b2ba53a110b2ae81b7ccb4ab6b82c1028f357531064bfd0c93fbf

SHA512
bc17b6839a648d056da84ffc206f1c0c008c0f821d6255e2c1fc824d1fda476d4573bce2ea8a139970332bdf010bbb620b4dec669ede1177cbf2df79eab37acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a303125daee46e7e56965b57865ff01e

SHA1
4039ba8416e950fde24d14982775af64d97297a0

SHA256
95b347ac08d3db0cf926d843b77bf606cad21045de6631cca99c2454f0916ccb

SHA512
a8c0fe7632ef80026672b07e2f2c19096dd3d4157bcf71bf57428aff9858f55a45aea1455627b8f20d958c894b06fda7b88e732f8c8d6617d8cd494bb03e3ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1ca0bc18ba0cda03b52219e1b21252f4

SHA1
aeae6e8b87443940b026ab664815c48dd82ff261

SHA256
c8f8d08f266d11d222f111af06d1b7e133b02cb9a403e12705b4e98affe3c758

SHA512
219529e952c4fc44fc704e13a6f4dfe2709d15b7c789f1b4490cfa2ee8f2e9af6afc3f324068251663a3d858eaeadedadf72e4e7af6a8060510f998b7fb9e773

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
36b845c0779bcfbe0b3dcdbc225f991a

SHA1
79b58041d5b9f5a0ee4cba11944dbf0066f3feab

SHA256
fe7bf5dac222f59563beda1ac1a28ab02b06589a272983ff5926594c36156a2d

SHA512
2982c6415829b092baac71b01863b802a70757d53248498347bde656cf5b6f6fe4d2a7a2e984194d61fccc577a360bf9ec5896a161b404e64e921f057db5de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5f384476a4ebd0839f631059dc7d29a8

SHA1
19d298094c978d9749c1c5acd18beffef1d0aaec

SHA256
b1775ad2d4d4d5e8b53bcfa740da81add8afd732a6f4c43221ce400881f87d15

SHA512
4e8bc93013d2e3a22bf29e4451789525efd17c5f02b3855dd371458b4387f254825954e49f418e25c6f2302435931e944e5dc74859219c1f9aa43eba550a1a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1915fbb8ff351c1f6c26b3cbcca3ebe3

SHA1
5f45854fc94e3c69321f2148b16c902a00d334cf

SHA256
3f14e73e458a7bf98ecadf4b4171635c43def8542066b2f3b0ee1247fcd508d7

SHA512
e6931797c7a8ea355adc1a94b34674fde25a43110affc5ebd7b010a2d197a838999c26f5b206ca54fa4c2993bcccc282afb6529f984594205585aafc219de9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
efc96d2ace4549c7ea774cbc49e04849

SHA1
9b6e4959f85bc0c968f3716c23fa80b17f8dc721

SHA256
0c07abfca721add1ff6fef983b49bb2091083a8684065a041803d0208460c180

SHA512
13abac1b79e4da318314adbc0f2e4dbe40a8c726bc641b95d8f4ecd6642101fc0f849fea0cbce48aef3d4a0eea77c7097dc05b51e17fad71a499a8534efb5bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d593e1f224e6695faddd8cdb86c84779

SHA1
db5b5e6ea2c3e696224fcbd05bd4575bedb6bf9c

SHA256
bdd93821ba263e33a9962f0b21c6858aac5d5a785592abf514479111dfd87090

SHA512
43f846e759e4339dc5bf7bf0eca728f98860f277f0a86a46e5fda6a3f6b53caa8d3b2567958918e3eb69d2e97f11ac3133f2b6c6ae17f768a183516174f0b916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2d4514c05f8f1754bc1c0f8319f7618a

SHA1
2d9ef4eb958151cda22659ebce302afb6a933c59

SHA256
5e38db628f04610518287a8148ba99203541fc10ea6338f43b43411286883c43

SHA512
1725e1f9133e17ce2f6d9f85ef1e07325ccd60b3ce29e08f0daa6a423f94cc7ea4361c875269ef982d4b0ad94bdc770617895228fbbb6cf58e98e1b0a9438f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b29fcd89898016b8a0d29468c8eef8c

SHA1
894ce5b7266a396804d46183480e13f029c3e48c

SHA256
cc131e692575867f52ae42466b32019408d11e5fb20b7918a6140c28094f07d5

SHA512
c176874fb8e9d636f72f321df85071ede20c9f8b0c0893e75d7607203f02311d4f05fc7799077dc93e5cb28fd25824e6e8d39173d37540382d884af9f17f9004

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f7df9b3cc6fc0e3b96af5e508d82fb08

SHA1
9e11bd6ccc7e5916d1d4ee9d9dc320887a2e76fc

SHA256
745306a34b025eef31bc67c64e0a6595d2dce8efbd5b8bf13b91f0343eb1a60e

SHA512
d64b5e200c2cf8a472e4bcd53e18804d4e38af025213555fc2f6f17ca95c819a17512291daa10c9f2e539dbbe51751b8615fcc12f2a283b3592d8f9c68d5f308

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b676c6c40f9f33fb892993aebd85e8e5

SHA1
55b525d270b2293c0d6cdc771f9ce0e55203fdad

SHA256
adc2a5bd54574ec345e8bff7a967f3d7c8280d566306bc51f1320dfa5b86162c

SHA512
91bb7efaa36cd2df9d25be530f3ed1a96643b38b19d30a0fe06475feb8a48e36882830ef7148d5b93d6bcf3b33203caa6a608649ece7b9fed549a34a3baf5108

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\WinDir\winlogon.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1208-72-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1968-64-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-52-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1968-58-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-941-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/1968-60-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-49-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-68-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/1968-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1968-50-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2384-609-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2384-315-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2384-376-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2384-375-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2384-374-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2384-1510-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2384-1691-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2976-67-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2976-40-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-47-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2976-41-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-22-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-23-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-25-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-26-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-35-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-36-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-24-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-27-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-28-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-29-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-30-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-37-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-38-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-31-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-39-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-0-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-42-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-43-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-44-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-33-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-21-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-20-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-19-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-32-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-18-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-17-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-16-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-34-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-15-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-14-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-13-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-12-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/2976-11-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2976-10-0x0000000075A10000-0x0000000075B20000-memory.dmp

Filesize
1.1MB

Download
memory/2976-9-0x0000000075A24000-0x0000000075A25000-memory.dmp

Filesize
4KB

Download