Analysis
max time kernel: 147s
max time network: 155s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 30-07-2024 18:55
Behavioral task: behavioral1
Sample: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
Size: 341KB
MD5: 79a62d9b25dd93ce3345c92e49e6a658
SHA1: 89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd
SHA256: 836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b
SHA512: f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd
SSDEEP: 6144:pOpslFlq9GHGFhdBCkWYxuukP1pjSKSNVkq/MVJbI:pwslOOiTBd47GLRMTbI
Malware Config

Extracted
family: cybergate
version: v1.07.5
botnet: Cyber
c2: frisdrank.no-ip.org:82
mutex: 46G44QW5AO0752
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Winlog
install_file: CyberGatev1.07.5.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Note: install_dir and install_file together give the on-disk location the persistence entries below point at (Winlog\CyberGatev1.07.5.exe under the system directory); regkey_hkcu and regkey_hklm are the value names the builder uses under the Run keys, not registry hives. The C2 is a dynamic-DNS hostname on a non-standard port, which is the most durable network indicator in this config.
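The extracted config is only useful if it turns into something that runs over telemetry. The block below is an added example for this page (not the sandbox vendor's code and not CyberGate's): it derives the C2 host and port from the config above, then joins constructed DNS and connection records (Zeek-like field names, an assumption) so that a connection to the resolved address on port 82 is attributed back to the C2 hostname. The dynamic-DNS suffix list and all IP addresses are constructed for the example.

```python
"""Turn the extracted CyberGate config into network hunt logic.

Added example for this page; not the sandbox vendor's or the malware's code.
It derives indicators from the config above (c2 host and port), then joins
constructed DNS and connection records (Zeek-like field names, an
assumption) so that a connection to the resolved address on port 82 is
attributed back to the C2 hostname. All IP addresses are constructed from
documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Dynamic-DNS providers commonly used for RAT C2; the list is illustrative
# and incomplete (assumption), extend it from your own intel.
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org", ".dyndns.org")


def parse_c2(c2: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); host lower-cased for matching."""
    host, _, port = c2.rpartition(":")
    return host.lower(), int(port)


def is_dynamic_dns(name: str) -> bool:
    return name.lower().endswith(DYNAMIC_DNS_SUFFIXES)


@dataclass
class Hit:
    ts: float
    kind: str        # "dns" or "conn"
    src: str
    detail: str
    reasons: List[str]


def hunt(config: dict, dns_log: List[dict], conn_log: List[dict]) -> List[Hit]:
    """Flag DNS lookups of the C2 name and connections to where it resolved."""
    host, port = parse_c2(config["c2"])
    resolved: Dict[str, Set[str]] = {}   # answer IP -> names that resolved to it
    hits: List[Hit] = []
    for rec in dns_log:
        q = rec["query"].lower()
        reasons = []
        if q == host:
            reasons.append("query_matches_c2_host")
        if is_dynamic_dns(q):
            reasons.append("dynamic_dns_provider")
        for ip in rec.get("answers", []):
            resolved.setdefault(ip, set()).add(q)
        if reasons:
            hits.append(Hit(rec["ts"], "dns", rec["src"], q, reasons))
    for rec in conn_log:
        names = resolved.get(rec["dst"], set())
        reasons = []
        if host in names and rec["dport"] == port:
            reasons.append("connection_to_c2_host_and_port")
        elif host in names:
            reasons.append("connection_to_c2_resolved_ip")
        elif rec["dport"] == port and any(is_dynamic_dns(n) for n in names):
            reasons.append("c2_port_to_dynamic_dns_host")
        if reasons:
            detail = "%s:%d (%s)" % (rec["dst"], rec["dport"], ",".join(sorted(names)) or "unresolved")
            hits.append(Hit(rec["ts"], "conn", rec["src"], detail, reasons))
    return hits


CONFIG = {"c2": "frisdrank.no-ip.org:82"}   # value from the extracted config above
DNS_LOG = [   # constructed records
    {"ts": 1.0, "src": "10.0.0.5", "query": "frisdrank.no-ip.org", "answers": ["198.51.100.23"]},
    {"ts": 2.0, "src": "10.0.0.5", "query": "www.example.com", "answers": ["192.0.2.10"]},
]
CONN_LOG = [  # constructed; the last row is port 82 to an unresolved host and must not fire
    {"ts": 3.0, "src": "10.0.0.5", "dst": "198.51.100.23", "dport": 82},
    {"ts": 4.0, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443},
    {"ts": 5.0, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 82},
]

if __name__ == "__main__":
    for h in hunt(CONFIG, DNS_LOG, CONN_LOG):
        print(h.ts, h.kind, h.src, h.detail, h.reasons)
```

The join matters because the IP behind a dynamic-DNS name changes: matching on the hostname alone misses the flow, matching on port 82 alone is noisy, and only the DNS-to-connection correlation ties the traffic to the config value.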
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe"
- Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe"
Note: Policies\Explorer\Run is honoured by the shell like the ordinary Run key but is rarely written by legitimate software, so any value under it is worth review; the sample writes it in both the machine hive and the user hive, so check both when hunting.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe, explorer.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe Restart" (79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" (explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} (79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Note: the component ID {7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} is not a valid GUID (it contains characters outside 0-9A-F), which makes it a cheap, high-confidence hunt term on its own. StubPath is written twice, once by the sample with a "Restart" argument and once by the explorer.exe it spawned without it, so the value found on a live host depends on which write landed last.
Executes dropped EXE (1 IoC)
- PID 592: CyberGatev1.07.5.exe

Loads dropped DLL (2 IoCs)
- PID 1684: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe (two loads)
UPX-packed code in memory (yara rule: upx, 3 IoCs)
- behavioral1/memory/2924-2-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral1/memory/2224-534-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral1/memory/2224-1557-0x0000000010480000-0x00000000104E5000-memory.dmp
Note: the same 404KB UPX-packed region appears first in the sample (PID 2924) and later in the explorer.exe it spawned (PID 2224), consistent with the config's injected_process = explorer.exe; the second dump of PID 2224 is a good source for an unpacked payload.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe"
Note: the value names HKLM and HKCU are the regkey_hklm and regkey_hkcu strings from the extracted config, so they are operator-chosen and will differ between builds; hunt on the value data (the Winlog path) rather than on the value name.
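The three persistence signatures above (policy Run key, Active Setup StubPath, Run key) are the same detection problem: a value written under an autostart key whose data points at an executable. The block below is an added example for this page, not the sandbox vendor's code and not CyberGate's. It runs a small rule set over constructed registry-write events built from the IoCs above (the dict layout with op, pid, image, wow64, path and data is an assumption; map Sysmon event 13 or EDR registry telemetry onto it) and adds the checks a responder wants: the non-GUID Active Setup component, an executable in a subdirectory of system32, and the SysWOW64 path a 32-bit writer actually used.

```python
"""Detect the three autostart registry writes listed in this report.

Added example for this page; it is not code from the sandbox vendor or from
CyberGate. The events below are constructed from the IoCs above, in an
assumed dict layout (op, pid, image, wow64, path, data).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Autostart keys, matched against the key path with the value name stripped.
# Wow6432Node is optional so 32-bit writers on x64 (this sample) still match.
AUTOSTART_KEYS = {
    "policies_explorer_run": re.compile(
        r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I),
    "run_key": re.compile(
        r"\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run$", re.I),
    "active_setup": re.compile(
        r"\\(Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components"
        r"\\(?P<component>\{[^}]*\})$", re.I),
}
GUID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# An .exe inside a subdirectory of system32/SysWOW64 (system32\Dir\x.exe);
# Windows does not register its own autostarts from such paths.
SYSTEM_SUBDIR_EXE = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+\\.*\.exe$", re.I)
EXE_IN_COMMAND = re.compile(r'\s*"?([^"]*?\.exe)', re.I)


@dataclass
class Finding:
    technique: str
    pid: int
    image: str
    key: str
    value_name: str
    exe: Optional[str]
    on_disk: List[str] = field(default_factory=list)   # paths to check on the host
    reasons: List[str] = field(default_factory=list)   # empty = plain autostart write


def exe_from_command(data: str) -> Optional[str]:
    """Executable path from a Run/StubPath command line, quoted or not."""
    m = EXE_IN_COMMAND.match(data)
    return m.group(1) if m else None


def on_disk_candidates(exe: str, wow64: bool) -> List[str]:
    """A 32-bit writer that names system32 actually wrote under SysWOW64
    (WoW64 file-system redirection), so return both locations."""
    cands = [exe]
    m = re.match(r"^([a-z]:\\windows\\)system32\\(.*)$", exe, re.I)
    if wow64 and m:
        cands.append(m.group(1) + "SysWOW64\\" + m.group(2))
    return cands


def detect(events: List[dict]) -> List[Finding]:
    """One Finding per value written to an autostart key, with triage reasons."""
    findings = []
    for ev in events:
        if ev.get("op") != "set":
            continue
        key, value_name = ev["path"].rsplit("\\", 1)
        for technique, pattern in AUTOSTART_KEYS.items():
            m = pattern.search(key)
            if not m:
                continue
            if technique == "active_setup" and value_name.lower() != "stubpath":
                continue  # only StubPath executes anything
            exe = exe_from_command(ev["data"])
            f = Finding(technique, ev["pid"], ev["image"], key, value_name, exe)
            if exe:
                f.on_disk = on_disk_candidates(exe, ev.get("wow64", False))
                if SYSTEM_SUBDIR_EXE.match(exe):
                    f.reasons.append("exe_in_system32_subdirectory")
            if technique == "policies_explorer_run":
                f.reasons.append("policy_run_key_rarely_used_legitimately")
            if technique == "active_setup" and not GUID.fullmatch(m.group("component")):
                f.reasons.append("active_setup_component_id_not_a_guid")
            findings.append(f)
            break
    return findings


def suspicious(events: List[dict]) -> List[Finding]:
    return [f for f in detect(events) if f.reasons]


SAMPLE = "79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe"
INSTALL = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-2212144002-1172735686-1556890956-1000\\Software"
HKLM32 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node"
AS = "\\Microsoft\\Active Setup\\Installed Components\\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\\StubPath"


def ev(pid, image, path, data, wow64=True):
    return {"op": "set", "pid": pid, "image": image, "wow64": wow64, "path": path, "data": data}


# Constructed from the report's IoCs; the last event is a benign control (constructed).
EVENTS = [
    ev(2924, SAMPLE, "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\Policies", INSTALL),
    ev(2924, SAMPLE, HKU + "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\Policies", INSTALL),
    ev(2924, SAMPLE, HKLM32 + AS, INSTALL + " Restart"),
    ev(2224, "explorer.exe", HKLM32 + AS, INSTALL),
    ev(2924, SAMPLE, HKLM32 + "\\Microsoft\\Windows\\CurrentVersion\\Run\\HKLM", INSTALL),
    ev(2924, SAMPLE, HKU + "\\Microsoft\\Windows\\CurrentVersion\\Run\\HKCU", INSTALL),
    ev(1000, "msiexec.exe", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
       '"C:\\Program Files\\Example\\updater.exe" /background', wow64=False),
]

if __name__ == "__main__":
    for f in suspicious(EVENTS):
        print(f.technique, f.pid, f.value_name, f.on_disk, f.reasons)
```

The benign control still produces a Finding (every autostart write is recorded) but no reasons, which is the split a SIEM rule needs: alert on findings with reasons, keep the rest as enrichment.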
Drops file in System32 directory (4 IoCs)
Processes: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe (two instances)
- File opened for modification: C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
- File opened for modification: C:\Windows\SysWOW64\Winlog\
- File created: C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
- File opened for modification: C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
Note: the registry values above name C:\Windows\system32\Winlog\, but the file lands under C:\Windows\SysWOW64\Winlog\ because the sample is 32-bit and subject to WoW64 file-system redirection (the process tree below shows the dropped copy executing from the SysWOW64 path with a system32 command line). Check both paths when hunting on disk.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe (two instances), explorer.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2924: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1684: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
Note: polling GetForegroundWindow is how a keylogger attributes keystrokes to the active window title, consistent with enable_keylogger = true in the config.

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: explorer.exe, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
- Token: SeBackupPrivilege (PID 2224, explorer.exe)
- Token: SeRestorePrivilege (PID 2224, explorer.exe)
- Token: SeBackupPrivilege (PID 1684, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Token: SeRestorePrivilege (PID 1684, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Token: SeDebugPrivilege (PID 1684, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe, twice)
Note: the explorer.exe acquiring backup/restore privileges is the instance the sample spawned (PID 2224), not the desktop shell, consistent with injected code running inside it.

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2924: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2924 (79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe) wrote to memory of PID 1220 (Explorer.EXE); the table lists this same source/target pair for all 64 IoCs
Note: PID 1220 is the desktop shell (C:\Windows\Explorer.EXE, the sample's parent in the process tree), not the explorer.exe the sample spawned (PID 2224). Repeated writes to one target are the pattern of a payload being copied in chunks rather than a single debugger-style write.
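Sixty-four identical rows are a presentation problem as much as a detection one. The block below is an added example for this page (not the sandbox vendor's code, not CyberGate's): it collapses WriteProcessMemory events into one row per source/target pair, attaches a count, and scores the pair on where the writer runs from, what the target is, and how many writes were seen. The process map and write list are constructed from this report plus one benign control; the field layout and the chunked-write threshold are assumptions.

```python
"""Collapse repeated cross-process memory writes into one triaged finding.

Added example for this page, not the sandbox vendor's or CyberGate's code.
Records are constructed from the report (plus a benign control); the field
layout and the threshold below are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Locations an unprivileged user can write to. A binary running from one of
# these that writes into another process is worth a look whatever the target.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata\\(local\\temp|roaming)|downloads)"
    r"|programdata|windows\\temp)\\", re.I)
# Processes commonly chosen as injection hosts (this config names explorer.exe).
COMMON_HOSTS = {"explorer.exe", "iexplore.exe", "svchost.exe"}
# Many writes to one target usually means a payload copied in chunks rather
# than a single debugger poke (heuristic threshold, an assumption).
CHUNKED_WRITE_THRESHOLD = 8


@dataclass
class WriteFinding:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str
    count: int
    reasons: List[str]

    @property
    def verdict(self) -> str:
        return "high" if len(self.reasons) >= 2 else "low"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def aggregate(writes: List[Tuple[int, int]], processes: Dict[int, str]) -> List[WriteFinding]:
    """writes: one (src_pid, dst_pid) per WriteProcessMemory event; processes: pid -> image."""
    findings = []
    for (src, dst), n in Counter(writes).items():
        src_img = processes.get(src, "?")
        dst_img = processes.get(dst, "?")
        reasons = []
        if USER_WRITABLE.match(src_img):
            reasons.append("source_runs_from_user_writable_path")
        if basename(dst_img) in COMMON_HOSTS:
            reasons.append("target_is_common_injection_host")
        if n >= CHUNKED_WRITE_THRESHOLD:
            reasons.append("chunked_writes_%d" % n)
        findings.append(WriteFinding(src, src_img, dst, dst_img, n, reasons))
    return findings


PROCESSES = {  # constructed from the process tree in this report, plus a control (PID 4000)
    1220: "C:\\Windows\\Explorer.EXE",
    2924: "C:\\Users\\Admin\\AppData\\Local\\Temp\\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe",
    2224: "C:\\Windows\\SysWOW64\\explorer.exe",
    4000: "C:\\Program Files\\Example\\debugger.exe",
}
WRITES = [(2924, 1220)] * 64 + [(4000, 2224)]   # 64 events as in the report, 1 control

if __name__ == "__main__":
    for f in aggregate(WRITES, PROCESSES):
        print(f.verdict, f.src_pid, "->", f.dst_pid, basename(f.dst_image), f.count, f.reasons)
```

The control shows why the score needs more than one signal: a legitimate tool in Program Files writing once into explorer.exe trips only the target check and stays low, while the sample trips all three.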
Processes

C:\Windows\Explorer.EXE (depth 1; PID 1220 per the WriteProcessMemory table)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe (depth 2; PID 2924 per the signature tables)
    command line: "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (depth 3; PID 2224)
      command line: explorer.exe
      - Boot or Logon Autostart Execution: Active Setup
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Program Files\Internet Explorer\iexplore.exe (depth 3)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe (depth 3; PID 1684)
      command line: "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe"
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe (depth 4; PID 592)
        command line: "C:\Windows\system32\Winlog\CyberGatev1.07.5.exe"
        - Executes dropped EXE
Note: the sample starts a second copy of itself, a 32-bit explorer.exe and Internet Explorer, then the second copy launches the installed file from the Winlog directory. The command line says system32 while the image path says SysWOW64, which is the WoW64 redirection noted above.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Active Setup (1)
Privilege Escalation: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Active Setup (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt (224KB)
MD5: df5f7d3169da73bca487758bce36e122
SHA1: c6e4a791d32084d7182eb97b5bceed64f7fb854b
SHA256: 69157368071dc7b854a17a661d646c0746744acda03b2c15382c3a51be22a9df
SHA512: 077f15897593b428b4fa85ebdde0d46436eee03791a75b62af9e8606487ef8967bca9d61e8588d1dc61d88c573d2731799585705024ec9541915133ae72654de
C:\Users\Admin\AppData\Local\Temp\Admin7 (8B; the report captured 19 versions of this path, each with different content, listed in report order)

Admin7 capture 1
MD5: d41b0e8987e9edca230c7ac0f95ba3e1
SHA1: 2cfb4c6688296d55a1c50bb8279a493413ec246b
SHA256: 1dabe30c88d906d172edd189878ec2d09992411158958df64d190d02359c7d3a
SHA512: 14f9404f0fc5e98967aaf9e70e68e484063da76b4e079659f3611df58cd4a6656135e3ea2651161c00f521104c3034e93d8df509d50082b28a6095bde4eca187

Admin7 capture 2
MD5: 942d92c81ab1b83d1f48c6b919641bdb
SHA1: dcc0782bda21bbd26e7f2ddea8b297e9b27dae5d
SHA256: df130cc0b4d087a3f2a36f3986a199c2a7515bb96ed509bc4b22a103299d7a57
SHA512: d968f8254702c4d66afc5a65283c54b3f402c000f3467edb533a9bb5005338fc301b1dcb62a17c0e1731425a1b6f8bf0958bd221858bd6f8efd263dd11bb6847

Admin7 capture 3
MD5: 73b3fc4c7d24fa5ac26afc6ac1686d8f
SHA1: 99cc8cdcac64850562d5f8c7aa608de589b0f68c
SHA256: 3a13c3fcf1baab5f43cfb02f2270bd19d199c4e155846a229fbc55105876d925
SHA512: 0399b59dd34a85f8cfdcdd9e2d48295945986f24ad9b74d255503342e89c0a03c2aea018557ff390d197717660a1af0e5f66ecac4c8aa47e54d4a3b54a16b399

Admin7 capture 4
MD5: 32f2d42c91b42fbf89d09286cd136d6c
SHA1: ea9b41b42667189227144ecb031d1ddc473e4241
SHA256: 00a28d5bb2c7b1b5f2e605fe199788b8ecb6fa440f867f031efeb66e811fec1f
SHA512: d68d717fd918cfdb084384597dfeae6cceaa638eeb733b96e692bd69364f7db5bc0f38ea6319fd510743b855a33feb99fb81890b507f257c03075d5c58061800

Admin7 capture 5
MD5: de6e367997a25c50435cdbbf856a1e1e
SHA1: e14cff84b3b0ccc69cd7f5af20564975d6f6ab5c
SHA256: e5552cf8b02855dcf1059ae532276bda5225b1da3f8f43d37ae15dc8117ade5d
SHA512: 05b633a64d3f6a7efc6e9d7a263da310119b552dd698d285b20885488943f290e8e0d4a9702d9b5f6d17249a1aea8b81c71750fc4b692787181690f45ad00c58

Admin7 capture 6
MD5: a15555ad96987f9bc1b1f629dcb50776
SHA1: 663f2a23267d39401919b69812a20f5d046e8a8e
SHA256: b5fbd515a82223a92139127f18fcf1ebd38c95aa2ee561cf3a4dc99bdc74e579
SHA512: b8c58222c5702b87ba67dd14b8cf6cd2eb4939aeee798761a2fc6fcf3166508936b17151bcc98ae3400a8d07488b80beaf31600855235ba72124fd2048d61623

Admin7 capture 7
MD5: 3450043a4d4cd144a878e9ee74bdca41
SHA1: 5334e532bab77578a0ab2f51b43d7e58fa09032d
SHA256: 182d983f6747cc639ec6e29758fd0e50c493c466e98b4d451ff9d27816337ea4
SHA512: 6612720c900852ce7578c1d029be87faf93b22c4a01866379b6223e22377ab243b03a0d7e6d9d9f70230d73882fc181a7a1b919a9393201939aa55ab826abe85

Admin7 capture 8
MD5: 1cdb0d34913549c29c816ece75b2ec03
SHA1: 5bfe4b7f9aa1bdf0e7f4d61abdd2c8dcec986dfc
SHA256: e69750fa17cbe6bd5dca6127289682ea233592e28439a6fbb432b242c7cf7cb1
SHA512: 880aa1ee91076a8d7d673d50efe2e9a012e6d390df238b753314d36460b70daf57782b58231c4eea8a42592164d9a9862c20211c79df445942a9c84db85e2b86

Admin7 capture 9
MD5: 0e71640ca7a8c92e5f4e151313f5068c
SHA1: 1d0a5c7cd8e2777d3286f8f0e09a504b9a0ec411
SHA256: 85ecd7c26efc1a08742bcb9fd2e6358e1ba81f532a0b121b9dd35c15126a3fcb
SHA512: 5090352087bc156bd322071a84922ee34ac17049050047429fc3ce3a9323970e8f5410d518e07b1a4a1cbef6cb9da1f0a1ab32b159692516606ebb3df684e9a9

Admin7 capture 10
MD5: 362b9790b915824a8ecadfa3946dcecd
SHA1: 8431695e95c636323090b16a86ce7a5eb705640c
SHA256: fe0dbb91ceb7b9862fdc2ab7c8589890f3b3c203567eccbd384f161426bb748f
SHA512: dda3a2d0279ecb2918d216383c43339333604b037cf6b0524dea820717ac0d3e38353ebad50021eb98e9554ec68d1fa7873d9fbd36c2bff884847a40f009d019

Admin7 capture 11
MD5: cc1c03533ecaac60fc16c855c7991efe
SHA1: 41775128cac5404909ddde5b2f1e6435e641dc46
SHA256: e3154fcdc8ffa91708822b5f82a480e48c6a961d1e12d9c7a4ba2ba993679bb2
SHA512: 948beffd94513c48d0220caec2ac9658ebaa04dc78d59725beb8c91d9b5ca0c67d1ffcf681f89ed5eca76f97bd418899ed540d3bec3ed6207a975390b0622232

Admin7 capture 12
MD5: af4159b05c06a346c3f3e7084f8d026d
SHA1: 88e52f9d828487573b907c11c83de3b01f9b7941
SHA256: e5bf9481161ebf6309f38f3c618e28e670766562bfea04069d96890dcb93bf81
SHA512: 4441aaf69b0d0795e726e8fd75e03b3344f59a41406d703a018f529f7131766e3d4fd96a87a5f8c13c6cf69dda123d3222dd2ac5ab523610cacf62a5461c3ed2

Admin7 capture 13
MD5: b2d4ab1ccab63ab032cc482ff76133c6
SHA1: cdfb97a09d86faacb5ee1305c8a6d4d620b86aaa
SHA256: 202bd750e40fa8723bde769b1695a34c39a44bb2bb33d4cd59ccf5b964ef7687
SHA512: bb42f2c99150e5bc8bc5ff73d4d00f76d7ab9040f37578a1bd849866a0adca123f50b131cd97dd10c946031d0384edf2c627c1be93cc2d57b5ddd3a62ad670be

Admin7 capture 14
MD5: 46c5c09c4fcc44fbfab0959e60daa74e
SHA1: d5ddabde9f4e7924f418f397dcdb72c842568f7f
SHA256: 0ec2dbf625ca619338b48aeaa6637c2770d2d511bd00429239e0f4526db4c9f0
SHA512: 7eef42366e21d33d10678e21c7b8df7b4d4bf01cb2f90b0036c988eb86cd074eab653551bebdce27bd736e60915d7d33818d039be77d7fe62c9caaf4e05e38e4

Admin7 capture 15
MD5: cb5eca5739b54e0b04db2e333a5b32f7
SHA1: 654bbb66f2aa6fc1d6862d0233be678718967c3b
SHA256: 67d5a3f9f4e2a09c14943fc5402aa4d3255edfde91808ba81f452481bd4c6a23
SHA512: 0b5c28e1057e79e4b3da303fc7b5eaa4ef61b435a05c71028ccdbf551faa77790c5dd7eb75200377f3f1e3ae5f403053b33ec88ff7a52a7781afb09e449786f7

Admin7 capture 16
MD5: ed5eb6a9ffdcdda2c855c58fd9898343
SHA1: 9121a7e4d5961e50d896923f35d38c63054993c0
SHA256: c9fcc489af99e0ac5bf21bb01433fec04337afd304d332575647acfa738f9ced
SHA512: de71bf7f6edd4a0526e36d7519b4adff268d3e0c2d5bcf4d0ef8455b47a28bf23c83b2c13934867cfdea67748777732882fa4c07fad4b192f9977d9ca991fdfd

Admin7 capture 17
MD5: 68c01df2de159934347ebb034e4e69ab
SHA1: 8492a46372e5a0f507236400ce7e1b020a1f83be
SHA256: 5bcef2c9d9c2abd79b2eadc088fedaa6151edec525896800f618a3d34953bb53
SHA512: a32a67461af1dbda73b57674d430bc45bf94c73b755064dd6dfe5d86e335da0650c7500f6e8dbbf6c53adb923ddd2fa3e922e47a677fab77b93d0121d21b3984

Admin7 capture 18
MD5: 8b004d873817859b2602b0aa46f40549
SHA1: d90d92b3fa3c2e1b4104c4388538fb438c081191
SHA256: 085a96aa8678e2823ebd652ff20e514e4256b5d637aa32ca9970c3d7b8a78dd9
SHA512: 700ecf0a29755490936b3d8650ace4af5559aa76f47f4515a36f2374f691a12a995e5fb490c610edd19f422d2adcad270201c58add17ec81a0331ab593724fec

Admin7 capture 19
MD5: 7b6c80d2f72378f1d19d46003d8f78d5
SHA1: ce4189f0fd2dd6f5ce8c83f0637f223c476eec4d
SHA256: 5bbc9d383f8f8c8a31c97f60e561a026754a1129a1eb7c63a98578eb3de7c71b
SHA512: 1a8ffada3d70a29c4a17bb1a24009b0c0e15bcf9759721edec6ea11f8fa6b6c2aa077cb0a26bbb05d56f1665ff44d84daec9f1b37d8adacc545c320fac0b3836
C:\Users\Admin\AppData\Roaming\Adminlog.dat (15B)
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA1: 466530987a347b68ef28faad238d7b50db8656a5
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe (341KB)
MD5: 79a62d9b25dd93ce3345c92e49e6a658
SHA1: 89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd
SHA256: 836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b
SHA512: f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd
Note: these hashes are identical to the submitted sample, so the installed file is a byte-for-byte self-copy; a hash-based hunt for the original sample will also find the persistent copy, and vice versa.
Memory dumps
memory/1220-3-0x0000000002640000-0x0000000002641000-memory.dmp (4KB)
memory/2224-1557-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
memory/2224-534-0x0000000010480000-0x00000000104E5000-memory.dmp (404KB)
memory/2224-272-0x00000000000E0000-0x00000000000E1000-memory.dmp (4KB)
memory/2224-246-0x00000000000A0000-0x00000000000A1000-memory.dmp (4KB)
memory/2924-2-0x0000000010410000-0x0000000010475000-memory.dmp (404KB)