Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-07-2024 18:55
Behavioral task: behavioral1
- Sample: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
- Size: 341KB
- MD5: 79a62d9b25dd93ce3345c92e49e6a658
- SHA1: 89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd
- SHA256: 836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b
- SHA512: f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd
- SSDEEP: 6144:pOpslFlq9GHGFhdBCkWYxuukP1pjSKSNVkq/MVJbI:pwslOOiTBd47GLRMTbI
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- Botnet: Cyber
- C2: frisdrank.no-ip.org:82
- Mutex: 46G44QW5AO0752
Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Winlog
- install_file: CyberGatev1.07.5.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe Restart" (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" (process: explorer.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Executes dropped EXE (1 IoCs)
Processes:
- pid 3756: CyberGatev1.07.5.exe

Processes (yara_rule: upx):
- behavioral2/memory/4572-4-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/4572-6-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/4572-63-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/1820-68-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/440-138-0x0000000010560000-0x00000000105C5000-memory.dmp
- behavioral2/memory/1820-981-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/440-1436-0x0000000010560000-0x00000000105C5000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Drops file in System32 directory (4 IoCs)
Processes:
- File opened for modification: C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Winlog\ (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
- pid 2304: WerFault.exe (target pid 3756, target process: CyberGatev1.07.5.exe)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: CyberGatev1.07.5.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Modifies registry class (1 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 4572: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
- pid 4572: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid 440: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- Token: SeBackupPrivilege (pid 1820, explorer.exe)
- Token: SeRestorePrivilege (pid 1820, explorer.exe)
- Token: SeBackupPrivilege (pid 440, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Token: SeRestorePrivilege (pid 440, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 440, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 440, 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
- pid 4572: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- PID 4572 wrote to memory of 3444 (process: 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe, target process: Explorer.EXE); this identical entry is recorded 64 times.
Processes

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: explorer.exe
      - Boot or Logon Autostart Execution: Active Setup
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\Internet Explorer\iexplore.exe (depth 3)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"

    C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe"
      - Checks computer location settings
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe (depth 4)
        Command line: "C:\Windows\system32\Winlog\CyberGatev1.07.5.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe (depth 5)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 580
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3756 -ip 3756
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: df5f7d3169da73bca487758bce36e122
  SHA1: c6e4a791d32084d7182eb97b5bceed64f7fb854b
  SHA256: 69157368071dc7b854a17a661d646c0746744acda03b2c15382c3a51be22a9df
  SHA512: 077f15897593b428b4fa85ebdde0d46436eee03791a75b62af9e8606487ef8967bca9d61e8588d1dc61d88c573d2731799585705024ec9541915133ae72654de
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 08d2d1ddffab4ecd1d85841b16bdf52a
  SHA1: 90857b1ce577ce9ed8ca3f5b3bf150574e6e2092
  SHA256: 4afa7e5680b70c756c33b5f5932a3c4ee4429eb370b2796192e7543806c83a74
  SHA512: 0a17b43e8723def2a682cb5b77fd983c60f3dd3cf0f5a9f92db4ef854011313e4c8d053a5bac44211c1cecf1fc4754543535de057384042622ce1928942ce4f8
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 878574bdf5d7e68856bcd7307cda4bab
  SHA1: a089d8bb2a4bfdcc6648d8cfbd863b9d671d5a54
  SHA256: 5e494f2bfb8b8187032c17c084f5577bdf16c0d9f8a1541eecd4b97a176592ee
  SHA512: d4eea2514373e2c564e6d23c4f9e0bdf01f28a2dd1962338d1a8cfd50c6c36d2253464071701a135eefcdf38c7e27c8530858dac04041389e394039f5566591a
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: bc509463a3f1f077440181a681b626db
  SHA1: 0de48222a0c4ffc8e49cb40f785bb029c6ee98fb
  SHA256: 7c8e1a9f2b456ed8156f36570eac58792151cae0068699596dc77514b5ddf7ba
  SHA512: 66d3429ebb4b70e4a279bfdc24484e1e6dae5705a668464e9628d162007fce2dbd36f41d9f71b44d4063071d8d3043bebe80fe6cb82a87a6265e5c4975f66749
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 461fbbbb1dd8a3b6d487ba0619666542
  SHA1: 3456ff34ac587483a0c7f05466490239a645c3f1
  SHA256: 5dd9c0b49ae63a9434c463c83a4bd4cc90665a7a7466a73afbec5fa825d66ddf
  SHA512: e68f0b0363a6ef0a1c1580847da0b816238e14e508f5f6dd34913fdd3f897a22aff4afcb6f38d8936cf3d891cc5afd2d3d0049c3eae39272e85e513bae6af1db
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5dfc3481ec27b6bc35d71a66cdf235e2
  SHA1: 5fe2a8d960a633c15b2288227a49247ed1ff7768
  SHA256: c68bbf7993193fb8fd1df54e184fd8d8abe0e9b2e492cf9a368e17da90b710a8
  SHA512: 92b3d84a731c0f4e0a6d2eafdb2c6878063d5b6f4557d31c80fd14aead15d22c088cf1436139383cefbc8cbda71999f29e70d00e4e4ce8b08670fc49ad64b384
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 54d40568212ab6f63f65bc2ff7d86081
  SHA1: 61df6c8161d4a115e249348b9a18a60691035562
  SHA256: f42d061e9bb216ba808f32b4e6092142d9605b839c2a37a852feb7aebb340357
  SHA512: d9d3d8fbd8e18de2d33c6b160d642a0f89cf0a4d833587c211526778e9814d3128e6e4d77543c6964fd5dd232939965f676cf20bed606f64d297f26f42867bcf
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 44e255ade644d036e982dcea96e9db03
  SHA1: cf1595ef20bed983e8da9e00dac93a87d6b566c1
  SHA256: 48d5ea596ef4287b986e82a8ef6833a0bce8dff6d6c93da8194bee526ce5c2d9
  SHA512: 4e4442c91021a9efc71419c388ea5a8af4d8f60974dd43ee6a4214003851d670ebb9b1724e040826ed6b8bbd5ee305f71861cf636f2ebeff013a7cdfea324963
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 99bf0280c8e5555cf0c4a65c1202ade4
  SHA1: 06e1bb84bd9ccd10843b898f7c1bc47b7c1770b7
  SHA256: e91eb3ee0e2232d5135fade1a305c1a9a795d852d45b53457504449010206a72
  SHA512: 4205a7345bd207ac5420a0e49731e12537035dad4365658f2841f3af1f236236eaa8c92bd0da4641d7a3975ce8601789a4938b7a223307c73796f9afc44bb50b
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 854ac89f516164d3bc513f82998a912f
  SHA1: 6ce6ffaf1f5152caf594dc16bf95766da36bf079
  SHA256: 493509bfa8468e679d2d9e413859a1fd90f9cad1623c659d9e20c0175c182df7
  SHA512: 60549259ffc0a828ddef03be08c626950fb2be995c043984de720b824adec3fd82d84bd8270dcec6a141e19d241194ee58a80f67bb611efc795b5f9f59f92122
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: c3a5882859878c5f15258e46fa5e4060
  SHA1: cfb7e3e2f9c0e022888ac2958de5002010ddf101
  SHA256: b9b38e74c039b35e2ba858e5441a1fd18f8f289accce174069aeaff7f0048187
  SHA512: f727f29fc5e43058911f50c694c7920bf1e971a31ac1d49fd1088759a2b70d027f7cff53c5505b0b27d16ad79714425f7dadc9dfd95ea3bb7712a2658a901d8b
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: af084873c07b23353d58d80e9b324c21
  SHA1: b8681c40e18f78b42859d1f6647b9768131af610
  SHA256: 90267f22e8dbe14cd9791aee7c15e184c9f0d7a1c8a9d0387f636c79023a045f
  SHA512: e8f0195205910f3c9a16c43a92e7a7cab9a61cc29ad3f29c2df1f196654fd3be3c6f1594c0dbbb430561e29abe4e6d38fbf14746daacffd1178ac22604124670
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: f707de1c96fd772a8c33151c62ab8fd9
  SHA1: 0cef3b9c54cea7a8fec0a515621746188b0b2f1a
  SHA256: 490c0340d265face0ab282482ee025fd8f1e7850245dd2734ec0438a2cacd4bf
  SHA512: ef5337e650550f6d95e35a792e8482d289b7249a30a9d499fc53b0b0f02c8de3a90a46e093c39cd5aee26b4359c90a9bc9c4c21082d3ed4ce8f5b4cb3bd3beb6
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 2bb7b6f8a6d79996ad5705bc6973de76
  SHA1: 4373a923f6435e28fb693bb6801d36a0f2e42882
  SHA256: c768e5338fd7c270cc0b00d57cce34c2d8af7e4297c825d12a6514191ed4edd7
  SHA512: 72d88ea741c080bd42db02ff69759177f3803291bd123ee61756217fc723aa74fe6b1fd00c016a83b79329e688d511518cb1124e9cb9bc98e082df54c6c806ce
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 337ab9565da3b6eabcdc2dde71a8465a
  SHA1: c392967d1d976686903d786e6d43d617d705d4b0
  SHA256: 09cdfb7a7a37b023a9463b63e3bcabb5869aa6ed02b9e8879487c5b9300fdd4d
  SHA512: a52741397ded0e4b060804f7cd93a5bccfceae0e7cf70089ce7cbc867cc2c2b248e710a7ae1daaffdac792b5e11658628fbcbf13eb6f7cd9be8cd9558e739454
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: ab0df17ab2a59b695fd8019a49b96dfb
  SHA1: fdf88fdfe88b9dcd9342878234614967f0f1e8fa
  SHA256: 45c9f416f933343f7e34ce2dfbf07f20b1dba9afb225b96ab84db5accb163b35
  SHA512: 6a33af61ee296812f62559770635f9b85825f83bd1daf893696d463a48c15193dd798bb339a85e2a4c6b917ecb0f8918bb2907ec47ddea5b49cf4e0ce43ca87e
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: b38228f17c06a4f0ce343c61c4e6d86f
  SHA1: bfaeb91979ff811691b2870487fa77c864639b74
  SHA256: 86e775cf0efe195c39dfaa4a24d1064bdefe0c99af9388cd989cc3325397d2e1
  SHA512: b8cff81b23910062dddf9e410996c5a772f64ee8f5d4b678174f0581f5387b7db828ecd628ad0b1eaa2e7ffdc69df766debc9ee6fedc9af218ae0f2b2267f1d2
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 5437749b579a0d56e5b4ae303decb0b3
  SHA1: 3586a7735efeaa37ea71ce82a2c2a2942483fd54
  SHA256: 54d935a4dd92004a8c78e8f92358d92723f02e3ee7af61addfb543febb84580f
  SHA512: e38e3a976072148a123dd7f1ef967cc6c6e9957b41d0aa87ebebd9a74d0fb6ce69de78e7cb22d8f14554ea84c5bccec768407456ecb2461b594657f1376db936
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: 74b7be9bb7402adf6eb56054d6d7d2ee
  SHA1: a5606394cd2eacb07bf5b6b86596d87c238ffcf2
  SHA256: bcef319d1b1c18ab8c85194ee66221e1f016df39298754ab8f1069cae4a32f6d
  SHA512: 305a62e2d165ad791ef01e1070fc0c839638b6b7caf65af190e833e8de737c1997933988075a6712a689d58d9b47b500c6d88d965b8a38507e0ce74fd3808a00
- C:\Users\Admin\AppData\Local\Temp\Admin7
  Filesize: 8B
  MD5: f85943e1f664aca285dff490056a5c4d
  SHA1: 06d22a9e0cefd72fbf36294f1799b3c7bf54d4c7
  SHA256: ecf5055cd8c1cee6216259fbe7819c17c33d985ee74b6d78b4f18d78f2d934d0
  SHA512: 75160b8bdb9fbf4c65157f121177cec7e1c29a1fb51b69d3117d00da0f3945f371587a9d1c64e2ddd8be40f63c07b13da956aa7fca1bd5c6734b7f61f5941ff5
- C:\Users\Admin\AppData\Roaming\Adminlog.dat
  Filesize: 15B
  MD5: bf3dba41023802cf6d3f8c5fd683a0c7
  SHA1: 466530987a347b68ef28faad238d7b50db8656a5
  SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
  SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
- C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
  Filesize: 341KB
  MD5: 79a62d9b25dd93ce3345c92e49e6a658
  SHA1: 89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd
  SHA256: 836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b
  SHA512: f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd
- memory/440-138-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB
- memory/440-1436-0x0000000010560000-0x00000000105C5000-memory.dmp
  Filesize: 404KB
- memory/1820-66-0x0000000003B40000-0x0000000003B41000-memory.dmp
  Filesize: 4KB
- memory/1820-8-0x0000000001050000-0x0000000001051000-memory.dmp
  Filesize: 4KB
- memory/1820-68-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB
- memory/1820-981-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB
- memory/1820-7-0x0000000000D90000-0x0000000000D91000-memory.dmp
  Filesize: 4KB
- memory/4572-4-0x0000000010410000-0x0000000010475000-memory.dmp
  Filesize: 404KB
- memory/4572-63-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB
- memory/4572-6-0x0000000010480000-0x00000000104E5000-memory.dmp
  Filesize: 404KB