cybergate | 0e6b47a2926a489b1d1e6ca6e1b21c33a71ffba0f93fdace68e012086b290e40

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe
Size

342KB
MD5

af4dcbd5da65066c6cceb7fabf9ac820
SHA1

0f304f2409127f0ca20a7085e2444fc48e3519c9
SHA256

0e6b47a2926a489b1d1e6ca6e1b21c33a71ffba0f93fdace68e012086b290e40
SHA512

f4b2b756a03bf39bdef08e81894cef50654342e7a29a53b2e001c41fd908a8de3e70c8f16aa6c20fe9f0c8d5fa438628b9ea3e28082ce586b8b2cf2966c1867a
SSDEEP

6144:RJVEe3SzFNd0w5aD/6JzzSJ2pAfznH9kgaRc14TMaPTIc0B6yCOhXHiHuS0o:RJVL34LK2aDyhpALdkgb4TMaP50AyCOr

Score

10^/10

cybergate hawkeye sevenx discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

sevenx

sevenx.zapto.org:100

Mutex

HU5BVJF6FE687K

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
ERROR 1032: incomplete image
message_box_title
Error
password
seven
regkey_hkcu
Windows update
regkey_hklm
Adobe Updater

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PH4C876M-8UTJ-0SMN-X52J-3U8B480EM0HY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PH4C876M-8UTJ-0SMN-X52J-3U8B480EM0HY}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PH4C876M-8UTJ-0SMN-X52J-3U8B480EM0HY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PH4C876M-8UTJ-0SMN-X52J-3U8B480EM0HY}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2204 explorer.exe
Executes dropped EXE 7 IoCs

Processes:

explorer.exeexplorer.exeadiadg.exewmiapsvrd.exeexplorer.exeexplorer.exeserver.exe

pid process

2204 explorer.exe
2792 explorer.exe
2764 adiadg.exe
2640 wmiapsvrd.exe
2440 explorer.exe
2752 explorer.exe
2132 server.exe

Loads dropped DLL 9 IoCs

Processes:

af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exeexplorer.exeadiadg.exewmiapsvrd.exeexplorer.exe

pid	process
1952	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe
1952	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe
2204	explorer.exe
2204	explorer.exe
2764	adiadg.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2752	explorer.exe
2752	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

adiadg.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\adiadg.exe"	adiadg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows update = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 4 IoCs

Processes:

explorer.exeexplorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\server.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\install\	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 2204 set thread context of 2792 2204 explorer.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2204 set thread context of 2792	2204	explorer.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

adiadg.exewmiapsvrd.exeexplorer.exeexplorer.exeexplorer.exeserver.exeaf4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiapsvrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeadiadg.exewmiapsvrd.exeexplorer.exeserver.exe

pid	process
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2792	explorer.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe
2764	adiadg.exe
2640	wmiapsvrd.exe
2132	server.exe
2204	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2752 explorer.exe

pid	process
2752	explorer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exeexplorer.exeadiadg.exewmiapsvrd.exeexplorer.exeexplorer.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1952	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe
Token: SeDebugPrivilege	2204	explorer.exe
Token: SeDebugPrivilege	2764	adiadg.exe
Token: SeDebugPrivilege	2640	wmiapsvrd.exe
Token: SeBackupPrivilege	2440	explorer.exe
Token: SeRestorePrivilege	2440	explorer.exe
Token: SeBackupPrivilege	2752	explorer.exe
Token: SeRestorePrivilege	2752	explorer.exe
Token: SeDebugPrivilege	2752	explorer.exe
Token: SeDebugPrivilege	2752	explorer.exe
Token: SeDebugPrivilege	2132	server.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

2792 explorer.exe
2752 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

2752 explorer.exe

pid	process
2792	explorer.exe
2752	explorer.exe

pid	process
2752	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exeexplorer.exeadiadg.exewmiapsvrd.exeexplorer.exe

description	pid	process	target process
PID 1952 wrote to memory of 2204	1952	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe	explorer.exe
PID 1952 wrote to memory of 2204	1952	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe	explorer.exe
PID 1952 wrote to memory of 2204	1952	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe	explorer.exe
PID 1952 wrote to memory of 2204	1952	af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2792	2204	explorer.exe	explorer.exe
PID 2204 wrote to memory of 2764	2204	explorer.exe	adiadg.exe
PID 2204 wrote to memory of 2764	2204	explorer.exe	adiadg.exe
PID 2204 wrote to memory of 2764	2204	explorer.exe	adiadg.exe
PID 2204 wrote to memory of 2764	2204	explorer.exe	adiadg.exe
PID 2764 wrote to memory of 2640	2764	adiadg.exe	wmiapsvrd.exe
PID 2764 wrote to memory of 2640	2764	adiadg.exe	wmiapsvrd.exe
PID 2764 wrote to memory of 2640	2764	adiadg.exe	wmiapsvrd.exe
PID 2764 wrote to memory of 2640	2764	adiadg.exe	wmiapsvrd.exe
PID 2640 wrote to memory of 2876	2640	wmiapsvrd.exe	wmiapsvrd.exe
PID 2640 wrote to memory of 2876	2640	wmiapsvrd.exe	wmiapsvrd.exe
PID 2640 wrote to memory of 2876	2640	wmiapsvrd.exe	wmiapsvrd.exe
PID 2640 wrote to memory of 2876	2640	wmiapsvrd.exe	wmiapsvrd.exe
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE
PID 2792 wrote to memory of 1208	2792	explorer.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\af4dcbd5da65066c6cceb7fabf9ac820_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        
        explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2752
      - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\SysWOW64\install\server.exe
        
        C:\Windows\SysWOW64\install\server.exe
        7⤵
        
        PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe
      "C:\Users\Admin\AppData\Local\Temp\System\adiadg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
        6⤵
        
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
b6cc20cb75e269639fc0579cba480e22

SHA1
19187940bc839d3a50e48719dd41e32db6bda8c6

SHA256
70d97066378eec1f85b40c9bc63ab30b4557a6969f3d1f8c99c69363872e51a4

SHA512
3c5691bd6d1a266edca8159dc9031ec0168033e0a37cc827f65ba68a485eb177dd755e7a06674b98be43385ecc6fda10ae7fa0f5d7e4eb67a8d4328971498cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3ab66231414577a43077a567931bd2b8

SHA1
3de1510418e0146eaa14b4cc92280b3fff089843

SHA256
959c7ceb6e5b3c6f8c89cea7111e47d97635679ec1bae703a60635bc625ad0a5

SHA512
29f6041a01c86fbb1a3d0fd41966f788097374473861fef714a3304955bfe10978c10b4c0c07d60f39c1d3ed03a6f09f5891b05d2d1f6f6cf22b4b718d7bc2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d840e87ae6085c5089d357e5b6cfae9d

SHA1
e0bf04e60d2b9fca97755a19b4cd0aeb282b2540

SHA256
60d6e7041ddebbfc3c70a7c1ff0d5129d9739a91cfb83bd67ce5844609c8537b

SHA512
a2f3d19939331e270503d0cd07a3bacdcb00708f99e4ce6ba2d427a5cf6cd5929a7866975ae25c225b28148bfe1ef1bfe78a35efc5ab812a97ab3e741dd8562a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a6cdb69ed3892851e500b84834fac7f1

SHA1
f5765a5c0938678cfa446aaeb19f5d599987824f

SHA256
5c95bc81ae0f693ba98620396a4890214c8c3983d7a64fe392eac2f73550a1c6

SHA512
03044f4051ba22c746818560981c354625f4ea2ffc188b69df1d97818f71f604de35c6159d6611d6426834132204960c7f3f689bd7eb4e28953a380a7301dcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9df658751dd55be7356f7ed7d6316acd

SHA1
b3fbcfdebbbdfed6ef7fccfa5e6e04c49ef848a8

SHA256
8256cff828fc05a2750b31f550a0dd3deaa9b9a21852619bbaa9658d47426041

SHA512
de26722c9da28f640ca6b3a9b5eefe59c17faeb597d3279e6e8a1d7043d5e1243a2deb74518cfc4b86579708b3ff7dc00339990c8835084c94f83ada48346d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e69087f3fd7d79c98b6b292cb31531ea

SHA1
050ca22372ef10229fe38fef71c90c83301bdf31

SHA256
65a03377332c980f3d039dc8a9205725507cd41f9b9f52e57e520177aabc8274

SHA512
eb2d29e67f12f7112a15bf0b7363216abfc2acffd5024ee1df1a53e2ab7a56d30d55ac769efd71e1f0a0879401e769950270dbb237802640907c031a63a70434

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
af71dc922c2a54093d67ccc3dad24552

SHA1
76097da0838ed202252b5e223da86ebd66218fa0

SHA256
a309d6e5e54b1947c5a112ba46d02aa999f69f05aa1cc0af0a8265639b3da87e

SHA512
302055c54781befc9aa57126e699adb89263254995b048d2ec003fd5c0632d7cb6601314ddda46f80d7695317d55188f5c4d96314d8d6e92afc711433d780755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1b654e72025244ae3eeb0e5237d4ae41

SHA1
93de18c563ae46e02df1f6c3485d0593d707ead5

SHA256
89633d804004efd3b850e49a5f30ee84b3a53bf7e54bc3b456720170d87e22b9

SHA512
ce370884a0bbf512c6127f2bbf2abde78f77c5268879e33abb00246b83a8ffed09a6570d60351aa0c58e75ad794f1fe6c44dc21a9191d0eac9aa338e5b189069

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ffa238b225686954fdc47a384c1bb96d

SHA1
7e2d2343cdc6a68a3530d5115dfa01f64d432056

SHA256
c31c578b827d8aa7617010ccf9b6c96c59ea065802b62880196a85e448c8ef08

SHA512
70a26c10cdbdb729bbae954c22542c6badfbbe6db5ac941259e9ae8b4027ba162aa446f1fe1067ed96240f7698a8ab325e7a376d9ce00eb08ee1242b7c251890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
15ba3713d85de1f41ceb438953b0ff90

SHA1
6471858cc1084f09865e98e80c82a68984a5bb38

SHA256
6f9fb8795b7f476fc182054e843e3ccc0ed9047ec83aedd31e485da557a1592a

SHA512
595e7ffc19b91c1ae9fc60ea425cad56147c54f77135c25b402423fa1157225a97a391e49b38bdab02945b48b0a9d85d08a78ef2be6274f05eda63ff7bacb374

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c1b8451e5a1575e727e66d227afddfc0

SHA1
5c1470ea5eb9d2e7c1c0213e971595ff801fcb9a

SHA256
8e44406bb89eca2cfd350a4ffbf3b8c4072adc54da85da0d3a50fd36c1ed7cac

SHA512
603276eb3c7dbcebb330b748e81676a45b38164df593a166cb8e15a6165d2c4931c4f21b16bfdb704655a51989a0b486c1241e50a1ddbe492e021003a130d95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1a5861beca394c84f8806432be495fd1

SHA1
9b97a504c9548ed6f2d7d95022636144df2e2c45

SHA256
118a71a06ef50349e6ecf4a90c0f516e49de97aa4c0de52e0806c7a0879a511e

SHA512
a77ef09009e3f3f6e60a8f1ff89b5015454b2f5d9497039b5a8387196e2126e8825a9cac5a6e6b2bdce27b5be9d4460155e661dcb1d5acad065fbcdd06bcb848

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
57e3354ffe82c2afd52a5415e8d675de

SHA1
5893f264145e474ce46b33656c14c876f74eb257

SHA256
ffdc34625e2faea7dc12e322d390de69d3bb59286b7c47f464255cb0953404c8

SHA512
0d0bed6ff640f37b6209b7e42e6cf7aac18bdffd4c9196be381a98b2ce80b8e2a8d95239684724597421e4912900611af9fbec21b43cfea9d2c48a4d3dae1e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5f97162c0532e33d612bc926404f97ca

SHA1
d4c0e4ccf1d838d10639f87e25b5c9845533db78

SHA256
8e785f69c17acdcfc115ffdc627de39b42ab12ef396e341b0c2e4d1adea46770

SHA512
9b6c4e43baf0e1d1fd8b7c4a5d80ab9dd6c898e4bdc13cd92e539402e23974daf8dabe15f02a1db2b6581c2b6202161d8207084bc6a2d96e45677879eb639290

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8ef6c18858137ef1c116cec05f5c6277

SHA1
3a25a60bfb558b32b80e9ac8661bf163696c6c84

SHA256
687427675895f5b6d1a98c9c1b5a225ccfba10e4afef37eed23d606bf48425d0

SHA512
f1ff99aaa989cb53b6a67c653cfb14d87b1f9581dcb6158cbfe7b07c042c0b5f80c25dbb03f908c883f93b9f350a8bbd4472404112da60aeca30b2a72c9ef955

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b9b37a13b608390148088b282fada50

SHA1
3d20601148c9c4d321419932460ae746307f92ae

SHA256
e2e47176e53813b873a9246f7178b64c1e9bcdc5a484e02d31862d510230e8db

SHA512
f03e9eb37294f9f8a7ff4fe9d73898285cbd3e70bc19f3bed71c8447eaf5f25d6856e92cbffbaa8970693466447a4723bce977721a03a7adc514b4933b7f9f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
70b2be84d18ffbcf2c4faac9fde326fe

SHA1
ec92568cfdbe60dd89c2e6d8d162c943893b0afa

SHA256
b49dfe1d5df53b9120f5b3b2b5080ca4cd8f5f2297d754fc0c836d5e2b7e9c8f

SHA512
af367a14272b1f624c8201e7c69c36a9099cd2d38b77d918e0bd39d05ae9ceb208e0cc3995df3553303b3cfdc89ec858cfe5d8faf944e1cf7ef84a139ae3d6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
26516dd8b054c8bd3f6aa807a4852781

SHA1
357b566fe147d3903c37dbebc2270f8784f3db23

SHA256
60cc1f1de63738f418c385db15d228352f0852419652afb2a36bd7f08b518a16

SHA512
1aab24c2ee9fbf5274128ad2c138ea85519b1f4f97ec7105756f4592efeb0486dc8eab2bb02104ed53d4f4b1b0dd5be4dba861b6abe03bd786db80485ab40dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dcb57ae23a0d055e1bfec1b20ede55a6

SHA1
e5913356bb1cebdacdd83b12252825e74dd31e16

SHA256
aa2718d65f06bf3c048f44b4fc406281f800d536c876475e6c2a49012bc6c604

SHA512
574cf4697065f8d8a0d150204ed27eaccd2442916b95613672fe84ec09d665cbf7f9a9beeb55d29bf9edb026c0a9aa0e610135af57a82eaabdb2387f5f0629fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f80281c029d3073cc059f3a68e7d978f

SHA1
bde125e4fa92fad8fc1a6b8e68f000fdad505887

SHA256
ec693e2151ed2722f040fa9f6381c5f8daebbc96bed866820d527165309a1b61

SHA512
17d0855418dc3640aa65e65b19ea7a99fc8bca1679a21dd40d52edb2cea33da112a0dc993dc08433e77f9f3b4edff84c00c3aa7ffd5ac6a5f7245d6b2e19e19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fa4d4c4430a76abac48c3e0951ee53a8

SHA1
863174c6667d5464141a6483d63805cc42270d4b

SHA256
22db32f22bf8c6100081f4484cc16d61e8f3e6dad0feee1bfe0136cb88c4b08c

SHA512
39782d98b6e4c8d5ec10c37eed99efe99ae39f7a776120cd86daf124599df056218abe827eb8fc67ae09aa5ba657b6ca1dfaccb3c6d461abcf91c20ac9bd1323

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0fa2f0261fafe735fbad93f37221a9b7

SHA1
1f3a0a73d412aef81eb1bba9876f718a50aa26d7

SHA256
31a7f31b9851c8bcb721339806aab8ebeca1be738df8eabc17e189b37fc24ba2

SHA512
b28d085212a9a63749a87d00df2cc4f0f876a082f1536ec3bf1ad235d33d37baa9aef8d32b0555da5f958dd77a7eeae93c5e948ecd343f642edbe98168ab455f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
317a75e6207150815801a48432c598ea

SHA1
a98a091302830fb7fb75d789faab5ae370526405

SHA256
02396d0a19de2ae429527c24afa154f25d81a62a5f4996d14052e7df14964c8f

SHA512
337bfde9e1a48b3886e5c1f0b44b33430f8bf8639e76eadeaac9449c27b1af675ca4a53cef7cb9122774edf7d826186750309c25a6dee633110d7c0750c7d7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
54B

MD5
197138eba11836c718f96715f4805802

SHA1
abf8a6ecc08efbfa52265a9210273ff077987f68

SHA256
fe40ecb66fbd1552d113ccdf5fcaf086233600540ade8409b5a28543c25ba3e5

SHA512
3167e695318b22ec1c423c6ba5ab42745dc4bfe0757a6b6c9a76b193136292c480df86d56e01fc406bb902e008c9e0838c7995d7a4e6e09dd8f75b3892e616a6

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Users\Admin\AppData\Local\Temp\System\adiadg.exe

Filesize
19KB

MD5
7557176df708545d6e3bcfe8163b9fac

SHA1
b0611f219736022ded02c0281a40874568c64ebe

SHA256
179b309599d34b6fe68022867e145682eabe751cd0df6930b1ca79e3e48d549e

SHA512
0c405f76c0b2795956e87aff4e4ed5d6addea872cf87098ca8ed892da9cf03e27932f1b3765e191c5b87b6970159dd6dc1498ee02533a454fd3b6faf889b5857

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
342KB

MD5
af4dcbd5da65066c6cceb7fabf9ac820

SHA1
0f304f2409127f0ca20a7085e2444fc48e3519c9

SHA256
0e6b47a2926a489b1d1e6ca6e1b21c33a71ffba0f93fdace68e012086b290e40

SHA512
f4b2b756a03bf39bdef08e81894cef50654342e7a29a53b2e001c41fd908a8de3e70c8f16aa6c20fe9f0c8d5fa438628b9ea3e28082ce586b8b2cf2966c1867a

Download Submit
memory/1208-59-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1952-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmp

Filesize
4KB

Download
memory/1952-1-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-2-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-16-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-998-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-14-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-15-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-33-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-41-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-27-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-23-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-31-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-29-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-25-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-42-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-43-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-976-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download