cybergate | ea1b64729cb531c6a8bed9ef45e4d6ed40e04715a4f385224254f9f2b7449c75

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe
Size

1.2MB
MD5

9edbd70f469f38f0fcf5a1e9b6100189
SHA1

8948e087b4e0df3b15851f8f4f459f86015ee82e
SHA256

ea1b64729cb531c6a8bed9ef45e4d6ed40e04715a4f385224254f9f2b7449c75
SHA512

15a05ba6db95722fe1434ba7b8107d194cf59af959fa7804bcc937f254fff23345d7d8cefb99e3ed2249dfdf7a9c0282d37fec15927487bd7d49d08d44ca0f3d
SSDEEP

12288:+ckvkwUjD2xDvLCPFGakc8d0g5LQfsVRG8hoGvDUF8GGGHXDlxlI/A/EUdeocznQ:tO7k2A3vHnlIsAznuGAKoOqea9/aC

Score

10^/10

cybergate cyber discovery evasion persistence privilege_escalation stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

johntravolta.No-ip.biz:100

Mutex

0EC3NJB52F276Y

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	winlogon.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CR4RB3S-230I-UCWQ-828A-O5MGD5T5SSUE}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CR4RB3S-230I-UCWQ-828A-O5MGD5T5SSUE}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CR4RB3S-230I-UCWQ-828A-O5MGD5T5SSUE}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CR4RB3S-230I-UCWQ-828A-O5MGD5T5SSUE}	explorer.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2052	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2348	winlogon.exe
1620	winlogon.exe
2768	server.exe

Loads dropped DLL 5 IoCs

pid	Process
1620	winlogon.exe
1620	winlogon.exe
2768	server.exe
2768	server.exe
2768	server.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\logon.exe\""	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	winlogon.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\install\	winlogon.exe
File created	C:\Windows\SysWOW64\install\server.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-57-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2348	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1620	winlogon.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1196	explorer.exe
Token: SeRestorePrivilege	1196	explorer.exe
Token: SeBackupPrivilege	1620	winlogon.exe
Token: SeRestorePrivilege	1620	winlogon.exe
Token: SeDebugPrivilege	1620	winlogon.exe
Token: SeDebugPrivilege	1620	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2348	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2052	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2052	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2052	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2052	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2052	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2052	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2052	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 1984 wrote to memory of 2348	1984	9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe	32
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21
PID 2348 wrote to memory of 1236	2348	winlogon.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9edbd70f469f38f0fcf5a1e9b6100189_JaffaCakes118.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\netsh.exe
    "netsh.exe" firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2052
- - C:\winlogon.exe
    C:\winlogon.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1996
  - - C:\winlogon.exe
      "C:\winlogon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1620
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
e219621110684e8c7370b96e031f1ea6

SHA1
b9a3164a972af0dd689bf934c662aa7deaa14a58

SHA256
1eb9fc2f6328c4c8a16d30e735b9b9f365a51141a23bc33c2b92244b4a451724

SHA512
b4438984530b2b5cb3a97b387e1219bf7d367d88c719fd7cee8788320cc68cb63250c20adc52395677988f8035f7c6991930080b37d790a40fa0a3f52ce1c9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
18545786d6551a43165d7ce89316a95a

SHA1
800176ad016d4277680c5d104f94d3159ae7c148

SHA256
7e7d744b07f8b5f9314dc574509e4aa5e12341daf624c3d89d6b34f8cea71949

SHA512
01dc49c87c9796e704fa3541f43f6356791df3bfcd1ff383618a21cc14178d6d45093a64630603b617fc941a464cb1b2c68429352ced3424e1140b14a6d7ef2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4af14196ecbef21ed40d7d7176d47db7

SHA1
5a13d5314a659e6e4d93705fcbd66082740e2a06

SHA256
3d7c0ef665bd8e74064cde4d9682300da22f8f00c44b5f992f2cc4bdb7982629

SHA512
dc96676b40c4374a0528b188ed2b27fb91eaf67baa10294413a3b0ddfa69f34376e1a0a1cc331612e559585f723cb5c42e111bb80abbd7488bdd29339afb5cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
05f6bf2bb2ca1f972ec72eca3af79b60

SHA1
df237b01477c9dc46c0cf6d2ac702eda871ada70

SHA256
81f41350bd9ec6207f6b3912766aafdd3ba7d117bd6aaedff4437c657fe474c0

SHA512
08881b3d35823386302321edc76253c60f5e1298155f0de87d608dc148311b7fbc541a4863de170510f7c6c222b6097218e55fd3fd4ab2c4361d883d55f81501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
21ca3f45ee32813ca1775dd040102c36

SHA1
61de6dd0434b682dc96a8c0a224f21c217794e47

SHA256
a7c0f01b7762b212e893148383750320fcc8d0ed6790eb307152d26ea360852b

SHA512
7d0318dbec9026d3ecb26d68282592cdeb8b6e5f750a51732211ee41baf54d1b7f2b739788b2a66829da1a1d9abb8b785756aaa6eeae46956b3eaae8d905bcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
26c8b689214a327067b2ade5dc8d2f68

SHA1
f7b9cb43ca9257ad7266e651f52e68ff7109d1b1

SHA256
31a982c9c497292207aed317a299b80bf2115e40de7e8ebdd044d3d64cc3fca4

SHA512
ae93e182fc3a38c3e0c78f8fd0314cbf2b8839f80a2a3e0a232a60cce17ef30d23f74d091adf73d327dfaa379b228cb18c04e6aff3b6f3edc1b96d7784f3815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0a56508e3a7da04e688be7b8e26fcfab

SHA1
780b8f84e4b2e6c7ebaf9e6ef446db39db60b388

SHA256
bca0542c99b620f3aec9ce50bb7c96e0b428349a7b14b96206e6b22436945a17

SHA512
a1138a11d04d283fe41ba941dd90357ba547f248eb0af3f4bad4a491c83df4d0dd68ffa20cdc04372f81fda9234fa00f8e292968713d70f7ecf84fc16113e492

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
937b929d83fc61cafa137dd8fd40e1d9

SHA1
b1e4c3bbb91337b1eab3b3daf829cd7b6dddf06d

SHA256
a523db4e1ca5e6f0b01e1ab3d38b25f1d5ef1ec4ad18869f701f84c6f6936ec6

SHA512
b94923c6a136dcca9cddcfbd9a202f7f52b0d42f72c9d6195eeacbf220b93da853e4ace5124dedb86d9d2f2936dbb8cd64b196bae2b971b4ff262fd8bad986c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0ebe8be35938c7ac16d9c0ada9e0994b

SHA1
762aa28ff34b6c47ce7dfb7813fcab013630dbf7

SHA256
14cf74567fdba374a955dbcd965b9eba016092c076e26da91d73b222b553c774

SHA512
7924120b2f4a92c26ef7e0c8934d1c2652b0a43e7a12597db842e56680040defd827fe1d7231312f3ccdd748529de3805f7b92c5252cc375713ef42db5dd5698

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e58bfce1c39b6c98325dcf903f91ed90

SHA1
e837c8f2eb0fb83c61888bb19e5cbdd17af06ecd

SHA256
21ade4b9fd65ada1f9de8cd043fb21c1d54dee792b160ac5dc1584012d8cde23

SHA512
053c08f2e19b43b799791d97b22d94409cb38311465958a0f5e20b7dda799f2ea4e8add566bba272d4ee0de6549b99c4c8b8240019fc67c327c6292092d64803

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a2df744ae6485e0895672ff357dac517

SHA1
c66aa8221674071b127699f885013b5518252589

SHA256
b56a65c29acdc588f116481b6697abb956ae693e640115e9dafd966ead489ff3

SHA512
227ffc8298aff7235fe81289bfc804027c804c67d9e6171ad916acbdef8a807280f95224b651cf1265cd164b341679f8210b63e6f1f3543adb0c89948e990017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
39b9cf964bd8b51c78547cb677d1ba34

SHA1
abb8c332fb74ee2c466bc37add04470e1910b3d1

SHA256
9f41eb1aebc49224bc75ceaa03f9e5caa17b10de08c23c7addf3e574cc89b707

SHA512
d5c75597ca118fbb64c2fabf6bc79e22c10bbfc018b8bed3ad3c1a20752d7e0a4ae03480e4ed00ebcb1de5dd277f7613eaaa64d2b95c8a225a0c762ed7208d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
abbdf6b3aeff33b3e3686b91133ac9d7

SHA1
0ff57728bdff99967e0f999592c1f4d011adccef

SHA256
a317b6c378307730b6ef887fd645f494461bfe8968dfc4cbaec4f498c1764f69

SHA512
ba76731353ab9b4b12a392ac97d8a14c2e5bd9d6c056523602ebe34748394bfa71f9a0b8591c8dc59eeefc69f2d9d6dbd9b0f42c6ff09a33e54185eab3009e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9fa79618e93dc19890ba505bace7ee6c

SHA1
ea974262b928438b0baf598377a9b79daa41f329

SHA256
217d1b79220c9281b265043c3e83f6e40db3b8159b4b546c29fb96d0c9fff387

SHA512
13d9ed48605536f89a1e6c3f42e0cbcba4a67af4c4fd5dd0d70a4687a87f6b3c733ed4ddbec63ee67875aa2720a291c6c372e211a1da9cb9fc0ccff40910190b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6eb8ac15b02647866fbde047fe745639

SHA1
ab519d9bc04b04371570074e88c9087bbfd03128

SHA256
13903301f171114c4904d9060669057e6943a5353ffa558dac81135b943ba619

SHA512
4747b9d4be95351cb4b8393abe8956fc23aba9a54f9d355ec892e90e09de8fe5fbb49934d7fb265425f42b88b70de984ba664a6acd76fa153815901d4cd75f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3e762c5463130cad8260e454bf4d839e

SHA1
2e306a80e76498b5dab958cbfef03a42efe05e52

SHA256
09e31489b5145b9427c77fc2ddcf112c87c97de5809168b2b8d2848b1f612019

SHA512
cd831e174667646b1f5fa4a6ab9ca17cadca1367aed5148d55992f404af5e4422b0097468a758c44e98bc62ecdee63ef22c5ad20ac7730805be549e2ff35195d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
09265dd4b5840d158348745f36fac8ed

SHA1
3b573856a7cebffea64e1523fa96e6346a114397

SHA256
9e49aaad977631c656a209618fb2f9153f251220ddc472efc71d2dc8d83b9a28

SHA512
0b240064d435f2ca07420299849349ca8d58a365e005f3257ada3e415e0b42288fe4d77d75b80a616551118dddec1a357f5215eec9e8a91cebe58ef2eeb00dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4c6562c9a575445939c724b06ac430c7

SHA1
d632fd984ad3ff9280df00986b7837d0c963deaa

SHA256
87319888b10d6aec4fe50d33b186d183a7493da776531a945ece255c3f7bf45c

SHA512
92d1732ae2c16b8d85226f2d155d01dc7259dcb867d57aa0f0e3de1db9bdd752e2ff64642a2d29d32db102861dfe4fe114703e79bc02660399fc51a34414552a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ed619fa331caa77fdecf915038db75d7

SHA1
510445d2d15d6dd567ee7b746d9fee9c68214050

SHA256
da828bdf8097c86a32ad9da5868b0d14ab0e8f4b481eedee2ade19cd3c8b78b1

SHA512
c9c771d45cbb427db9d1f0d7864daf1d6f3dac954658c4bd06bc3ce93e7d284c2b31d891576520c45d05179da574d1e42b7b0e78f39607b4a8852403ce394846

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e1a2a24ccc1683a1d8fac0f1a4524bcd

SHA1
42ff0d725748f069b30516897c9c57f0c78858a9

SHA256
7d0d5cb7f529040f1aedd657c3408bee6cc7c94d1bfd6b98f05994679d427964

SHA512
4fbe603761cbdf5ac66966ceeefed58273253ef80b1ccd6be2aa81522109f4b7fb8d1d7c98d7ee9625d550039890a2e36fdf24b8efdbb3c89946b3680436f7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
97929218139e8f9231e06df83b85b876

SHA1
ed8690fc62ae1485880a725ed5b9145a1577726d

SHA256
f76f209de337e6020535d0468efc1184225da96d63ba8c23c532bb0039988a80

SHA512
d89a0ba2eb87f0b634f83324e2a2405f5ed4e5ae8f0c9091978cb3df377877d215ceea66dc75941f534aaed57d2806eac03a45f48d3bed2f49caec3323382d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a4ddf03c19143ed85776ef96877ab15e

SHA1
b070f64e0c5b07c7127149fd4a6b70a4f199eec4

SHA256
0319955036156877461189d8430c53a740ed68f124b55a84a9410a4b52afa4f4

SHA512
b8cac940f9b4dbdb4bcda6ddbd75b95aa6bda484368b96df7821eeac5823f2e35a741c90cf9b3dcbab84181a99caf4c9accb0d7a1f2a7969f9e74c14e13e7ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\winlogon.exe

Filesize
2KB

MD5
4428c969f83fe0fb6bb2a635fe605bce

SHA1
15efa531bc399c5e92d72cf266f8e18b4ec78bb0

SHA256
458b17876c0ea9ce182b9966f97d7617600ac6cb95c363cc7f33aec420424151

SHA512
4896c3e06391a7caca83ae36fd2a093af81ad6165979ed23232fb35a4d85a7188ecbbc66e720c4cd3d86e4c5546848ce7b02e5d8e28cd02ca0c246b091e9d809

Download Submit
memory/1236-58-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1984-0-0x0000000074A02000-0x0000000074A04000-memory.dmp

Filesize
8KB

Download
memory/2348-37-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-57-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2348-11-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-979-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-53-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-23-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-35-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-39-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-42-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-50-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-26-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-29-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-31-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-43-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-51-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-47-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-13-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-25-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2348-15-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download