cybergate | c7a745f750e518e43b0ead5aa0f40b2c607e91152d3444d1b6e19301541c5184

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Size

281KB
MD5

a163d89dcd439f1334cdf76755e6a863
SHA1

3f2deefdc50663699db8083014235a25d499674c
SHA256

c7a745f750e518e43b0ead5aa0f40b2c607e91152d3444d1b6e19301541c5184
SHA512

84b12442fb8a8f1687ea6eb6b414187c6fcded5b73e5068110a02a67ec0e6195a546e34d694aec744e46fcd36dac7d594dd065463ea902cd3849e6331eb46d27
SSDEEP

6144:gScrL/4mp8D6WGc/YSlIipBReubLzeh7Yy0DMIdTXijX:xcIy78QSVnNyhsFMCTSjX

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

merabti01.no-ip.info:288

Mutex

X7777T320210SE

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
svchost.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2316S8A6-46LM-CQCO-M726-0F6E1F718E7M}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	server.exe

Executes dropped EXE 4 IoCs

pid	Process
408	server.exe
1468	server.exe
2764	server.exe
3012	server.exe

Loads dropped DLL 10 IoCs

pid	Process
2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
408	server.exe
408	server.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1620-529-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/2116-856-0x0000000010590000-0x0000000010602000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1040	1620	WerFault.exe	30
2920	2116	WerFault.exe	33
1708	2440	WerFault.exe	36
2996	1468	WerFault.exe	39
1544	1920	WerFault.exe	42
2348	3012	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
408	server.exe
2764	server.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
408	server.exe
2764	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21
PID 2084 wrote to memory of 1160	2084	a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 264
      4⤵
      Program crash
      PID:1040
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a163d89dcd439f1334cdf76755e6a863_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 216
      4⤵
      Program crash
      PID:2920
- - C:\Windows\SysWOW64\install\server.exe
    "C:\Windows\system32\install\server.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:408
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 256
        5⤵
        Program crash
        
        PID:1708
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\SysWOW64\install\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 216
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2996
  - - C:\Users\Admin\AppData\Roaming\install\server.exe
      "C:\Users\Admin\AppData\Roaming\install\server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2764
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 256
        6⤵
        Program crash
        
        PID:1544
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2592
    - - C:\Users\Admin\AppData\Roaming\install\server.exe
        
        "C:\Users\Admin\AppData\Roaming\install\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 216
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
236KB

MD5
92418452a130319a6c4b1e03787ff166

SHA1
f8fe7fb39d2a01d94314e5f0e276e3be324ea00d

SHA256
3183d888eaacdef6f2dffa1e19f26a03f7a62aa9e0c3edd495faebd6342b678a

SHA512
81534c8b3a137a4eee6f1d75bc53f64928bf1f6b2d0297a6f58605b0ecae7b2da52a7d5bd2deb8690c8fb155f4388f3c375231926afbe6ea713eaebe7331a341

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
236KB

MD5
99ddfad9ab7293569f7351c51eb26e4e

SHA1
9d3f298830b0d72a791b5f178f5f212203034272

SHA256
0cdda49558f58a1285647227c6451c3636dfc3e36fefbd859d3af983e0f3392f

SHA512
13359ff486676a1a4be46d26083cc4d35bbec3cdfa7990d12ea9b4a7963857a3a427159cfc1dd2e85d32acc9a58a4a3aa1ec0aabd89b7e25f35b32f5d5a6e0d9

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
281KB

MD5
a163d89dcd439f1334cdf76755e6a863

SHA1
3f2deefdc50663699db8083014235a25d499674c

SHA256
c7a745f750e518e43b0ead5aa0f40b2c607e91152d3444d1b6e19301541c5184

SHA512
84b12442fb8a8f1687ea6eb6b414187c6fcded5b73e5068110a02a67ec0e6195a546e34d694aec744e46fcd36dac7d594dd065463ea902cd3849e6331eb46d27

Download Submit
memory/1160-3-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1620-247-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1620-249-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1620-529-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/2116-856-0x0000000010590000-0x0000000010602000-memory.dmp

Filesize
456KB

Download