cybergate | f3715fc56282125e665193ec95de45f2ed033a8f2d0f93f4f979116129731490

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Size

290KB
MD5

bbfd4a5dffd037c02622ded43f8d5bc7
SHA1

83f567e53358aa5ac6554c1840f9616ce714e01c
SHA256

f3715fc56282125e665193ec95de45f2ed033a8f2d0f93f4f979116129731490
SHA512

1956198f2ed1982df2eb120d31b50ba6783ec6c184f697716ae58284dd5d1276904acfb8056c61fa59b3c9523433a4b8366b4b40344017f33b363a134022098c
SSDEEP

6144:2OpslFlq1hdBCkWYxuukP1pjSKSNVkq/MVJbL:2wsl4TBd47GLRMTbL

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

botnett.no-ip.biz:99

Mutex

4KDJ430I7832TT

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
mslogn.exe
install_dir
mslogs
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
028144858a
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\mslogs\\server.exe"	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\mslogs\\server.exe"	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}\StubPath = "C:\\Windows\\system32\\mslogs\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}\StubPath = "C:\\Windows\\system32\\mslogs\\server.exe Restart"	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4564	server.exe
4108	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\mslogs\\server.exe"	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\mslogs\\server.exe"	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mslogs\server.exe	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mslogs\	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mslogs\server.exe	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mslogs\server.exe	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4980-3-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4980-63-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1788-67-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1788-68-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4036-137-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/1788-159-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4036-162-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
776	4564	WerFault.exe	87
1240	4108	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4036	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1788	explorer.exe
Token: SeRestorePrivilege	1788	explorer.exe
Token: SeBackupPrivilege	4036	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Token: SeRestorePrivilege	4036	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Token: SeDebugPrivilege	4036	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
Token: SeDebugPrivilege	4036	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56
PID 4980 wrote to memory of 3464	4980	bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
  - - C:\Windows\SysWOW64\mslogs\server.exe
      "C:\Windows\system32\mslogs\server.exe"
      4⤵
      Executes dropped EXE
      PID:4108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 548
        5⤵
        Program crash
        
        PID:1240
- - C:\Windows\SysWOW64\mslogs\server.exe
    "C:\Windows\system32\mslogs\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 580
      4⤵
      Program crash
      PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4564 -ip 4564
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4108 -ip 4108
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
131693a5c66c159bcdf969ef75d907ad

SHA1
f8a5ecda1e72e6afd3f3cc7ff2e811a6775e3341

SHA256
8cd6b2b52155b8b12430806bf3725afa3dc64092da4584ce7a60fe7c5e374f53

SHA512
245b0624495a52b32383644f0c091926abc56e15d8ad93c0f5d00379f537d602dbedef9728dcfb1e38dd479010f0d5599ad216b67b4290bdebd1a64302e19276

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
03e2371611eb5af8882717eed42335b1

SHA1
e0063007ff63788414283261e75181067490b139

SHA256
02121ced81fbe66d788df5e63647d3f210a0ddeeb4b72f1df55382f12ce75584

SHA512
56341bd83eb3809412d6525a68f1b0115975e15f28d3420e6df176a547210e2cfe87037fb07ade3ef1c26fce0510a9826e2a9b299e5c5b845393ad29626b5258

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c710507d5fb4c9a337487fae283cfc0c

SHA1
124e5bcfe203fafa51b87a6323aef7d5d6938d35

SHA256
3d0f5dcbcc27ece1c0087bbd006083e6552868d243ff03dfbafb8f2bacdecde9

SHA512
5671eaa431fa11d99d04b42bc8d46bd10cb73010de958866db692286abcb696f9a94e159c7d0b06f0239e420c429c2705e9a5b321a982413aa857d48cf389934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
53d1e2281189949ac203959f8757369d

SHA1
37840a89926cb0e5e44460fceae5ad724b8852f6

SHA256
b25b1f9d6e1b9606b28c4e5b36f70cd1c55d895231228c1b1f666c78165d8975

SHA512
cb91d9367fb296aab460d41cfaf66ec974cc662a8a42335e76ec241b5a25ab3c4afee22cfa419e2264e6d5c6c694cf9d94cdf7e4dbe693137475585395eb8b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b59f44bae99c1c9753ca4e04ce78eb52

SHA1
89969b2b163aeecf7a65348682a1a9f55105350e

SHA256
94a097a2b2343c416b5c9c50ed205ca5d6c31640d7f0edafbc3e68f19eff3a57

SHA512
6133e4a0be9351b7f428cffc22614c49ea74ab5f18ac6ab7867b4ffdd396b917a8ba3178da207cfca16df0534d2ee563a9b47116aa3a4fa7ad532d7af210a494

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
af649df6e05cd7f7a037440f7268fe48

SHA1
9dc132dd591664f2b7d158fbe92eb6948bf7ed25

SHA256
c4d3fcb396b46bdc9b649b49f6b8cd28bd7ece732563c3ce365522e56f25f553

SHA512
13d4f9ccc3093753232a11c0ffed6d0a48e0c73da998fec1cf3bb175953a737a1b97b8708b67437b80d25a71519d0fc75ac23533b3672f07ffa05da509ae612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ba7f73497f10710a4a4ad138e88eff7b

SHA1
2ee710ff17f43b50a616daeae6babd671b631baf

SHA256
de42e1c88a286a6cfe85e7a95fdeb5ec435881a9f3193bb0afffaa70a4048e9b

SHA512
50a2f27b0803ae95991a4e5b2d4ae99855934eb5050aa6012941e19ffdb5dac69d7b511e2c8af0db8518906d1fc8c9e0d2669547dd9748ce3f804256ec91ce39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2f3097dd37443a04e3ba0a892bc2f2c8

SHA1
6432b3f1af872d6837fc460ecdbaed34b51ccc47

SHA256
d1d23b125d47d4d74596e7176fac21fca943caa2619faa2004904962ff905617

SHA512
54a527767b7379e229b85b0907e9805c3c0962bda6ef908aca708ecfa3456dc7cc8f795bec587acec281c2b188aa7016be6bb57995bafa4f93dfacb6235b1bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a8c06a13047b938454b51d3cb99470d3

SHA1
e828cfb55769f8e2fd235ab05356e917194fbfdc

SHA256
c4de54f0f797897457e8afccf00c07c51c8d209861a78c9cccb60789d87db052

SHA512
f3e84185ec8015543a5795b01e549b904c11477939a801a176ab9cb6a489b2f8d8fe3bc34cb1d645e1e5d73fb2b065844b52f6595d910491c8603bb260c5c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
558463fa075309bcc3fa86ef03660590

SHA1
f31fb9303300015d1c277a8587c0569928529f45

SHA256
7a713f5115b1bd94f489863d71fe7f5cc4d9a05ee8ccb9a212222369f2ccdd30

SHA512
5d77dd02552607e831d52dfd0fbd423f038b9173fd8e16d14731c1abe098961ff8aef4c0c0bc001ddf19014e619deb6405b1ab193b97c8146f93b3859410fab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a95a102895b1751e23119e4d4b65a1be

SHA1
e522c473b358c50fa39a644c1440c8b7c0ffa265

SHA256
4e8474fc3d3afdd4791b02def8718a051f2cecd51c984f61be3161e6488fea8c

SHA512
80d57adbae01f83c6718a6c541fe26a265d4fa1d8c2a73f74acb08e0d4a2b58b89b1f026b742c1c89dfc2e6d9f53032128977337e02ad09f5c1ed88e90958fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
022f8080641cf2fa29d78e8416af2412

SHA1
d75a0606745e27e43a20bfb3f883870fa9af019f

SHA256
8ae7ae186a0eae62507a8dcbc2f82df258e91edb7f0ca323bc9310c869c2fabe

SHA512
2483c4acebb0c56828d1774108a9496812c82e314cbe3446cb3e8f31a4bc4c7a09e8ef79bb082e127ca89007a97a5213bd0328e5009e7a1e3feeb5e3d62e7d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5e129e664b2f459228b1dbe3edc8e2ce

SHA1
67c6595a651e3c58449887ddea306165a6d1f85f

SHA256
8c854cc906597a5e6f92f075c344120273c8a87ffaf2f231c0590468b6ff92ec

SHA512
d2fdff93bb422f67c335a71ba9e97e90f3a081543ba912cf1070793b584ac7262e57dcee151dab68a61c19b7cbbb97aadc3e09af9b36ed7834716d773a949832

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
32171ebaba30f259ef70e8e4154133a0

SHA1
16d42787e8582b3ad03cc2c637aae715ce32f114

SHA256
49bb187fbbfa232e98e4071144e0e6446a65883cde75681d9e0bfbf1664eb2f7

SHA512
f8f7f14a20574888eb35fada32e8906a394f23ce2b7a41d929183c8b6c352d91388bc20d06b9f8625baf0d8d16a0140e1a36e1bb3b56c1a0348ffefa6c7e877d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9a4f07808d4fb8e6c12319140b75af12

SHA1
10147145719b4f7055f2b36597b2b8e64dbf0fd6

SHA256
0f8d233289fdddf955aecd21c5284fee8ce780e842a98095f5bb9f7118ab668c

SHA512
2ea0717b39579176d12c242ea08f3ec8292e4b93fb8fa9ee08fbfe103f9aa761c2c4305e77240a956a3c94d7c36ff2ef05683fa1aefa0d9f569d6060da857c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c720434e2d2d7adbc7a5549a84665cee

SHA1
de57e41cc77b0b0e191513b0f6cd0da389742e2d

SHA256
d9090f18e39d7d76f982a18188a35be4cde8a749b3af7442ea90aee61cae9a94

SHA512
2fb8eda49ace5cd678ac750bedd83c0b7b7c79bba5cdbbd48b186640c521171f7b33177a96241e2c465c87a94021e77bff41ea1e2cf22b8744d3348bd5c5f4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1eae8e1cae4baa1ff0ed8fa6e8d6c750

SHA1
4666d9263cb6051be650f339cf79a66537b263ee

SHA256
37068d3fa6bf8264953e954964a5a64024042c96d1fa664cbd252f4f88d2eecb

SHA512
68c3d67dd61d8b18f87743dfb7c4fe2c5d654dfd6b3b46d22ac6cc74538ef9906b867776a53d0737ed1cd7aa4bd22f01316d712742169ed49b802df030fbd661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f70b49d64524e4c9529b488e97fdf3f2

SHA1
c9760d995058fbaace1c55f14a0462a623f40906

SHA256
583da37e2f63e9a3111a09cf5fea083c76d97a93a7118590284fa67e689d972a

SHA512
77b2eb2d26eaaa192c38ebef22c7b66adbe48504e563f7a1ab255b408ea4303bce396c52e813d1e839c25a085e7c96a9202ada174328d041fc363e2a2aa82910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e924ae08c326c43c598975320432d317

SHA1
97acc43c4ecf8876ffdb4627db881c051f17bc85

SHA256
471876471c79290cf863905615f0299482558074061814bbd0ffeef32fbdeeae

SHA512
77c0878a065dd7d87e6b24e816651b32752c518a6399543f3a68c960f7f1f64a9f266d31438e739bd42fbdb0c0e967de97476ec372738334603672be414f75d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a8a3b33c8f992b25327d77ecd0afef6b

SHA1
fdb307ef4de83b7413213e7a80cd1963f9012f89

SHA256
dc199dbe0b5cd0040c28cf9ce0f86f1f011c7a885e162489c67c42d3f3bc5266

SHA512
ba9de72beb4698b4387a76186cbac3194bd874cafcbb43b95688ffc83f0c8841511a9d49ec69603df067a3784ce86cde7165563b1261142a4a87aa855f6e68cc

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\mslogs\server.exe

Filesize
290KB

MD5
bbfd4a5dffd037c02622ded43f8d5bc7

SHA1
83f567e53358aa5ac6554c1840f9616ce714e01c

SHA256
f3715fc56282125e665193ec95de45f2ed033a8f2d0f93f4f979116129731490

SHA512
1956198f2ed1982df2eb120d31b50ba6783ec6c184f697716ae58284dd5d1276904acfb8056c61fa59b3c9523433a4b8366b4b40344017f33b363a134022098c

Download Submit
memory/1788-8-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/1788-66-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/1788-67-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1788-68-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1788-159-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1788-7-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/4036-162-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4036-137-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4980-63-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4980-3-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download