cybergate | 0c97cbd5fea6854445372b0c6bb3bad38c62cb39eacf26ccb05c9e91c9a1eb31

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe
Size

916KB
MD5

bf386eaf13614a52a48785127a706e30
SHA1

f0f53a184544ab5d6457b8f22055c5b37aa82a69
SHA256

0c97cbd5fea6854445372b0c6bb3bad38c62cb39eacf26ccb05c9e91c9a1eb31
SHA512

22d169bc2a27294d643f9880be94bd622eb0a8a8b8e7a628a5ed130989d77be274f9373165b7fb8bff5ad062bb32eb3371470c9d5ad6885fd44f94bc41e69875
SSDEEP

12288:4DdyI+7L1Ci/ogrKfKRG7bBXEEafi4xSeuvo60E3/Y+zFgQoLd9RC2uRCbA0QNCE:ZEUegx7U7Jhn

Score

10^/10

cybergate cyber discovery evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

vawireless.No-ip.biz:100

Mutex

360G35X0T54I8R

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
60
ftp_password
pascal
ftp_port
21
ftp_server
parnjaca.110mb.com
ftp_username
parnjaca
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	moof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	moof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	moof32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	moof32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI}	moof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N8XQBNGL-D00W-W0E5-57AQ-VM2MRLI058WI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	moof32.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
1912	moof32.exe
2420	moof32.exe
2680	Svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe
2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe
2420	moof32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	moof32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\1XEUBHaiXDyyxCng = "C:\\Users\\Admin\\AppData\\Roaming\\system32.exe"	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	moof32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	moof32.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	moof32.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	moof32.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	moof32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-585-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2504-939-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2516	REG.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1912	moof32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	moof32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2504	explorer.exe
Token: SeRestorePrivilege	2504	explorer.exe
Token: SeBackupPrivilege	2420	moof32.exe
Token: SeRestorePrivilege	2420	moof32.exe
Token: SeDebugPrivilege	2420	moof32.exe
Token: SeDebugPrivilege	2420	moof32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1912	moof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2516	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	31
PID 2464 wrote to memory of 2516	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	31
PID 2464 wrote to memory of 2516	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	31
PID 2464 wrote to memory of 2516	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	31
PID 2464 wrote to memory of 2980	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2980	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2980	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2980	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2488	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	34
PID 2464 wrote to memory of 2488	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	34
PID 2464 wrote to memory of 2488	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	34
PID 2464 wrote to memory of 2488	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	34
PID 2464 wrote to memory of 2300	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	35
PID 2464 wrote to memory of 2300	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	35
PID 2464 wrote to memory of 2300	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	35
PID 2464 wrote to memory of 2300	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	35
PID 2464 wrote to memory of 828	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	39
PID 2464 wrote to memory of 828	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	39
PID 2464 wrote to memory of 828	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	39
PID 2464 wrote to memory of 828	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	39
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 2464 wrote to memory of 1912	2464	bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe	40
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21
PID 1912 wrote to memory of 1208	1912	moof32.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bf386eaf13614a52a48785127a706e30_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2516
- - C:\Windows\SysWOW64\REG.exe
    REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\REG.exe
    REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Windows\SysWOW64\REG.exe
    REG add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\temp\moof32.exe
    C:\Windows\temp\moof32.exe
    3⤵
    PID:828
- - C:\Windows\temp\moof32.exe
    C:\Windows\temp\moof32.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2016
  - - C:\Windows\temp\moof32.exe
      "C:\Windows\temp\moof32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2420
    - - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\system32\WinDir\Svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
4818824b297b801e767c88038ebef589

SHA1
52cad64b90f7c0fcaab6d0d61a13122c435d3058

SHA256
6ed133a0eab3ee482d9a861d6651eea7c24ded10f1c98c7a9ad81632d7081dc3

SHA512
9a18d89d630793f858602d8cc111984eb1e0b6305c6de27da4d2450aa0573cb98a6f06507071d238338590b7b592d80a95baa837b7c5ac4ec62757f895344775

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
711086eb81c43b7f6d027d6ab488c860

SHA1
43ae9fb54fca9af800189b8f58e5aee110899ff9

SHA256
6614928db7778c4b9b8bc7bf2d2213e7d50fec4df7fa253e40ea3854a471a951

SHA512
26a173de059ca3e212d60d6f13e73a0500af9fbc29d88abaaf8f02d78e8b8396cb84b551fe186e7b8aba9d0724f30baeab79bd824fbf16ec1b9979a6876c170d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e03fb636c32b6addff8e231534d0eb3b

SHA1
c5f8ecac21a7e103164a11d0a4b022da58d87da2

SHA256
e90b9ae25db9c1d3ce5589a4c40b03d7ba3bf29fb96e7997b3def1e54c9d9a12

SHA512
996acae9a492060437cd3a6a71ebc5d3d86bf2594c636a1ee2ec3a15a64028f3a78e7994306575975c371cfdf4a120e8281d905e295e99a7b1a63cfac61b07d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fb054f669995dbb0d62e9c5efd970a2c

SHA1
959b87b6b0b799e38ebdd00f2eeba9f12f5b0148

SHA256
a1673d666b34aaec287e54c4f96107b9511be9c7166a815eba86d79c5808c951

SHA512
2a85472f3d250a99f83be3cf6439524262ed7f78895992d7b281de76a63b758e5da2941ba7eead87b367182297e9cafd6cf7e9d11e4640d61be97775e046a7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b93b0b9e9980d44791759a5186d3fe77

SHA1
68dd1682129c9283d38c8039f9071a8bf9f24d69

SHA256
baa22d91b63bdf56241fe2bda827570675fc2b2c9a09da60a9e9ca8aed4c6b0d

SHA512
ddce7a503d890f542004c7aed68f618c74f639c9e941d6d144d6a51385799c55211b61d110836325244150c419ea6d4ae82abb9debdf77f4b3ace6fe5287eed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0d0815f16ef86f57e1748499567b27b2

SHA1
b1de1e65f9e68ea733553086daf3bbcd3d750403

SHA256
969ebd13dd11633d9b9c0ebe0914f43ebe3732623ad17ff6e997e6561f20776a

SHA512
aaebb2d47f779f4dd5a3d2630f4a69c53ff8af8c2fd2bc73ab951cb49d06b499430047437f933a79ace34d524389085222b8e859c2078f9740c132eae7bded23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3fd0ffeb2aee0e53828b85530b5dba66

SHA1
b488cb17d815fa6b8a2cb17137c5384adccb1697

SHA256
a7ab071a5e93067fe89ca4c200292c6a739c50356a65fe05f3c2cc79ed873527

SHA512
45aecad86bf8617b6903eac4a040c3be1b56e1d2e486dcebc98d7111c519368873697de15b2a70cde302ce66b409bd95419b58cd3eab2a1f5d6357b3ed728604

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cce9efbe5561c559c745f207d773b58a

SHA1
363dd8c1e15cce592b8950f1ebe9acf99fd34f43

SHA256
3555759bd716c9d7cabb0d910c76a0f1653f0d767201e8b4e71e5ad82d1fe43b

SHA512
39e515ad01cc0db3d61d874aadaef0ac41afff6285dbfa60370902cd2e145d1ad1ace80fc0b4587d0c0375f91cee3678b347160cca590be749e61f47161fbb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fa0a0ac7b2c76c01987127e72c75180b

SHA1
45074a12878137ec3bd60928e53094f5991e8506

SHA256
202eb4ba5eb610da618f0e5f4220740e95b0159202349ef829c80b91c8df97ff

SHA512
c23c084d410b3e6deca59dd8a05d51603dbf1f77b5f37efdc2a909ca68b4432621c5689a51eb14a892178123c2f49f264e348992c15bc86d7d11d2b72823be80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5aaeb444693fafe17ca335fabb55d4fc

SHA1
1128a2fe1a0ca59d8977803fc0afc6af37964eb4

SHA256
80eb02fc90a634fa42b536650362a8db59241a8dd1b1a418dfbd241e816c1778

SHA512
633e2cf3d15e049e2241fb7bfb65f5a558540414d963e2657633293aea401cf28c2c7fe31649d9bd09869e059c9f1cabd4da9100e154eb30bd20466286ccb56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a2c0a64f15dfda45862dab0f572deb21

SHA1
03ee0e02dc731349fb1bc77458604e94bf710b0e

SHA256
f93097262ab86f926855f2f318ad2325aaa87e208c37554cca36b7dd28afc193

SHA512
45d60453a1e5262e0e8caa4f402b3dfa01a10a9b0dbb4479c032cde8a398d8c6f5cce69a12851b42bc34c2a1d8f06db12144f5084e2b3f4a969231011ebb33f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f81c82178ece7811bdafe9fbe3b91bf6

SHA1
2c91228133d92bcaf000e55e23e442bc70c57732

SHA256
2bab7e3463083d3cb342a8e894e346838d301932bf8156e467271c3d27580a48

SHA512
4816319a04e8abc9e40479a83aed2c56c05696937027b59e5624cd3573ff1b5cc045778b31122d8ebcce025f1f0712cf3f3f2a8e4e15627ed124b3a30c07435d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
73451183e39eb697e3f9897648bdd577

SHA1
d2e8cee97d42fe5aa620660667126475340c59c6

SHA256
010e0a2b266dfa56cddda27df9ed2ccca964a29305cd9f3779a3f045dbc6359b

SHA512
83b741cf640a1631b3808aab10108bc68950e58c0023ffb9f88e7feb296663d6d43bf64666e2aadc1170b2407aeef706918deba4d246a275356bc4dfd34a2e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3ab67e2df9a24e0b526b387b95fbdd8c

SHA1
5699c62ba249ef0df2eca2499f6a3a9623a1904d

SHA256
0e9ff5ff0d7a062dbd22100895da773a7ba989e6cf6acac238ccf77a077e5992

SHA512
be7dacd1c08138927ff10ed16980249c387905243bbc8cb5ff4319501b94a62da398395af55f86b442ec15fb5ee6b21eb76be23615208f2de5f26ea3dc173cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
59dd89ed571bcdd3ede95a81770025b2

SHA1
b710a7f078fa443f8d3db959dbf1b97ad187f961

SHA256
171451c66205ee026f6a36aebceee81dedcb365f288b8fb5eaf10e80fbb42051

SHA512
fedb8483876569f946b548b296d5788f8e774dd28faae7e5d659ab43e821ed432a1dd10e5d25f2160038f6bcda4770666e8e653d848e9eb5739e5c21157f22db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8be03437155f2253f391dcdbf31be5e4

SHA1
19d7b7f92c2a9517df1126526b5865cc152027ce

SHA256
5bcca639f3916099bc8a53e8315d452e693e4a2686aa762bd47055b2eafbdb40

SHA512
0c766e5f7ed35049c2fbe61c55432581248b6b5d219b91977d1800f71267fd9c927e57785239b5ae83384c8187861ef490b8995b92a5678e3aba4701712a5633

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1ccdbcaa197e66d7879fbe0a8012fb86

SHA1
4541a5ead36172fe6d01137b39d22dba1b78ce79

SHA256
f0f5636b22f2f691eec201cfabd9755a606f180026251b994dc67c1ad2d03885

SHA512
e3d030f0e1454226b8da0004197fb31518e6f68c52de257ab24850bf3c4c5e32b7d9fd197e1af4d7cc0cac032eeda4f8ff27dc897b5069ee41ac39805e94ccfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
03573b1627730da35899cd56e17e9446

SHA1
42a822a1fa928eb083743fefbcc5266cae522254

SHA256
852e6e68e888488ffeac8dc88773c3bd7cd69c7d13ad9be4e2d4dc7d52f4718c

SHA512
51d8238293c633e67745bea3a6894098e914862ff7af29c9fd6c9b49b9efbf91b115fb38209ea93322c3248efaa25c4d70bc49da9c3d0146c67416709c9b0ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
deace1fca21ec08dd804031f0685a5b2

SHA1
abbed419c663edc8001d2d072a34a6f1a559f090

SHA256
59d604a0e3fa734b22c46f2cd7c6bec195a5f99f4a8b4a9fd6fbd46633e94cf7

SHA512
76f01bd0747aae3b73b14db6bd0b9933b007dd3ab167c3cffb92a1008a73de5f64ab22504ea2c453e878e5494456a41dcbaab123caf50ce81d5931a6ae13de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
efe306cdd286df56083d187b11a7cd82

SHA1
293e47cffc983cac1d89b4b52044f9d362bff6e0

SHA256
4746b6d1db20d61ca73eb343a195642aa22ab5b40ccc27637bae50474c141b61

SHA512
fb150026dc382b70300fa9ffd72ce30015bf764af85f57af25f6ef35df278662f2c728d2ea8c66e8a1c3ea2e0b7367314c0f6acd96547e3130a04d9ab0432434

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e2e819d29f28996b18f7d0f63cbaf90a

SHA1
2b0e39ea71db29b4cc36364d40e50b8c92d11bf9

SHA256
a71f0863ef77f53d69a386e88e028c0c45ac9e03bfa0329062bdee694537ab8f

SHA512
70e93f59aa8b5829ecc66a3ba7dcd70084f8963f7f4ee93c01cb6a3c00ee2524d22399ca017adcaf4ef001b765c28687558c4229999a728e39a47dfc77d6e3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0603c54eb75c5826738fc9bd81488899

SHA1
236cdf7accc37f22c1165c796791fc1eb9d8f51c

SHA256
b1657193688dffc25eaa45e8613259aea50ec124a87de8986a59fce578091319

SHA512
8d6c42337abaff938be0c01a946aaf0cd8ba33c9cbbabb8f8a6daa221fe7dea6762aeceb0da9e16af763d963d8b22063b8af9863786a00af7ba5d666c3c32083

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Windows\Temp\moof32.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1208-34-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1912-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-21-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-917-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-12-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-26-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-29-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-16-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-18-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1912-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1912-20-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2464-28-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/2464-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-939-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2504-277-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2504-281-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2504-585-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download