cybergate | 275778d4ed6e4798c4e523c35c6bf2bcf403a872a7dfc3e748191faf8e67ea79

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
Size

746KB
MD5

d1ec6694c9806c6a41898c60dd084030
SHA1

b620252f74a58803431f0430f9942d32ed96e7ee
SHA256

275778d4ed6e4798c4e523c35c6bf2bcf403a872a7dfc3e748191faf8e67ea79
SHA512

95de98f1260712136386399e3274e8e01f647d7611b7350e69c38ec5a717a9f98f27e2f4f16c83549f85b1a28e76c9665a9ecff1f36276fd85a6ac9cfcb9a032
SSDEEP

12288:3e5Pcc8f3JNzNwEhQYNk/TUQengaFs//Vgs6+VFjPAR8zJDEu577sAc7Hr1Fhr9F:3eSOM+VkuE7HBrYYZ4

Score

10^/10

cybergate 0 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

damassi.no-ip.biz:82

Mutex

3635M888S8FD70

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Core services
install_file
services.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Album cannot be opened
message_box_title
Album Error
password
qwe19
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Core services\\services.exe"	.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Core services\\services.exe"	.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}\StubPath = "C:\\Windows\\Core services\\services.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}	.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}\StubPath = "C:\\Windows\\Core services\\services.exe Restart"	.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3M4OXWLT-L2DB-E816-0U8A-1D785YIAB428}	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2760	.exe
1044	services.exe
2720	services.exe

Loads dropped DLL 3 IoCs

pid	Process
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2760	.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Core services\\services.exe"	.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Core services\\services.exe"	.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-13-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2760-19-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2760-22-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2760-15-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2760-26-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2760-27-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2760-25-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2760-24-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2116-583-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2760-931-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2116-934-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Core services\services.exe	.exe
File opened for modification	C:\Windows\Core services\services.exe	.exe
File opened for modification	C:\Windows\Core services\services.exe	explorer.exe
File opened for modification	C:\Windows\Core services\	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
2760	.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
448	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
Token: SeBackupPrivilege	2116	explorer.exe
Token: SeRestorePrivilege	2116	explorer.exe
Token: SeBackupPrivilege	448	explorer.exe
Token: SeRestorePrivilege	448	explorer.exe
Token: SeDebugPrivilege	448	explorer.exe
Token: SeDebugPrivilege	448	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2760	.exe
448	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
448	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2868	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2868	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2868	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2868	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2760	2508	d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe	32
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21
PID 2760 wrote to memory of 1388	2760	.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d1ec6694c9806c6a41898c60dd084030_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\winamp\.exe
    C:\Users\Admin\AppData\Local\Temp\\winamp\.exe
    3⤵
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\winamp\.exe
    C:\Users\Admin\AppData\Local\Temp\\winamp\.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops desktop.ini file(s)
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:448
    - - C:\Windows\Core services\services.exe
        
        "C:\Windows\Core services\services.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2720
  - - C:\Windows\Core services\services.exe
      "C:\Windows\Core services\services.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
574033fb0a37a48e0425b3b9d0894b84

SHA1
2c8d495139921f0eb107aa79700c4f10e8b4b1d8

SHA256
5038d41694c5d88fb4b6d10db7e2d40af18242762ea5e75e5533f7d6efc35091

SHA512
56a378915cd6c33becf7b40e4f0f4e1dfb4960e3cabb5a4358bbccea52f993951d6ed35fd3c4ef86efe13685647d3a6adf44486d6b319bad73552bc7722a7e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c2e49fb9ae5f379e3827b662ace674c1

SHA1
b37837a68ca493d7183dd66017b4a054102faf67

SHA256
22cae266df148acf46127a48cb4f2b0d32663a69f2b80ff5e1cab117712f04bc

SHA512
73b953152e46eccb07c481c91b1bfb3b1ba97d1d6deffdee267ace21f3d04acf325cd67d45d31f8992411b12c2fc0b203e846be446c540af257aaace8b72b433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e563747bab7e68488534dbf1cb153bad

SHA1
51cd943b9bbf7dffcbef080ec69dc41ca97c471a

SHA256
39ee357d0492cbd5536d8cf58cd3dc8026e77d3c2877cc819931d51c0500c431

SHA512
d3627fc7afd2e402753aa35bdcf2ab47d36b258aa23f70b42fd8c5878397a12e9955be91b523ce102689b2902fa06a29392ecb39d167feee510993c9f35d58cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
54706c165e8a504683896b6e76bf1f7c

SHA1
fdf7fc10da14a386278bf55314ca9dce0ad406fd

SHA256
734d4aeb7586c28bfb435b9eadac99c56bf8bbb74c1ed96bd263779aea673390

SHA512
e1d084275225dc8ad29337eb5df0dd56819831e56083980234c594d4c2d98b33c188cf921bdfa87fd3dd20786014b5c07e0493a7419d4dc3c7e903637ade715b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8d0254d4a12a80a32d89173f2a0a73b5

SHA1
fe2e3d8c936e4604eb02cbdfc10a13b4d40a34cc

SHA256
539dce1d61c49e6b771e83b1668679f68f5f4e9675a1bbf46621b88ed6e53403

SHA512
ea8e6c9889594730f2cc61c21d36129571904b90ce1edc46331bba8b2504e4b4a913237c63411f1de5c69a7775ad320632a3b0959758aa21a9549d17222d1a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
25fc08dd89fb4d5dd0ecf08f156a6ee0

SHA1
519cf9e65300bbeb5eb3b6876acba83437dfaf00

SHA256
304263be905d2157a972bdd923b3420c88ab6429bfb5dd67343943bacd2fd345

SHA512
b944c60d20b4401745e4083b40600afb5a13aaaddce6fe9df9f7dc663eb38005fc9ef88297707405a574f718f313ca68e6b373fd70c1fc942118ee40d78b54d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cfd0f8da8bb1a523a306bcdfe4ada3f8

SHA1
24e22e62fb470f24c857f9ecc81832128c7d5cb6

SHA256
3598e5f49da47210f9a633f580aa2edd55a1247d202193894aabf006be6ad182

SHA512
bc09ababf93ffb2cd9cc3439849bf6be478db929a178215a166c7769496d1ad41d0325ae93ff7c3d9d39dd495dcdfef4f7eae1a7d505cf42bac448281ffcd181

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
05c9b6931eb5cf36e38a5404bac0363e

SHA1
6b807c81535ed615f315945ffdf8f768c993d339

SHA256
6e1119c3a5e9a489e823fd730d7cade40536a295a174a8dc17623744235dd751

SHA512
949dd0173d0086c4caf2e33a5860d077fc5665b4ba0308dce71da3a9a314d748518661d24aa38ce86eaa73ddd3e88f38f30907289fb30a8076bdcd5a650f046d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aad84387aaff36954bc6c89c80a2eaec

SHA1
a4de8bf14fa7b5ff806960d5fbd1d11a1d7777b9

SHA256
f435b44e5b73bfb04aa802aaffd92cabb002f339a31767f13614a605d5022970

SHA512
066c6291aea95993fa6339e9f6594750925bf0fdc876a18e68fa559fb04266a60fa51c8530b0b4dcedad2b0a130f4fe1701eebb86e8574fe9dc3ce748b1fe371

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bc2ad281c94d1a05ebd9cee274260c36

SHA1
1f32abb29f950489b56b9e8dd109927dd133f48b

SHA256
197a2fd4a1e9a7bcafa4cee7e664169e3d7a481490fa2bfcb5c69f4059b9faf1

SHA512
e85e99cde0f9dc79a6626f2b5f76953aeaa626ad24af9399e3b5288204beb883668b5d77ea0333a3848562ad2b3345f0d380246b0dee9683653c43e76407401f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5b433a892f62c162a89b75172b9684a7

SHA1
ececaedbf05d4ca29f61f51043a52beef1d5da47

SHA256
73f8de5f8591e27aa2c4d177d59dd39c7a53bbb43121658f99f72fb2478f51a4

SHA512
59de0554a6f13ffff64516816168779e5a4320087bb6f043d6907f48d10b42cc24e78471550df140aa7e64fe4f24367fc92e65a09be72c357f8e1fcbdb716d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ad79c09b85450da9b8f48320746f015f

SHA1
2e8d2c2aaf8ec4bbe5fa4173d939ad947d12e1f7

SHA256
607f0f2f9604ecf2659d110cd79c6aa66f95056fd1c253eb9d2bedbf172fb849

SHA512
c232a20ff0cfd339115a070e7c6571bfa9eab7af293a989ad15f3d32b9b2ce7f457a954ef8097708fcedfca2704c590542e3a93b073af1aae7cf36cc6aaf571b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4953432f0d0022e10798aa67ce127e8a

SHA1
39444ceff34c7e62f54cf7413cd2beae777206b1

SHA256
4ecf29489848d225cbb11db2ed6b953b1fb3b63ae4a7c0ddeb5011349202607a

SHA512
f725b622653099ab7418c53fcbad51729b6a50375544ba959aba6993648e91ea98864ece64d94d4701b414dd882ece8001d7de1e5e003cf486f63fb236df6daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ca084e3c0b054724c64079d8c2c7aeab

SHA1
aad2a5f41fa68dcf6df85e832a9cd0dd62f62a77

SHA256
c2544ec76b5b49f66690eb7b3aeed18f3f7af7e6c9c28b113380404a10ea2608

SHA512
85f02a94ee5005185e1c18176e6e83f406ab183682ea45f8d823d42ad1e0de9a4e8d314b94a22b5455e9cd9e20669e2be97820f45ffad877eb6945df2f8d9a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
769eb5d7d319a62b2e047201d70d76d5

SHA1
198ccafd835727725da947c98e45a34d3de66a96

SHA256
c59ccf94f6a3072efc0c939215d926857745b24f3655b6959ea73497f15fa347

SHA512
4b83fef253c695d1b6b807cda8c86db752110488f0daf7d3a71edc815bdec484aebe2d46895597df11be9817c1e9b4742b2d31afa7356bccc29b722810a2c530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c6925ab9af203bcfc6115846736b968a

SHA1
7f90f0df1842363dcd9e5c8489b17d58e2b329be

SHA256
9ff67a6f541fc88648e9ebca708dcc5380d51a30e5aef5013a37a6de9a60a2aa

SHA512
3849d597c7adf88d0f2d172f3c8d28f0b13518e53434ea6109691a4af3d3c63b6926ffe7b809f8f070d9ee30d223b9e1a8af4273f446a7fb43011259e97ba5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2b6fbb1f1145b2133267fdf72a68730f

SHA1
26cf0839c993f06864b3010840ed0a6b8eb0a4ed

SHA256
b1476825a8328beb6a9a72842285e52e051bfd211daf27d9a714952674994b9f

SHA512
9d4f60b7928d9890c14dff24e7a420e0616c576d7036f9e2a22c7225b9535a6c3c0950269000191bb5bfc88d9809fc211ffd5d6585205e5025d31b66e44c459d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a4849e8ba60fd208b580bfc7cbdb2d96

SHA1
3b26ba2e08379a3d8a13ad578e15b5d46a22b3c7

SHA256
cc4086a326faa1c716f3acb93036c7dc783cf06dfe99207295f8d3e67eeea152

SHA512
b27bb81af9e086d54b5403e7bd45038e3c89ca2aa71968f47639dd0f69d870fc5833e74e1ba89ed2babce31be3482fb846530c9ef9eb886c5c907c578b2e8e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
48e0227ca07f85edb2446030a9039621

SHA1
00df8da0c3cd5c82137b44c9b544c90c80a583fd

SHA256
c4f4225ed1020832a6fb7734cdbc84340d9475f67c6cf9c7e8024bf33dfb0b5f

SHA512
8c338148a535fbcbf65e9777d0d9671ee81641ac3005777e089b3446bf0d028b927fdf3de426207f3595036dca18d5b22d50d9217db6e97433e17a33e4db54bc

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Users\Admin\AppData\Local\Temp\winamp\.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1388-32-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2116-934-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2116-583-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2116-296-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2116-285-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2508-0-0x0000000074B21000-0x0000000074B22000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-23-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-2-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2760-931-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download