cybergate | 7619196e32e5989ff01cbf9b7afcba37f7af56057842d8ede9a8a5f3baa744e4

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe
Size

415KB
MD5

b05b41601b7a352e7e05225a7c42ec7d
SHA1

c3d228c8685cc89f0397765d0b360849a7d85c69
SHA256

7619196e32e5989ff01cbf9b7afcba37f7af56057842d8ede9a8a5f3baa744e4
SHA512

f7ba8caa5996dcf0b8861a3c8b5dc9f49d125f651bd8489f9699668a5924142b05fa2fc3e4d080bf4005099593eca95b74cb55d3568a23acfd85672db311580f
SSDEEP

6144:k6+UeEQ63daVhwbuu6uztXzA0ikgsPiPwUlmN+maAeJK849S4980cfefUv9:x+UeEvDaHeD2WuW+maWD9S4980PfUl

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

wastedyears.zapto.org:100

wastedyears.zapto.org:81

wastedyears.zapto.org:82

wastedyears.zapto.org:999

wastedyears.zapto.org:900

wastedyears.zapto.org:888

wastedyears.zapto.org:12345

Mutex

1S0P746HSU4G1V

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
try again
message_box_title
error
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y8PB4082-X77S-1X2C-0Y52-7LI3671QBW4I}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y8PB4082-X77S-1X2C-0Y52-7LI3671QBW4I}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y8PB4082-X77S-1X2C-0Y52-7LI3671QBW4I}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y8PB4082-X77S-1X2C-0Y52-7LI3671QBW4I}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	vbc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe

Executes dropped EXE 3 IoCs

pid	Process
2992	crypted.exe
5640	dc socket ver2.exe
1892	server.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\	vbc.exe
File created	C:\Windows\SysWOW64\install\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 2452	2992	crypted.exe	88

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4980-0-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/4980-25-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral1/memory/2452-39-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2452-43-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc socket ver2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2452	vbc.exe
2452	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4776	explorer.exe
Token: SeRestorePrivilege	4776	explorer.exe
Token: SeBackupPrivilege	1236	vbc.exe
Token: SeRestorePrivilege	1236	vbc.exe
Token: SeDebugPrivilege	1236	vbc.exe
Token: SeDebugPrivilege	1236	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2452	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2992	4980	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe	86
PID 4980 wrote to memory of 2992	4980	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe	86
PID 4980 wrote to memory of 2992	4980	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe	86
PID 4980 wrote to memory of 5640	4980	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe	87
PID 4980 wrote to memory of 5640	4980	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe	87
PID 4980 wrote to memory of 5640	4980	JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe	87
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2992 wrote to memory of 2452	2992	crypted.exe	88
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56
PID 2452 wrote to memory of 3568	2452	vbc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b05b41601b7a352e7e05225a7c42ec7d.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4444
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
      - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
- - C:\Users\Admin\AppData\Local\Temp\dc socket ver2.exe
    "C:\Users\Admin\AppData\Local\Temp\dc socket ver2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5640

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
d87f2610a7b45e0b680525f7ca6b727d

SHA1
4e832e8e71f1c7a80e95e802eb73a19ef4be948b

SHA256
5f18f56838d23db8fad5dc0b536690db3d4e9caa5bc76dd73a8205f202c9828b

SHA512
fcb9f917dff60caabe1fbf7526fddb60c603fffcf72da5d0d4a329a26d983649a55c9788d0ee70ddba05275d204ba1b0fb0efdad1692d07b9a1a6055c2132811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8e594249cc18b7f08ce6547ce575eb4c

SHA1
7de5cc8d2aec7557b1d913a03818acdb43a9d8b5

SHA256
30ccae9f84efd19122067b4bfb7ccacfa6bd2d3c5bb6c7ca7a12b5700d2b48f6

SHA512
c8e736b12cdd1aa4b2bac5930c60e7060007c2ee3b27808ea18c34fec9ffe1994820237ec7d5295da0658cb38212f4d4d92419d5203983120d718e95d2e91bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e02b02bbb8039fa530a3d97fbc3bcbc6

SHA1
adb09e22a5b56f8ed498559eb15281f1f3e1d153

SHA256
09a7fb07136f936969cfa22f9ec6519f8332b3f3ee4b2cf41e9281379c85bec0

SHA512
85267fc50fc47b5b145f75fd43b144a93d2b28415cfd262c7b544c20e98759309e073cc057cb414c4b40adb20557020c9bd907f596ef567c32dd08cd80acbd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58ced628341118450c8ce661a9e6070f

SHA1
29eb875a720eeba5b15a64ea8d8f0ae29f218b0a

SHA256
03cbb8a095a843a9fdd1355d8bb5296e981cde3441748e411d786fde1a23e488

SHA512
157d9539b3d9a26a6d7a6a58827acd973a4a138b330e35870487d8b1cd3efa47fdd23e43bdb344101ac663b6de5a75b97bc745aa2f86983df508f83cf56d0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9956f555258dce85b7640589b893ab89

SHA1
13e6235b9cc6e1c6beeb3007afa5b3d18e3eb212

SHA256
478b784ddd16bb08ee34f2b29852261e95a86a60d5cf90dd965cb71603d05278

SHA512
2bf9d3bd6415e3a53e4a68dfa2be723e571fabcb0b25746d7d2d3888ef72fb2f0ddd68cae1371fc2f6755b8ca48950131d9ef79bea304abf468408d8806cf189

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dcf73462b4f0ff77d40271c73180962a

SHA1
8f0836acc0c6c0a45991616a13164b6c20c513e8

SHA256
f640e50c682bce0d42b8e294255ff896a03e8e72478f71e433041f6921f7abeb

SHA512
70f114cb57ff70e4b300b9b741d95582e9ababe471b74539aeadbf041a7a74fb9def63d8f04febed0ca01e0d7170c2e2b4a8c6697f8157c8ba728a28f222c15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b9d97a2a10b802881eadef3c5a9efdcb

SHA1
c0fb8e8ec056978da44ab93c907903c7038f61ef

SHA256
aa741f1c09394359bb2439662e38a65332fc24c946e8bd5bab5fa649d68dcf30

SHA512
aae4fa6dfd1ee257dab4cb68498ff4a4fd7c2e2c794c8c6668864bcf5e2806eec3a7577642018b920109a8a8f7947c712613115edfbce574da36caa18ac7cb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4c3ffc7fc10a68a01f82a8fe1f5ca52

SHA1
dbf40a3f725ae7478ed6b3e6fb93050ef627b93f

SHA256
eb70ffd2ebf6b2acf36cd1ea3d30c7bd80568ffe9dc160013bec216ee3f51b78

SHA512
ec5fb058ab6b1fb2b3a0ffc7effb2ffd83b6c53a7c35474ea7992d28912868f7a983b3cfe2422c841f295b4e7f6b59dcce823aebf46f8b81cb017c013fbf3650

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
43e9d87e90799b90a35469b23f9b04e9

SHA1
c86636b437fbdd8e0f7e74d3a639532f2a10719a

SHA256
f0956dcf362190dee92b8f655849e746d2d148bac51a1025d0aaee1d66e38257

SHA512
216fc9b8dd68bc19effabdd414893eeadb1e6ee3bea8b99d8eef735f7f088f3157b594c34bd7e8b78e8b30e64b57ef460434e9d85e49813c0e9ddc300230aa5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a289e0a8308875c83cac0ad1aa253f16

SHA1
8ec6d6b7e4620cabd3e0da81aef61b9eb4f405d9

SHA256
613388f05919bc55a64499f800642c37fbddd5c424f91f7045fd5b0fc28f0111

SHA512
104f5cc7960b9543812640be367a408bb4f9302567581bb6a2eddacf2b00f22ca9c45e911985cf8f1124ce1ca8ea32942c47139fca471f47f0c85f4ddf0149ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1de80c494a1cc1a85dbf6c16f2731d98

SHA1
fefc21dc1a46e73a5cf9f930e7095dff6eded285

SHA256
f952c2b92a4e70e01512c99404ba90639c562dee65a8430ca60e0a82db3bcb53

SHA512
d5a659a8f2185964b0892293374a50a7a3585174c90286fb0000e0b4f60b58354cd22aeda315c5b4ade1142ff1a2b30065f621a880815abcd75af109ca9888f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
02056a04136b6b6f101df783dcf7b829

SHA1
bdc0d836eba3e7e911f6b1c1bf7c864e64b54d6c

SHA256
cde1df9ed556c1175bc8db3038bedb97ec277009b670e060bb57bac0ee5f65c9

SHA512
c23a1d88a8bdef499c43a5b98596a562d7f4f5f808fa965dda3f8fb77052f2f8c6d27fa29469bf8b3d18a63abc305292fbeb82c5555735afd1cec1c85fa25f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
99b22b5d702b9ffd63f8be35407de708

SHA1
0466d10184b990c9c7f1f66855231b5fcd54bf55

SHA256
5bd98a68d5e73722cd9391acc23790cde9c85eb9b869d8ff10dbbafe8ac76306

SHA512
76f7765cb70641a991ba9aef1b5e4167bc67c2e139232b093f02028dfbd095231bab669ec34a37b7a5e7366495cc536befe94d049daaa8ed79cec35119d44ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
56e8f9fd044c46ae74a2dab2c75c872d

SHA1
c1222024f800fc191ce3e4f78ab73228980f72cf

SHA256
789971f36980265f2a12fbf235f5b3e5f6c416127719294e4662f05df16a36bb

SHA512
87ecbf95e4891f6a45d3b0c4549584360905214b0bbc9e0a6eed6c7da8609b4e9f9623aa82ed813bf7e8e180621f82e0f25cc00749a3aa40cd4b1b39a481d91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1a39047075a83afac23bc79fd0f4405a

SHA1
c7fc94d37e1ef3235f7e99b423ef98232b16c711

SHA256
8893723788237efcab7f5be616e937262c39aa135cb56ed038782145a972ce6d

SHA512
ac0aee1e3b5328e303adb44b7544f3318ce1f5905cd3aaca15193438c5a459ba98e3ac7b6cf83cd824e6e641d3b41048987fd6f56667430ff8e7e8d99df84236

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
35944a27e1b831a6558aad9d7f99a937

SHA1
6132a7fdf9b53f3b90b93a797a8241cbd8722d7c

SHA256
754ae6521e311350b9a3f646dd59203310802abc1bfc70418ebd7205f30d2062

SHA512
7204dbfc4e9b81cdad4582dc71dddf04248610bda58efbbe85ce1cc2ffdbb91d7c2261c48ff7f0f37a039550b860545edfa520bcd901ebd4f31c471e388a73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6d164530671bc565abbd474ac99e32c0

SHA1
a13bcd670c0a42838dddefc3288c75d06d7bf3d4

SHA256
492b6c7c9587243f8abb566fb35a0d8d13d34e22d67f0bcc2166e4d2ba029265

SHA512
34990a8faabf553e91eb39d0b83cd9aad7d9fb45bb8fef65e09af9a61373fd985fe0dfb65583f0f0a0d3ae519389ee32304e61da7bbab1854469a96e7d9d98ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
409KB

MD5
a449a5e96e1765eee6a514c026331c01

SHA1
8672123cdbd8353b4b3443973d94ca5ba17c36cd

SHA256
810cc1a08463bdd2340b0e3f7b0f0dafe336475b3405888fb846681d100fa21b

SHA512
87442e2f53f67bd298cf13ff14d020bdf9e88d983737ece04e979cd8874a4fa79ec61c7b7079d9067113089ab7542988ea977fa84e78b6dd7c1acef23304387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc socket ver2.exe

Filesize
87KB

MD5
cfcbb579bd3b1cafc9297d87fdb470e2

SHA1
89b944b924e3a8ff126339735d53f20cbccc5b98

SHA256
22f29f9f74332839b5b934ae094f2d11e29984d719c3e9faa4692ff7779a4cd9

SHA512
d773785cbd5928152c1e7106a84520fdb5e70ab541726a6010d53fb0d4f1b848a57fb116f56fc949d741fa81d7b27cefcec10055f646d16103685b7b807fe856

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/2452-30-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2452-39-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2452-29-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2452-174-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2452-32-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2452-43-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2452-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2992-28-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/2992-31-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/2992-26-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/2992-35-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/4776-45-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4776-44-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4980-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4980-25-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5640-34-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/5640-198-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/5640-197-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/5640-196-0x0000000073D72000-0x0000000073D73000-memory.dmp

Filesize
4KB

Download
memory/5640-27-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/5640-23-0x0000000073D72000-0x0000000073D73000-memory.dmp

Filesize
4KB

Download