cybergate | 61fdd1038772d9bdb5d24ac458f25d1f503761bef935245569f780c6e784c08c

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe
Size

664KB
MD5

192b7e38dacf1d14c887b109a6d5d262
SHA1

1f1fa04d42264b763b6beca075cec24f603fa961
SHA256

61fdd1038772d9bdb5d24ac458f25d1f503761bef935245569f780c6e784c08c
SHA512

785ed00931808f273a7ab010219f533245620054925b6799bffae186ad21be1e24368a9177b9e5f371ba9b475cf58e219c35e151098f1299771cbe0930116338
SSDEEP

12288:nkabMod1JJ9/AHC5cM2Hu4cz2KMBB+vhDzsfdkx3JoLC4RRqEwAskg16quner:nVj5LV5cM2Hu07dn0E6zr

Score

10^/10

cybergate darkeic persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

DarkeiC

wolfieboy.sytes.net:100

Mutex

8S880G00F8POY1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Windows Update.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
admin123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Windows Update.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Windows Update.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

vbc.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1JJK20P6-6227-I5NO-O0HW-JBB0EEEH7N4S}\StubPath = "C:\\Windows\\Microsoft\\Windows Update.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1JJK20P6-6227-I5NO-O0HW-JBB0EEEH7N4S}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1JJK20P6-6227-I5NO-O0HW-JBB0EEEH7N4S}\StubPath = "C:\\Windows\\Microsoft\\Windows Update.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1JJK20P6-6227-I5NO-O0HW-JBB0EEEH7N4S}	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

1100 Windows Update.exe
Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

1508 vbc.exe

pid	process
1100	Windows Update.exe

pid	process
1508	vbc.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2360-6-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2360-9-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2360-14-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2360-15-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2360-5-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2360-17-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2360-16-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2360-21-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2568-549-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2360-881-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2568-1878-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\svchost.exe"	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Microsoft\\Windows Update.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Microsoft\\Windows Update.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe

description pid process target process

PID 3008 set thread context of 2360 3008 192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe vbc.exe

description	pid	process	target process
PID 3008 set thread context of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe

Drops file in Windows directory 4 IoCs

Processes:

vbc.exevbc.exe

description	ioc	process
File created	C:\Windows\Microsoft\Windows Update.exe	vbc.exe
File opened for modification	C:\Windows\Microsoft\Windows Update.exe	vbc.exe
File opened for modification	C:\Windows\Microsoft\Windows Update.exe	vbc.exe
File opened for modification	C:\Windows\Microsoft\	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

2360 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1508 vbc.exe

pid	process
2360	vbc.exe

pid	process
1508	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exevbc.exe

description	pid	process
Token: SeBackupPrivilege	2568	explorer.exe
Token: SeRestorePrivilege	2568	explorer.exe
Token: SeBackupPrivilege	1508	vbc.exe
Token: SeRestorePrivilege	1508	vbc.exe
Token: SeDebugPrivilege	1508	vbc.exe
Token: SeDebugPrivilege	1508	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

2360 vbc.exe

pid	process
2360	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 3008 wrote to memory of 2360	3008	192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe	vbc.exe
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE
PID 2360 wrote to memory of 1360	2360	vbc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\192b7e38dacf1d14c887b109a6d5d262_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft\Windows Update.exe
"C:\Windows\Microsoft\Windows Update.exe"
5⤵
- Executes dropped EXE
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
afeaa288a334c7fc5026a69430b96638

SHA1
9e04eb19ef4dbaef771fd9db8d17165395bca985

SHA256
3fa394587b3c211de933819ab1048924001df3060b3fc9b90b078a15066fac43

SHA512
f77203f64e8dfb4cf68d7cc1459c7403af0f7146749169798cef432e9736f6cece41f6305e9004b3be4eda3b3161a8cce202912fe46cea9320b2ee497cadf22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8ac0ae6621243c45fd17909cd11d310e

SHA1
288fa9caed838951225d7964f24f24a4f41174a2

SHA256
ed435ff46134801843e9e01a64078db2fb26b7b47c8061e58f323e6167fceda3

SHA512
e432830eece55b7bbfb92f16c9e86481516723d5609df01f429e26fa844a871c1c9647837404c33de890c969991781bc127502a1e15943f03aad470a3ac7597b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8f035f51e943cb30462336f723d5f319

SHA1
419126c0d5aed137508d5932f4e3303c4031bebc

SHA256
b3e00895cb40a9a6dc366cf545738c80351a0be228e4f7552645a472e2cf4959

SHA512
175bcb6ed9af738257c44c0dd0d3e39448de6e7a647c2fe8611df26dd5091e55ca96a38c9a4cfe5cfd1e2bcd7d11085abd9d4d13ed6cd35f73773c873062211f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
db5cf08132727f98d5a7dc8c1a9d19ac

SHA1
897623c4e6eb82b1de42a3cb1d47cabb0efb1400

SHA256
6a1c2a4befeab7eb057a4a73103c4c422ca22936fc22d4e1db9ab127a7653562

SHA512
420fe8a44b697b8d157fef3dcda3af0abd6a9a3ab08a4bdcf658ee52bb299f22ab129467ffe84894925a572ef4ad2ba5e7e3db60d314b8c7c937f572db2bdf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ff83af7ac74a6e491f755125006391a4

SHA1
4fdad4441348beda0ff2803490ed3fc20e7ca2bf

SHA256
c287bbb63a80e2385edd2753089821217c83f004a4d3a859d40be93c0396eeb7

SHA512
e012c2ae1846d090b614a1b76743b0925ed93d48c2838ddaf17e70fcab86d0266e7fe4036a71f998f450f25136471e58886c2c929ccce6c885e43ebed39ecf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
b7b32bdf0af63cd3b137cce904420aaf

SHA1
ff430941ac27301549a4b4b1321581364dac6e74

SHA256
71de3b6276e47495f002321759bb75573556950fd1d1571e6d793a38cd0931b8

SHA512
4fbcc08d319e164d10dcb8ddf6c28d257ccbad1366592ebc8704794a1df23bc661ac59cf764a3242d14b714cc15d15a1715d8d925a3e69fb58d2eaacb9a422b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
7dc795388ef88feb08e079112e53a2ca

SHA1
06cb0919a6a96fe9f4e6f9b3807aa7d79a6c199f

SHA256
1bf0d74fa60177e09ed4071b74c296086ace88e9ca59cc054624d56a8e279fba

SHA512
f937fe33da89f8a34eb8f7a122023fdd087f0a8c4c4e113d4c8b7923a4776755cf5043ea0dfb3e157519fd351a332e5bdfb4df0d5da7dd02c70a161ea74d5bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
b2c927cc42cff06f19400f50b9d79ec9

SHA1
f35a207c79b9a6d324113db7180b09cf552479a5

SHA256
a40e7878e22e122dafe9c75bf10972ba0032866889dae771233c63b1087ee101

SHA512
e3d3432e6ac7c811aa56f46faad2861e1924c6b476f3a27707d6c0c31a5ac8ede26f711b54f97858abd16556abeaaa5ddcd6b41ea9bf4a535fce683f12222a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
4a627f809dbd931d144bd97c4cba7dd0

SHA1
3d85ee054688e3971c6b273ac041d7a0b4df2996

SHA256
30e55af82add2b3afc35e30801fb546bcb918af5cec98fbcf2bd9aef6a2647ba

SHA512
1a7eed0461cf856520bfd05f1e4fbea6948f8433f1e4a77648fd34057ba843e55f77dc0afcfec4f5331edb83bc6c2f1765eb1e6e596783e964932aeed2481f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
c96d3ed3f411d483885034d88f6a4a05

SHA1
de7b031ee81423ae8ec102d9031b244e6e14e19a

SHA256
0479bc8dc2a0098b04d44ba9094eabfb144a4aa8f1fb8ac08f6e2cd646587991

SHA512
3441f0df599c00fa85dff17aa952c7cdeef402aaaeaba1923fd741ad91d761ccaff13007c3127b9388f0925f5af4330a0c28dc300d58eac732214506bfd58a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
d3199362e7f00b48589e199b838d37c1

SHA1
7f50a2249679eb78ac75b01bb821e5e9bf61b8e0

SHA256
7e9f16ff9a99703444cae45c029f2a371f4d2dd51a319eb788fcfe141f1abed4

SHA512
dae104fc3cbad516111d10ded65db255be6e80d731a3cb699f7d494efe707d6d827c33b0852602d5785900a49701efafb361730771feb1d2b27f31313e8452ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
99ff54a2a7e00898386769518574d390

SHA1
ea2eed7f42fd416b12fe28cd90919897c0d070e8

SHA256
a269ec9e157e3b1570e1e3b5b6a9e1613d486af3fac2a3306d6e38b5342474f9

SHA512
5c84e384657092b83b876fe995ef5659adac918caa704844217203923f2f96910947b50b5b7239048f153a3d26019d5ceba8b466ec5efe7c84b45b899a7c35c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
40c72a149f2b2938915cafe7c3e45770

SHA1
165edd0dc675c5c8bdbc30af9a21f791464f3d0d

SHA256
019689edae1191c403c8027ab95165a91694ee185764d40a91197fbb8f447358

SHA512
0a96ab8ae7f1f72c8682ec45a933b00b2b45de118d8f033b9c0842ff7d0db306ce1dacc3d2ec2777d02a7a9dfd78f936c67680629d061293dbbfe89c6eaa988f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
d8544174400f315d144888462568023b

SHA1
9b1124be65fc355fadaeeb62d8bc493a3749ccc3

SHA256
d8284f7bfe6c524cda79f5240c53f7441e942ed286826268c188756a59862de8

SHA512
91247f077a71652cc0439445d7a87300e5792c22bd1ea7365d85317843730da8de0f67cfd28e7d8b670f00c522f6a69e68980559bd2353dcf71a32ad2332ff75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
202dcb88b421af51c91f6841849b9474

SHA1
744a254127879e2e2821a2c2cb44b4a558668911

SHA256
c6826806e7a2a169d892ca1d17f124ffe528da78bdf7fc22e081fd0c11c7d436

SHA512
b196ada8739bdab7bdb9820cf33000a65365e3df471a8c39160b0bfe2aaec5f1671044f4c8c09301849b0f26aa776b7abc351f8b9b5b4cea454ef7e7b51bdd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
dcf18ae24dbc407e045999a588772d13

SHA1
3f4ff6a0dcb7b26b655c435fad9c05b698ef0b75

SHA256
afb1bed15cc0eea4c2d516f22667a39cbce66880c0507e0bb964fae80c23dd1a

SHA512
b6831457827513484307d66a3b3210aa4e23e3b19b040323eafe671c3b7ffcdb974b5a4dfd5829ced95a0df23f2d701f11f5ecc0b1ee2425eb2f483ffc231c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
d9da0afa41c3f47e34c0fa2a70b7a690

SHA1
fbbaa27376899b78eb9ce1d1d809c9d459c2dfc9

SHA256
b789305e1ea69126f397f02a896f77e88513b4724c24e299cc689cddae56f213

SHA512
42c444c62c28f4fdc6400702421370fb2b1f98e317d78ba990fbfc59acde87d02ffea5c21158ba1c06aa8ec25faa9800894940af552cc3bc72af775ecaf944d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
7f4b05b01f543ea82923fa7cfc09f673

SHA1
befb2b62f1bcd331e1ac4033561793c26a77751c

SHA256
ab9937c0e13cd219fdd0e8e3009e634292121ce6605958985f1205ed5c536129

SHA512
3bfbf24e50674886064e20b006e82945d2fea67a08c9363a3dde75541921ee77d42db34698b91d37cfb66433e8c7b08206eaec98bd522b0e0be010eeca367233

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
539c243bb252ecc91c0ac71d8d2e94a0

SHA1
62dcdbecc458050f104c2b7a1353aa96d3cce4b3

SHA256
9340f8772e9ec04b09e7569316b05ef4a9bdabffc453d0524ff4415ded5da202

SHA512
5efe48f582e898e9bea45f86325a956a6cb359095285943a248648e5092855e3feae8d520e435dbd38124c837d853420acd82cd2fc805b35dbba22cd6f2b7e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
f6c9f1838c0624e815b08a00a3184d4a

SHA1
97d0c8a9ea9ffb1a4677cb65e528d3ef0fefc976

SHA256
7949ff1c01e5c37779b45cf15dd5250069524565f30de6b1e259af8d8fadb439

SHA512
12b18aeccb5e3a2a10743dc53a1a776430f5f0da0a293ffef307f020a40d8abc3fcfdbf5a30978d56a45e715cb8ccbac852082d6675364c4273f896759a7220c

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\Microsoft\Windows Update.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1360-22-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2360-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-6-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-21-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2360-14-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-16-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-881-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2360-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2568-1878-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2568-266-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2568-265-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2568-549-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3008-0-0x0000000074861000-0x0000000074862000-memory.dmp

Filesize
4KB

Download
memory/3008-18-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-2-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/3008-1-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download