cybergate | af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

Analysis

max time kernel
275s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
Size

360KB
MD5

adeb89e005317ed8ebd2210ffe3424b6
SHA1

ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a
SHA256

af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb
SHA512

0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4
SSDEEP

6144:dXicc/18K2N++X/F/DZ363XvbTG+5IW8M2pRMJW/yEjzPKPyi40gcwHi2:dXicc/19+tl36nzH5ILMy6t40gjj

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

tamere.no-ip.org:1604

Mutex

O22677E3DY4N74

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
winlogon
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234
regkey_hklm
explorer.exe

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

MmcAspExt.exeShFusRes.exe

pid process

1392 MmcAspExt.exe
364 ShFusRes.exe

pid	process
1392	MmcAspExt.exe
364	ShFusRes.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AppLaunch.exeAppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75X20L8N-HXV2-16G0-11VS-W348321O1GW7}	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75X20L8N-HXV2-16G0-11VS-W348321O1GW7}\StubPath = "C:\\Windows\\system32\\winlogon\\svchost.exe Restart"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75X20L8N-HXV2-16G0-11VS-W348321O1GW7}	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75X20L8N-HXV2-16G0-11VS-W348321O1GW7}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon\\svchost.exe Restart"	AppLaunch.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1564-107-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/920-114-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/920-121-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1012-122-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1536-127-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1536-128-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/920-132-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exeMmcAspExt.exe

pid process

1476 af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392 MmcAspExt.exe
1392 MmcAspExt.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AppLaunch.exeMmcAspExt.exeAppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon\\svchost.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\MmcAspExt.exe"	MmcAspExt.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Windows\\system32\\winlogon\\svchost.exe"	AppLaunch.exe

Drops file in System32 directory 4 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winlogon\svchost.exe	AppLaunch.exe
File opened for modification	C:\Windows\SysWOW64\winlogon\svchost.exe	AppLaunch.exe
File opened for modification	C:\Windows\SysWOW64\winlogon\svchost.exe	AppLaunch.exe
File created	C:\Windows\SysWOW64\winlogon\svchost.exe	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exeShFusRes.exe

description	pid	process	target process
PID 1476 set thread context of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 364 set thread context of 1012	364	ShFusRes.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exeMmcAspExt.exeShFusRes.exe

pid	process
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe
1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
1392	MmcAspExt.exe
364	ShFusRes.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AppLaunch.exe

pid process

920 AppLaunch.exe

pid	process
920	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exeMmcAspExt.exeShFusRes.exeAppLaunch.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
Token: SeDebugPrivilege	1392	MmcAspExt.exe
Token: SeDebugPrivilege	364	ShFusRes.exe
Token: SeBackupPrivilege	920	AppLaunch.exe
Token: SeRestorePrivilege	920	AppLaunch.exe
Token: SeDebugPrivilege	920	AppLaunch.exe
Token: SeDebugPrivilege	920	AppLaunch.exe
Token: SeBackupPrivilege	1536	AppLaunch.exe
Token: SeRestorePrivilege	1536	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exeMmcAspExt.exeShFusRes.exeAppLaunch.exe

description	pid	process	target process
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1564	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	AppLaunch.exe
PID 1476 wrote to memory of 1392	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	MmcAspExt.exe
PID 1476 wrote to memory of 1392	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	MmcAspExt.exe
PID 1476 wrote to memory of 1392	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	MmcAspExt.exe
PID 1476 wrote to memory of 1392	1476	af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe	MmcAspExt.exe
PID 1392 wrote to memory of 364	1392	MmcAspExt.exe	ShFusRes.exe
PID 1392 wrote to memory of 364	1392	MmcAspExt.exe	ShFusRes.exe
PID 1392 wrote to memory of 364	1392	MmcAspExt.exe	ShFusRes.exe
PID 1392 wrote to memory of 364	1392	MmcAspExt.exe	ShFusRes.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 364 wrote to memory of 1012	364	ShFusRes.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe
PID 1564 wrote to memory of 920	1564	AppLaunch.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
"C:\Users\Admin\AppData\Local\Temp\af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
2⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe
"C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
4⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
b606e8f034811b068d53918a2718dfe4

SHA1
1a4f28af3b25f931689a695ebf14125c3cf9218b

SHA256
f7ba6e294ddf57ad2a7a99fdee3137682ede009a2d27f54c2dc48a0477e7202e

SHA512
28d94b17dbd523b5f599d78ac5a301787b2254aae79529c54c87fa38d63755638aa0680195a6dcf0c5e0588f8b5eeb283dbb5a68af3c3addb3f680816c15b62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
d668ccc3ed338f701c588733bffa4786

SHA1
e252970a15e4dac0db4b9c5dc66980f657345af1

SHA256
7ea66aeb5e361bb89c36a1590242ef61e5fc795caade2bf5fbd1f8f0c78f0330

SHA512
e4b7909e2ac00639eb360a528deb6f7519636b3c12fbe20565f28b90022052efa5e5e6a028d397068be6f5d99bd2ba471d28ec9320bd17400bda7ec87a16d79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe
Filesize
360KB

MD5
adeb89e005317ed8ebd2210ffe3424b6

SHA1
ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a

SHA256
af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

SHA512
0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe
Filesize
360KB

MD5
adeb89e005317ed8ebd2210ffe3424b6

SHA1
ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a

SHA256
af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

SHA512
0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe
Filesize
6KB

MD5
3852f794559e6af06d1fedf106b02bc2

SHA1
c2709b8a1cfe1dd2aa68857b4712f6dec9dd7619

SHA256
a00e02b52ce16b83f8797b195b22e39cfab5506ad6776d7c39d463cac6253548

SHA512
b6b583536ce9561883aa62d1e6cb2a3835f4d744aae4daa5fd10d002dccd58cea9eefd0ac0c8b2233889159f6b6b9c490e400b689238850fb3b4f4549010dce8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe
Filesize
6KB

MD5
3852f794559e6af06d1fedf106b02bc2

SHA1
c2709b8a1cfe1dd2aa68857b4712f6dec9dd7619

SHA256
a00e02b52ce16b83f8797b195b22e39cfab5506ad6776d7c39d463cac6253548

SHA512
b6b583536ce9561883aa62d1e6cb2a3835f4d744aae4daa5fd10d002dccd58cea9eefd0ac0c8b2233889159f6b6b9c490e400b689238850fb3b4f4549010dce8

Download Submit
C:\Windows\SysWOW64\winlogon\svchost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
\Users\Admin\AppData\Local\Temp\ShFusRes.exe
Filesize
360KB

MD5
adeb89e005317ed8ebd2210ffe3424b6

SHA1
ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a

SHA256
af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

SHA512
0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4

Download Submit
\Users\Admin\AppData\Local\Temp\ShFusRes.exe
Filesize
360KB

MD5
adeb89e005317ed8ebd2210ffe3424b6

SHA1
ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a

SHA256
af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

SHA512
0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe
Filesize
6KB

MD5
3852f794559e6af06d1fedf106b02bc2

SHA1
c2709b8a1cfe1dd2aa68857b4712f6dec9dd7619

SHA256
a00e02b52ce16b83f8797b195b22e39cfab5506ad6776d7c39d463cac6253548

SHA512
b6b583536ce9561883aa62d1e6cb2a3835f4d744aae4daa5fd10d002dccd58cea9eefd0ac0c8b2233889159f6b6b9c490e400b689238850fb3b4f4549010dce8

Download Submit
memory/364-83-0x0000000000000000-mapping.dmp

Download
memory/364-131-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/364-112-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/920-114-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/920-132-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/920-105-0x0000000000000000-mapping.dmp

Download
memory/920-121-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/920-111-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1012-96-0x000000000040E1A8-mapping.dmp

Download
memory/1012-122-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1392-75-0x0000000000000000-mapping.dmp

Download
memory/1392-79-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-130-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-67-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1476-129-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1536-119-0x0000000000000000-mapping.dmp

Download
memory/1536-127-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1536-128-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1564-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-107-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1564-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-65-0x000000000040E1A8-mapping.dmp

Download
memory/1564-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-109-0x0000000000401000-0x000000000040F000-memory.dmp

Filesize
56KB

Download
memory/1564-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1564-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download