cybergate | f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

Analysis

max time kernel
151s
max time network
71s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
Size

315KB
MD5

dcc256be852687239ff152f6d9a6e1b5
SHA1

c1944db712385819ebe9600739e3ccac7e031d30
SHA256

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f
SHA512

8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2
SSDEEP

6144:rz+W2anmpCY4A0863r6tZzpu+C8CKJVR05:rz+Kk3N6etZzpul8CKnO

Score

10^/10

cybergate 5 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

annonymous007.zapto.org:56120

Mutex

I42OOP770AO448

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
0123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

mvscavAP.exeSiaPort.exe

pid process

1920 mvscavAP.exe
1076 SiaPort.exe

pid	process
1920	mvscavAP.exe
1076	SiaPort.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1020-106-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/1020-116-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/820-126-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1308-128-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1080-133-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1080-137-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/820-138-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/820-142-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exemvscavAP.exe

pid	process
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1920	mvscavAP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mvscavAP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exeSiaPort.exe

description	pid	process	target process
PID 1884 set thread context of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1076 set thread context of 1308	1076	SiaPort.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exemvscavAP.exeSiaPort.exe

pid	process
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1920	mvscavAP.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1076	SiaPort.exe
1920	mvscavAP.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1076	SiaPort.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1076	SiaPort.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1076	SiaPort.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
1920	mvscavAP.exe
1076	SiaPort.exe
1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exemvscavAP.exeSiaPort.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
Token: SeDebugPrivilege	1920	mvscavAP.exe
Token: SeDebugPrivilege	1076	SiaPort.exe
Token: SeDebugPrivilege	820	AppLaunch.exe
Token: SeDebugPrivilege	820	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exemvscavAP.exeSiaPort.exeAppLaunch.exe

description	pid	process	target process
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1020	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 1884 wrote to memory of 1920	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	mvscavAP.exe
PID 1884 wrote to memory of 1920	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	mvscavAP.exe
PID 1884 wrote to memory of 1920	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	mvscavAP.exe
PID 1884 wrote to memory of 1920	1884	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	mvscavAP.exe
PID 1920 wrote to memory of 1076	1920	mvscavAP.exe	SiaPort.exe
PID 1920 wrote to memory of 1076	1920	mvscavAP.exe	SiaPort.exe
PID 1920 wrote to memory of 1076	1920	mvscavAP.exe	SiaPort.exe
PID 1920 wrote to memory of 1076	1920	mvscavAP.exe	SiaPort.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1076 wrote to memory of 1308	1076	SiaPort.exe	AppLaunch.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe
PID 1020 wrote to memory of 1760	1020	AppLaunch.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
"C:\Users\Admin\AppData\Local\Temp\f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
"C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
"C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
4⤵
PID:1308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
315KB

MD5
dcc256be852687239ff152f6d9a6e1b5

SHA1
c1944db712385819ebe9600739e3ccac7e031d30

SHA256
f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

SHA512
8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
315KB

MD5
dcc256be852687239ff152f6d9a6e1b5

SHA1
c1944db712385819ebe9600739e3ccac7e031d30

SHA256
f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

SHA512
8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
222KB

MD5
37fcb6f30c7348187b8cba966a16f73b

SHA1
aa61d17dd87449ff657490965cadc965fc0d543d

SHA256
0d8a9a8fb8b84632f613b327e9aef424f7d3b8608dbf8f81a3d5c0036cf82858

SHA512
0744a1ed1f257dfc5df018bb67753aaad53811899b4da7147e6bc60c0b12bc5bdb78410c43314608bd95deda90b6b4defae4b00392b5001e889adfcc34d2e59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
222KB

MD5
37fcb6f30c7348187b8cba966a16f73b

SHA1
aa61d17dd87449ff657490965cadc965fc0d543d

SHA256
0d8a9a8fb8b84632f613b327e9aef424f7d3b8608dbf8f81a3d5c0036cf82858

SHA512
0744a1ed1f257dfc5df018bb67753aaad53811899b4da7147e6bc60c0b12bc5bdb78410c43314608bd95deda90b6b4defae4b00392b5001e889adfcc34d2e59d

Download Submit
\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
315KB

MD5
dcc256be852687239ff152f6d9a6e1b5

SHA1
c1944db712385819ebe9600739e3ccac7e031d30

SHA256
f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

SHA512
8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2

Download Submit
\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
315KB

MD5
dcc256be852687239ff152f6d9a6e1b5

SHA1
c1944db712385819ebe9600739e3ccac7e031d30

SHA256
f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

SHA512
8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2

Download Submit
\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
memory/820-122-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/820-110-0x0000000000000000-mapping.dmp

Download
memory/820-126-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/820-138-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/820-142-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1020-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-77-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/1020-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-72-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-65-0x000000000040BBCC-mapping.dmp

Download
memory/1020-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-106-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1020-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1020-116-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1076-113-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-141-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-84-0x0000000000000000-mapping.dmp

Download
memory/1080-133-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1080-125-0x0000000000000000-mapping.dmp

Download
memory/1080-137-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1308-97-0x000000000040BBCC-mapping.dmp

Download
memory/1308-128-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1548-135-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1884-139-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-74-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-76-0x0000000000000000-mapping.dmp

Download
memory/1920-140-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-112-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download