cybergate | e5cf0507595f0b88e092d709217f0b51aea46d30678644ebdc6705e1c9a63477

Analysis

max time kernel
163s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 15:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3eb98bcd758359e21ff3191cd3f6ef3a.exe
Size

780KB
MD5

3eb98bcd758359e21ff3191cd3f6ef3a
SHA1

2ecad9383cdeb82e9a2f48e581cbb71a454bb74a
SHA256

e5cf0507595f0b88e092d709217f0b51aea46d30678644ebdc6705e1c9a63477
SHA512

33647ec7fd29ae70ce031b115467b4fbe3694bb69f6fb0c41be673aff0f6888ec1251f63ba2907a4bfd2e434e175122517a4e15a71fdbdff47029bf1021c09b4
SSDEEP

12288:Cu17/xLgn40HRD/NwpBxnMa4OTunN78TLWpNXldfZ7OLrC8SJAPQEGBgMvUlKpFU:CuH0nxyKaBSYWTVdxgKtgTV5n

Score

10^/10

cybergate newtest persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

NewTest

mihajlovo.no-ip.biz:85

Mutex

lkhjbjhbgjkhbskbgruy87

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System
install_file
OUTLO0K.EXE
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\OUTLO0K.EXE"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\OUTLO0K.EXE"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8Y2G5NIX-IF24-743S-7440-C2B74575A2HB}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8Y2G5NIX-IF24-743S-7440-C2B74575A2HB}\StubPath = "C:\\Windows\\System\\OUTLO0K.EXE Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8Y2G5NIX-IF24-743S-7440-C2B74575A2HB}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8Y2G5NIX-IF24-743S-7440-C2B74575A2HB}\StubPath = "C:\\Windows\\System\\OUTLO0K.EXE"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
3512	OUTLO0K.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4596-2-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4596-6-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4596-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4596-13-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4596-73-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2260-78-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/752-149-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4596-150-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2260-794-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/752-1278-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\System\\OUTLO0K.EXE"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\System\\OUTLO0K.EXE"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\OUTLO0K.EXE	vbc.exe
File opened for modification	C:\Windows\System\	vbc.exe
File created	C:\Windows\System\OUTLO0K.EXE	vbc.exe
File opened for modification	C:\Windows\System\OUTLO0K.EXE	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4596	vbc.exe
4596	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
752	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	vbc.exe
Token: SeDebugPrivilege	752	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4596	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 2492 wrote to memory of 4596	2492	3eb98bcd758359e21ff3191cd3f6ef3a.exe	90
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67
PID 4596 wrote to memory of 3344	4596	vbc.exe	67

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\3eb98bcd758359e21ff3191cd3f6ef3a.exe
  "C:\Users\Admin\AppData\Local\Temp\3eb98bcd758359e21ff3191cd3f6ef3a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.Net\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      PID:2260
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:760
  - - C:\Windows\Microsoft.Net\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.Net\Framework\v2.0.50727\vbc.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:752
    - - C:\Windows\System\OUTLO0K.EXE
        
        "C:\Windows\System\OUTLO0K.EXE"
        5⤵
        Executes dropped EXE
        
        PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
101KB

MD5
7993c08c7d1148a78e923d62f87ff0db

SHA1
101e979af88000017e54e0261e683521966554ef

SHA256
b16e32be5ea93a5d91991afeae135bbb1f3c37a45e51fe4c51e29cbb0032e5b0

SHA512
6e9b9e955ff15ad76e0741ffdb44775ef03010343dbb0e091a6b2d301bf3850f91f768aeb4e020a2ed6c35d2895eb2d903f84db1dce6392e8b9dc9990d554909

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1c53a419eb14812307de2050b72840f4

SHA1
9233823af232e97d2aaf4c8c175c9a2948751dd9

SHA256
5e4000087e3048179eeaa57a6f12fa566a06c3cb73cc8f6f5b7d97356d885980

SHA512
ec953a2d0befd91fdca74c331e6c27bda18988d94f570cd5ae176be2f99f47f6e40ee13cb84b2dea383ff1b7821f91bc1c5fa0465a0f8f028e489c039a82d714

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1869db0614db8a6a57b7500e41546c60

SHA1
6edfe2714cdf932a134ce47b01b93371596fd7e7

SHA256
ed4b85b7474ac1aa26a48c97a3bb71a650b86e9f83b3a4717532085238b2d46d

SHA512
02c46ed34554815d3d04afa91283a49dcb707554a842e1c9bedf7d6af5383da7377c0055c41c09ebc3eedfe1c1b90462d032924d6ab2679781972ddec1f8bb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
85a65a70633ae98c97d9900526f01e05

SHA1
735b50329e16f2bfe92fb1a7396fcfd7a91c4394

SHA256
34bb399f3f712588826eaeab72cb80651de091ce0bd8e0de74a3daabfcaa8889

SHA512
151fe1ee38eccd6628b3229a5a4447e20375a94b750dcc2712cd48272aaa0e2a74bb0693a449c0b6b3543f137d8ee3ae16aa5277a59539faf8812bc6753eb169

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d33a8b708fa612254eea6624b944caf9

SHA1
6c52b690ce0dd59f5ec1a87187c4a261e80c471f

SHA256
d8ce022cbd2bf222d3100b957469bc266bef6d077638ea5e94980af9d467cd7c

SHA512
d5f9cc0a343b53c1dbb15547150052d0938152ce1a6293edad85c5654347e9c3389e0212dbf7dc98a07326ea976438ea90767057eb71ff28038baeaf7b2575e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5832412353295ad33bddb87a78308958

SHA1
c9df18a3b5c38842c1c89bac5c5d781cd30440fb

SHA256
a559f8d55bf31d60277f523ce3ce22c35c4cae269fc99172b1ecf822f3bfdb4e

SHA512
5f73d77bd4ef87ee29431947f349e1dc342dc921e06dbc450da7889e189ea620895cfb7f351753480064258b56f2942bf52e48465f3f1375aac0ae71b9b8fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d380f9f14cf43eb5ebb5f050e8dfdd9e

SHA1
1eb5d72249911d54668f86108bcaff31909b5b12

SHA256
5e92fb020a75950695ae5da9d645fd46de53827b1951cdbb2023def347aa6d3b

SHA512
9661ebba288548f2b3062106687e7a81db1c7f15b142e7b53fb38784da8b4452b46f6ffe610a023144ed993902dfd7e740046416662ad64652375ad5588b3009

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
be900d6b9a1da6c88081b18fa13b13c9

SHA1
a777f1980f37b675cfadfd4a9ee1633dc71de49b

SHA256
8e884d883b7e938ca53b3b306746a39cd43d8653b1d872fb4b8f57a4ec5cda0b

SHA512
7ca1efb3082deabf3ffdb377deaa09c53481dc7b4966b96800bf090010cb37ab00cf1bf8d5ee00b64506bd280390b0abcd802fb74da5204b5a0459c812821135

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8d874ca6e0c6e29799e6b2ab0fe122ad

SHA1
0907c829b00955ec11b2e4d788567f161e553095

SHA256
4b60365a64b7741ed5bbe8ffd872f5073748dd50cf3994341a6b347c6cc32956

SHA512
b4385c3907b5eb3b48d7333384d95dfa0e636e7d70f799aec8bc6e6a0614878a94b6482853c67c7ee54492d1665b6198f02b39afd5d5f38c94ca2bd3fd6932d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7130f0bb675062db079888471dfb141

SHA1
c5c83eb7ca398a2a5c4853e7134b45c60d4a7d81

SHA256
6d07996726f4122c04c989ab9e518f5f575dc22be05c29dd3f3bd895e16a5a13

SHA512
da18ec1d5d1c31190e0baea8f2ec58920894d22ae7f598a486ebed227a575de17c47df4a6d4e60a8f2a96f3a984446296194020846d710f80b2a229b118dedb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
882246894b3feeb57881bb15f02b4fa7

SHA1
4a8e1963eeeadaf0646cb312e99500a8937fe227

SHA256
771661779734755f73849e7c95aab995c8ecdf98984249be8677345f55d92afc

SHA512
68a297e70c38b04bc1b1aed2805c0d64ae30518d3c4796bd02b6f6e3467ea75b8fd3c9c68ce82f31faad9e8feb8b65e8c3ba0e053bc508a31916b82def54c494

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d0319f6a4be461d4e04fc3e76de43c64

SHA1
8c967550404a27d1df795ad36df29e686a3615fe

SHA256
b163312dfefebbea0d71e305c1508d104663731b1c587cd10dcda71915a9d39e

SHA512
21dd52e9276ac7f4f0eb0c3e4af4b3e1b1c47bf4e150a338dbc832388cd0752aa4c774f76b571b90d12b6937c7fa5e3f33810af6de2fb3b66fb9820c7d7c8a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bba713d0c7280348a4ec6011842c4580

SHA1
01059e0ed6bc5577320e0e2e954a3cf65e056e49

SHA256
67daca05c8358e552e2731d5acce2ff148afe69c96760978181409688b57dfe6

SHA512
b487bd4036def82913bbe10fe4dc8e866f8c72ec841e49a09c63765766bbf8d1bbb52d069168a655121355d3f46a1408269cb92dea0eda0ea02367c4061b3859

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6e09166e10fba4e8dd2b78b7947656d4

SHA1
6bcb882dace55d3fcee03d24dd4c1b55c3827845

SHA256
98f8a09611912e74ee91c6cf92011e127e95dde499cd2fc245b45a43dfa299ba

SHA512
e55b2bb557083b45d7e90bdf964469ef93649b5dfbce2625e21700428e39ad4296c6ebb4a235dbe872d6a4af4611fa0dd925be6e1deda000a65e879ec9bcd54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5dbf1fb4e9a753ae8ff7a5750b0c77ab

SHA1
cc75305764daa9f4cef4fdfd3c27639738de55c0

SHA256
fb583714e6d38f8aa3e96972113ef92d7a61cc2c29a1eea24664ef547801ef65

SHA512
8ccd32ff7be3612c736afacca89d53a435592ada2e05e07c6175a3aad5cd4976e1979273454c79d2510820ac917a3a0b0c972d8dbb60f9ce436880d3e36aef5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fb69da0e42a3ba3dd770c69690459419

SHA1
98c211b038dcd1a29ad4af27c89a596a5046e941

SHA256
f07a7a773334c185fb8be764a509041344b90c20b64836dcc46c6f5e4ef03e23

SHA512
d864e679738bfc4922c78ed33cedd139b0c4efdc7e9d93fe727e9c17317feec2be0055377583bc3500793e0fb401d4b3071d698f7159c799ec4db65cdb8e07ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
50c6fc433cb5ae0cda7fd79b7237626c

SHA1
cd25fbfc9391554fd0fafcdb63ac71f6f26a0ac5

SHA256
2c3993f184c8ec6f797e1ecbc26ab7ec02b062a945fc8cd4671c2236a125b44d

SHA512
9ce389c75818b39f36953d4057981a674678524d118120055bc8871969f517d5d88ec8754b925ecc855e6057a4da374c9c521c5ed6b3fd85b35478ec32132fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
525baf1000cbe818f2bddd0156d5c209

SHA1
5e0a2f11634fe29e1af0453e1aac211ed700ab1d

SHA256
7aebf868f31d6894f7028038ce3cccdeeaed6f5cf6b37efc84f2bc3a27307fe6

SHA512
265dc7b15a21f046b822e281b7be7def9d09003e087406729ec246629211cb0904cd588dd47d4690d21f4049623fced649be9de0d67650c33ee3c85ddf6ee237

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3db3cb233f5f863b5bda675b086eb885

SHA1
1cbc715b3461c4c275fe99240353de4ee1f3a056

SHA256
f6464cc38eea16cd50d10b22157b694d53bd8d3dc938c22309d6897a4b39d228

SHA512
0966d808f25796022ac7e6c76dec41a648d0e1857ebca2fe3295bc5ffd3107604df2f878062b58dec2269f6e4d95cc83aed4f2ddf1e50241e3035edb619ddc3c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\System\OUTLO0K.EXE

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\System\OUTLO0K.EXE

Filesize
92KB

MD5
b03f5fc8ea2c60eefda3696cfd1f7d8b

SHA1
6588e2fd73de5c6dd2d93e2c1083c1191028b8e0

SHA256
ed3196214af42c94e8a0a437344aa5e763b7eb818ce7bb3ec649d2e82496d40f

SHA512
cf3d608c413a76389dcefed3515b8fc2961fe6b902440f573b6800d20b1268a5e39911d39b6e0bdef7fb09104654a863fbade2719b4d97c77d7b9202077cba02

Download Submit
memory/752-1278-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/752-149-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2260-17-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2260-78-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2260-794-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2260-18-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2492-7-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/2492-0-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/2492-3-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2492-1-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-13-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4596-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4596-150-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4596-6-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4596-73-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4596-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download