cybergate | 802c938affddb13b2d150a7ee30444f89ecf76d15937376a589153ff75b3ecb6

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-01-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_57cb82b051febc9b951f50dc64aad273.exe
Size

1.1MB
MD5

57cb82b051febc9b951f50dc64aad273
SHA1

a550a69a0ab70d8474a88e3da83884aa14fe5d80
SHA256

802c938affddb13b2d150a7ee30444f89ecf76d15937376a589153ff75b3ecb6
SHA512

9aa5eec4ee72b95fb04c8c0cb1f6a275e2e1d57ffdf70e16b591a38aad84b2a03a11fb29b42e987109c3cb34ef01b96236f2a5aa39971acce40a90c5de52d1ab
SSDEEP

24576:x9eO3ttmSOQAfQ8RVfynHl1qAP/cw5/t8/2I:bks11t

Score

10^/10

cybergate cyber persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

mrelectrox.no-ip.biz:82

Mutex

10F0LQAB011466

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Detects binaries and memory artifacts referencing sandbox product IDs 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2688-24-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2688-22-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2688-25-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2688-26-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2688-336-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2568-365-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2348-370-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2348-373-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral1/memory/2568-376-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	UPX
behavioral1/memory/2388-14-0x0000000000400000-0x00000000004C1000-memory.dmp	UPX
behavioral1/memory/2688-30-0x0000000010410000-0x0000000010475000-memory.dmp	UPX
behavioral1/memory/2388-322-0x0000000000400000-0x00000000004C1000-memory.dmp	UPX
behavioral1/memory/2580-323-0x0000000010480000-0x00000000104E5000-memory.dmp	UPX
behavioral1/memory/2580-1071-0x0000000010480000-0x00000000104E5000-memory.dmp	UPX

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DEATH.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	DEATH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	DEATH.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DEATH.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6W3AG713-UG5H-1EMU-F6QH-03V5H0JBE245}	DEATH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6W3AG713-UG5H-1EMU-F6QH-03V5H0JBE245}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe Restart"	DEATH.exe

Executes dropped EXE 8 IoCs

Processes:

DEATH.exeYTBot.exeDEATH.exeDEATH.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2724 DEATH.exe
2388 YTBot.exe
2688 DEATH.exe
2580 DEATH.exe
1596 svchost.exe
2356 svchost.exe
2568 svchost.exe
2348 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

DEATH.exeDEATH.exeDEATH.exe

pid process

2724 DEATH.exe
2688 DEATH.exe
2688 DEATH.exe
2688 DEATH.exe
2580 DEATH.exe
2580 DEATH.exe

pid	process
2724	DEATH.exe
2388	YTBot.exe
2688	DEATH.exe
2580	DEATH.exe
1596	svchost.exe
2356	svchost.exe
2568	svchost.exe
2348	svchost.exe

pid	process
2724	DEATH.exe
2688	DEATH.exe
2688	DEATH.exe
2688	DEATH.exe
2580	DEATH.exe
2580	DEATH.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	upx
behavioral1/memory/2388-14-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2688-30-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2388-322-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2580-323-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2580-1071-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DEATH.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2388-14-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe
behavioral1/memory/2388-322-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

DEATH.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinDir\svchost.exe	DEATH.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\svchost.exe	DEATH.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DEATH.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2724 set thread context of 2688	2724	DEATH.exe	DEATH.exe
PID 1596 set thread context of 2568	1596	svchost.exe	svchost.exe
PID 2356 set thread context of 2348	2356	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DEATH.exesvchost.exe

pid process

2688 DEATH.exe
2348 svchost.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

YTBot.exeDEATH.exe

pid process

2388 YTBot.exe
2580 DEATH.exe

pid	process
2688	DEATH.exe
2348	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DEATH.exe

description	pid	process
Token: SeBackupPrivilege	2580	DEATH.exe
Token: SeRestorePrivilege	2580	DEATH.exe
Token: SeDebugPrivilege	2580	DEATH.exe
Token: SeDebugPrivilege	2580	DEATH.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

YTBot.exe

pid	process
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

YTBot.exe

pid	process
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe
2388	YTBot.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

DEATH.exeYTBot.exesvchost.exesvchost.exe

pid process

2724 DEATH.exe
2388 YTBot.exe
2388 YTBot.exe
1596 svchost.exe
2356 svchost.exe

pid	process
2724	DEATH.exe
2388	YTBot.exe
2388	YTBot.exe
1596	svchost.exe
2356	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_57cb82b051febc9b951f50dc64aad273.exeDEATH.exeDEATH.exe

description	pid	process	target process
PID 2012 wrote to memory of 2724	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	DEATH.exe
PID 2012 wrote to memory of 2724	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	DEATH.exe
PID 2012 wrote to memory of 2724	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	DEATH.exe
PID 2012 wrote to memory of 2724	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	DEATH.exe
PID 2012 wrote to memory of 2388	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	YTBot.exe
PID 2012 wrote to memory of 2388	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	YTBot.exe
PID 2012 wrote to memory of 2388	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	YTBot.exe
PID 2012 wrote to memory of 2388	2012	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	YTBot.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2724 wrote to memory of 2688	2724	DEATH.exe	DEATH.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe
PID 2688 wrote to memory of 2904	2688	DEATH.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_57cb82b051febc9b951f50dc64aad273.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_57cb82b051febc9b951f50dc64aad273.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\DEATH.exe
"C:\Users\Admin\AppData\Local\Temp\DEATH.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\DEATH.exe
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\DEATH.exe
"C:\Users\Admin\AppData\Local\Temp\DEATH.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\WinDir\svchost.exe
"C:\Windows\system32\WinDir\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\SysWOW64\WinDir\svchost.exe
C:\Windows\SysWOW64\WinDir\svchost.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\SysWOW64\WinDir\svchost.exe
"C:\Windows\system32\WinDir\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\WinDir\svchost.exe
C:\Windows\SysWOW64\WinDir\svchost.exe
5⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Local\Temp\YTBot.exe
"C:\Users\Admin\AppData\Local\Temp\YTBot.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
a64b56de1a171535c4c30e3dd6261629

SHA1
963627c48fe251dd7d7817d2e0af5318f1d7a2e7

SHA256
56b94ca42000d578753bee56caa99bdc353c90c0b8df4880815cac869c827b13

SHA512
928a5898b1828c5f37232d9dea9592ece6e990146b81e2832de9d51dad2c369ac8ba78054eb26e1dc94082ca04e402de5ddab862649d79de91bda50ccb22dc80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
07247d77e088bd9f77d86783e5f08889

SHA1
816b5562ffe901e0fbc0f092b7cdd5c467942f8b

SHA256
72041391da524bed6727ca3b99f38c10a923a81e1e1f813207348b0fddf8183b

SHA512
0dda7d3b62fdfd29d8816f5b96eba5b96f48d39f9e99aae0e8c09d779454512a43e9e32c7edc2dd35d9b4c37b7cf2f1b143fea0107f635059fd870dec66db538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
e0d22cde262c2c0f60eb12b9f2a0bf2e

SHA1
88f04d71fe6272c7181de8553e3c79ff0cc4fbf1

SHA256
5a07a57c26d0bf4b7d5885400f5d40527bd8027a4e2dd43e31a05a1f88933cb8

SHA512
1b73eb9c9620b2631e31c4ee7c79549651301bb3725befbe77a1b6ccffea598b200868c32e4a78d7ecb5de99cfef4d07d0a1e4b989706faca710523c8285caa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
afb17f2f39c254193082c315e05e6ce0

SHA1
3aa83662833f648d54e4b3b553f721a63a897d36

SHA256
13be56e0aac3cd9d0864df8a5fbcc2bc3db522ad21c0e5cf605001823f20ce72

SHA512
db64e080b73776ec9c82c62cfd1c6e22ee1167f5f2cf9e1a32b17b2b66ad868f329de342eb31f42c2a00f649d1c6790aca52b2def53a7f3452dc7ed0039265f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
9be7243dbd6cdd10ef8163233f4323c4

SHA1
83a39e6798f9bb5ca036ce4d34cf949dd036ce01

SHA256
10f9cc635eb93291aa06100de1fab6383439e45d7ec62361b1ec70a2fce4747f

SHA512
325f00f86e9b92f3e19ea345ccfde7e1421a0a1b9ae1d791ad930001e7ead415011b1f4685df6ad395cc9b867566b67805dc688563a354fbd7b3d4d6e8069a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
d9aaa300ee5e3407e7d81d91aa789edd

SHA1
aa369aa5840cb00c476991a624d20d2f6cd80240

SHA256
a311e3520c1558b617a890a986ad20cfd13dacf61d974039bdeddbd6ae6dd3f7

SHA512
5009ba592873cb39ac0fbb5da16a10222c20a62d899197912982cb8bf2a5b68596d6412a0a082c0daa0a0d4028156bda09009fd06144ba7f5cacd16b8d633c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8d2f572a3b0f74d396e2a1afea5beae5

SHA1
a143ab20fddf3cde1af4e0700d5cb23c93af3c15

SHA256
658b36c7834d9897d71f238829d8988f194ac04ba2718185eff99faae31864d1

SHA512
201314eb71191b80f94944ac6b1096f7c78c5400efc0a7f474824b63388b3715179ff2507b07bf761378bab2c5f6b12e18227349d2a5acabc191a18a658909c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
68274e8fdfb1c650797ffc6bc46b6234

SHA1
d924a70531563ae482fc7196661592d8f739a270

SHA256
c037b3082e9797ebf446d3152f0e5ff81376ca97cb30134b956f94d305e679a9

SHA512
e0687c9c949fa3b2c8dc7e2a4cbb134803835add7715a2ba16fbad355f1d3ab597befac98eefa253f00d07e77ece0a3117de30837268333c198260d160fd0673

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2b97bb1b1d827526e450678eb0a822d8

SHA1
41e092ada7a39e6250af9a073695ec4d65f914da

SHA256
c8c1722697de291c771ed62a4ba555c0e37d28fdb5894b632af51979edf00e28

SHA512
eab9b4918fc769c95d522fc8ea5145cb636d576fe26000b3e46ac400fd7485eee73c09527d696ffe5832976106b37b6e6dd1d49dbc0e9798132973553fa37dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
58a50eefd29d08c8d0521fae7e395653

SHA1
2afe6538eb429a97c25088afe00b418e30d485c9

SHA256
5f037556728286a88f0dc43fb503b576707a6845571cdee24208ba01220c8bfe

SHA512
f61da75749b47ede99316f665cf7a6477e4291c8ca2fd48a27b11dccfc716fbc6be9fd8a0f2b268b491fb0e8fbfff021788a7f37d9e8c950e689ed52082132bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8e622497e3ad3e6148ac5de6c2dbd1e1

SHA1
96e035d6a4f32ca1ff53b36a3046a57a27257bf7

SHA256
9adabc13ba5f3ae3dba3cfc3ecc9cdc9fc9b4ed8c5dd205617f49ebd69bc006c

SHA512
cd2e681b5fd3cccd171364899a05ff07975d4c42812cb267aa8d9bf063660775a0f7f74466fbcbc5e82a2f51ca58a43dee2ba448fd57573d0d5dd6db85f6a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8f304723219a77ba8f7a2b93ff7b2237

SHA1
7cdc5fa7067e9f9998365eecade224ee295322f2

SHA256
62d8f97d1041faf0d3535e75cdcde5230d573ecec30cb7058a76dbf33229980a

SHA512
69651e9c35a4c5bd0acd75c106e9f569a6aab37dec9f98980c195e57db0987292f198ebe685c815022a7dba7a9b66ef3d6e47cd8f20553cc4de6bc49eca06002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
7c0165f71dbde1003a9774c530be98f2

SHA1
c4915835f88e1157557fc0b792ef579bbd96d7b7

SHA256
efedc853c22d1dae3319977221ccd7d1bc5a118fd2c0bf5bda0dbd2f976df1ed

SHA512
f04cd8788ea327acc084133b5c43c7e4b9d9ff53f24b1dc56eba4c7c43b5a77c87457d50d6459c73beb5e13f2eaf689db8d881798e8132a7635adcb1891dce72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
4992ba3f4a42724c20c9468a03c47f28

SHA1
b5d0f2625ec47b61331e0d93cb64a7cfe60351cd

SHA256
72935c17f8d1f330ce4bbb77de7543d2854bcffa98468686e508e8ba45cf4b7c

SHA512
33d902a5e87831cc54da1f991c5f3085ff9a282e8f9c05732b9a07ce73bd92d22374bcfff2b822fe84179d9c0180fc60a81c9179abd101ee36137fe5f0866d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
09044d3de3dc222a434d8eba40f97730

SHA1
0d8c7fc398447fbeac9632e33f3d194e88a2a6cf

SHA256
e589ffa1e6ea4bb991bc67144408d8bd7933e05c7eff00ceb30ee13254d6f986

SHA512
11c0db2455ab6065e0d5b5b1d4ab18cc8e1615a1739d33ce54072be6b372c3d8a263f0a55b94c0f6f19efe718e3fadeefc6592945d57b0f2a2702cebf5dbb23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
851e44cf5090db85b172cc4a7471796f

SHA1
9aea2cba9a14fe7e44222bc4c63aee26e170345b

SHA256
900817f7e038dcc44f491dfdc5121bef7e94af5d141631b63fdb839c5f2596c0

SHA512
d4143bf01452883c565df2b204c348d81e2416079bf6dd1b38a5714c2e69990b9a4adf2991ab8dad210a4fa495f7f27b0ca943671a31328e2fa183d34fcc88cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
bd5afe2e4cd8c5c15d1aa50b513ca718

SHA1
184859568a448b1719bffd40417ec037d85fa3fa

SHA256
6de34d1e6504216854350ddb546eea7fd426f6162e1bc209653a8114791efe67

SHA512
87e28e16f9b73800e0a05e95039b6b113b0937bc3e754e80b357b0991923c4d9c02fb92ab4eef70c46760ecd99fb8e37f5d3984ecd9d71441f90cc38c1e15217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
5e3c7e143b5dae966ce52b5e3f737011

SHA1
2ee48f6aaf123c22031535a4516cc928e59221c7

SHA256
8300b92875b4572ad5aaa5700b8588f94c34177bbad335e0a684d74cb06426ed

SHA512
60c9fa2d5f778f2d68da78a9b01483d2f37c96fafd203b11835954f9aac0509326174400cc28a2fb4e6fdd8bed332327f1caf09fdc08f7eee6560cb38497c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
a787a86d51d28cefab4adf5349557a45

SHA1
591a747dbd3b9744f59db18b957663cf4a701a42

SHA256
412bdf134619dd089be8eb3a7367bb0910a81a440afce8d2203c7c33d3c13d3d

SHA512
1f25904d29639253fed477b5dfa2083bc1dc2426217ba71c99c1b8405ffed4a98a821baade8ddf05c9f5e3f561007a0798f25ad07e63d788c1c1f746fefce1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
267c5df4fdff8b0deadafa26831eff34

SHA1
3b98a8ca7177714e61292506d036e865aac96d72

SHA256
b8d3672eaab86d74b5be5e3956603f588d0a365930a942547f6e30bac9c222b9

SHA512
6042850d6a9aec9cfcc7facf77b39612948b770759c53b1b742e05055d66fc55e8ba44c58dd5aead5d9168b6ec7aa015c182dc1d8a50aff525b33191e3c7c380

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
Filesize
420KB

MD5
4a94c16181fb048a62e3e2b6af772e46

SHA1
11b4fd7ebb9163e23a81148a1ba24e6aa8a0af07

SHA256
5d1d74ffa068e9eaf8bbf6ee0d4d50664019158815d5767563a37787f135fe03

SHA512
06a5f26c91b7ca93bea7ee7c51e5f2c31205003675e8f72b5331055c72d549adbcf0b57af14ac5ad27bbf18c8fb02194462f2621226b1611235cf33191e58598

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTBot.exe
Filesize
412KB

MD5
8cb70ccdbccd304321653b5bff63662b

SHA1
c75018d37f782c48fcc9289cc47f8567fa21eb1c

SHA256
bb9b18784a025e4164c33bb838b4484ebd86d131a30889662dbda7db451312d4

SHA512
a9509973886dd65eb382893567fcf8a0156548163cfd04576844da0c492255752da3c13e512317a64a8d6564f8c7d3707f12c57c40da9c7ea9472257cd1ff70f

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/2012-18-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-17-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-13-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/2012-10-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-373-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2348-370-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2388-322-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2388-14-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2568-365-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2568-376-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2580-41-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2580-47-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2580-1071-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2580-323-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2580-35-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2688-30-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2688-26-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2688-25-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2688-22-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2688-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2688-336-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download