cybergate | e5a5ddfd3726e56e9dd8671cffeb415f29e3c81b5dda36a8483d81659fd44d39

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
Size

502KB
MD5

307376c3bc70be7e27a4da7c51ee1121
SHA1

cae0674af06a6b623d1cc66d3fdd4e8aafd8e258
SHA256

e5a5ddfd3726e56e9dd8671cffeb415f29e3c81b5dda36a8483d81659fd44d39
SHA512

d6f7afecacb88b1d82d1c323bf6f97b8c71382aaf7d80c4c7f7a1142dcdf24a6f836c38b6f4b166c28558ff4c80f55ac0d0a93b1f35d590ae68457686321481c
SSDEEP

12288:Pt4Rx/JDRFLswlO3J5R2PpIPavXF6CH6dm8xNr5GYto:Pt4j9R5JQXRWIPCHje9GYq

Score

10^/10

cybergate 0 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

spynet20.no-ip.info:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1231077r
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	97846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\97846.exe"	97846.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	97846.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\97846.exe"	97846.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}\StubPath = "C:\\Windows\\system32\\97846.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}	97846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}\StubPath = "C:\\Windows\\system32\\97846.exe Restart"	97846.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	97846.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001600d-8.dat	upx
behavioral1/memory/1976-11-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/1976-9397-0x0000000000400000-0x00000000004AD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\97846.exe"	97846.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\97846.exe"	97846.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	explorer.exe
File created	C:\Windows\system32\97846.exe	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\97846.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\	explorer.exe
File created	C:\Windows\SysWOW64\97846.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\97846.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1976	97846.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6104	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	6104	explorer.exe
Token: SeDebugPrivilege	6104	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1976	97846.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1976	2416	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1976	2416	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1976	2416	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1976	2416	307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe	30
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21
PID 1976 wrote to memory of 1200	1976	97846.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\97846.exe
    "C:\Windows\system32\97846.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Drops file in System32 directory
      PID:11864
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
740b2adb0564c95335e4b9a4b116d434

SHA1
83f02ff99a2364c192faf4e283877cc3200f8602

SHA256
0c1519d3ffa6747856bcd5ae0671b2970e046d9727b82209ce0774066c1084f0

SHA512
71c3f6caac1346c85e7d5fa98b538d1c039741c6b99f00ada6d4b9472254a3e7c2f1447097d8e813908e514bd0db603c939c2c9022799b14ceb794c928d1c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2d96ea600b24851cafd2a8d226caa7f8

SHA1
aa0f2653db5c2802e250720b2cdfb7857433edea

SHA256
1753458c43bfd307f717abffe42960408365e2e6e7506a3c312e15caaea91468

SHA512
baacb1ee588b19afc9ad4940375cedda0c1e06e2a6980f416bb21f812a699f9d95eef4be69085bab3b60804c1c27d76f0c148214a97e11d98731d3fc9cec0a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e4ed398e215505cd7a8cad5e6e758af7

SHA1
7be50d64e7ec749ee6a1a6803c56bcff73a69d55

SHA256
5cbb4b3e837c75c2f73c52d8f61d75055f022b84832d326f764dc18fca566ffb

SHA512
a54c394ce947115fb0c012ec25c1d3a1a55513dd4c1911678c52feb552ec30b898d96568a953754e323a2f1c2616be8dc5e625505b0512deb4aae34d16939c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13b0bcd0024ad90548fa3c6124118b84

SHA1
8adb6c669402f6b1e8c2e036767dae43c35522c6

SHA256
1b9dfe6f6eb3bf02c16ae83449e3e89564279ad4eb7e9d2f67bf9d9ae962e153

SHA512
6e3db60ae3c94bd56b6c338697aa082f242a0bfa71b7bb73f3e832e4dd4fe701fcfd7f28bcc9826e24c09802c102418c15990429719946f0078a00df9a7184e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bdca9fbcc4752c19f2e9b1dd43c4e7e2

SHA1
025115f990d135ccd13205a60357fa81868697d0

SHA256
56adf52f32c246432dc73361d71c9671e0c338ba4f2e2ace3d7478a709b2e792

SHA512
0c3648c3531e59686eff52ff2d60c22db2a35a4fb086df09321c73c720d17c6c9727ce5feec75c5a9a1a95e7ad2445f5da5c9fbc99432f2c66229379417460b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c9aad1b998dec6c0bcdd67a331fe826

SHA1
8ba533f98b217c579faa8c696716cbd7a780872a

SHA256
99f040853d109312e81e8ff997d818d244c77a7dee642043618badb515e82cf0

SHA512
b7d8129458fe4844c2bdc5a8ec6ff5961482d1f9c8c021cfcefcc105544f9d9d1999ec42203d9ff7174c8ca9dedadcd1d8e9f612f832eacb8ddacaeae744590c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee1697bf94b3240cbd00834f36148c5e

SHA1
97cc1496b130c0168b1f356b33245f609785b456

SHA256
05a467b4247c0ff90a2fc7c53ee374aae271f78cfbf9d09b137307aea51f48dc

SHA512
c0239d0c8034751a4c258734e252d747944c01c258a5b6fd313683a907c4d34ee8ded8c53036288ff6008df1de40a649c2963ea9ab47fea7616ab9c2d1e5913a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
25f7b7ec5cb5da77f8693624de7a3130

SHA1
891b5f212cd41b210ea8be6228089f22f05acc8d

SHA256
05ec5f6a5bea5a6d8a545c962047f85d3b7f4063c1924fcc6f3c3843de6e78db

SHA512
6554f23848cd041f591bdf619f301b53dde358545978acdad20ffae4729404f60e29e90bf5cfc612438d860d7caf80afecb1b5466146b1a250b98e410436dd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f618079257d862543b6d4da1ea09f144

SHA1
7c4bb62a3155bfbc505189968fd07a5089da5858

SHA256
d5b71143f66398aa49d99edfc027b439122ce604d043b99f1eda8f5d1c712173

SHA512
d47141a9b0b8555a2fbb69305edccdba466e30ad3513fe699db668dead90ea1ee7558f24ac9f4300cdb7cdd77b5fb43967554460b963bcbbbcf2973fb28241e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5376b531b937e48f722e904ec1ec7a0b

SHA1
e69c5252e04e1570899a0ac983e30190b97a4411

SHA256
8a4e0549c8b235510eaa5ea3d2d9f9f8ff82f04d182051b8466e4e1bb68485e3

SHA512
790a0531353d2b73f9b763ec05ffb51559b27acbbee48cadb7b4f867521cf937a8bad941ed2c68a244826e088820e274df9269e53dc88fac281412e58f270c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1c4ab93d052fea1376c3aea68f9c6bde

SHA1
217ac335f291854e92ec56f923c2d0b9a8475f1c

SHA256
f3b638c0394246700dd51316e5e28262b2cbbb65f9ba3003960f72e32b0cce18

SHA512
9522debf748a52f15a0c4fcc5ec1af51ba4fe7f7a53daf66b4613dd248c27f37e00ae0d84be2c8e4bcb950f866fc83c54ea8fefb1fafbaa9ca87e5398e9c9aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8654526637d34edf301a01d32db91c0e

SHA1
08619ccc90876aaa6b5d1220f29d12c6a559c67c

SHA256
82c7111e028aa536a5163b57ca7e60f36729fea729f4ec15907ea80b4e236fc9

SHA512
16de4f4f8d245934bc0473e90d314e9a7800de71f584c173d8eb77a6adc869dacad21aba84987444095afe2deaf027b4acc47e68ed4016aed9540026e94d3dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3dac89bdd3851558579b9611c1e357e1

SHA1
8967f5ef7246109b0be7e89e2ea35277d23fbff4

SHA256
2ff8e18b49a12f92e5a973c196e40ce5109a0ec77b0f3379b5b662ca8c2297b9

SHA512
d9a3e509c7bdd24e4186ecb52af9cd6351baaad841c09b5770ad6f93624fa3747d72340527178a49a723eb44cce0725c51889b55e0e1732b849bba0d3653d2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
191e6fff552128f96bcf27fae140e190

SHA1
aaca0f160f15ad464cec7b77aff7dd7abc4646e6

SHA256
19f9605c9f5af7db827f54141d5607abcf207351ccf3a1241163575ce0289dda

SHA512
f1e7663a5200afd60fe656904bc6598b2b9b5b7ada65a0fdf3675e01bd40faa819a91af37673305770223ebb78dab029ecfeacf7849a9d8df5052d1093427705

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ee8dad671513c359ec7d21f3e029f06

SHA1
6fe44771cb397db40ea8a9fceac7f15f2aaa3297

SHA256
181aa625cec61188f171e2a4d7c105b9e4dce0597cd5f5b695504e115a6b8625

SHA512
1943191a2433f40e7a9b1eae135867f4582a48b96eecf51de3a68e763463e0129a62b66d5704a70c63c526533e1fabf167c1689bbb013450be5141523b78807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3cf87c41feec102437b0376a6b03e640

SHA1
7ea31258de53743e5f94dac91b5e7fc66c8db8a5

SHA256
9be5a258511f3b45b54ae06230047af4de1653e687e8f195323c08b298f1f194

SHA512
b7c1e93efb4d759fc883db37da94024869c12b6ac57ef3a59e6ef9398a40e5b664fe124c4b46e72590c98e13ce400331121665c5e0f58bd9a009ef88c9f1dd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
06b3d5aa86c561a4c8f32e58fa532f19

SHA1
bccd64c781654008f46f6bdbfd050a64e9df286b

SHA256
f1752a330de80fa15b2ab3cfa65559ccc25c9db4af3244347f01988733458267

SHA512
5e14f002f29915e717f83134c4c752db87339f2f23b90acad686725ca31500845233777ae94bb487035c822bb5f0cf9b94761994499b1f8160aa9a3610049987

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c78428dfdb53087216a61438ad0db4a

SHA1
1db0919e1f8fa0b7a478852a8e8ebc61df696b4e

SHA256
0d3570ed24b1ca997a4c8f0482caf04526b1a48d2d6da96d222c9fa85b6d1fd6

SHA512
a0a1ce36a9ef00eb4f1e6060e61d68fd61bdece1147474e1c6619a93e6f4d8d543017dc0e2ccaf75a0c2d9b62aab5333652f535b41604479b5470889ed65d98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f270d822dcd4ac1e2b810b47a26805b5

SHA1
bfec0e64adc6259407f3f9f1c2b0b778bbde831a

SHA256
a5caa41ff0ff9309a93d9346114b0e58226f72ab7a9d9ba8c11211954e956436

SHA512
2d21572c0faeb58ea4014c1d7495f5beb1d3017f666c58f55c59704c82836970a1fa528a2a4115ee38fee67d51acc1edf4c6c1ac594ca3c7708a6a30142cb8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0728af2071359d267595b7dd009a7f15

SHA1
90828d9ba31fc57d9c2f845b727becb22b090b51

SHA256
21e78d37ba5b1e06a29a196b178a14d0a79425e11f6af4b6d0f44364fc96268b

SHA512
24b7b0cd960e750387cb5e10498fc19f3a9adac69544c7e30bb5177b7c2924ff7eada0790272bcae719974b421e4f2b6fcc8d0281d6bad13ed1d3b7cbfebda5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fb52a5bda8184abe3c9dee78f547c7fb

SHA1
6bca10eedd97093ca22484f64ce7209594535fae

SHA256
1373765ed7f0f28d28ca39deffa576b9edb8a97a7620bcc4a9510524bc6cb45c

SHA512
0ce8a92c480baa2521d1b76794e71e3379b67c602afac673154ddb5f8cdd3513e08450232882cae34cccc3badb9dcbd6a37d3911abdaf8cd0cc9d9440c836199

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
510d41155131dcdfdab39612cca1096f

SHA1
308186e389a1ac9dc12227dd0866b3a27e8531db

SHA256
96c04a4a00315070fd1d247341c7b66b0d5883f365e13d7ec066ff015276b3a7

SHA512
89968079fdc8476019fe3b9748a91f702053e6b9a39686d60617c11a2e324498a2919a9e104becdb5a00030d2fc0aadf282c6664db3d7e80aa0cf8b33dd6adbb

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\System32\97846.exe

Filesize
472KB

MD5
fa810017376abe6ed9b0840f90e38fa7

SHA1
9f5d6696fd8d00b62afef9f3015ac0e41a11cb1d

SHA256
78c223eced9fb8fafb8c8f1267681096756c559b4a1f4bf051dc347dd50e4665

SHA512
9010003eaeb385db49b052c03b1321493f5ecf39f4407fab5b7dc2ebc6f28838b6a9925d02c857b4468890532a64558cd6dd9a934c9843f5f458a0571dfbec72

Download Submit
memory/1200-15-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1976-14-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/1976-11-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1976-9397-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2416-12-0x000007FEF6290000-0x000007FEF6C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-0-0x000007FEF654E000-0x000007FEF654F000-memory.dmp

Filesize
4KB

Download
memory/2416-3-0x000007FEF6290000-0x000007FEF6C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-2-0x000007FEF6290000-0x000007FEF6C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-1-0x000007FEF6290000-0x000007FEF6C2D000-memory.dmp

Filesize
9.6MB

Download
memory/11864-2695-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/11864-10001-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/11864-6029-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/11864-2697-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download