cybergate | 0848aa0b857e996ee9e366e93f3eb87d055c24de63c78cbd78fed5a06e45aab8

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe
Size

467KB
MD5

3fd0aeac885e911b04a4850865b00e54
SHA1

dc6a5a01a737d7c1d5e2f5049f27a77d37fc519c
SHA256

0848aa0b857e996ee9e366e93f3eb87d055c24de63c78cbd78fed5a06e45aab8
SHA512

7f02580c2638d13d7e9dc04cb0050053eda64b8822a29c76a7c87b80a6f77f9ad9e2eca99bec16c8fb87632964025da4459b74d54c9beede4fa616be77810718
SSDEEP

12288:HoW3FOfxyrwyTKQMnUe3Wv90tqP/Bljlgqg0j8hMngD:HoS3kWZRx

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

Cyber

kjfears1.no-ip.biz:100

Mutex

N0N6TP3M87823B

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
Windir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H0C73M4E-PHES-J747-6BT1-Q1XF5T5LMP7I}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H0C73M4E-PHES-J747-6BT1-Q1XF5T5LMP7I}\StubPath = "C:\\Windows\\system32\\Windir\\Svchost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{H0C73M4E-PHES-J747-6BT1-Q1XF5T5LMP7I}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H0C73M4E-PHES-J747-6BT1-Q1XF5T5LMP7I}\StubPath = "C:\\Windows\\system32\\Windir\\Svchost.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
1848	Svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Users\\Admin\\AppData\\Roaming\\L3G!T-Labs\\jdvs\\0.0.0.0\\Java Update.exe"	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rundll32.exe"	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\Svchost.exe"	vbc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\Windir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\Windir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\Windir\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3980 set thread context of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4544-14-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/4544-17-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4544-75-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/2072-80-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/2072-170-0x0000000024070000-0x00000000240CF000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4544	vbc.exe
4544	vbc.exe
4544	vbc.exe
4544	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	vbc.exe
Token: SeDebugPrivilege	2756	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4544	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 3980 wrote to memory of 4544	3980	3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe	85
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56
PID 4544 wrote to memory of 3500	4544	vbc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3fd0aeac885e911b04a4850865b00e54_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2072
  - - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2756
    - - C:\Windows\SysWOW64\Windir\Svchost.exe
        
        "C:\Windows\system32\Windir\Svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
7e6ba9aefc2361ea18b1225b79db0e35

SHA1
920033439080568808b195d6e3a35fe4995cf9d4

SHA256
169a82a001325cd9c5a1cc23a002fc4d7e053498efa371b3fdffe68174777b65

SHA512
faa2f0a3d26a37fde1cb2076359e0a99901cf7bec7fb937fc8ef97751ff28e08545e9abaedbf23fad80b058a06f8006c40fde9e3f4acca5a0d76edb56983a104

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0117a3785bb8d103b2fc46e2a136c844

SHA1
e7fa61a24717f6d8569f22ac31c08c4c799f3ab3

SHA256
b1c2acd6b9c070d83e1cd2d205700f59adf8fc195d57a545008979c0f6ea3ab2

SHA512
8fb29b4b5fb6756a174fe8fd16f436c1f49cfecfda0bde1fad58f43e63a6db170e23aa0dfb7e3cf2d9f267e20d31cbdb103fbf8c422b4533829fb44a798447a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f7ebef37c9d58464ac93f8daa3fb5b57

SHA1
c97896038c3d1fe8b39332fa8eaed514057f8b97

SHA256
ab8ba6aca83757a303399e89584e495deaf94c41440d9b3ab8a5b252321d9ff3

SHA512
01958b9f89644ade3f15d24ac8be6136cf82d71490996b4ad18d403a8be7a81a00d8bcfe81f0974d04ba1b3aa7b21c0c1da20719f06b5ce84b7131ce946ff4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bffc21ffe49080a429be93437e2ce80a

SHA1
6663c7a4ca35d70fc28d4e85b2bcb3c69047e408

SHA256
d8e37803b938b3255553179df43904b39f8087d6326a60622dcc68ca58d70dfb

SHA512
65e5d81997dd0a4693fd84379729aa8028c4b33f6245c1b25f05485d164045d4b9bc01c8f979afdb88d27e0f11ab71883d6a6e7032a2625a1eb7de67e4c04833

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e33ad302042dd71b62baaca3deacaa04

SHA1
4370c0358b44a6a35e2e9d2c5ac37781dc3dc181

SHA256
785062d12c9c6e969eb1ed819c0fc8a0c4ba61570a0dd2c47c888b4bbf1f279a

SHA512
ffbde652be047313cd1d8b4f25fc0b7c0242b7c063b2349ce6387bf74dc10678c76b9f8b646fc95bbff78a9c97ff3c1b05f3238b36a7f338304268cda8da22d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
14087ed7c1bca474aafbc6aa5c830279

SHA1
c7d133841fcba52c23556c190421e004f2b73b9f

SHA256
4a9f7acf9b9a76b2a466268b2cee41d92ed83696742926e3afb1d91d3c523a15

SHA512
6edad74c987df39c9a21593bc98d4ba9ea00f4e774ad02040da1cae3521c0dda3f2e5d1363aeaeb116e9989620fc40391ab66033d2a7e1aa480588cc24c67fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f86f93411e68ca8ab8c1dd50b25d1c36

SHA1
7153bb2430864bb4b0e59196915e051d770a768f

SHA256
d8d927666c58e9194e27169360ff9067bdd65ba218fdb605d456836e21e6c5dc

SHA512
53cdb5aa218860b6526fa17cf3fbde494de20369721cf81392d196eb27dd8793b1f861232c998c6b86a1129c05fdabce9615db1bdd34f2dcbcf8e8667f8a03cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c04391e4d6f8c487042cb6b95776b388

SHA1
0d9ae6f504a4ed5a05a67ec2dddd0f370670c54d

SHA256
e58442c062db64cd57157e4ec8e8475b277e40b81eb0a054f47df76015452738

SHA512
cd7bd18eae440dc6ae6d466c344988ffcc20e732506426183b74d824be4fc736ddcb03bf04c2e4fbabec45c94738770dff00cba4f26fc7637216b536ad046650

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e0b701a6955da888659533d4dd3630ec

SHA1
2afcfb7de4cbd5c6f42613793b18841459ec77b3

SHA256
9f3f4ce09412ca7f1159d0b085545203b9c3367ecfa380ffacf7bf6fdd7a0cc9

SHA512
d1d181548acf21d6abfe7a52c6f1f1f79cdfa93132f88fc0fd4d2ba42d79e96551896f0a52850e74f3c4290444c781a996eaeca512ac911ef96e3d099aaafcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1da3e90f0fe0bd91fcb5341fe1b958c6

SHA1
47d1ec4bda4728a8bdadbd7430693d47a4043462

SHA256
768ba92020184cb5ac7225eba5dcafc4a436466f5b5fed5203b3c9b1336e0cdf

SHA512
de842fc5e7229407390a89435a63ebcaa20578fd7ebe6da67c3f7b925ea536ab64c9348ae8b957321e154d56d9cb9019bb08dab7e2a6d568ca62794279ab84f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c6857fc8aa8b8c6a49e7151d09d9d4b2

SHA1
13933aa37c5ff338d33b98dd4ea31794966fb836

SHA256
6d6e1ee7d92a1bdf42cd083cf8ff56f091fdf50aa3c2281bbd2afb27dcbd506a

SHA512
8ee444f73fd4d908087f29f6f415debfbef6b84f6d80cb09d86017aea802ef39eddb10ef32bbde8132176cad5f86319dad1b2b1b846a9b7a70310b98aa9df3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dfed8654250d39e808add49320412acb

SHA1
95fa266549eba5142281d7ccf8d19a39946b0ce1

SHA256
1bc6a9d962bfdbb642e94bc0360398f52f46ea02c0cef0300d00cbd8bb4fb72e

SHA512
d40607b241c52af0b029317ccfee3de26a6232a3e98fb05df946278c3fcfb56e6290f8c5abcc30260fc08ffd7d62dc90a36229f97081673b37d5eb5915fdbd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cbbc714695ff4b2e397b623e4a141b4b

SHA1
38236e3df1d85a322ac56c9c0d419a4110fbc561

SHA256
d78743c432c8345211aa37eaa75cf570ce6b1b745a0c044a1d91a236f3337bc6

SHA512
d27f43ef17d587441970b58f9e0c2d5a1789aa50b793033fc39b0ecaf8a825c69a1d1772399f431abc85cf213080a3ee785c05bf7f06fb03d6f8b30ae58fa18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8101938cab095c2ef88821c7a8e40812

SHA1
3e8af3cc1dd5fed8db8ed3e3ef4abdf85f221db2

SHA256
6d4c830062dd4874962fef5c6802d0a3941157f098d518d9cc79f86f4c51feef

SHA512
ab82bc53baa8b27b4c1d94d3a002755ece3d10b9d38fd1d6f92ca387a5bb35a0c0e2fc8ed80184dfcadd281cdbcd62e129db0612a85daf481b90ec043ebe467d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6dc7dd1385bee450be7a7a03af32099

SHA1
8d4962ab37ffa8b062e56b67657b0ba0e3b85c64

SHA256
1a60fa9a6116457614bf2f26bfff67269fcdf12173e5a6cab197e0deeb4a2852

SHA512
e936946b85ab5c0d6b1187f01e68dffac073f67a877f97a5d47de8731a62a25fa184334dd954ba1886fe08a8791df70c2e3cb231889e9573ef8087b712a9a63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c9ddeb774423d73d7f3a0942851eb01

SHA1
db61a6f7af7cbe92d3dce38123cbdf2f27452f66

SHA256
831092a380fb726a4b22784ac0c96876c3b8920565a5092958b9bac3b04d5b96

SHA512
2d2fb8fcb843f8689865e1274cfd05706d53b7987362bceb765bd4048589481fc5b843819021e4e9f7e23dd44352c8f804106d810ccece63d8efab0b46817c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a5e4a842554226bffec676f93bc48740

SHA1
352409277dcc7aedc71bec53b516f6e70d7f406f

SHA256
fad33c81551e95adb2199c223c4fcb14a850d970ce345d251358cbe9d45a2fb5

SHA512
fb3fcf63a8144e0008e9963280274d572b32bc6a79217643c244603eb90246e0ca995ad603ba796edc29a3a0915bef01767d1be532a21cc02e09f9cb8ff639a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9ab1eebf5271e655887687820a342bb

SHA1
f4da3d91c21403c2a00df3b8eed73eec457b2af2

SHA256
ff46c2b1fe3ca1591d0d052e3be2e80661e7d9420864fbb638d2b5d04c0b4330

SHA512
d031a0ff67a0bb2d5eb54d845e409bef21927faf573ee240fea66fd6ef5fcfe099491e299467017e10d68167de859d85f10a9917a4e3172402babc81f7d2b4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a30f785e7c4b1d7e9a2cb77ef3d2204a

SHA1
bd4e39b54d6fe22b937281232746396879d212fd

SHA256
6ab5cef37cb959c10dae213df4b142df4c710120a31997b7fb6c6ef4c813bf58

SHA512
5feaef274b2027cd87c2715cdd84fd9684dd64ab71ffdcb9bdb48636655d34437c30f8e97cc7c72e51a570a9734403bc3824024885412df0ef8279835f3d592a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
672133859b43ebdfa4012eaf90a1d4b6

SHA1
77efe3fbff95eb2a839278241618807107cf83bd

SHA256
40f03fe08f0c1d3a5e1aafc039949b7103d0940286f4b05fcb6898ea58d13eed

SHA512
8db5083bdff58bb137dddce6bc8d0d534dd0a1e283d00e6bf6813715fcaef88223a983a0064744c0d6fda3ec292550fd99379d8a1ca675f04e4625e5baf6c6ce

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\Windir\Svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/2072-18-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2072-19-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2072-80-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2072-170-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/3980-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/3980-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3980-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3980-10-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4544-75-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4544-151-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4544-17-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4544-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4544-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4544-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4544-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4544-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4544-14-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download