cybergate | a5fb89b4bc428c4b950c654391d649ffd30f82c4e5f85af7b644487e070cac6d

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe
Size

760KB
MD5

c2a9c55f7bd0f97166f91601d24a3804
SHA1

f578ea8c8eebd2fe8864786ad3ea8e22c1e72f1b
SHA256

a5fb89b4bc428c4b950c654391d649ffd30f82c4e5f85af7b644487e070cac6d
SHA512

a69517b86b91719b3524ecb1187624002aa2d8b70c71f8e34cacc9eaaf5810a78dfc5347336f50ac6e0362ae0af945b4cd3a0a1f9b5b24ce657596ad75da2c38
SSDEEP

12288:YvFl/iJIMvaT3buu5Kf6WZXQAWT3r/v5R7zIHOPPnSWmMSaOS3hz2Uxt6djrZvmn:YvFw2EkwXgTrOSVIZ02b

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

41.226.37.129:81

127.0.0.1:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
ultras sahliano
message_box_title
warning
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ZvuWE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ZvuWE.exe.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	ZvuWE.exe.exe
960	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	explorer.exe
2980	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\install\\server.exe"	ZvuWE.exe.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012116-5.dat	upx
behavioral1/memory/2004-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2492-556-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2004-596-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2004-885-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2980-904-0x0000000004600000-0x0000000004657000-memory.dmp	upx
behavioral1/memory/960-909-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2492-910-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\install\server.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\install\	explorer.exe
File created	C:\Program Files (x86)\install\server.exe	ZvuWE.exe.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	ZvuWE.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZvuWE.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	ZvuWE.exe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2980	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	explorer.exe
Token: SeDebugPrivilege	2980	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2004	ZvuWE.exe.exe
2980	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2980	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2004	2536	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2004	2536	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2004	2536	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe	30
PID 2536 wrote to memory of 2004	2536	c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe	30
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20
PID 2004 wrote to memory of 1112	2004	ZvuWE.exe.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c2a9c55f7bd0f97166f91601d24a3804_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ZvuWE.exe.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ZvuWE.exe.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Loads dropped DLL
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2980
    - - C:\Program Files (x86)\install\server.exe
        
        "C:\Program Files (x86)\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
511578d597d539b93b0e95826909d999

SHA1
b8619f9ecb18d6f1a6877e1f4a092d8009912028

SHA256
bf54ad004be3eefb741e3285d3b37989bba48983aafcae26ecb810bda52e1970

SHA512
3549852d160854867af4e336cf311a3c2339f05d754498e0c4228bdefe227f610deb4ea903a014289e64930dbeecf6e217a1293fc4d8243385335c4dc865dbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a6713ed9557f03640cdb226765b14066

SHA1
e6cb62670400d6611601316d91b31ad00a17e101

SHA256
ffa7bd7a44d1c88c8c73e558e80922a32760db7e118dce4c1e8074d81ac2e8a0

SHA512
c6a24fc17f78e73541d9154d8f8bcedfa99bfb7abd087223ec5f02d4052b947de987441e382290f49c36e9b50cd8b32fc222413cdbfc1b3d2c71d7c16ac5e1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
930bd1778076e4ce6b8a17565526c7b3

SHA1
bf7681e651de6ec6e576dd77e09ea3d7700cd69e

SHA256
e13916349b17114df55ad757bf0a925f1988e02ea8a20c280a29298e66fe246a

SHA512
8a9d45b94bfafeb374c85f4a360107ee71d9c8878b1e0eb6f8366ae3ad44b70917d5e821c8ff806391c36e9be910faa291f9b5b48a4e10cf62a33afe636945c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
54f1554b1098424be9f2d343f5af03d1

SHA1
2bd20a424673a6f3c41fae338f3c3bec21de7a2d

SHA256
25ff6983c71adbc8d622386ede2c16cb11f7f9cdf9756733d87610ecf5be05fa

SHA512
733951d469cdb810f47f47f913b392213c64106d773427a95563420c3e9513c65dfb62b330f189ed5270dc5d9cb731e72de6083d91371f5c50246610cea5308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cf0c83a12a9286c58d63d1462a5ebdbc

SHA1
d1626e7cf34f44024ec88eb6776513d6c8a5c9cc

SHA256
e6df8b5532af6a0e1534d390cdbd702b05af9f42a2b418bebe7fc1edda0a982f

SHA512
a0d45530afae3b0b97f24ca5959b5dd3d614676c52bec308d6e81d36dff06364cbfe2fd5d2e831bff0f9ca544547062643cac5d807a1f254d4d5a7815b88ffb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e2ff52fb5cfa536938a711bfd95b666e

SHA1
2b00b51bc8ee0f35be11554795c9b64c7259ef11

SHA256
917db4bc6feb6635f8e57333329a7e01074a82e29228d0de1d8d049e97388815

SHA512
3827c1d158e0c3e6568a66de9d1d397c30542caacd00bc8d1a96de32314aec4d7d747087e038b839664a050de8e6f06c723c3afbe1589b88e7c45d0c3badbda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc9b3ca74b05048ef1d0e5144fd03aa4

SHA1
d363ac6b6ac12347ad85e6e0c9589def25b22452

SHA256
a167add067343f49222e524e54b1f756d6e44a318d386d208c491f5a5d60f698

SHA512
98d3001e84fdda75f8d1be03d3b0298511c88b7db0d3be5d6640f0d5e7e00755f3b33c3f0088ada4f50057f3d6150913868a68a8dc7467649d7e9313663c4224

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5d7580aafdd807d1ad0f0344a61925db

SHA1
52e8b91c25396d4649bbecda488910d68317949c

SHA256
5479652c7375f344ecbf20e7ac43fa3777b87f26575521577a1d0a5e014b8e16

SHA512
2bc62fd6466e59a27faec8e82279facc1cc0ab4d1e10d9210be20f3aa7109eef9efbdc7d79981faf9e6c11b4202bfa52ae60ead87304565fe3f54b8a52090655

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4a8d450e5aeae4adecf0911aad9dda3

SHA1
120c5d61060a2f769226f90e17ad74e1b9437b3a

SHA256
4e156a899797d73347b9fdb7cb4478bb4e48a3fb6c1406882c333ba99e7ff928

SHA512
cb037042243942acb600c06a53441d0f4ee4051b25e7210e5b639c70dbd963017e14d2cccceaa001cd0e899c772f19ae4100829fe20970e601a3036317c7d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
66efe534b50ba78cd7ad32073b21d6c9

SHA1
d7e8080a1ae470602b31779689de26859063b24e

SHA256
45f34ebbdaa2eee1e11748145840bc06f7fee7d556dc2be26fb397a7e04422ec

SHA512
76d18f24577cccfe1216a7ccb636678683359c82d32bdafe15e58d4c2777edd090beca50242b21651ccbbc4e841e0b6395b8ecee35bc020ac612c7ad79baca91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aaaad8b78024317978a40ac98a13dcd8

SHA1
a1bc188dc451f6a13e33c4c6812e5e382c05e6af

SHA256
36aea9f5e0757708abaa916460f65079621b02f9def381b7f44b4380ac075b29

SHA512
8547aa8319d824781c4752bf53f16333c5604803d618e570029f04dd395439bafac457bf895a0540864685d9743950004b9a0d4c882fc0459e5d0ebad8aed4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bced5936b6545d2e7f15ec9a261d371b

SHA1
67e0481b2b6bb1e5b136ba5c9e5d0725ed382459

SHA256
ac6f5cbb40588977cac0efe8e83e0e688100d18473a9d50f41a70831f3fbc7cf

SHA512
7cc5b5a013bbf08f56f0c966cfef2e4d31f5f4823ae2bcc81e5bd971b793c4cbc6531b06279518b44f3c33ce4d8cc8f688dc0ff34bec48ea5da073504762cc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
353b37b7aaeb460fdc43eda20bd4f04a

SHA1
95029bf4d100e45bfc8a4ffdbf5877988fc544dc

SHA256
2c106875540654611bc53646aa6b7d33f01a361aa75ae55ba5107601c2a58a3c

SHA512
de3621598108932ed9f919ae36e0089761db669a93dcc56cb52c4ef0e581aa37e6b87f33cbfa3dd9fa5c02e24be48b436495f275655a4bf34bf39d61e26d667d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ab18b4ef571fff10d09700d3f7bb40c

SHA1
c4ef359b1fb9c091b87b2eb2951aae17d977c617

SHA256
24ac4f1ab49c3725474fb4ecc8f47a1936f81d54fcc93f980176bfdec1649e42

SHA512
45a30e2cbba6674a64cbb2681002744d152b8a2469ddad1e70505759aa1ed6bdef3c3d42b9ef57188c8f8d71a866dd897af35b8d51f4fbdf8321df1a40ee7d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7f63da1100844c3d329f4f403e660d7

SHA1
f85a677a45f8781656a5f45ae302467158eaa9d9

SHA256
1f39a61674cb6316f97dbedb67ea539ac5b31a967dbbfe3274e2b448905e819a

SHA512
2ee4f3efa7d301848e800b5e8090546c3bc0384fe3469ccf9085c8e00f5e4a97c6deaa38151dca0ad2ccf7d18b0b7cb8b8c7e16593edb1d9f273093873fdfb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
100d6c4051b85323dbf900126f49c680

SHA1
783d12dc06cec8aaabe2ea27ca1d81c3cefb43ae

SHA256
8547e6dee90f5c100278b54577795ddf419849a7a9ef30af0f973184932c4f1c

SHA512
fd632416fabc8837036c7516856aa6cbced1ec13601a656d1863d2a02c71a9e7034fa3dfd1af635a5c25bd399c434796e21d446a1347a7fccd006e40b7384426

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81902cc4be81722694855b8af8e14b3b

SHA1
4a2d0a378729bf8e3f9066895ed66d5a67b5eb48

SHA256
134270fefe06d18e6da9d95fd085dca2c06b3ab58a351a380bde4bfdd2115983

SHA512
9f833b8e25d0ff40cd02d68adacd2070b2afb1faab3af803a672a0d4fa98195d62f30c86eac0a777976e5c3a518df9dffc0f422f36c45f771c474001bb12666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
696ca536e046b999d667579c0d9ba69b

SHA1
2adfcb0f2bf009cf45d913228e85a3cf1cd05c9a

SHA256
1883da0dab12c13d886d702a175ffba08a8baf91fcc1db53a89bcbc924f50011

SHA512
a7934a25535041fe7258b98e9ff1bc59407b3e46303d019b70edc6f0b6410e58cdecf35a944dfb0b0b3c447148b3d9c0e18949eefb4022f8bb72a5d05a298996

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ac6c9bebfaf4510da33beb9bbd98a92

SHA1
aac0110f59d0effc2bc1005fc3e48daa3faf35c2

SHA256
b751d5304424177ee891ab50692acac092b849bfc90bf98ddb121becfe5a32ec

SHA512
58c07a5c85ccef8679176594ce6f1a4eceab220644886a83ff4f7fe5a7f62c2dcab4ecb840a04d75bbf8656725bf22ac6e70ad37b65e27cbb3ca558b01f8f301

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df6e60aa78a9fcd2188a22355ff2806a

SHA1
b522c219335878a491beb51b311057ea85219a52

SHA256
3d4e5e61fed7e8a03c8529599f1bcdee106ada401909aa57f043e8df078c1329

SHA512
6c6f0b2d74ae2324c27ddb89a1e52f7d4b5e341ac6dd5f10e5b3b000952431858058e16f0988271adfef209f4d4922d1c4b489b767ee1cd024069f61b14734dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ZvuWE.exe.exe

Filesize
276KB

MD5
a588d666202fc2126b0bf2bdb27f717a

SHA1
ea8f81a0d8f097fb7baff9e0578a67715150610c

SHA256
076e895ae1f7de698665111375851b4b1a4d7115865cf3c88ce0b85a1a3efb9b

SHA512
c9cad4218d3203f9bd579a3707ea7c1585f50086458c2219e06ed4bd54ad7adc462791a611629a600b625f23bcd75abaa61fa1aacbc4750147df7f73a437795c

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/960-909-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1112-14-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2004-885-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-596-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2492-257-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2492-259-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2492-556-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2492-910-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2536-8-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-0-0x000007FEF5CDE000-0x000007FEF5CDF000-memory.dmp

Filesize
4KB

Download
memory/2980-907-0x0000000004600000-0x0000000004657000-memory.dmp

Filesize
348KB

Download
memory/2980-911-0x0000000004600000-0x0000000004657000-memory.dmp

Filesize
348KB

Download
memory/2980-904-0x0000000004600000-0x0000000004657000-memory.dmp

Filesize
348KB

Download