cybergate | b3ad3ba020b1810a32789f9cc4f253f7b545a8cdb760ce590a1a89fe75933241

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
Size

321KB
MD5

e379f7e08b79fd151180d2fa8b543fca
SHA1

3778705117be9422d2536f432b4970b2c3955a46
SHA256

b3ad3ba020b1810a32789f9cc4f253f7b545a8cdb760ce590a1a89fe75933241
SHA512

b3978b13f3c1caa503c4dad751a9e871d165b1a530eccedec00c1f771c70e635c3708197fe0cba933b2302ffdafbdcbd8231736f5dbfbe8e539f182945dea901
SSDEEP

6144:698cmu95u34w3oV2WkvWk2Y1lU9+RqSEZdmEoAlK3rP32eA:69jp5OBooyk2YU9WqVK37JA

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

escalera512.dyndns.org:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchoist.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_title
Paypal Hack 2010
password
1
regkey_hkcu
Streight
regkey_hklm
Domain

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYP23Y32-DF34-5602-NIGQ-4PY4H22P3786}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AYP23Y32-DF34-5602-NIGQ-4PY4H22P3786}\StubPath = "C:\\Windows\\install\\server.exe Restart"	1.exe

Executes dropped EXE 3 IoCs

pid	Process
2156	1.exe
2324	1.exe
2016	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	1.exe
2324	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Domain = "C:\\Windows\\install\\server.exe"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Streight = "C:\\Windows\\install\\server.exe"	1.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-5-0x0000000002F80000-0x0000000002FD7000-memory.dmp	upx
behavioral1/files/0x000c000000012266-7.dat	upx
behavioral1/memory/2156-16-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2156-24-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2156-21-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2156-111-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2156-328-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2324-330-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2324-332-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2324-354-0x00000000051D0000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/2324-356-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2016-358-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\install\server.exe	1.exe
File opened for modification	C:\Windows\install\server.exe	1.exe
File opened for modification	C:\Windows\install\server.exe	1.exe
File opened for modification	C:\Windows\install\	1.exe
File opened for modification	C:\Windows\1.exe	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
File opened for modification	C:\Windows\2.txt	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2496	1736	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2940	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2156	1.exe
2156	1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2324	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	1.exe
Token: SeDebugPrivilege	2324	1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1736	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2156	1736	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2156	1736	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2156	1736	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2156	1736	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31
PID 2156 wrote to memory of 2004	2156	1.exe	31

C:\Users\Admin\AppData\Local\Temp\e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\1.exe
  "C:\Windows\1.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2004
- - C:\Windows\1.exe
    "C:\Windows\1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
  - - C:\Windows\install\server.exe
      "C:\Windows\install\server.exe"
      4⤵
      Executes dropped EXE
      PID:2016
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\2.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 244
  2⤵
  - Program crash
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
837fde7b432937936d6210dfbb0627a8

SHA1
43d66486148868e92ffd92743c20357a771aa3f0

SHA256
cebb2cebc38df1371fcf43263f2d82e1400cbddea313bed1b785e8ba7cc23655

SHA512
c4914c86e093fc2ba9c5d48c63fece5a4f541d01649561eb1dccc0a7500defd86ccb869cdd09c897880e14284ca050d5451d3b382e87c3653285497ab1ffef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
36db1c586253e970b1f17f8d7099655b

SHA1
1baed594aff52d12beff4670b860870e47c2661f

SHA256
b51331f865a8cf8b9d38e20719da06d213edc3552cc1f34996ea8f49ccecb667

SHA512
6ea4046680b9dec44cd785c216392bf0ea8c9d1bea99953d29eabc6a36ad7f497bee361e040df1b2aba016d0ef1c3b6c82e160bb82c38b041c4a6bd89a9a5282

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
381202d2c5374043d99bc778c5fec1d9

SHA1
2a8bcaa59eec725dc1ba39aa72f2937d878357e5

SHA256
691f0366a9b027054da8348c41c5176eb4a5a2df2125dc16ccc08958a17ccac9

SHA512
10fceebea974070d352cd5a3efffb91c94d792a4baf9f937e4e4a06b3b599e48da3f3b30d1a62da3494278bd4c7e6bd41405cfb7ce66434c2c3ce44735e87661

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c0f3e36451e42184be5bcdb9034dd4ac

SHA1
79b3bf32ddf1986671af6327575b61598bab622a

SHA256
92c2f322c816ce89a75de313c908c976ffb57cf829457165b70eced141283b2e

SHA512
f40a9e9b4118dde4630d6dc4a9a7bbbe6a10d1a50f5e5f5af535769430e8790386794dcd2de4888eb5a0d49ed97a2e20755ef6a6bde00c095fcce3527991b8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b51676b11ffffc4737bed107d8617d5

SHA1
54d6a6cd60e63de5b966b486cd11c1517eec5403

SHA256
23ea3731a64d5b111ad78d7f409d650efa8c86b3202ae3451236acb6a9b10cc9

SHA512
8ca3db3438f04ca33338a7fa5c037b212b213bc3ddd137c5a2ca52b75a1157da1e83cdabe379eb2a93cc12e9eb011aed9c27acc10fef88582e2395379076bc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
325e5faad835315e38555ef126db5cd9

SHA1
3221a08bb1adb3695fe55e56683df7a01adb5904

SHA256
43d2bc8fe92c8b6c02e7a5a543b7f310e5e0aa40b4c3811d2a29c4b81f91b588

SHA512
fd171e279efb891f6051aeeb1e876a6f580b20e352d14a7519f6621a3ed531f6b2a1e6583ccae31d030fc6950579893280e5f2d60aa7bdd0209efddbd5126a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a6f139f1e536aec43d39f6e5dfc1c78d

SHA1
1f3b3856da7c597b61eab4cd66213a79ee69fe24

SHA256
0c408e1f738100cd186ab23a16257dd6cfeca5af8f9bcbc63c2e8924ad45dd56

SHA512
beb50da15d076c10a408714d5dd11abfa868671f3a093424b19e4192c3ab070ae5a644feb5bdfd6664e82193fec6b0f3c2a612a287b0904d8ff6877691c4e310

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e45968dbeb974105bca038e64b3b892

SHA1
ec05f5133ec1d0205aa48fe660adde78ac5a4852

SHA256
1a6fee960340479c8962980ad34874b6190f63a89f9c509f1fde303fc105cb68

SHA512
2ce886baeb8322e2c3f4ebf59e0e40a88800354f2422dd63e602e61edb72fb5b780f0c3142b8e77d4f5a688817587776249eb1c5af4eacf62db390268be9338c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dbe6e8d26804cd41f169f628949b4365

SHA1
640d8805627de07490d10796220f8d63042bd982

SHA256
39f10981a6e068d3ec14a08af4b83b456546335a4c8cbb1791446617d1ddc06d

SHA512
41180699e485050a0b8011f479863351688c247808650f65ca03dd593e72a78c5f2a2bd3b36f08d04ea8701d5e34c66f7c8331d2473afa8c7e04e596bdbb92a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
09a98c29a6b25095bf39e5a88c6a6ca2

SHA1
3b8237d2ea0da07c975874a93aa1b03627b799a6

SHA256
196dae521329afa0d854bfb85d4ef7528e5c96659e34836c313557d6cbee3eaa

SHA512
5e2fde26555417d9821c1c346d76f21f3a6d5f4417bd175f2332d44e9ce7c869d4f10233da4fb9f5ff28e442d01004cc5e073e8a4e0c2c3dcee1f069addbb35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ab46d973b1676ff0510bb0afee4d5b2

SHA1
e605c37de96044e1974f0a40ab1c124137a48b17

SHA256
6bf53832f5761e0e5330b713d5a32a9199595615d0acce2b1b00caa101a9f88b

SHA512
c48b61f0a3ebde2cf089ff99a673ed31c54bce8d418b788be3bc6531b8f33ccd4bb1c0c121feea874f58a9211fb5c4a8c9afbb00a9d83861600b569c131c869c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
319646d2725e566a2d659aac0bb31f08

SHA1
ab2a7ac0a30f0abf4a3ee859d02a8aa2ea27037e

SHA256
baf7d2966cd822a34126bb60df4ea468ec47fa4ab2ea888bf67af97c58136e55

SHA512
0c907ecc92c8df0dabcce0de233cb202a8b154d5ce8f1fc7e97c67184582536bfb3fa5edb4fa0745f162fc28f9de9404f80fa4c7bbe6c211ba341445d6866944

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e4200fc40338648ce09e8e196af39c25

SHA1
d9e7ee325becc24fcf477274cfb5dac088a29fba

SHA256
a9c2758125f43928cf09b6b0a86d3ffd70ccfd87e149cf38cecac175b31d34d9

SHA512
2ef15e7a70a47523cb4f9e8598dc22302ec7334a41033214e9a92ad458ca00ee0932f1518168292b2b3445ba1e21cbb2e582dd6b710b96a64c9262b7447e4278

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
69783a53ae1e17dbaf26ea95a3b8ef58

SHA1
ad87688a025f9a88a54d612a27733ca7aa2924a5

SHA256
0baf4fd3febebcd23eb9f37c94d8796c830a82191a8e8301eeef397edc0d3165

SHA512
225c60648c8296eb86bb777e736bfef4bafdd67046e2557391a633fb6c99bffa0ce6ae850ee48fdd986b82967e0b8739a2d3782aa9de715268c6e2e027cd2fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0008b624fd6d252a7a64947b883bc58c

SHA1
a7c12841d8dfecb15bdeae14fb46b00e1d09645e

SHA256
c1937f9f562156a6c8c103741099ed98dc8a0be5b637ed3895b0209d9dd3fa19

SHA512
3d7a29164f25b52aa9fed8ef939c17744ed14261656986171998602c9f2336be97d967e371d8cf8690c3ea33c2ff7eb2081ee1c68e1f7202af3215e5d0308cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2c8ad14714f48daef3d3536a5aabcd88

SHA1
eb3137641bd00f0d7472622341001fbbc0f7e530

SHA256
c15d43b05116e46081e3e18791eec398b3fcfc8bcfedb4fd6ef4b3bc72eb4d4a

SHA512
92c2817f287d147487438441d72a314cf39b07b2ffdc1133890920a6728bf3feb32175cc749cb07526df238289512dff71d36258797ee56b8ac5a5f825f69ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
96ee207233548856eaf2af74e95c7639

SHA1
74c377e51bb2a2d4121f7f16226f2c4fab54fcfc

SHA256
ecb5bce4a32d25058d506be3ec8ccd15be261f6d87221765aee13ffc6f578fc6

SHA512
f29c3ae96c84bb1266cb98b82c16488172db575c6dc5948bfe5e0d3e9d0d8c27b4e4a1f1e504519f69ba35f548b36c5577c11838c5db69623acb111659240427

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6fa91f7e9e464b6e2b9f2650000be57

SHA1
f70c1b235c318dd5056285d1943a7239ba39eb71

SHA256
0ce529cc66af4ff74f88a99859feaef1f90139573c0f47ad392f9696ef9a6f1f

SHA512
f55423f05a28f1b6b71eac9757a393fe66c09b5d283ce30140b6201692475557c9ae895f61fd466e062c654d290ed8933231753a056a2ad27a671fdc8f76282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b037c1444f5f7077ca4257e2cb98ebb5

SHA1
fe41c550bfb75e2c63195d4126dc723818bdf48d

SHA256
96c2cfc1f218a09090f2179dbeb3feffcb5a266b07cc42110f20b4df58ecb8be

SHA512
793dfa99d3afb3f9e43beed4def6bb3f40efe3ec5a6bfe18f5a158a5349994a5650ed395fee49c60129d8924f3b397f49a38ed81c8f8be2191db28a5be0f5096

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
594f609c9e03ee9305ae27873b252169

SHA1
795d63f4d3fa76e5849fd96abf658518f054bbc1

SHA256
81bd01ca40a133230a34b2207eb686b2784825f821a05386a8b601c4db2df38c

SHA512
8527b19c4d09f4f394ecd9077e309d33b438845592367cfc40eddeb5c150ce7516c3c4ac5badcf7490a4512efbbd6a2f99ccaa4d7dfbfc4d99dc432fccd622cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
54f0a5bd164879548dc4cc44c18e1802

SHA1
f941b715b0e141b53ebdfb7f98141dd63649d18e

SHA256
5237d079468e9e7f88f85051b4210658d4db17f40bae5ce9efb5a61a1731ab47

SHA512
1417e5165fb004d120aafa8e5d4576b7d0141c5c9ec03d432c72598780c2966566dd2a76dac2fc7c01362051bc1a469445d057518cf1e0ead389adc3efed058b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bc2999da9a332c8156591c8f31a69052

SHA1
a6ad7506ea21e038e92a831a33115fe06b7449fe

SHA256
b0337be06d6fc16bf81faf09905afc699991a79060a1978e539e0aa7557bbc4c

SHA512
51cddc1af98646a8c476411799b6fdd34b138e468d6c19b204dc65f63a80fc72a311e44529a879cf08e81062e16d15688b521d6622b6c228c5c438ccebcff8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d1393bbdac881cc474b4742caef0830c

SHA1
42863ce131f5fa8055f9df355f081cf5bdd2837a

SHA256
897bd4d2c8021becd9bf65f7ac12845d46d6e5682c5c6bed039f08f72de6f420

SHA512
f12db83065c73ff9d9e8376fcebf74a702a379f6ade190dfda2a630d78c28b3ec7e75ac291e34725787a8480858d1eba454e80179aa95d39d73191dd0a0f5c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dc83510b4515c7e793e63121af624211

SHA1
5ac6a53ef5d194f55bd17bff1ba48d33dd837ecf

SHA256
d7672157b68695873ce4f22bf2e7e1812e0b758ee923bc17a16d6b34c0d75306

SHA512
1d76d9165ea8dc5a9bf20a6ecbafdf71449f6388a1aecb5cace93033fd2ef45fd8aaaf1d8f770e5df8f22dbf1bca2664002bca8503a3f45af74f5d9206a9ea71

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9b29e52c8a0f12a52bbb6a3641a2a269

SHA1
c502f15d2259421c697b0c89f90bc02ab972fd81

SHA256
0c7e8647d411d754c158805041e969ee39fda4547be3c1561a147bb1858de6b3

SHA512
2c0ffb94b2814b6af7f5e85fad829f0d459f04aa3be65ecd97efd1bb4ecdce37c05b92d794677356b3d171084d472ad3d8f864e3710a8ec2f29bae9a29f31be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a9e63a44ed54c71d282253fe698bf76f

SHA1
115cd0493c71a326a3054e4ba658843cae69697b

SHA256
614058d348e0ad4b2dbd4bcf8f36d241dd02de7c60286c7a8fa03ec38d95b9cc

SHA512
3f2fea7c38ce8a7b71bba3563bf1d57edd97d236d9c15017606b2cb8fe6ce643208eddff1f0b3d31583076e42f244eedf8702edca3b37f791cc57111b7b93cee

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\1.exe

Filesize
44.0MB

MD5
320d8f923c864cb1c1323c07dad13c63

SHA1
f948e2e49a7b3177c9bfcb73f714642ffdfe53e1

SHA256
434540895dab5015a3bc8b9845394bf4feb3bda0f0a5e37acd0ffaf45f5ae3fa

SHA512
f2db945c6506e29651c97706e6fade0b55b69fa94decbe26f32f6cfd2450c746abd0744ace909ffe36d2cb7fff42fa6953005e446ea3c48457a509e0c5ab41c5

Download Submit
C:\Windows\2.txt

Filesize
43.6MB

MD5
bb630fc6a4f21159f864c736908cf9d5

SHA1
392389aafe1a105b531249df607de542b8b66c19

SHA256
0a200948d5ae59ed9fb9276d252f8f9a32c463cbe0b31defe1da2f2730912099

SHA512
af94e33bba4fa1764088abed9f3a92fab31b4ec189678dbbd6e2e2cb3acc0a05cdc796781f572eb1a71db182e5955db9d6cd5718aa52387dce37928fc1fb53b7

Download Submit
memory/1736-59-0x0000000002F80000-0x0000000002FD7000-memory.dmp

Filesize
348KB

Download
memory/1736-14-0x0000000002F80000-0x0000000002FD7000-memory.dmp

Filesize
348KB

Download
memory/1736-9-0x0000000002F80000-0x0000000002FD7000-memory.dmp

Filesize
348KB

Download
memory/1736-5-0x0000000002F80000-0x0000000002FD7000-memory.dmp

Filesize
348KB

Download
memory/2016-358-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2156-111-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2156-16-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2156-24-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2156-21-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2156-328-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2324-31-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2324-25-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2324-38-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2324-432-0x00000000051D0000-0x0000000005227000-memory.dmp

Filesize
348KB

Download
memory/2324-356-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2324-354-0x00000000051D0000-0x0000000005227000-memory.dmp

Filesize
348KB

Download
memory/2324-332-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2324-330-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download