cybergate | b3ad3ba020b1810a32789f9cc4f253f7b545a8cdb760ce590a1a89fe75933241

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
Size

321KB
MD5

e379f7e08b79fd151180d2fa8b543fca
SHA1

3778705117be9422d2536f432b4970b2c3955a46
SHA256

b3ad3ba020b1810a32789f9cc4f253f7b545a8cdb760ce590a1a89fe75933241
SHA512

b3978b13f3c1caa503c4dad751a9e871d165b1a530eccedec00c1f771c70e635c3708197fe0cba933b2302ffdafbdcbd8231736f5dbfbe8e539f182945dea901
SSDEEP

6144:698cmu95u34w3oV2WkvWk2Y1lU9+RqSEZdmEoAlK3rP32eA:69jp5OBooyk2YU9WqVK37JA

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

escalera512.dyndns.org:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchoist.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_title
Paypal Hack 2010
password
1
regkey_hkcu
Streight
regkey_hklm
Domain

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYP23Y32-DF34-5602-NIGQ-4PY4H22P3786}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYP23Y32-DF34-5602-NIGQ-4PY4H22P3786}\StubPath = "C:\\Windows\\install\\server.exe Restart"	1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 2 IoCs

pid	Process
4432	1.exe
3128	server.exe

Loads dropped DLL 1 IoCs

pid	Process
1560	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Streight = "C:\\Windows\\install\\server.exe"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Domain = "C:\\Windows\\install\\server.exe"	1.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023c9d-6.dat	upx
behavioral2/memory/4432-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4432-13-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1560-22-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4432-34-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4432-17-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4432-79-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1560-86-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4432-85-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3128-109-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1560-110-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\install\server.exe	1.exe
File opened for modification	C:\Windows\install\	1.exe
File opened for modification	C:\Windows\1.exe	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
File created	C:\Windows\install\server.exe	1.exe
File opened for modification	C:\Windows\install\server.exe	1.exe
File opened for modification	C:\Windows\2.txt	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3892	2508	WerFault.exe	81
4136	3128	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3700	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4432	1.exe
4432	1.exe
4432	1.exe
4432	1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1560	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	1.exe
Token: SeDebugPrivilege	1560	1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2508	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4432	2508	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe	82
PID 2508 wrote to memory of 4432	2508	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe	82
PID 2508 wrote to memory of 4432	2508	e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe	82
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84
PID 4432 wrote to memory of 4704	4432	1.exe	84

C:\Users\Admin\AppData\Local\Temp\e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e379f7e08b79fd151180d2fa8b543fca_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\1.exe
  "C:\Windows\1.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4704
- - C:\Windows\1.exe
    "C:\Windows\1.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
  - - C:\Windows\install\server.exe
      "C:\Windows\install\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 564
        5⤵
        Program crash
        
        PID:4136
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\2.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 880
  2⤵
  - Program crash
  PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2508 -ip 2508
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3128 -ip 3128
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
837fde7b432937936d6210dfbb0627a8

SHA1
43d66486148868e92ffd92743c20357a771aa3f0

SHA256
cebb2cebc38df1371fcf43263f2d82e1400cbddea313bed1b785e8ba7cc23655

SHA512
c4914c86e093fc2ba9c5d48c63fece5a4f541d01649561eb1dccc0a7500defd86ccb869cdd09c897880e14284ca050d5451d3b382e87c3653285497ab1ffef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
381202d2c5374043d99bc778c5fec1d9

SHA1
2a8bcaa59eec725dc1ba39aa72f2937d878357e5

SHA256
691f0366a9b027054da8348c41c5176eb4a5a2df2125dc16ccc08958a17ccac9

SHA512
10fceebea974070d352cd5a3efffb91c94d792a4baf9f937e4e4a06b3b599e48da3f3b30d1a62da3494278bd4c7e6bd41405cfb7ce66434c2c3ce44735e87661

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b51676b11ffffc4737bed107d8617d5

SHA1
54d6a6cd60e63de5b966b486cd11c1517eec5403

SHA256
23ea3731a64d5b111ad78d7f409d650efa8c86b3202ae3451236acb6a9b10cc9

SHA512
8ca3db3438f04ca33338a7fa5c037b212b213bc3ddd137c5a2ca52b75a1157da1e83cdabe379eb2a93cc12e9eb011aed9c27acc10fef88582e2395379076bc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77197ab078120ba8427dce28b05f7e74

SHA1
33afa133ff1fb332882d555f728437d571b94c1d

SHA256
93007f146c9a761b5cf17bd4cac84f7bbb9e4a049a3e9f49be1ba14b21dd9d5f

SHA512
ae871046d21aefe2f3bd4198f123fc994affd5596f82b71e46a61c45e4a715ecdc4f09ec9e37bcece4c4137d397603a737ad9895a61ef4c789a9781e6393eb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
977ed539e8d641bab8fc12c4ef9a4c94

SHA1
3d002668222249939bc005a83bc88a61a0f292d9

SHA256
3a16f1be3b307dd35f623b5fa0d4398b35da829d2113d4078daae59a5e170771

SHA512
d13357749b7c8316027a134b622dde68982effdf8ef9f9a773d5929d23c0614753fb5b445cc25bc9ddf502467e053e321a0de5c46e6fd728b6c0d5bd984bc2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
03ae47a016f125917261b650e0252608

SHA1
04a10401132f412f01c4b521749635afed177175

SHA256
9bb08e4a2d3955e203bf3ca3c23b055afb22e8fc6e5ce1ba3a8840bf5a6260ea

SHA512
f4131d2d2033b70ab93401714e98e72fe31a5935d0425de2ce0bf9ade1df524c8f6e820dfe2c3ed29db35bcedded26d08c644b302b3de775b3a517bb8b195213

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c0f3e36451e42184be5bcdb9034dd4ac

SHA1
79b3bf32ddf1986671af6327575b61598bab622a

SHA256
92c2f322c816ce89a75de313c908c976ffb57cf829457165b70eced141283b2e

SHA512
f40a9e9b4118dde4630d6dc4a9a7bbbe6a10d1a50f5e5f5af535769430e8790386794dcd2de4888eb5a0d49ed97a2e20755ef6a6bde00c095fcce3527991b8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
664e9216c3d5c43fb0bc488c5aca1e4c

SHA1
487e65cadde856f0dfe381a870092e7c0bcab60d

SHA256
8744ae86f85e5ac47215950cbcfbcbe79bf4e613972c9cab4659805238b5771b

SHA512
9f009db2053d145d3364308214529529546249a752a4a3993fcfa3b6f07f54c2dd814ca7da2a08789cb97bbba8882ec4fe5239aae5f5575384190934d3f396b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
af4aa6de271212a5bdb91cc392a4158d

SHA1
6f3742cbabd681ee2a1d83037799b99dab2bf927

SHA256
f4062a5831c20c7a6ce8aaaebf06068741bda32e411598fa5ed127544b1db675

SHA512
e4d95c88a0be2957b8bedaa1597e90b9251b5f0a902354960b835c852a7d2e2a55a812ba62b4a0d1b7fa225ac6777610e7e1cb68c2a77fc6410c1b96295ca927

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
488a51d0b58ebce40e34f75e66b6bad1

SHA1
1809eec08ae45d030106d2bbaea4816998bd4ed0

SHA256
622a2c9b1aa99879aa0f2ee1231432072a65bad33f6fbf97f1f8bab839552cb6

SHA512
2f41a9d36d9f2e3aed59f28faf6bdfe783c5aa9a5ed8f746e71a124e8b478fb697e7a94da457431df933e0269cae1fa338974f08eb1d0cf2707ebba6119ce8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7f0aab09facd1b265c11685978fac03c

SHA1
e1afdaa56a873483e1be9a48abf367993b63bfb7

SHA256
d3f0e69a49d14f55726db295debedae8fb78f20988bb1d730f1c00a0ddb00ac5

SHA512
f62f95e339c786e3e4e4fb2981c29a048647250716cc6a762c881f4b7a356aa527c72cfa2d25690852b7cbdb221d296db7184b1b4444c3851f55d9ebb396ed35

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9c7703c670da003a97a36b9970ffd4f

SHA1
37b6a0ec8832746030fae92abe0daa3127cea43e

SHA256
281ac1148f87198507f63a94b35d9207d1a5c35983e43d898a9ac71aa87ff3a9

SHA512
20b8306b192fa547ac711e7287c77e8734af78b1ea527bb0c2df77922987f7ecd67ef969b1b81c6ba50efa66c9a1888f55f111dd84078dd1709f0b78d3a0faed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bd85ec10eff9ebe0b5dd04b993699756

SHA1
a86d085a5766d6ccf7ac877597fc31befeb4c1ad

SHA256
6386301f3d8bafaa87f37bb6ef71730df29a6cd6ccb76d1b9d3b2acca3443858

SHA512
8fde265fe91558d508db4352d00f36efbd0ee9ccf749f9ef38c69dd2ddbb04c94a9a26bca1b742df12a2402a7b86276582382143550b705a1b2cea4ce4f49ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
22d6eddb3cf6354fd79eaa9f91f1ead0

SHA1
9ac7c1e5ecd9774dbec15bc53a391087da7dcc35

SHA256
b7510a239cbe6a7168f8a6fe7231fab9da1af545a5cf2d2735b480d9da5fdb6d

SHA512
3f46c8baf2e09efab221f92b902d6c6dfee5fbbc50b011d83da5b487c9226b3e34d9896359617ee12f2e0e605dc8c68256a38fc0289c830eea218827537f41aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fc9f8cdf8fe11cdfb8749ccad85e5ad9

SHA1
4399ddf0524b44dc63372281d4b84300adfde0e1

SHA256
c24c21ff4f805879b52fb4d3b81171717e4dd9d676d5bbf1cc04cbd67e793353

SHA512
0c080564c6fe82a6d00dd602258f1f61c1e681a68d8d23b7e2b00565b2508976774a87601158919ced92e0a549e50192f118f7eb98a34b58d1b4864b57a65447

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a48c6bbacd425971b1f002bc5b790a7

SHA1
12aefa71b8115952bb137c115f1ff71ebb20a6bb

SHA256
c20de6617e234b991ff30634747fd90c179d06697354df7fc3beec4bd468ea98

SHA512
e100b4708e72550460d76cdbf1ed8ad502b2d577fe52c4e9d6f30ff80a7a8981417b7f5dab390d3057d9ff05a2425569dc12f9fe37e9f450f42cd104cbda4bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4290849bd5aa9ec36b8fc9bdf1ff9680

SHA1
c7f8e4c0a06147afecb53627c04c8b317d356b54

SHA256
880cbbdb0b06020f4df05b835b290ed9a5d1dd785a82a143e33f7abd8c6a2566

SHA512
06026d66b492720d8c95931579af0fd39c80d405efefad1811d5604f6ce27d041d26b3f6048b8f0dbd3c48b771b50da0687f85e0a581631a7c61d6a5d509ea9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
90ae675434990791a99ee26e1966f11d

SHA1
f00fab4b607df9305c4ed836a0fd2830d0673f9f

SHA256
6ef4db552e1ada541c704c262725f7d89c88838e78edf1c6556c7d39c88b5658

SHA512
3acb548634b83beb3d50d74ad1a1768500022e213133f16226bf5bc95b206367ef787e347daa0a7e7988cc98d952559d15684633f9b87757d133847063285e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
36db1c586253e970b1f17f8d7099655b

SHA1
1baed594aff52d12beff4670b860870e47c2661f

SHA256
b51331f865a8cf8b9d38e20719da06d213edc3552cc1f34996ea8f49ccecb667

SHA512
6ea4046680b9dec44cd785c216392bf0ea8c9d1bea99953d29eabc6a36ad7f497bee361e040df1b2aba016d0ef1c3b6c82e160bb82c38b041c4a6bd89a9a5282

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
316f99eb3951ca42dd29f77edf04756c

SHA1
930ec4a24289d3f85c17f005dc1a69cc739c5d10

SHA256
8cbac58704c99591044bc11db603c47a658c0dc7dddf148daef30513dd90d0a7

SHA512
97dfb199a2b72ca842026058ddfce0a80f3ed04d28a20723617764210770c86ea838a3531bfe94e21169de490805aa398356d5159935535232644b0549e89ad2

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\1.exe

Filesize
48.1MB

MD5
b1460e80995956f8f7e29d8652096329

SHA1
d7fef87a7b24a36256efd8c3c6b72cec1654dc9e

SHA256
cba62c5f192d291537f5dcd7ab03e9e4587716dab0bb326173c11064c25628bc

SHA512
bce9ac3d6a055d91249f6418c5ab462933d09bbdb94d71b829f70f5205333464f351129ff03484fcdae7e4de37f253c5d4fa0d1180744ab7548f63962cc3bb02

Download Submit
C:\Windows\2.txt

Filesize
47.9MB

MD5
62bee176367be2b13d83f707f71e27ee

SHA1
3146f4a918b9556d3650086cac670b76d6ebb273

SHA256
d98a58495811dab0760d83b49a8fdb1106d4e67bd9ca6c9243b0edb1f36c0937

SHA512
62444791a17720ea15c8914f376ec8dbc02c764c3cfedadc297271f889503ae3bef97f4b99640efdc9d2d92bc94e235fc7d94d4895f2873c6b9f7e77f0aa3dfe

Download Submit
memory/1560-110-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1560-19-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1560-86-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1560-22-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1560-18-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3128-109-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4432-17-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4432-34-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4432-85-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4432-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4432-13-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4432-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download