cybergate | c99f71c5e85d555aed7e4f7ac609e380948eabbda0bd9033445e11b864eebe81

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe
Size

304KB
MD5

e108eadfb1790190094dbd0684fca40a
SHA1

ccbae2f3e6d8a04b2fced045c00e4117e9a5ba1d
SHA256

c99f71c5e85d555aed7e4f7ac609e380948eabbda0bd9033445e11b864eebe81
SHA512

a0335cc7001a86987531daeb5ed2a13e49239f18ed14c6191063f7a4ce069a0c4bcafff756e4d33ec470f3982439f47fc5c81dea09348bcfa61967e5eb895928
SSDEEP

6144:cS/8ZEXdqWahAUkK+jqCv4tR0yQgYETWprYgcvHa83ivqhMOY7Y0Ud6RgKkW:38ZZWWA9KwhwR0yQgYZpPWHvLYPUAp

Score

10^/10

cybergate hish discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

hish

hish.no-ip.info:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windows_KBE47F3D
install_file
windows_up3863.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Cannot execute program.
message_box_title
Error
password
665733
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windows_KBE47F3D\\windows_up3863.exe"	service.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windows_KBE47F3D\\windows_up3863.exe"	service.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{KGK5Q0A1-26P2-6L47-DK12-44MCE254JN2O}	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{KGK5Q0A1-26P2-6L47-DK12-44MCE254JN2O}\StubPath = "C:\\Windows\\system32\\Windows_KBE47F3D\\windows_up3863.exe Restart"	service.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{KGK5Q0A1-26P2-6L47-DK12-44MCE254JN2O}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{KGK5Q0A1-26P2-6L47-DK12-44MCE254JN2O}\StubPath = "C:\\Windows\\system32\\Windows_KBE47F3D\\windows_up3863.exe"	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2916	service.exe
1372	service.exe
1804	windows_up3863.exe

Loads dropped DLL 5 IoCs

pid	Process
2196	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe
2196	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe
2916	service.exe
1372	service.exe
1372	service.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windows_KBE47F3D\\windows_up3863.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windows_KBE47F3D\\windows_up3863.exe"	service.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windows_KBE47F3D\	service.exe
File created	C:\Windows\SysWOW64\Windows_KBE47F3D\windows_up3863.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\Windows_KBE47F3D\windows_up3863.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\Windows_KBE47F3D\windows_up3863.exe	service.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120f9-3.dat	upx
behavioral1/memory/2196-5-0x00000000004F0000-0x0000000000547000-memory.dmp	upx
behavioral1/memory/2916-348-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1112-546-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1372-573-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2916-882-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1112-908-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1804-911-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1372-912-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2916	service.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1372	service.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	service.exe
Token: SeDebugPrivilege	1372	service.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2196	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2916	2196	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2916	2196	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2916	2196	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2916	2196	e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe	30
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20
PID 2916 wrote to memory of 1132	2916	service.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e108eadfb1790190094dbd0684fca40a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\service.exe
    C:\Users\Admin\AppData\Local\Temp\service.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\service.exe
      "C:\Users\Admin\AppData\Local\Temp\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1372
    - - C:\Windows\SysWOW64\Windows_KBE47F3D\windows_up3863.exe
        
        "C:\Windows\system32\Windows_KBE47F3D\windows_up3863.exe"
        5⤵
        Executes dropped EXE
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
e78565e062590f7e61cd557019412031

SHA1
03ed19476205bcec4cc764b82b5f43413da95420

SHA256
18501522a2acf18825e008114aabea4b053a877501437285f792043daca34098

SHA512
86cce46a3c43ebba6ff911d9b08256d8986f0d23be422040a4495d62fb750a64bfdff3ab9b56957ce997b52a2d065658a7c7b8d6cf92c1db28badcb9bbad2783

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3d12cdbb37772309f0afecce1930fcce

SHA1
04fe0b54aaee5643902638509a6bb56a5e495f46

SHA256
079bd44862a934aa5097104223b64a7143386a0e6a79dba025875e76f5b7525e

SHA512
e79a7d4723a2f271cd3e608259da13670cebd96132c529bce69107e3e30abb8ae7c313d57817c3749f9e41a197e262021f56cec5a4801b1510e6c4d0375ff409

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5bfaa0a0aa49ea22432f5db0873ddeed

SHA1
e3c11d2ab996eb23b1d4c71766fc8771829d2ea7

SHA256
ed93113c5ada2c9d8136d1cc839a0614f2eacb8df0069b9206e637d7eb9847bd

SHA512
d4f768fa9290c447e653b0777516c305914abd9a5653b22d1524b4922c6ad06bdaa1ad18eab35ab3f31480e58152a1b77f6dfffe6aa7378287f20456f4c88aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4dd78e415a19cda29a12fd2d42330b8

SHA1
4644fdb0137d73102ab150ca32eef43a1b6ca9a5

SHA256
e59f1a6a794adc0ea7c41b7afa328fa7a51f2bcd74c6b2715b4a717190b1ee05

SHA512
91095db3266a852d5f4808665ef6bc5be6cecc7eef8f909c2cc359939da4c1e2580b54a624dfffef79db8a4c5b015db2a4cb7a0685f8a191ed02c375e12b86f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df9c2d6f6c9f56c2b105e66d7055a8c4

SHA1
3ad33c1fced46d70eb65a6bff71c1316702c1772

SHA256
d3153df874691d5b1f1f62ddc40868a33acdc88127d00d1aab0e6909fc4fe1a8

SHA512
81d0a1746e58aedd29ad4437ee7de106e3552b67e9d410753e20a76e8f4477634f046a7af712c8df1622615f3104a0d26a38a1f2b0b35d35f2105ffcba92eb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3562e6d6ad1be2f39f5be4071483efa5

SHA1
52753f3b3147963c27a978e8205e3807e7ca001d

SHA256
751adcbc7e01025d984c1c1a648d83107cbbe5459c12a8425bc4dc5034942a6a

SHA512
2e8a45dbc47651c141d27541f021cfb11c1e151ef00a97b64b41366391f4747e7d2622e4b9e7c8443b4956b2a6b2c2733c10310acf8ce3a017e566dbfd197541

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3576be8b978789f3652b3e9a40a7120d

SHA1
38673009fb40b34f5099296c8213249f03ed6896

SHA256
5db053e5a45aa05eb0f0882db09409d0be0a53531dd517aa870f1e45c172ee7e

SHA512
1027187a447a217048e1c3f42a79dd6b94f977ffa03adc0a7a1d66bae7b8e38e63014ada03bd716e07ea6aac657a9f9435772980fa7ac5416cea51876f7e4f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7b97f644c44dba118d9918bc46def05c

SHA1
e99f05807bf84b2c6e4e18daa12c6b7b1bf70816

SHA256
9bbd929a02c44461db36164a98ccf2401ecb7d33a019637f1252e31e78352b09

SHA512
565d88055fe907ebbdd708c6583d63516f4b430f580cac347e3626303377d35e1bd644774649c3da858eea461a73e8184734eb861bed16f3a5ac7064a6321629

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
864d02aa90fb1ca206bb9a087aa422c7

SHA1
b6c05565aa9be4d338b1e3a9c01193eadf4f0159

SHA256
cfdda7f2a92609c67adf92cbeef2a28933d08b511dc2b4004984c09797f08476

SHA512
9597a120329b932d50f2ec00299b40eb9fe1995174e7f1f054c9a8f46bff7768d6907b596155a9c182a6678345ec4aaaee3a06569f12950ea3cae141a46b025e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2a23526cc40cfcfe6ec31735951440a1

SHA1
f0af58e7c10e8d54083cb02dba9cfcdc3c8abcad

SHA256
a0c0dc833f80ad9c49ea0358f7ff05288f65d020bbaf02fce163809dcebb1fa9

SHA512
1727d37f4de00882f5a0de5ab3b0d55e9918a70b9d4743646037fde8f8486769d985d730671e3aee10b2a09ed05c5129e749f059ad8ba2b52ee194ec7b6f2c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
093bdb6820a31ca2245f996395ecabd4

SHA1
22fa2a23ba207b93f92872161e77483efd08ea05

SHA256
ff5d37a1d36657845a065940484acb1a9e3d5d8776d5530c4f80883c143f0822

SHA512
58151ceb6d2fa46747403540a5aff06704cb05eca62f40e8d8ab76d7f024497077b1afc582b657bbda5bf081c4899b08767250795348e9a2c8d1fb64dc4250a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
35f0ae9ab3a9fec71b9547429f178f16

SHA1
e52ac7097c8846f004fe5e0b4c2b6bf10ac78ad2

SHA256
4b7e2b76b014636cdc29abc6cffecaac554bab9f057cd2ec4b00db39902500d1

SHA512
15a2cae2fe7562c08cefb5dceb29a8665a0eb3b4422b773f3c6086ac4438b1b2890d68d5c23cd69690de83b607eafff739073ceb96efdc7abe75bc1d24ccd370

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c6fb296a10acce27990f463cd2fec6ed

SHA1
0f01eb91323bbda4b487b7a4d2d21f74815a69fb

SHA256
acba82cc5cc89e974a1df6aa7e98a98038cfae4e2e9dd8eead1fcb24a7c3a3f4

SHA512
74b153876e9799e9b9654848dcaa59eeeef776bef5b9e0b95c5b669ad376981109e687c243442bee691d5633e3364d7ef8be99a5fcf37e759c6bb08b7cb10ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7617c51881ced2eaeef746da191fffb9

SHA1
f47e2338e619f5f1a4208c8bdbc0136c840f778c

SHA256
81959a73ac5a9eb1b63a9c7824dc1e712a41147f28a4672234bc56796311e86e

SHA512
b9a5e480939c20d322c8be20ab96b4dfeebb18fee35adf27d0c37f653139dac523e28a715a037597675f6cfa2b05c818b5007fa7b456f982a84b23e4759c7cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e38be8a402f1c7a613c28587021f6c70

SHA1
4df107591463ec1edc4efb1cfdbb7d9c89f13394

SHA256
298bf0732f59e72330044902c8e49377baf9afb945ac93f84780a5c471ee4dc2

SHA512
6b12a48fc8c6702198ce2d6318bd9e39a1dbb35bf49fa2ca258e2f5303e121c54fe1d3c86b1e8436b69359b3cbbf60a9c18d0f486be36ca74984bdef7d4a6726

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3fe56c5b8b67b7abb3231b1a9ec8fbf3

SHA1
60be2f0b33fea05f9060062a66b1a4bb626e4bc3

SHA256
9cb50e7e0e0d259daf669e506f59dc02db57c4ed0882035dcb6aeef1b8d89b2d

SHA512
fc0852009a260c32cf0b83dd791805fbaf64985352c97fa37699b3b896b8935d9cadce67c2f72cec67557a69a41a79c4f941956d221757aac60b84552bd84fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f03864550b55a85015d06dc38d47668f

SHA1
abb23a0529f27c67963520bf25f352c0af006806

SHA256
a89bc1795ed2e317d694a4b627650db92f3a04d730325899b3dbc13ab4ecf79c

SHA512
2052cc55b7f26abda46ae20e74140dbc218cbf6d68356fc8d12400016e2fb5323daf3d20b15484a408ca497aeaedf32dfacd3bd80cdedb2b421cc1c6e166746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
20deef5a6584096077a375cd264bd561

SHA1
87367287a677f3d3f2f7b47ff0587cd4f020eba8

SHA256
4036effb186498c01c8399a9d23de69dfa9a52dde3627e5390c4a47a8e3154c1

SHA512
02563b173513c17f8e998e3b7f09df459856a9f8874f68eef2a6ac727f738c84b967f69c1b509faab2054d0a57debe529b211a15c7b56a98ad7f5d6011391452

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
332c9250db92117e2e472108d106a1c3

SHA1
52972441850dff32b9b414832b3b77d89ad85bdf

SHA256
29b3e96c8851bdef17cfb56de31f93361e17776c95e207364773fc93d98d67de

SHA512
048247514c638fd9cd2722ba06e4f51f816fedbb563ef9239082c55608602a6dbf1766ccd4d9ad0e82bea730e2ccdcbeff519411ebb511a149f94c6905f0a0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f6d9f9fabfa9cf756f1173b5d97069cc

SHA1
272393bf1577d857fd5ed09af34cfb5d24f1d5e9

SHA256
8774d1f7fea16c23afe0dbf8a0e378b265a8971daaacbcdd02040a5d35117147

SHA512
8ed734d1ebfa6b80e5bf36ed33327dc4b969cbb3995a666983eeedee260119222b4010841f9a2706a6eca512a633ee646b16c59289c1212983f5844df811237b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3752c28cb6b068f0c0b403c33cfbc7a3

SHA1
0c6189a7c0915141c13a6ad822a4dd45e0ad6abf

SHA256
461c2939b94a49dc1cbdd99afb521bf2e6eb1a771a17e1b853070c2cb97f1767

SHA512
a0a95d66b6a057311f7d8f9242d9758541b695e73b7e5c5ce3bb69686f9ddef80c6d3ab7148d26656e7f5b6a66ad864e1fa1ed7301e586ef0314b4ef6aaf7e09

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\Users\Admin\AppData\Local\Temp\service.exe

Filesize
276KB

MD5
00494b37f731bc50a3ae6c55db31463d

SHA1
ee8360f0439de838b8111c0fb311b8b969b39950

SHA256
7d706bb4cba86eed7bfac1e48728468baca9cd7d5a52157ba6f2ab73702f5719

SHA512
265600ce462ede5ad5a66ac57c8044a25532ecda822b4c70bfac6a27c15d709177427d0a6db5fafad601e07790d0a1321345801f542588f416d27fb52195d297

Download Submit
memory/1112-259-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1112-908-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1112-316-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1112-546-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1132-15-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1372-906-0x0000000006A10000-0x0000000006A67000-memory.dmp

Filesize
348KB

Download
memory/1372-573-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1372-913-0x0000000006A10000-0x0000000006A67000-memory.dmp

Filesize
348KB

Download
memory/1372-912-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1804-911-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2196-5-0x00000000004F0000-0x0000000000547000-memory.dmp

Filesize
348KB

Download
memory/2916-571-0x0000000000460000-0x00000000004B7000-memory.dmp

Filesize
348KB

Download
memory/2916-882-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2916-348-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download