cybergate | e18b61b508bc8bacfc43106544d440b0c19b9c6694d15556560c16e3c13c9994

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
Size

695KB
MD5

e4fb78d1e6885b5ea2cc06ba9ae1779d
SHA1

f9d1aafbf67f91bc90ee39603762843f1b95048a
SHA256

e18b61b508bc8bacfc43106544d440b0c19b9c6694d15556560c16e3c13c9994
SHA512

5fc90dec3c14033997ea9257f60fc10065698a44171acecb980f7f58b11c8094cb31b70ab1c69f5e888b98b8939774d220038dfcfe18159fd04f88fddff1a067
SSDEEP

12288:BgULK8K1euqZfKU2o8pet+O1HX1wUNlyNwyfANhD0Xs1n+J7wCHceW:GcK8K1nu1WpeMOdFiYNhDB5e

Score

10^/10

cybergate virus1 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

virus1

127.0.0.1:998

Mutex

D5EE4UX1EEDUUU

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
winxp
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
File 3843os29.ocx forbidden
message_box_title
No file found
password
1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Executes dropped EXE 29 IoCs

pid	Process
4900	server.exe
2608	server.exe
2196	server.exe
4680	server.exe
2660	server.exe
3608	server.exe
3524	server.exe
5052	server.exe
4976	server.exe
1640	server.exe
456	server.exe
3368	server.exe
1040	server.exe
4624	server.exe
4244	server.exe
4736	server.exe
1760	server.exe
1576	server.exe
4456	server.exe
1416	server.exe
4972	server.exe
3692	server.exe
2792	server.exe
1928	server.exe
3484	server.exe
4356	server.exe
5084	server.exe
1032	server.exe
4752	server.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\msconfig.exe"	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winxp\server.exe	vbc.exe
File created	C:\Windows\SysWOW64\winxp\server.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4268-14-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4268-75-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4724-80-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4724-100-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1712-170-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/1712-172-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1492	4724	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
Token: SeBackupPrivilege	4724	explorer.exe
Token: SeRestorePrivilege	4724	explorer.exe
Token: SeBackupPrivilege	1712	vbc.exe
Token: SeRestorePrivilege	1712	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4268	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 2596 wrote to memory of 4268	2596	e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe	82
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56
PID 4268 wrote to memory of 3540	4268	vbc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e4fb78d1e6885b5ea2cc06ba9ae1779d_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 84
        5⤵
        Program crash
        
        PID:1492
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1712
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4900
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3608
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3524
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5052
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1640
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1040
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1416
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4356
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5084
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
    - - C:\Windows\SysWOW64\winxp\server.exe
        
        "C:\Windows\system32\winxp\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4724 -ip 4724
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
6e35a45b1a5123fec1b20a21042903e9

SHA1
1f784ea41e6fb96f9a57864eae38db10427b9efb

SHA256
24583fb2d040126d100df00d26ef469cc9ddee626229e6cc146bd72e11312a21

SHA512
ec709615d88b4d825f2d2617a3267a648cf9c4c80c2e6b3eafec7be36d0cee5a9f83c9be8e8dfb166ace3a98b721e4eb4c3e08af5b1b9ec3c0c15078b49e7bda

Download Submit
C:\Windows\SysWOW64\winxp\server.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1712-172-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1712-170-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2596-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/2596-10-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4268-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4268-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4268-75-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4268-14-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4268-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4268-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4268-168-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4268-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4724-18-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4724-19-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/4724-80-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4724-100-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download