Overview

overview

10

Static

static

3

b6b4b6e829...82.exe

windows7-x64

10

b6b4b6e829...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2024, 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6b4b6e8298cf20c5b3a4c601f81cc82.exe

  • Size

    328KB

  • MD5

    b6b4b6e8298cf20c5b3a4c601f81cc82

  • SHA1

    eba6e67d96dc5a6877d57edb3bcd5ccc752c87bd

  • SHA256

    7fa913754340287dd08a5c6e1623973daae180264bd25aa4bd4ee228943e2de6

  • SHA512

    84c1ee603b5c8d774bf8a955393384e1c83b469c02ae6eb02e52ab366b9e4c20a062fd16fb04ecc0ae8eb81d7d5ed59e565417e8eb78a000a4ec4f33eede1d3d

  • SSDEEP

    6144:dg8/U4hXgv5fEgPWkAqc0oeSikk6W35/zTBfIphJGyaXJcj+z:pHhmB+Yc0oeSikJ40JOcjc

Score
10/10
cybergatenaruto150493persistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

naruto150493

C2

cmere.no-ip.biz:8080

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Win32

  • install_file

    fotito.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    La imagen no p

  • message_box_title

    Imagen no valida

  • password

    sasuke93

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1396
      • C:\Users\Admin\AppData\Local\Temp\b6b4b6e8298cf20c5b3a4c601f81cc82.exe
        "C:\Users\Admin\AppData\Local\Temp\b6b4b6e8298cf20c5b3a4c601f81cc82.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Users\Admin\AppData\Local\Temp\b6b4b6e8298cf20c5b3a4c601f81cc82.exe
          C:\Users\Admin\AppData\Local\Temp\b6b4b6e8298cf20c5b3a4c601f81cc82.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Loads dropped DLL
            PID:1348
            • C:\Windows\Win32\fotito.exe
              "C:\Windows\Win32\fotito.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:1476
              • C:\Windows\Win32\fotito.exe
                C:\Windows\Win32\fotito.exe
                6⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                PID:1596
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  7⤵
                    PID:2632
                  • C:\Windows\Win32\fotito.exe
                    "C:\Windows\Win32\fotito.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:1056
              • C:\Windows\Win32\fotito.exe
                "C:\Windows\Win32\fotito.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • Suspicious use of SetWindowsHookEx
                PID:780
                • C:\Windows\Win32\fotito.exe
                  C:\Windows\Win32\fotito.exe
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  PID:824
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                      PID:2848
                    • C:\Windows\Win32\fotito.exe
                      "C:\Windows\Win32\fotito.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:2104
                • C:\Windows\Win32\fotito.exe
                  "C:\Windows\Win32\fotito.exe"
                  5⤵
                    PID:2604
                    • C:\Windows\Win32\fotito.exe
                      C:\Windows\Win32\fotito.exe
                      6⤵
                        PID:2804
                        • C:\Program Files\Internet Explorer\iexplore.exe
                          "C:\Program Files\Internet Explorer\iexplore.exe"
                          7⤵
                            PID:2708
                          • C:\Windows\Win32\fotito.exe
                            "C:\Windows\Win32\fotito.exe"
                            7⤵
                              PID:800
                        • C:\Windows\Win32\fotito.exe
                          "C:\Windows\Win32\fotito.exe"
                          5⤵
                            PID:1612
                            • C:\Windows\Win32\fotito.exe
                              C:\Windows\Win32\fotito.exe
                              6⤵
                                PID:1604
                                • C:\Program Files\Internet Explorer\iexplore.exe
                                  "C:\Program Files\Internet Explorer\iexplore.exe"
                                  7⤵
                                    PID:1692
                                  • C:\Windows\Win32\fotito.exe
                                    "C:\Windows\Win32\fotito.exe"
                                    7⤵
                                      PID:2148
                                • C:\Windows\Win32\fotito.exe
                                  "C:\Windows\Win32\fotito.exe"
                                  5⤵
                                    PID:1636
                                    • C:\Windows\Win32\fotito.exe
                                      C:\Windows\Win32\fotito.exe
                                      6⤵
                                        PID:2556
                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                          7⤵
                                            PID:2452
                                          • C:\Windows\Win32\fotito.exe
                                            "C:\Windows\Win32\fotito.exe"
                                            7⤵
                                              PID:2568
                                        • C:\Windows\Win32\fotito.exe
                                          "C:\Windows\Win32\fotito.exe"
                                          5⤵
                                            PID:2040
                                            • C:\Windows\Win32\fotito.exe
                                              C:\Windows\Win32\fotito.exe
                                              6⤵
                                                PID:2004
                                                • C:\Program Files\Internet Explorer\iexplore.exe
                                                  "C:\Program Files\Internet Explorer\iexplore.exe"
                                                  7⤵
                                                    PID:2368
                                              • C:\Windows\Win32\fotito.exe
                                                "C:\Windows\Win32\fotito.exe"
                                                5⤵
                                                  PID:2304
                                                  • C:\Windows\Win32\fotito.exe
                                                    C:\Windows\Win32\fotito.exe
                                                    6⤵
                                                      PID:1968
                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                        7⤵
                                                          PID:2952
                                                        • C:\Windows\Win32\fotito.exe
                                                          "C:\Windows\Win32\fotito.exe"
                                                          7⤵
                                                            PID:2596
                                                      • C:\Windows\Win32\fotito.exe
                                                        "C:\Windows\Win32\fotito.exe"
                                                        5⤵
                                                          PID:2872
                                                          • C:\Windows\Win32\fotito.exe
                                                            C:\Windows\Win32\fotito.exe
                                                            6⤵
                                                              PID:1636
                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                7⤵
                                                                  PID:2264
                                                                • C:\Windows\Win32\fotito.exe
                                                                  "C:\Windows\Win32\fotito.exe"
                                                                  7⤵
                                                                    PID:2936
                                                              • C:\Windows\Win32\fotito.exe
                                                                "C:\Windows\Win32\fotito.exe"
                                                                5⤵
                                                                  PID:2760
                                                                  • C:\Windows\Win32\fotito.exe
                                                                    C:\Windows\Win32\fotito.exe
                                                                    6⤵
                                                                      PID:752
                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                        7⤵
                                                                          PID:2260
                                                                        • C:\Windows\Win32\fotito.exe
                                                                          "C:\Windows\Win32\fotito.exe"
                                                                          7⤵
                                                                            PID:3008
                                                                      • C:\Windows\Win32\fotito.exe
                                                                        "C:\Windows\Win32\fotito.exe"
                                                                        5⤵
                                                                          PID:1540
                                                                          • C:\Windows\Win32\fotito.exe
                                                                            C:\Windows\Win32\fotito.exe
                                                                            6⤵
                                                                              PID:584
                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                7⤵
                                                                                  PID:1516
                                                                                • C:\Windows\Win32\fotito.exe
                                                                                  "C:\Windows\Win32\fotito.exe"
                                                                                  7⤵
                                                                                    PID:664
                                                                              • C:\Windows\Win32\fotito.exe
                                                                                "C:\Windows\Win32\fotito.exe"
                                                                                5⤵
                                                                                  PID:2460
                                                                                  • C:\Windows\Win32\fotito.exe
                                                                                    C:\Windows\Win32\fotito.exe
                                                                                    6⤵
                                                                                      PID:924
                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                        7⤵
                                                                                          PID:3040
                                                                                        • C:\Windows\Win32\fotito.exe
                                                                                          "C:\Windows\Win32\fotito.exe"
                                                                                          7⤵
                                                                                            PID:2584
                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                        "C:\Windows\Win32\fotito.exe"
                                                                                        5⤵
                                                                                          PID:2940
                                                                                          • C:\Windows\Win32\fotito.exe
                                                                                            C:\Windows\Win32\fotito.exe
                                                                                            6⤵
                                                                                              PID:2716
                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                7⤵
                                                                                                  PID:1204
                                                                                                • C:\Windows\Win32\fotito.exe
                                                                                                  "C:\Windows\Win32\fotito.exe"
                                                                                                  7⤵
                                                                                                    PID:1640
                                                                                              • C:\Windows\Win32\fotito.exe
                                                                                                "C:\Windows\Win32\fotito.exe"
                                                                                                5⤵
                                                                                                  PID:960
                                                                                                  • C:\Windows\Win32\fotito.exe
                                                                                                    C:\Windows\Win32\fotito.exe
                                                                                                    6⤵
                                                                                                      PID:2864
                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                        7⤵
                                                                                                          PID:868
                                                                                                        • C:\Windows\Win32\fotito.exe
                                                                                                          "C:\Windows\Win32\fotito.exe"
                                                                                                          7⤵
                                                                                                            PID:1684
                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                        "C:\Windows\Win32\fotito.exe"
                                                                                                        5⤵
                                                                                                          PID:948
                                                                                                          • C:\Windows\Win32\fotito.exe
                                                                                                            C:\Windows\Win32\fotito.exe
                                                                                                            6⤵
                                                                                                              PID:528
                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                7⤵
                                                                                                                  PID:2184
                                                                                                                • C:\Windows\Win32\fotito.exe
                                                                                                                  "C:\Windows\Win32\fotito.exe"
                                                                                                                  7⤵
                                                                                                                    PID:2424
                                                                                                              • C:\Windows\Win32\fotito.exe
                                                                                                                "C:\Windows\Win32\fotito.exe"
                                                                                                                5⤵
                                                                                                                  PID:2060
                                                                                                                  • C:\Windows\Win32\fotito.exe
                                                                                                                    C:\Windows\Win32\fotito.exe
                                                                                                                    6⤵
                                                                                                                      PID:1004
                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                        7⤵
                                                                                                                          PID:2052
                                                                                                                        • C:\Windows\Win32\fotito.exe
                                                                                                                          "C:\Windows\Win32\fotito.exe"
                                                                                                                          7⤵
                                                                                                                            PID:2840
                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                        "C:\Windows\Win32\fotito.exe"
                                                                                                                        5⤵
                                                                                                                          PID:1676
                                                                                                                          • C:\Windows\Win32\fotito.exe
                                                                                                                            C:\Windows\Win32\fotito.exe
                                                                                                                            6⤵
                                                                                                                              PID:2608
                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                7⤵
                                                                                                                                  PID:1464
                                                                                                                                • C:\Windows\Win32\fotito.exe
                                                                                                                                  "C:\Windows\Win32\fotito.exe"
                                                                                                                                  7⤵
                                                                                                                                    PID:1532
                                                                                                                              • C:\Windows\Win32\fotito.exe
                                                                                                                                "C:\Windows\Win32\fotito.exe"
                                                                                                                                5⤵
                                                                                                                                  PID:1916
                                                                                                                                  • C:\Windows\Win32\fotito.exe
                                                                                                                                    C:\Windows\Win32\fotito.exe
                                                                                                                                    6⤵
                                                                                                                                      PID:2268
                                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                        7⤵
                                                                                                                                          PID:2172
                                                                                                                                        • C:\Windows\Win32\fotito.exe
                                                                                                                                          "C:\Windows\Win32\fotito.exe"
                                                                                                                                          7⤵
                                                                                                                                            PID:1540
                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                        "C:\Windows\Win32\fotito.exe"
                                                                                                                                        5⤵
                                                                                                                                          PID:2160
                                                                                                                                          • C:\Windows\Win32\fotito.exe
                                                                                                                                            C:\Windows\Win32\fotito.exe
                                                                                                                                            6⤵
                                                                                                                                              PID:2844
                                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                7⤵
                                                                                                                                                  PID:2488
                                                                                                                                                • C:\Windows\Win32\fotito.exe
                                                                                                                                                  "C:\Windows\Win32\fotito.exe"
                                                                                                                                                  7⤵
                                                                                                                                                    PID:3220
                                                                                                                                              • C:\Windows\Win32\fotito.exe
                                                                                                                                                "C:\Windows\Win32\fotito.exe"
                                                                                                                                                5⤵
                                                                                                                                                  PID:1680
                                                                                                                                                  • C:\Windows\Win32\fotito.exe
                                                                                                                                                    C:\Windows\Win32\fotito.exe
                                                                                                                                                    6⤵
                                                                                                                                                      PID:1472
                                                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                        7⤵
                                                                                                                                                          PID:3484
                                                                                                                                                        • C:\Windows\Win32\fotito.exe
                                                                                                                                                          "C:\Windows\Win32\fotito.exe"
                                                                                                                                                          7⤵
                                                                                                                                                            PID:3676
                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                        "C:\Windows\Win32\fotito.exe"
                                                                                                                                                        5⤵
                                                                                                                                                          PID:3240
                                                                                                                                                          • C:\Windows\Win32\fotito.exe
                                                                                                                                                            C:\Windows\Win32\fotito.exe
                                                                                                                                                            6⤵
                                                                                                                                                              PID:3736
                                                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                7⤵
                                                                                                                                                                  PID:3176
                                                                                                                                                                • C:\Windows\Win32\fotito.exe
                                                                                                                                                                  "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                  7⤵
                                                                                                                                                                    PID:3412
                                                                                                                                                              • C:\Windows\Win32\fotito.exe
                                                                                                                                                                "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:3744
                                                                                                                                                                  • C:\Windows\Win32\fotito.exe
                                                                                                                                                                    C:\Windows\Win32\fotito.exe
                                                                                                                                                                    6⤵
                                                                                                                                                                      PID:3968
                                                                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                        7⤵
                                                                                                                                                                          PID:3436
                                                                                                                                                                        • C:\Windows\Win32\fotito.exe
                                                                                                                                                                          "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                          7⤵
                                                                                                                                                                            PID:3688
                                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                                        "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:3144
                                                                                                                                                                          • C:\Windows\Win32\fotito.exe
                                                                                                                                                                            C:\Windows\Win32\fotito.exe
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:3888
                                                                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                                7⤵
                                                                                                                                                                                  PID:3536
                                                                                                                                                                                • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                  "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                                  7⤵
                                                                                                                                                                                    PID:3732
                                                                                                                                                                              • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                                5⤵
                                                                                                                                                                                  PID:3864
                                                                                                                                                                                  • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                    C:\Windows\Win32\fotito.exe
                                                                                                                                                                                    6⤵
                                                                                                                                                                                      PID:2652
                                                                                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                                        7⤵
                                                                                                                                                                                          PID:3776
                                                                                                                                                                                        • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                          "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                                          7⤵
                                                                                                                                                                                            PID:2164
                                                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                        "C:\Windows\Win32\fotito.exe"
                                                                                                                                                                                        5⤵
                                                                                                                                                                                          PID:3844
                                                                                                                                                                                          • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                            C:\Windows\Win32\fotito.exe
                                                                                                                                                                                            6⤵
                                                                                                                                                                                              PID:3092
                                                                                                                                                                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:240
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\b6b4b6e8298cf20c5b3a4c601f81cc82.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\b6b4b6e8298cf20c5b3a4c601f81cc82.exe"
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:2752
                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 152
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                PID:936

                                                                                                                                                                                      Network

                                                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                                                      Replay Monitor

                                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                                      Downloads

                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        240KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        172be4b989f16cc0de6d87c76505da97

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        c4ee460ac851460308be8cd7cfc4e3066db6dbaa

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        32eb0ca4ddd208bb116cd1a4ec40c3d80c0638d325f63767c6cdb7591e17d4cd

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        003917b9423cb3c4c853f316a3ce847eff96115a577a1bb1581e92cc2df1acbde9b88ab20dceb8035042182f72e091f6869b9f7c84206c867dcf0d2abc47a277

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        240KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        c9490be12e9052ef0e9124ae8d87b176

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        eb90599072f97a25b08d9c432f3b61f8749acdd9

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        80579250b4e781cb431e0aac119ea7103b6a83166e1937e9cd9076f1d5923ec3

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        86251fff67aa35a803f77e30443bde6a87c0312e1bd74dae35f01362e8765883e97a51645887e2c225252f39a1b616d5075961e27d64321486d63507e6e05b3c

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\logs.dat
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        15B

                                                                                                                                                                                        MD5

                                                                                                                                                                                        e21bd9604efe8ee9b59dc7605b927a2a

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        3240ecc5ee459214344a1baac5c2a74046491104

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        128KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        5f677b0e08b652eabea0ff1522321320

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        d7958d7431690b8ba227c31c9805fd4cd2d54a3d

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        afbb25b8c5f52934356ae8bf405cb2003d5a79388a6c5cf46e4d857beb79cd88

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        c8bff54052e813443ad7694301733d662be442e8bfc127f4dc1951a664967d62a5005019cd4a67905748450cc34b7ebd6dafd920655d65d3b0cf6469b1671677

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        256KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        611b3b222270e8557b591c903154619c

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        8157948e9ea8ad334abd4186714efecf37fa485c

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        76a226660cce85242958514e68abd7599258318855f0bc3da1e34ab4b458cbae

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        d567bf48f33538558b2fdeede9941f5c5646950acf3b35a7e477d6c9d15ff0b913f6a0454cc3877474f2bfd40d402297509e205522ec82f70b500ff3a30fb975

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        64KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        4514d184f917679dff85f0b469045bc2

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        6ccb4f4b2bc142f3ea46fb90c556d1d7ec8b6282

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        45ad7526c86a10cdbdfb8200a4d9f6f8f9d1a0894d93f447a37e9fc32132464f

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        3adf6314a0066cd943ade2bfb0b2acb61519afec2fae7b3e412efee212379cbe7d4d01fa95a1c4da0149f0ec8bc9cf587ac08b3a2e270c393aa9593747914126

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        328KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        b6b4b6e8298cf20c5b3a4c601f81cc82

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        eba6e67d96dc5a6877d57edb3bcd5ccc752c87bd

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        7fa913754340287dd08a5c6e1623973daae180264bd25aa4bd4ee228943e2de6

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        84c1ee603b5c8d774bf8a955393384e1c83b469c02ae6eb02e52ab366b9e4c20a062fd16fb04ecc0ae8eb81d7d5ed59e565417e8eb78a000a4ec4f33eede1d3d

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • C:\Windows\Win32\fotito.exe
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        320KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        a406f7a170de60adf3d52defc74f39f7

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        a7ee302e91d6e3a9f181481ab2fbb59eba59c574

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        37431d787a519a8ecca33c85c9a3ef5fba3016928520bd79974b89a68b499443

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        f061b1eed5aeaab0fa0b29d1968c9b377ef41a29c1b4d178bb957d1fa04b45e10c145609947fee5de2943bc747088d127834163235393a9c6c1cef13982cb965

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • \Windows\Win32\fotito.exe
                                                                                                                                                                                        Filesize

                                                                                                                                                                                        192KB

                                                                                                                                                                                        MD5

                                                                                                                                                                                        5b13f329334a5daa921952260a5f64c7

                                                                                                                                                                                        SHA1

                                                                                                                                                                                        d1b0d05c027790e524075adfa94464d7939a3a63

                                                                                                                                                                                        SHA256

                                                                                                                                                                                        bc2161fcff34cd089b2fd5714e5bb0406ba65407e079e79fdfcd79fd6d4501b3

                                                                                                                                                                                        SHA512

                                                                                                                                                                                        4b05c9f489148a31b3faa2ae18ad7527d53d405bb470d1c5b4b97d7b8b91e98d5114b02fcf5c8c2b771b737a4b5a8bffce2095966653bd54c8370ecc63cc4314

                                                                                                                                                                                        Download Submit

                                                                                                                                                                                      • memory/780-656-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/780-660-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/824-727-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/948-1812-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/960-1708-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-724-0x00000000035B0000-0x00000000035BF000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-538-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        392KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-646-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        392KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-653-0x00000000035B0000-0x00000000035BF000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-622-0x0000000003590000-0x000000000359F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-261-0x0000000000160000-0x0000000000161000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-263-0x0000000000120000-0x0000000000121000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-684-0x0000000003590000-0x000000000359F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-685-0x0000000003590000-0x000000000359F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1348-975-0x00000000035B0000-0x00000000035BF000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1396-12-0x0000000002640000-0x0000000002641000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        4KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1476-627-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1540-1470-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1596-631-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1596-693-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1612-869-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1636-997-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1680-2315-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/1916-2103-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2040-1061-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2060-1957-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2160-2257-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2556-2815-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2604-739-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2752-560-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2760-1284-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2804-848-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2860-5-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2860-0-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2872-1215-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/2940-1590-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3052-6-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3052-7-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3052-559-0x0000000000220000-0x000000000022F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3052-8-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3052-647-0x0000000000220000-0x000000000022F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3052-593-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3052-3-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        352KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3744-2527-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download

                                                                                                                                                                                      • memory/3864-2860-0x0000000000400000-0x000000000040F000-memory.dmp

                                                                                                                                                                                        Filesize

                                                                                                                                                                                        60KB

                                                                                                                                                                                        Download