Malware Analysis Report

2024-09-22 10:25

Sample ID 240312-h58qbsdd33
Target c2c6b9b2ec0b30df7e09ee60e254724b
SHA256 14f08cf65757ace423f6dee88b9e1cfbfb3cafe04c5ddfe7258c29a8b3bae140
Tags
upx cybergate sality remote backdoor evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file c2c6b9b2ec0b30df7e09ee60e254724b was found to be: Known bad.

Malicious Activity Summary

Windows security bypass

Modifies firewall policy service

Sality

UAC bypass

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Loads dropped DLL

Deletes itself

UPX packed file

Windows security modification

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-12 07:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 07:20

Reported

2024-03-12 07:22

Platform

win7-20240220-en

Max time kernel

121s

Max time network

119s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O} C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1992 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe
PID 2856 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\Dwm.exe
PID 2856 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\taskhost.exe
PID 2856 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\Explorer.EXE
PID 2856 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe

"C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe"

C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe

Network

N/A

Files

C:\directory\CyberGate\install\server.exe

MD5 13fbcfd0e40181815fa50f0a80580cd7
SHA1 67dc1630572b25a272113f61b58b8747bdbbd389
SHA256 5a2c002e5f26a8d2e3d2e04e60fa32f6288871920c2b583fff929f0c052e5227
SHA512 5292dc4ac8850c807ef6dd4c4f598d909e254680444acba91eb3c9eddaa5d33c56d1a2af505a6f38b11fb2f6e1c0e21e2821d4f8aec427a5b45004e2ba965c4a

C:\jhegga.exe

MD5 4552d18fe67a668f48af97be53d83687
SHA1 621718cea9b686d527c473fc68f182126133e62d
SHA256 b2e20424ac9800971d5908befa0ac341e65f3863456ba601750100029a113b0c
SHA512 c7d5398be36b77d14c9608544ae03d849e3915b041a176548f387de651b47257f76ac823063423da2c8d51080712002a0bc4f5a4fea24253b7be2b2f2a6be415

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 07:20

Reported

2024-03-12 07:22

Platform

win10v2004-20240226-en

Max time kernel

17s

Max time network

148s

Command Line

"fontdrvhost.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\directory\CyberGate\install\server.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O} C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\directory\CyberGate\install\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\directory\CyberGate\install\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\directory\CyberGate\install\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wmimgr32.dl_ C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File created C:\Windows\SysWOW64\wmimgr32.dll C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File created C:\Windows\SysWOW64\wmimgr32.dl_ C:\directory\CyberGate\install\server.exe N/A
File opened for modification C:\Windows\SysWOW64\wmimgr32.dll C:\directory\CyberGate\install\server.exe N/A
File created C:\Windows\SysWOW64\wmimgr32.dl_ C:\directory\CyberGate\install\server.exe N/A
File created C:\Windows\SysWOW64\wmimgr32.dll C:\directory\CyberGate\install\server.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\directory\CyberGate\install\server.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
(identical row repeated 64 times)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe
(identical row repeated 8 times)
PID 3564 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\fontdrvhost.exe
PID 3564 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\fontdrvhost.exe
PID 3564 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\dwm.exe
PID 3564 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\sihost.exe
PID 3564 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\svchost.exe
PID 3564 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\taskhostw.exe
PID 3564 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\Explorer.EXE
PID 3564 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\svchost.exe
PID 3564 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\DllHost.exe
PID 3564 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3564 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3564 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3564 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3564 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3564 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\System32\RuntimeBroker.exe
PID 3564 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3564 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3564 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3564 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\Explorer.EXE
(identical row repeated 38 times)
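
The rows above each record one source PID writing into another process. As an added example that is not part of this sandbox report, the Python below aggregates them: same-image parent-to-child writes (1204 into 3564, the sample re-spawning its own executable) are separated out as process-hollowing candidates, and the remaining writes are grouped per writer so the fan-out of PID 3564 into Windows-owned processes is visible as one number instead of forty rows. The SeDebugPrivilege token adjustments listed earlier are what let a user-mode process obtain write handles to processes such as dwm.exe and fontdrvhost.exe, which run under other accounts. The sample rows are a subset copied from the table; the `is_windows_image` heuristic (image path under C:\Windows) is my own.

```python
"""Aggregate WriteProcessMemory rows from a sandbox report.

Added example: not part of the report. Same-image writes are treated as
hollowing candidates; everything else is cross-process injection fan-out.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the rows from the table above, copied verbatim.
SAMPLE_ROWS = [
    r'PID 1204 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe',
    r'PID 1204 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe',
    r'PID 3564 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\fontdrvhost.exe',
    r'PID 3564 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\dwm.exe',
    r'PID 3564 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\system32\svchost.exe',
    r'PID 3564 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\Explorer.EXE',
    r'PID 3564 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\System32\RuntimeBroker.exe',
    r'PID 3564 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\Explorer.EXE',
    r'PID 3564 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe C:\Windows\Explorer.EXE',
]

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_writes(rows):
    """Parse 'PID X wrote to memory of Y N/A <src image> <dst image>' rows."""
    writes = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            writes.append(Write(int(m[1]), int(m[2]), m[3], m[4]))
    return writes


def is_windows_image(path):
    # Heuristic (my assumption): anything under C:\Windows is an OS-owned process.
    return path.lower().startswith('c:\\windows\\')


def injection_summary(writes):
    """Split same-image writes (hollowing candidates) from cross-process fan-out."""
    per_writer = defaultdict(lambda: {'targets': set(), 'windows_targets': set(), 'writes': Counter()})
    hollowing = set()
    for w in writes:
        if w.src_image.lower() == w.dst_image.lower():
            # Parent writing into a child running the same executable: the
            # classic precursor to SetThreadContext-style process hollowing.
            hollowing.add((w.src_pid, w.dst_pid))
            continue
        info = per_writer[w.src_pid]
        info['targets'].add(w.dst_pid)
        info['writes'][(w.dst_pid, w.dst_image)] += 1
        if is_windows_image(w.dst_image):
            info['windows_targets'].add(w.dst_pid)
    return {'hollowing_candidates': sorted(hollowing), 'writers': dict(per_writer)}


def most_written(summary, writer_pid):
    """(dst_pid, image) that writer_pid wrote into most often."""
    return summary['writers'][writer_pid]['writes'].most_common(1)[0][0]


if __name__ == '__main__':
    s = injection_summary(parse_writes(SAMPLE_ROWS))
    print('hollowing candidates:', s['hollowing_candidates'])
    for pid, info in s['writers'].items():
        print(f'PID {pid}: {len(info["targets"])} targets, '
              f'{len(info["windows_targets"])} under C:\\Windows, '
              f'most written: {most_written(s, pid)}')
```

On the full table the fan-out of PID 3564 is nineteen distinct targets, every one of them a Windows-owned process in the same session; that breadth is the detection signal, since a legitimate injector (a debugger, an accessibility tool) writes into one process, not into everything it can open.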

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\directory\CyberGate\install\server.exe N/A
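
The persistence and Security Center rows above all share one row format: action, registry path, optional value data, writing process, target. Two details matter when turning them into something a hunter can use. First, the Security Center values are written under WOW6432Node only because the writer is a 32-bit process on 64-bit Windows; the EnableLUA = "0" rows (which disable UAC rather than merely check it, effective after a reboot) land in the native Policies\System key. Second, the Active Setup component name {0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O} is not a syntactically valid GUID, which a legitimate Active Setup component would have. As an added example that is not part of this report, the Python below parses the rows, normalizes the per-user SID hive and the WOW6432Node view to HKCU/HKLM, classifies each row, and validates the GUID. The sample rows are copied verbatim from the tables above; the ATT&CK technique IDs are my own mapping, not the sandbox's.

```python
"""Classify the registry rows of this report into persistence/evasion findings.

Added example: not part of the sandbox report. ATT&CK IDs are my own mapping.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied verbatim from the signature tables above.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\directory\CyberGate\install\server.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe N/A',
]

ROW_RE = re.compile(
    r'^(?P<action>Set value \((?P<vtype>\w+)\)|Key created|Key value queried|Key deleted)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*?)")?'
    r'\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)
USER_SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\', re.I)
ACTIVE_SETUP_RE = re.compile(r'^hklm\\software\\microsoft\\active setup\\installed components\\(\{[^\\]+\})$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$')
SECURITY_CENTER = r'hklm\software\microsoft\security center'
SECURITY_CENTER_VALUES = {
    'antivirusoverride', 'antivirusdisablenotify', 'firewalloverride',
    'firewalldisablenotify', 'uacdisablenotify', 'updatesdisablenotify',
}
POLICIES_SYSTEM = r'hklm\software\microsoft\windows\currentversion\policies\system'


@dataclass
class Finding:
    category: str
    technique: str
    key: str
    value: str
    data: Optional[str]
    process: str
    note: str = ''


def normalize(path: str) -> str:
    """Map the kernel-style path to HKLM/HKCU and drop the 32-bit view redirect."""
    p = USER_SID_RE.sub(r'HKCU\\', path)
    p = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', p, flags=re.I)
    p = re.sub(r'\\WOW6432Node\\', r'\\', p, flags=re.I)
    return p.lower()


def classify(row: str) -> Finding:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unparsed row: {row!r}')
    key = normalize(m['path'])
    if m['action'].startswith('Set value'):
        parent, _, value = key.rpartition('\\')   # last component is the value name
    else:
        parent, value = key, ''                   # key-level event: path is the key
    data, proc = m['data'], m['process']
    if parent == SECURITY_CENTER and value in SECURITY_CENTER_VALUES and data == '1':
        return Finding('evasion: Security Center notification suppressed', 'T1562.001', parent, value, data, proc)
    if parent == POLICIES_SYSTEM and value == 'enablelua' and data == '0':
        return Finding('evasion: UAC disabled', 'T1548.002', parent, value, data, proc, 'effective after reboot')
    if parent.endswith((r'\currentversion\run', r'\currentversion\policies\explorer\run')):
        return Finding('persistence: Run key', 'T1547.001', parent, value, data, proc)
    asm = ACTIVE_SETUP_RE.match(parent)
    if asm:
        guid = asm.group(1)
        note = '' if GUID_RE.match(guid) else f'malformed component GUID {guid}: not a valid hex GUID'
        return Finding('persistence: Active Setup StubPath', 'T1547.014', parent, value, data, proc, note)
    if key.endswith(r'\control panel\international\geo\nation'):
        return Finding('discovery: system location (Geo\\Nation)', 'T1614', parent, value, data, proc)
    return Finding('unclassified', '', parent, value, data, proc)


def summarize(rows):
    """Return (findings in row order, {category: count})."""
    findings = [classify(r) for r in rows]
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return findings, counts


if __name__ == '__main__':
    for f in summarize(SAMPLE_ROWS)[0]:
        print(f'{f.technique:10} {f.category:50} {f.key}\\{f.value} = {f.data!r} [{f.process}] {f.note}')
```

Because `normalize` strips WOW6432Node, the same classifier matches a native 64-bit write and a redirected 32-bit one; when hunting on endpoints, query both views, since the value the report shows under WOW6432Node will not be visible to a 64-bit tool that only reads the native key.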

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe

"C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe"

C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\directory\CyberGate\install\server.exe

"C:\directory\CyberGate\install\server.exe"

C:\directory\CyberGate\install\server.exe

"C:\directory\CyberGate\install\server.exe"

C:\directory\CyberGate\install\server.exe

C:\directory\CyberGate\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 ayoubass.no-ip.biz udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 ayoubass.no-ip.biz udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 ayoubass.no-ip.biz udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 ayoubass.no-ip.biz udp
US 8.8.8.8:53 ayoubass.no-ip.biz udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 ayoubass.no-ip.biz udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 ayoubass.no-ip.biz udp
(identical row repeated 13 times)
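
The Network table mixes three kinds of rows: reverse (PTR) lookups for in-addr.arpa names, forward DNS queries, and the one TCP connection that followed a resolution (g.bing.com on 443). As an added example that is not part of this report, the Python below splits them apart, turns each PTR name back into the address it asked about so reverse lookups are not mistaken for contacted hosts, counts queries per forward name, flags names under dynamic-DNS providers (the suffix list is my assumption), and records whether any connection to that name appears in the capture. In this report the only name queried repeatedly with no connection recorded is ayoubass.no-ip.biz; a dynamic-DNS hostname under the operator's control is the durable indicator here, and the sample rows are a subset copied from the table.

```python
"""Triage the Network table of a sandbox report.

Added example: not part of the report. Separates PTR noise from forward
queries and flags dynamic-DNS names that never produced a connection.
"""
import re
from collections import Counter

# Constructed sample: a subset of the rows from the table above, copied verbatim.
SAMPLE_ROWS = [
    'US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp',
    'US 8.8.8.8:53 g.bing.com udp',
    'US 204.79.197.200:443 g.bing.com tcp',
    'US 8.8.8.8:53 ayoubass.no-ip.biz udp',
    'US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp',
    'US 8.8.8.8:53 ayoubass.no-ip.biz udp',
    'US 8.8.8.8:53 ayoubass.no-ip.biz udp',
]

ROW_RE = re.compile(r'^(\w{2}) (\S+):(\d+) (\S+) (tcp|udp)$')
PTR_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$', re.I)
# Assumed list of dynamic-DNS suffixes worth flagging; extend for your environment.
DYNAMIC_DNS_SUFFIXES = ('.no-ip.biz', '.no-ip.org', '.no-ip.com', '.ddns.net', '.duckdns.org', '.dyndns.org')


def ptr_to_ip(name):
    """'133.32.126.40.in-addr.arpa' -> '40.126.32.133'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return '.'.join(reversed(m.groups())) if m else None


def triage(rows):
    """Return (findings per forward-queried name, sorted IPs that were reverse-looked-up)."""
    dns_queries = Counter()
    connected = set()
    reverse_lookups = set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if proto == 'udp' and port == '53':
            ip_from_ptr = ptr_to_ip(domain)
            if ip_from_ptr:
                reverse_lookups.add(ip_from_ptr)      # PTR: not a host the sample contacted
            else:
                dns_queries[domain.lower()] += 1      # forward query
        else:
            connected.add(domain.lower())             # an actual connection, attributed to this name
    findings = []
    for name, n in dns_queries.most_common():
        findings.append({
            'name': name,
            'queries': n,
            'dynamic_dns': name.endswith(DYNAMIC_DNS_SUFFIXES),
            'connection_seen': name in connected,
        })
    return findings, sorted(reverse_lookups)


if __name__ == '__main__':
    findings, ptrs = triage(SAMPLE_ROWS)
    for f in findings:
        flag = ' DYNDNS' if f['dynamic_dns'] else ''
        conn = 'connected' if f['connection_seen'] else 'no connection recorded'
        print(f"{f['name']:25} {f['queries']:3} queries  {conn}{flag}")
    print('reverse lookups for:', ptrs)
```

A name that is queried twenty times and never connected to means either the name did not resolve during detonation or the connection was not captured; in both cases the hostname, not an IP, is what goes into the watchlist.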

Files

memory/1204-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3564-3-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3564-5-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1204-6-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3564-8-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Windows\SysWOW64\wmimgr32.dll

MD5 9ebb3e4fc0c32524ba4098e214a06150
SHA1 41d0964a70edc0875ff9a8091b6911e18684e1ed
SHA256 f183002d0c6412dc694b580e0b33194766921415e77f713d46cb29dac6ae196d
SHA512 d7338292e03fd374fec772787e7561a6d6e9ca0b108cf4b6e9f79647bf0f64960ec78979e986f8bfa9874d907ecacca81183faacdd350e890c0dab02ca50298a

memory/3564-14-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3564-15-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-16-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3564-18-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-21-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

memory/3564-19-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-20-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

memory/3564-23-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

memory/3564-24-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-25-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-26-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-27-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-28-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-32-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3564-33-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/4996-37-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/3564-38-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/4996-39-0x0000000001040000-0x0000000001041000-memory.dmp

memory/3564-40-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/3564-64-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4996-102-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3564-101-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 6a1b4a3454a731f094b6e9578e0bf515
SHA1 04482dcfd5a5b25ae453575a3643489dabac2dce
SHA256 edebc6d0261a29052ce08a07cbfaf70c481fa71a168c6b07a6a2b8ec28fb35d6
SHA512 09253159e348cd5b2228109192527f8e49826ffbab2a6d525591ce813074219ed5dadb0e09b567675f183165904eb67d61c8308789943c8e2f1d9cb340d00086

C:\directory\CyberGate\install\server.exe

MD5 c2c6b9b2ec0b30df7e09ee60e254724b
SHA1 f8092391f8fc52f062e79ded88aaf700e5df5805
SHA256 14f08cf65757ace423f6dee88b9e1cfbfb3cafe04c5ddfe7258c29a8b3bae140
SHA512 1a3611188d1bc618d1cf6fccdaf2f451e82b507b9036c4fe625e692db4270c8a8601654ca876554a905453f56f9e483d3e65bd2046dfd19e1ff05f0c93a4ab86

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314


files/0x014a00000001e595-7026.dat

MD5 d3b23e3c93412b4d8eb6d84ddcbff2c1
SHA1 0c5ba5d0b7f8f41587b8bbba45cac896a7460213
SHA256 cd6b5c01cc16f643abb0feb9f186c553e7cc61664e50f1adef95f6df2c19fa58
SHA512 8a7b98111d34b92be452f685c26dd546d1fefc8b1cf30774e44042f2b425b839b963a566c0149a0680e4e4cf70a5077dee4fa5840d890a62b49740bd3afa94df

files/0x015b00000001e595-7037.dat

MD5 d7da881d1f677b9a4a899947c885301d
SHA1 57a26d50593293ba6551486db93b259bf13c4253
SHA256 2a6754f819b3097b2c13132be5c498559c2a841c469398e11066653ade1fe18b
SHA512 928b73ca06db2fd32e3df5921317f6954d35c9486eb5520c87766a7e4c589d64c19b8855ab26811eec953ccb2aafc69f5327c9410e76ce6bc710e877bb66a9c6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 79eb68accf5fb7d5dfe3edc178a0b9b7
SHA1 3e7000202c95e6fff2620f4d52bd03351459b8f1
SHA256 682411b12728481b61a57ea0bbec35809b6a3a83f8d5f9bb18fb1b1e5851de7d
SHA512 ab08fd91caacbec529ffebbc7ba1035c2139e614883f58d424a0e1ef6ba511c56a0b7e2aa4eb47dad188e9495250d0135743e0dfa4c7cb84590272b5198bf1db

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b824225159629cdbae49b830a9424920
SHA1 8e724d590e42b6b8fa8132b432a73941d2d91411
SHA256 f8078898fa9fc1668a704429c41fecc95600b222db97133d2a98f9395a5af5c9
SHA512 a13f8a2d904373b00094a08300829d7436162e7996b003811ae37c567e9f1d75311d1382c2de118d3ec8ffc7cb2bfd96a7d8624bf62920264f4f7052cc703358

files/0x018d00000001e595-7112.dat

MD5 2b413fad134590c55f6b2ef5b91bd698
SHA1 c7a6887bedfaa630f4349d485c404e74099973ad
SHA256 9d8446fc4160b43e51eacfbd586e73070c0c3581e20d6fba6cfa450cac32594e
SHA512 6891cf7a8a852066e134cf596994940164748f9d09b83eda3d2852e51b39b2f56d817f70fe3bc5504b2e1988b35b549b644adce97d115f30652c55e9a2250a1d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a7989f4e176a6f94ead6d6dc2649d25c
SHA1 2447158d8030ce073907aed42ce80f2c85e22e36
SHA256 9b0969b8cfb63973410f1889d26985d5476177df212a6192cf9063b9370cbe3a
SHA512 aa88f02cf24988a5e22478154cb203b8f34753c91d4f3c140de7548aa40607d2f81464e281ab2650a545a189f4695ebf2693b73fc29086f80a14bacb43274299

files/0x014800000001e59a-7190.dat

MD5 7ef3657eb0fa5184080b54578ba26a43
SHA1 0f65b049c803b81cdf602fb71a81a1a61a2bb1b7
SHA256 b4204cc8375a94ef36f825acdb880a95fe364314d0ab8104a3c3503e71041ecb
SHA512 e4f67969e8f92beeb18872b1dec32aa10220fc289a8461ccefa4a0960ef27cde35c9ea5a3a6e60fc3b1ede3828199ea35601e75cc30f5c2200939e4902d1d4e6

files/0x017700000001e59a-7216.dat

MD5 b7efc2d089d272a3ce22be3918493043
SHA1 6f9caf4b782eb86ec2ab7ff35819d012b2ab071d
SHA256 1f265b87428abb09279f83c8454da460a90be168a387ffdfd7f15f02ea0e9725
SHA512 bc37849d9037c1030821757113921f9d43f8bc94e8ddd9feb2605e8ad8307b37cfa20cb1e8ce361298237fd857e1e58d6e96e5d5236fda6bdc98977c8c0ce79f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 aadf3d6932b04ece6f684ae36e167bdf
SHA1 cc66411b07ccfd9b5483cc6b501b24170a60f99b
SHA256 a399ab907654726b8d79a814fdade3bf1768cd96cb5f80baa70cc6f7acc33a3d
SHA512 0b2eadb6f480d8092f88beacec2f7db5c952011522953f3ba7d92c2cefc1c89f08231217c89950afb2e8553081965c36beb6e83b996c23691053fa8fcac3b5f0

files/0x019700000001e59a-7329.dat

MD5 e5c39d513946c03feba6725831612379
SHA1 30e11dbd8f456fa346559909007177d06621190c
SHA256 b7a3440799b760be8428a37935e34d51d326bf001faa749367028fa16af55d16
SHA512 ee46a124cc61330998ce3c91a0033013f7f66852ac6d5c384f01444ceb69162a70263c4533d6c932a92986f866534972259d567d3cb6bd692619c2cd3dfe0b49