cybergate | ca4af4a40b2fa74b74ef776733a73e8400f9aa4e4ce1ea9b59e86177555cd546

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
Size

668KB
MD5

2fd5de6054dbfeb07c4ceb3a93dfe241
SHA1

02244540e0b9d80f4b120485cae57e0d9b4c0896
SHA256

ca4af4a40b2fa74b74ef776733a73e8400f9aa4e4ce1ea9b59e86177555cd546
SHA512

b59fc106f39452f93021327a9d11bc23c5cb91f91f68964fd1d1fc05022eb2aa8078a8ca330511c9d5e8760e703852197a920be2ed6ba2056cb3a4b6eca3a3f6
SSDEEP

12288:k1PO8MeQh81uhNmq+jhfgKBze6TVwTsr2BMWovIYRWIAPnV+4oRUJHfR:cPO8MeQS143+jhfjiYVwTsIMVvIYRWIm

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

yotshi.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
msnmsg
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hniya.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe"	hniya.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	hniya.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe"	hniya.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	hniya.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe Restart"	hniya.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2744	hniya.exe
2624	hniya.exe
1672	hniya.exe
4816	server.exe
2220	server.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
2744	hniya.exe
2624	hniya.exe
1672	hniya.exe
1672	hniya.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2696-17-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2624-30-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-34-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-26-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-24-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-35-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-36-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-37-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-38-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/872-575-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2624-601-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2624-912-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2220-3652-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2220-3878-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/872-4202-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msnmsg\\server.exe"	hniya.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msnmsg\\server.exe"	hniya.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2696-17-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msnmsg\server.exe	server.exe
File created	C:\Windows\SysWOW64\msnmsg\server.exe	hniya.exe
File opened for modification	C:\Windows\SysWOW64\msnmsg\server.exe	hniya.exe
File opened for modification	C:\Windows\SysWOW64\msnmsg\server.exe	hniya.exe
File opened for modification	C:\Windows\SysWOW64\msnmsg\	hniya.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 2624	2744	hniya.exe	31
PID 4816 set thread context of 2220	4816	server.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe
1672	hniya.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1672	hniya.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	hniya.exe
Token: SeDebugPrivilege	1672	hniya.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
2624	hniya.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2744	hniya.exe
4816	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2744	2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2744	2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2744	2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2744	2696	2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe	30
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2744 wrote to memory of 2624	2744	hniya.exe	31
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21
PID 2624 wrote to memory of 1180	2624	hniya.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:392
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:884
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:316
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:1264
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:1948
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:3480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:804
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1152
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:832
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2736
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:956
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:276
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1060
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1104
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1600
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2184
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2560
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2fd5de6054dbfeb07c4ceb3a93dfe241_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\hniya.exe
    C:\Users\Admin\AppData\Local\Temp/hniya.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\hniya.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:872
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\hniya.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hniya.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
      - C:\Windows\SysWOW64\msnmsg\server.exe
        
        "C:\Windows\system32\msnmsg\server.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Windows\SysWOW64\msnmsg\server.exe
        
        7⤵
        Executes dropped EXE
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
dbd21f063fa88e05ed2996e223827ca1

SHA1
a037e251669b81e36820edf92fc74a086e9020ac

SHA256
68d4ec41a7b3f5b7947d10b119b89b6c1b5b8ba8e2bad4a913dd9894c3dbc072

SHA512
fd7e92f565352737e74a6d65eb8fdd1ba17c3f43c35bbe91be0090299c08142c083cef7d7e0c8a8f54b7c3bb3e00535afa7c8959fce3568dd33cc183a3500c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e72dd9c25fe9df400df1ee5acd46f338

SHA1
2964ee99c90fb1e583d39bdc48750d966d6e47db

SHA256
fe2cc87388a8ac8f2d38e184422e75c586070878c8f9be3752f0dc69a15dcebf

SHA512
a32d201b1babeec0ad141d2fb958f7776e551fb2b6be33dabfa0cb646acad7e2db5682937043bc8cd2181c9072a5ee85fc2bed624db8167ef6aa052ffe6dc953

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
30de62f68ca8a987b1a0e6cff243c68f

SHA1
cc4a2331911b8daad79d3fba36a0a5a1bd962c72

SHA256
ace2e5644edac61acda4861b17999db3bb6ec4767944f014071010db7d970eb7

SHA512
a03d3ca6de868fa3be5e05d2783b6486b82e80c734dc310cb907d1f0d9ec9954f3fb8cca7b779f1087969ef1f3192877b3946e7decc05c9f53c15e801e41a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5dd3a983abd2a3727020f462474cfe5e

SHA1
478dfcb1d1114214f835aad9125daf39a9990be3

SHA256
510b38cbbdc737676cb935c149b4254beb10b0b1a5214d48089e0127307ed088

SHA512
d61f7a3c8eaf78a4e5337153e1ff145033cf5dcd5578a6a4c042d06ca8895a5a2bb5b23c5c659e538ecc617f2b8454e9b3a693933af03ae051de9344aca6164d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee3948f0501a13d7afa7792413936de6

SHA1
2f10d2eb70a4e2dd81c9d8ed4daac2feba661f4f

SHA256
05783ae0937b7a38425b4b5413d13109fa3f3246285ad2fa028e4f9d67997679

SHA512
ae8283dca1d150ea7ee53a9f85c4dd1e0da42585168224c5ac7c36a8d452e6399c96b8413f8beaf12d85ed83bdb676ab04687f1abbb8ef97e088fb62f8f3db41

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19c5044864f660d0ad537237cc332d19

SHA1
c5fc4a86e62131cb9002cbac232a9e2b4c16096a

SHA256
a16a00517206bf8d1e006d58407c82718f72e0cfc960cffdfbfc6a26011d901d

SHA512
a488ae8d0b81d81757e14f4ee22ce9dbd2b79b4ad2f9e9dd341a463aafc3bf4148a29bac6506a83329fb282a29fe6c3ed7dd27fa9f49dad9b8c975d7bea83884

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f40764ce0d2ad189b11c4e9ef08ea062

SHA1
83fa85f0e18cef4c64bda3b19f8bbfc5cb9e7a4e

SHA256
b476423d39400b9cd5af71f52192b1eb1d82186a0197f2b6efecda3ea1fa0806

SHA512
f9bbadbe4fc0d3ddd299995735482d2c220e3b36be62b0ac8dce8308d3ef52e25a2e939d4e1d93636697280addedbbc3572c836e4f9d0875cc3aa9735632679c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
01a815d588d5040a796517c0647ee8db

SHA1
8a452eb08340f9337c09321cf026283b467422e4

SHA256
15f82345922c4611be50f640f7bf25521c5e52359674fb3bff04ef45a65ffdbb

SHA512
6b37550daed8967048df20df7176c719319b89e6a06e8280b495dd9f6abcf83e500c1acd3d002c7f687dc35ac03c65b86d63dfa84b3bee4417024c40b9784ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bcb5e1df08fa5839f490c655142943a9

SHA1
4be589ad7524c84c7ad46acb7b72f09fcdc2ac56

SHA256
839b5557f71bf970d428fb089ec1ef275dfcaef100d84a06199e9e66fdba3837

SHA512
b57bf3f0665bbfd2a60e8a707f7fa08263d41e2886179b1881a97f07def019396d668c5eb0d720b30230d25f85272cb4e9cc4d7333dc459192801017a67210f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5744ea4d454ff33eb068b200835a247b

SHA1
2b824cb46d9b4e602231f40516d89a93e3714e4d

SHA256
5564a22f3dcf031858e14e4b000bef0d8338bc4153d6f1a18e4622e55658bb65

SHA512
74fa82c494dffa4a5726fe2c759af50e0d0fa14a89a7752075dfecf142f0bcc95019dc6c7270f4531d3edf74be461ab57964a1147541d6dd900b1497c072c0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b8411d2237965b4c7d45071bd2067fc0

SHA1
722e9a81c32ba537264fb6fbc9a67a38bd028bb7

SHA256
a053575a23c8460da0371df2a800c46a498fcbfe0169d14a82b1bd3a71f67b92

SHA512
44db92ce40c642276a6c8aae586e147ead0610842905917b4c9895969e7232c6fa9b424740c89fe5a16dc1c3469b7089a9a120829be51603ba81eba429c0c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ed5d3f58337692da68ebe60d4eadf081

SHA1
9af8675dcf4dddb06b458c2aad64921533a2612c

SHA256
cba79fd437d21f1126650de1153e79473cf965171fc4a6ad9882c6e5e152cb3a

SHA512
b70d607e5991452a9fef1d7ecdcf7f6ab75cdea2ff33d9d190f076ebe2b2f6e96f6fe6a109b8a6ff576c09685092cb5290bad7b957466d3dd4b94d8e5d091aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f62308580c17faba97af278d6ff999ef

SHA1
b895c2e3443e79a11d18c2444f8df60fb9f5d42e

SHA256
1dcbf484926ac41e176e42cffa4f63e4984018dd5e8de5b354a670b94cdaa60c

SHA512
d7ebbc0854ee57b599c5a851b5cd11d0ea328767aad985978c3265e7bf246d3056464f1d60ee553421f3d20dd30e86c57272d894569cebd00e03de9c664f6d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b22db0b619fd79ecbc3415123d1a789d

SHA1
9e4da95baad2ed5fc976a3bbe2302e4f4c9db46b

SHA256
19042401fac21e6e3c79e2202902514f211370b73ad9ea93fc52128ae8f58942

SHA512
4cfa9b0a8389b18da048b45da81465d226ad8380dbb1b6dd3899d5ad1694e3a78ddac23ac5d692a39f58dc3051e96001e7192422ebdd938ea800caac9ba1a0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d387c142fbfb7d6ce69075d63536e3b7

SHA1
0ebecd5339d2d8c8a291d2e652dd2b47fdfbc90d

SHA256
a21756385e8982cfdd892082a98ef3cf0925766df18ef433a5f5126370573332

SHA512
10bb239f48c59d4252ef25fed0a1898a891671dd4b0456c2d061a685feb92b47655afac16cfb4c983d41101d1e11122d97d947ff96d766a6d70670f017149fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d46e108b9048dbab7903c8cf6c586d0

SHA1
18b822ad25f0c02f1f15f25adba64c1e5969f153

SHA256
ed49fb7005a8cd244a300395e1492057a994cd72d7879784535e261f1f56f78f

SHA512
a2cd756ed3c737b5a9a8986ed5d042b24c1a5b777f2816af5abae809e5d8654b4fe9ab28a2b4a675d39eb7296124bec8696baf4097c4585cfb1df8fe1701e779

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee77ef120af046cf091e3c7f32a735fc

SHA1
669c6d548a6ccac686a08a1dd523ed6ef12676a6

SHA256
e8214c22ed32911b70bd7a9d7ef3699722c2c099c4239a1c9633c0004792e23d

SHA512
087254c2c82a142bf22fc3488c3cf5ca97ad2948a9dafdacf6fa1693377d6a96c4d5b0f186f93f6ff0aaad4226fdd24a8c8b5cb2cd67842d50932758f111e75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc36814805f5ce988594e968e4050b27

SHA1
e06d77b6d9a65a214422389b06c9a21cc6e870bd

SHA256
2f6009b173497a5f75ea4e92fc74708fc42f8321888beb34516a632b48f59bf9

SHA512
e3e8bd995d421481125f4cab4ebd26eb9b6c57d503221bfa23081a1baa3cc7c9edd6ffa73165d4788b4cd8dcc349ffc2b87223ad9989a254fb15981e96516555

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
726ae58674bf27f06cc35638566f4d7d

SHA1
25fe0240fb2d7e933cd2d6d1109e641b9c2566ce

SHA256
9bdc5ab4e10269bb74e1766848cfbe3a4fff29bd0d15e0152794837dc772e128

SHA512
0fba6e28e4508399af7120ef38143cf24dbe17bd6bb863925a31bd1da5dec80c9527050913dd75175c3034552774e5833eeba1912814fdc739db0bd12d80f358

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6e41b1bfdf0d28eb8d5f12a10c28b2e

SHA1
d529b81564db647b10d861b1cc62de76ade1e3e1

SHA256
2f84a8d03a6da9c5e8628053559a7f4d59c1240ea6365a6c5d146821fea9804e

SHA512
6ab5ec61c8dd889b77fa02524d89495e72271229d89cb97ae2a042e949665292d2d64ad875d2e6f5f9dbb874eb6f36a84d86dcdd2cc4ce9890b7c8ab6f5ac65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hniya.exe

Filesize
314KB

MD5
540059223bcdc04def40eac2ca0ab8a9

SHA1
27b85f10b8d553f47de40b46c8ef6cdaddfedd1d

SHA256
bd89d9df6d315148033e6d8ca060fdf60e6734abbdf1c27084f5b61f3f4858b7

SHA512
11c39c5fe0fc1ab05d74fd1d7c1e627b0e846c3ff80864542a7de699cfdb9d24f1183b5aa3f43a728546f0a8fe379fd9bb6de32036af69cc88e812e2bd25dbd2

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/872-575-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/872-287-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/872-286-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/872-4202-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1180-42-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1672-3512-0x00000000061E0000-0x00000000061EB000-memory.dmp

Filesize
44KB

Download
memory/1672-603-0x0000000000400000-0x000000000040A001-memory.dmp

Filesize
40KB

Download
memory/1672-4752-0x00000000061E0000-0x00000000061EB000-memory.dmp

Filesize
44KB

Download
memory/2220-3652-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2220-3878-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-35-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-912-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-601-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-602-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2624-38-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-36-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-30-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-34-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2696-0-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2696-17-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2696-8-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/2744-33-0x0000000000400000-0x000000000040A001-memory.dmp

Filesize
40KB

Download
memory/2744-15-0x0000000000400000-0x000000000040A001-memory.dmp

Filesize
40KB

Download
memory/4816-3649-0x0000000000400000-0x000000000040A001-memory.dmp

Filesize
40KB

Download