cybergate | 16ffc1bd6c6c0f8521e4d99a544a0f35d9736e564d2e59fcdeceaa6e34f53d05

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Size

341KB
MD5

8803d50c9065603ee66a17e25c1212b0
SHA1

2ded053e1b2a5e854db51003c9cd9b827b85a825
SHA256

16ffc1bd6c6c0f8521e4d99a544a0f35d9736e564d2e59fcdeceaa6e34f53d05
SHA512

babcaf8cfd0361f869710ec4c4cc911e7e74898613009e61c004473b5010d1fa9a00e245030ba791f01286326c6fa827119ca10e278caefa330f44df2bbf0d60
SSDEEP

6144:ZOpslFlqOGHG0hdBCkWYxuukP1pjSKSNVkq/MVJb/:ZwsltOfTBd47GLRMTb/

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

pokemonpgm.no-ip.org:100

Mutex

T16P132D5H180T

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
KamasGenerator
install_flag
true
keylogger_enable_ftp
false
message_box_caption
FORMATAGE DU DISQUE DUR C: DANS 5 SECONDES ! 5... 4... 3... 2... 1... DISQUE DUR C: FORMATE !
message_box_title
FORMATAGE PC
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\KamasGenerator"	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\KamasGenerator"	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{247F87G8-0830-WN5J-886F-74F1P765440B}	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{247F87G8-0830-WN5J-886F-74F1P765440B}\StubPath = "C:\\Windows\\system32\\install\\KamasGenerator Restart"	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{247F87G8-0830-WN5J-886F-74F1P765440B}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{247F87G8-0830-WN5J-886F-74F1P765440B}\StubPath = "C:\\Windows\\system32\\install\\KamasGenerator"	explorer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/368-2-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/368-6-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/368-63-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1028-68-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1288-137-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/1028-735-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1288-1415-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\KamasGenerator"	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\KamasGenerator"	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\KamasGenerator	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\install\KamasGenerator	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\KamasGenerator	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1288	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1028	explorer.exe
Token: SeRestorePrivilege	1028	explorer.exe
Token: SeBackupPrivilege	1288	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Token: SeRestorePrivilege	1288	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Token: SeDebugPrivilege	1288	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
Token: SeDebugPrivilege	1288	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3604	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56
PID 368 wrote to memory of 3504	368	8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8803d50c9065603ee66a17e25c1212b0_JaffaCakes118.exe"
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
e2b86f1cf0b5ebbaf76ff98a0e3e3e76

SHA1
4b6ef021a9d001625803baac4081ba655aa8a36e

SHA256
20fd0ad543412ce2d65ce2609f04ef067434dc3165c0d4e9352a0a3db4af30a9

SHA512
872d862d5fa49b848fb9edf381a669dbdae1890c75cf3f1260bae87e47d2ae97202d3e2595cfe2261c2d59b12cf2508cc29773ff0173d143ea5a9b37464808d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6a2f5b255c5ff7832bf3e498bbdcc86b

SHA1
dad24adab0dfb10b49bf7382976b06b246bbf711

SHA256
278065bb7fa9154258a0caaf52c03c750f6c34dcb708ada13a6c729e5abda309

SHA512
cd1166daee91848d5129e8967f7ac261a5c2c55dc4403517e4e7784538f19b3d0612482113a778436f167e77c7b9f87f4591a5c097dddb20aec327370e2a686e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d3d20389e84b92fa0e0d93a48d8b3086

SHA1
2b8dfac2271a9501d455d9749ddbe209e5ccdd5d

SHA256
5abbebd2890e2f6a4a521b6b3eb9a185ed1970d8016fdc39cf38bc2ecdc53dfe

SHA512
5100392e2a3c22d4f0783ea0a39c673d1f0d6e86bc694c9204e6c6850205ad7decfc0ef172bd7b5b750d698da1df2de8c7e0b3e4d44abd5c18f56282f9f64fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7e0bcf85aef368c9dfbf1d159b30077b

SHA1
83c7cf5134145a9f07007913eb51ed9fff9be9c2

SHA256
116f4c945d43cf16315f5c8dc16d95d4c9a7ad7a9ad3d1df5d44187f1d2e1688

SHA512
b1a839b9a7d768d8767180dc75385bf4068c7498106edd81b62011547b7e911365965f59d8e15d380f3ce0c360ef07caf532fa117485f683873cdedcb24d75ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fd1c3af9edc9ca1e20d77594463536d2

SHA1
640b1702d3123bebb7ae3a2052b116fdfec331a7

SHA256
b711415e19b135ba3014014761af5a3e53b351dc233f13fe45021ff3d20e2686

SHA512
8791199394f10498a04ca71be8e4cf8a14a3c49d3b0e99409bf40d9ecee5158449adfb40749973fb7f25b672c71f6f4993ec5ae45febe347b894942a243bb584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5a9fd7bab0b98311faf79f9c5e6e239a

SHA1
02d199528d293d0889eba48b1afc92def6ad4ef9

SHA256
30bcfc3226ce29ee5617d3abf80948cba8bf5362990ebdb2e66b96163b450253

SHA512
27655b4ac5239239dd0fb1ed8e5e631e941a77ed27de8aff6543c8fc6cbc28141adf22a4bd198564e015bc44c7c2da2869e6eeaa0e4ad8f4b08774092791f33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
51fa9609d6cd429c7198c8fb15387ec1

SHA1
1a327cb83ef02bc716025b6ecc4d970b5c075b47

SHA256
b6b8c6d60e962ed14f5eb03c0a6bb63d1dbbc0cd10a3cb41ec1845df2f0c6c33

SHA512
f328696579fd17dbd61aab4022caba4183a8610c410dece0b4d50cd8fdecdefe2f30a87f4be6318aa5b40dd1130059450a666e2dfd05a6440017e10811f9098c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6b234ea806fc39a6507f7d98f8bacd98

SHA1
3223a39a863894d21baf7c35f8486529e0795b5b

SHA256
1e50c7ec262650dcd9292cbf4dc970607414891637de4c07d4abaf4330fb9711

SHA512
3824699058a3c7f25bde7192f5fe3d31f0a39b885e61ae778497cb8d47990faee0f42558d20e35bd3843ee710a7e3c56db63eb4c3ecc8ac9e29662b4f8cd4297

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d1f814140629ad25f3e9845ecaa60ab7

SHA1
bb6cf70c7647b7abc212f9f167875d5ede0047bf

SHA256
2c8031aefd2253211663b3a5ef5210d2d17845e0b5c41e6b652a9f12b1947740

SHA512
159685c802645eaa517b7fac8a728c2064170c801ae93004d73e50883b42089232a7d95badf9056295d10b21343ec64fc1f76222abe28d18ff2e1ab3aefdba24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
269a79bb3aaef07bc846551521fbeda7

SHA1
41ffcc7b43981dc812861757c799c49da80ca0f6

SHA256
2a446675c589d27d4e42f1f3e031ed4e81c45121a845c5fab77b6659da035d58

SHA512
0c56281ac2f761ff2c947bd99de7beb3ee061f2447995d993a8d00621a963bd68a15e44d6a6db54ff5c94c5c39db32e79976bee6416fb3322b8d5779b5d1cedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2df69b531075900e20f2289481c6dc1c

SHA1
0153387761c9716515c39ed47c7006245f92deb9

SHA256
2cb67eeca5d50954d0767f4a294f4b09d2ba0c049e8b370f3e4a63b46f467476

SHA512
c2d0baa561975461dcce59b13edd325db3580645077f53902fe993c322c2b7d43c1d71ab5036100c5daf1b00eb93a072634d0a4cc384d7fb486485d32b159b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
40f0acce7575caf481f4d70ae88f2f10

SHA1
a9d8d0468f89560bc3e823f9cb2fd42969a240e5

SHA256
695a11673fb599ae6fb470df0eaf8da86789f0cdb918daa71d9df9404bbd58a9

SHA512
22e55cbd01ca356676a40cb40607683e1c820b2bb4432d46885b99d949c2956d47a2addb21c3a8168bde14aa7f2c4c0d50db72897c84efee72b6cff5dc9023cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f94761379abc701027a4c6a90a417a54

SHA1
412e6c9b9c63ec43ecd09b4b754e358fb17a6ee0

SHA256
87213b4d5e5b311a60049bb655ac8b346862976af6e33bec6a825861d42213ef

SHA512
dbc1aceeabb2893b8d871ef9e6a8285ab17a9e21ca69b6fbde09329d683201746d3c8fd92e95d7e2e290ce18e69693f8c08316cc9a52be0cf1085485810e8418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dbbe47d8327c269631da0df3f2a70f56

SHA1
f8623b3f875dede73fce5969fd12d90f8ceefe29

SHA256
39885e66130787085de4de6a09c4682d04cc598428add103009b2fe4d955e520

SHA512
6f552decddd89b609935adb22673b4ea598d67c6be729870eaad9a60f629821cb18190ff74efc9961fc8e2ec8aa68040590aaf691ea6fe2ed50a24397daff705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e66dfc92e005b81eee55a542a79bbd6e

SHA1
174d1349923e28a07afbb583832f973417c6d255

SHA256
4653af02fb492b198bbc30eebdab37ad4180bccfe1f5a2dcac533264b0793853

SHA512
3feb5fb12b93c4302c90327b24c9ba736eed3d00639c4132e1fcb7bbabea75cb43e39018b019ac701c28b2f78b324b8e823c81a88d8f8148e5079156d508d3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d8ceb8e866178459e7ff539447455e1

SHA1
4d73b44e4edfd49a3180de85290f74fc2303e939

SHA256
d08d89780331bdf6e2f15a1135f00849d3a369e797dc9993f166b116d500fec9

SHA512
707b3150b3c87d62f2fa9e4384457d1edb88e59c9bcc4f23ae961915cb9ced776c9401ac964105c0b2f8ccf6218b5a595145482dfc64b3ffc2782e92e65e9a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0b890b653594fc52503ca2ae41fc6030

SHA1
06443da9936385ac472a488aa45f47e873c7ed1a

SHA256
a123fd03b0fb19727db4f769a89d7aaa6d9eeaeca9cae83ba58f1cfd7a70f86e

SHA512
a644192938d188b79f17e3e3022762e2dcb296e574019d03f97c7cc3bd4c4b73cbf4107bf77670fc540ce68b61f26169b46ece0df6cb036387e6032b325334d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7d9fa718bbdf5d45e7527fd9fadc75a2

SHA1
797e0667a604b7330f087c0d3628a828557fa4b6

SHA256
b8288f113ee85ecb0edba94bdfa548f520513323ee96df3438cd518358b343b6

SHA512
017df2594671b6a1d3932a66b6e1ca75adda4f5d6837888473c61646ccbb5bf3d18ad2ca14e168c0442ab97bcdb0ffece5c24bb7f6b333d8089a95ba659d4f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
612d4eb5845ff11cda9ca29e435f5015

SHA1
38a14c6efe37743a08f4bb31e71f9398a39b3159

SHA256
bd8c24d1a8c85b8a4dedb5bb3f70bdbbe8fc1a75f0468652700b152d86b986b6

SHA512
d748c2cc5a93ff20b53e0e80bae4d37da8b3781091f1debe12a6c8fd2d707a233bfcfd39bb895f95c127b6653b16f217be56dc60932f57fab69fcb93e3ccc74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aba0b55c6a11a851a6c42d14ec62e908

SHA1
e5a8bd60b802a5b6f5bdad0e9c1780e35cb47a63

SHA256
4ba03f199beab800fb9047e17b497cb71d4dcf818fb1cfa4ce5881be3af57019

SHA512
1d70b5a1619a208124ae6d9d60f0be6e450d11a7eb55577ad3aff287f8b112b8a04af0bf54d7d4d6f9615a3e5cad6137f09ca9c7c3105f050276f3ed9b84075d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8f40f9339be49baf31528120c9213a2f

SHA1
1f2c8cc989b21221e0dfa97aa8e94a217d3a8d7c

SHA256
cf71b8e22129a7baf77bc0c5a07333b23d3cd8a69a5b7de1459c458ef76ee8f8

SHA512
baf635c6b6ca721f3f925f57892e4a43c2c0bd1ea7486e27cdaa55526ac949a4789ff50055dd566ac0427280d483539077fb9ed7a4b0d941e6309b9bb2cf9c2e

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\KamasGenerator

Filesize
341KB

MD5
8803d50c9065603ee66a17e25c1212b0

SHA1
2ded053e1b2a5e854db51003c9cd9b827b85a825

SHA256
16ffc1bd6c6c0f8521e4d99a544a0f35d9736e564d2e59fcdeceaa6e34f53d05

SHA512
babcaf8cfd0361f869710ec4c4cc911e7e74898613009e61c004473b5010d1fa9a00e245030ba791f01286326c6fa827119ca10e278caefa330f44df2bbf0d60

Download Submit
memory/368-2-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/368-63-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/368-6-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1028-7-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1028-68-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1028-735-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1028-8-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1288-1415-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1288-137-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download