cybergate | e147abd59fa9246cdeb230d65bd459eb9fb42f245aa9bc0e1ebacff1aa1c1fd8

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Size

335KB
MD5

2fe4ec8ee962f108c8bfa6a1b05781aa
SHA1

1a2b4068c77470ef545b0d55aaad54b67121d1a0
SHA256

e147abd59fa9246cdeb230d65bd459eb9fb42f245aa9bc0e1ebacff1aa1c1fd8
SHA512

cd5963bd66fad4a855084beb36a11ecc4d24562cf3249abee4d70b2a3d392668731ec72009ac9777422cfeea768f007501cf99f9ad0e485e9cbf888b3bfd041e
SSDEEP

6144:qBrYWb8+dTTGpfkZFGLe9yleqF3cqskQxQA/rXYcCFdIow52cYIlAIOWYey1Kva:qBrNQaTTZZWeotFNkzXYcQsqWYevy

Score

10^/10

cybergate victime discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victime

stenger.zapto.org:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
system.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
?????
message_box_title
error
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\system.exe"	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\system.exe"	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{715460W8-8LBD-335U-D0K3-4Q516FKG3EN3}	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{715460W8-8LBD-335U-D0K3-4Q516FKG3EN3}\StubPath = "c:\\dir\\install\\install\\system.exe Restart"	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{715460W8-8LBD-335U-D0K3-4Q516FKG3EN3}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{715460W8-8LBD-335U-D0K3-4Q516FKG3EN3}\StubPath = "c:\\dir\\install\\install\\system.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4788	system.exe
968	system.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\system.exe"	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\system.exe"	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 4788 set thread context of 968	4788	system.exe	91

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2776-2-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2776-3-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2776-1-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2776-8-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2776-11-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2776-10-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2776-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2776-14-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/2776-18-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2776-32-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2896-81-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4056-151-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/2776-152-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/968-183-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2896-185-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4056-187-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
220	968	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4056	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
Token: SeDebugPrivilege	4056	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2112 wrote to memory of 2776	2112	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	86
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56
PID 2776 wrote to memory of 3452	2776	2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2896
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2fe4ec8ee962f108c8bfa6a1b05781aa_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4056
    - - C:\dir\install\install\system.exe
        
        "C:\dir\install\install\system.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4788
      - C:\dir\install\install\system.exe
        
        C:\dir\install\install\system.exe
        6⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 524
        7⤵
        Program crash
        
        PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 968 -ip 968
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
4f51a1640d51028087aea1680ef6bfed

SHA1
5b05a0569a133281db848d4557216fe24a15d6a5

SHA256
87e6b95b9de47ca68c1da00eef5fcc160ff244eb5af07a68e75cee6195451835

SHA512
5ab6a9fa1ebeba00241c71aa01c33669cd1d4df3e8db6bad9166ec7fc328c5c915af93b84207f74e6ef567723844f4e6aaaeb9693059132d684d39c8c080689a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e373f07330f57d4450a7b7833d7fe3b8

SHA1
9b8eaa2212d5829c1ff474d606d6436fc701146d

SHA256
ba0a6c69fabed801d5dfbd2a87150fdb3a38a3aa428541f4f538d4a5d1c8979d

SHA512
0f2af51f5b26c3a3eebe73622fe071e70bfd73b8d4a549e40c332087072cc2228eae6ef660874d18fbeb09f589e79711bae829b261cce4e582bd793fd636ce5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7407b35db1dc5e80f4e79971d709fc9e

SHA1
eecabffa50cb4f7f1dfa75d20cc16fb57f2aa1ec

SHA256
354d33d2ac1fe718a08453347f145d6c330972adba80f3ca159177d57668323c

SHA512
a10117eb9983e6693b9f9a73f12249e3b46d0c99235e20c7ab7fd784114a9bbed631a27626eb13731343c7349916e2d56a7f1f87f6ee1c63aa9b6136d632283b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dffa6168c69924da2c7ca2ad215c711f

SHA1
fa792868524d0a685b701e2926e3e1dffd2a5675

SHA256
e5a82f2ecc5418ed829c9e0acbd96a166eafe1cb163eb85e7e8e9775b2087ae3

SHA512
32309e5f44aa1d363d776b4bdb677c9f365d9af43943319aa730c25d961eb2b7cef0fd4ccc1a75ca7ddcb44680f251df959d27f268d5a1494f613b79ce886dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d671fd35ba6e154a5fd84bd66e8f4e6a

SHA1
6f37270d40ce650090a06ee90ed997d6546f90d7

SHA256
c54cdcc441bbb12fb56d555c58183ef5bc61d319a1f233a112cdf6fe11f7d637

SHA512
48eeafd2cea405b983a99669882829102f40a253212f1a9fa4b91fa87f5d287bd9f1f9f2bb88b7317017108b26304facc8bdaf47f9e34b38a4608a3996ebf00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d61065cdfe843400c7f1993cc8bfdf0b

SHA1
b378c99946d198d589bf7a8e00a24fc29459fb8e

SHA256
e100d976afd2e5554efe53c9fa756d276699ef9528d26361cb21139ba6ba67b1

SHA512
61a4a0581cd4b90f90997cd76e8361a5d380867c5996dce1dc6ce9d7c854909171b0ed527ebc3ac24b131c85eb1ec021490da344d39981bbc29d2357400e4170

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2a782bf5860b584c1eb1a707eeb7d593

SHA1
f28b99792f695902e0389d1ec658c44c92899ad3

SHA256
1b705c24b5364880db14ee71208165cf073496fd631b82b7ec24c7e1dcfa4020

SHA512
67e4718dd57f8f8396c825d03d927731800470ce210bd8568eefba25be6058139131f1eff6a810d182639a4111849303997f5e67cd37a8c676e94cf284b2f8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5fc981b142b0c0b8ac9111f9a0fd5520

SHA1
ea60f0c2c2cfb99b8862748e046ea88a1dd9e2bd

SHA256
6d53e7473435bcb3a10179f8ab90a848813a7d02648fc03b972984a9e3ea89a2

SHA512
85da84feaa41a894578d406d0e4ecab9cec38660c830d851053f9d1839e84a4e68554a1a2f9cbfd0d969fd901aa3c19b71008f0bad97fcee030dd56180b03b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
11d01aca5c74fba195c3c995795722c5

SHA1
328d89ce73659b830cc502d1cb1904637dc1ba93

SHA256
eb2cad2498049e5202c56963af539560169c4c7fb9954fe6d0580163ff33f08c

SHA512
78cd7b29a2403e7c7d19964a68889ab6727cb52b8da514529c3943794d2df9d124954c5208c56ec512a0c44f1c451fb246da221fdd10bf981fab96c19ab4e4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26a4449a5159abfd18ecab9222e74e47

SHA1
1fb35d99405113bcf987f927f81c8efe26ba1963

SHA256
078b739609e8a67ed1bc3909ebbd9d238fddde92feeebde8a566ff5d4ffdb18e

SHA512
2b508f3c30e8eb31be53cb7bcbc22fe49168702acc05122d9c0251ef8d11c4e915c2f7f391d6fdc37899e8e167503b6f625e986b5d9626e6816efa95eedc8b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b74d58ef91d01414a8f4e5ee0f6454a7

SHA1
9f6fe19157d74420cf7e982868c8c8ff0145470e

SHA256
719729895e72d416efffc0afa381e4e0373486f88ed1f7ca677b09e596317547

SHA512
6edb090d3ccb7b578b6551afa2866cbdb769128e7f799fa22f212dad6735a3e76dd09f77db3a4856b8a67ebb6301c951b1b13fb5739a7bacc4a3e47965537fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a655149283462ea608a264c16dcdaf8

SHA1
50cec65afc71db0921a18b8542f3989ef070c4c1

SHA256
b2eb8eb4d2598607ee112931b670a6af55c4786fb800eaa21eef5c4a2f5e1479

SHA512
c5af325015a0c6d2830b8ce95b4bb30cdd018fa35905f8e3dff7a20dee772986231169f94211b142a0bb17f55ccec7b6323fc981b621fdbc7bfda9e349e98d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
480246052a61082d3040e5eb65415b2f

SHA1
7c09a30e7445ab86deca2089d868f587aaa703cf

SHA256
7119bd5b012caed8f2a32a94c33f57375c1de9f5fef2867165b38424fc4f4faf

SHA512
48023adeb4ba4ceadcedc9ba37d727fe45ab99be066adf46013f0fe6fdeff5dee03b9eabac947cfe77e25b649f31aa835aea9b2908675680dd86956eb5bfded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
144d0a1787c95b3c7ec62dfc2907faee

SHA1
02778ac399c8c18c2e5842732592037a79a494f1

SHA256
2092e0d375d3c5ae0af88fbc4be14ad31d3ab03593f52d01976786d1b0816aa8

SHA512
f118d5c46c9739b1c7889d5030a2bd3c5bc8a0bad1f06cd3ba1c71350816499ec8b4ead62285b2c3e4866f0a20cdaec74f1108ee2ab27a13bf482387497dac45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3fff91af24fb867ad44057e30a7ea86c

SHA1
4566cf8b6b90005b1a111e6e640e5d0a856614c5

SHA256
28f2c7f464f851110ab67da6ff816585c0242ab1e65ffa0b0e33b1939ef513a0

SHA512
3a3b701ef6b0bc332f22a38d685a2f6c495bde34ced4590d89e50892b8a66d80a186f8dce4c42ca8f916f81b9d4ffa0f4ff34860427ca7692d3fb65e7097de2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
65987aa37ab0b79f9fdcae783a745b91

SHA1
bf4c746b8985670cf79eccf7cd7ddcf0369ee741

SHA256
a53a86369a86c71759dae554db42c49a240a0395d56fb68a00272e2aa1bedaca

SHA512
2db5c428695c3e016757e3fcfccada95a8d7e21a4cd8a711a1ec412e1f92d0b2d75264017fd48acefcf39e8949aa0872e4a8722750084159ca0b9b02ead90113

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6fbdeba266891e4640cc1eb0e629bd2f

SHA1
86913924482809a6fb600c7927e4ceacd8930b1a

SHA256
a74437c44f50abcb46743e60416cc2b8a464b4063efbe7053001227acb7cbd79

SHA512
b7e7eab5ccda3670308375d4e8d84c4939420b262913bb9398f34b364f606f420e07272378e728320feeba14b3399071cb9b61e83c68e604db20bf123f054318

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
21c0ae39223ad0f0b45b9c0027ee7fae

SHA1
7680b5205fccc345fb47ff1f5be39727c65d5ed6

SHA256
f7a620f4ae29f806a6a59142dff81646a179d0aaddd18a3953aeba1ed14d7f53

SHA512
c91c17ebe15ae7f4ace11a3303e05d90fe3ff79eafe54875d7be02d7d6937917ce377ca00e1fc6b83b5ce7cd163fd27e6cfdb966598ba06e88bc9ba99d2bdd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ffbf5d84cb0ebd86c503322929db7d26

SHA1
75d3516ad65be56b8ef90878ed8407b02377c811

SHA256
43704cc9f855b05d97680a223615635da774f84c91387fcaf7b01fe6f39d6880

SHA512
b1e956f62dec201b24a4af81d931087a8700aaf48b27b346065a0d1a22d9ff8d574dbe82674478ca00dc5c7a3ca85e4f211d65345d06eec7075f3109cf3f6e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9fee0b36e825c1729cfe7f6a32ee7cb8

SHA1
21338ad9332a7b3c731ca076ecf2dc74c9b51838

SHA256
a3a5dbbca8131eb5c5b559b511b1a80bdb74f19bdbcaba5856ed9fa713ccfe03

SHA512
22cd3a3a9f110ee5552d16c1aff202d69337213bf71fe85851bd72c0af0f11fa2ff1f329f58d96e938f669663fd726049013e72f80d0d3af820fc6151057d965

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\dir\install\install\system.exe

Filesize
335KB

MD5
2fe4ec8ee962f108c8bfa6a1b05781aa

SHA1
1a2b4068c77470ef545b0d55aaad54b67121d1a0

SHA256
e147abd59fa9246cdeb230d65bd459eb9fb42f245aa9bc0e1ebacff1aa1c1fd8

SHA512
cd5963bd66fad4a855084beb36a11ecc4d24562cf3249abee4d70b2a3d392668731ec72009ac9777422cfeea768f007501cf99f9ad0e485e9cbf888b3bfd041e

Download Submit
memory/968-183-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2112-7-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2112-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2776-14-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2776-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-18-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2776-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-10-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-1-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-3-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2776-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2896-19-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2896-185-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2896-81-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2896-20-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/4056-187-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4056-186-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4056-151-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4788-180-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download