cybergate | 70b410b9ac3ebc85357af51e5924850a7dc047964ef2da38a60efa206a40eccd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Size

312KB
MD5

f6f1e10a1f1ddf2dff91a465d3d64f4b
SHA1

fa5d4f0f33b8b9d55f7f4973d5134a924eeac1c7
SHA256

70b410b9ac3ebc85357af51e5924850a7dc047964ef2da38a60efa206a40eccd
SHA512

153830dedec882a94703ad4e240e9ad06fba39c0241df9ff0e0959cb19667b272f9d37740cca5d4bbd00ce252f2c7c2f4e466130dcf4fe264a1e5e5fcc5684c4
SSDEEP

6144:P3LZpzsxZZQttyCVxaWYSdMU/77hlruc6XmDoTbcI7CPPdP:vLzeAtpVxagMU/plruchDofAPR

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

remote

ninja666.no-ip.biz:82

Mutex

E01BJ03L5FAF4B

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
microsoft
install_file
ass.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
system error 128000.slide show can not be run.check device driver
message_box_title
ERROR!!!
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\microsoft\\ass.exe"	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\microsoft\\ass.exe"	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4748MJ43-EO7H-24DA-75RL-P2EDROEJ0113}\StubPath = "C:\\Program Files (x86)\\microsoft\\ass.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4748MJ43-EO7H-24DA-75RL-P2EDROEJ0113}	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4748MJ43-EO7H-24DA-75RL-P2EDROEJ0113}\StubPath = "C:\\Program Files (x86)\\microsoft\\ass.exe Restart"	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4748MJ43-EO7H-24DA-75RL-P2EDROEJ0113}	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2324	ass.exe
1828	ass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\microsoft\\ass.exe"	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\microsoft\\ass.exe"	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/868-3-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/868-2-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/868-6-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/868-63-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4728-68-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/3172-137-0x0000000024130000-0x000000002418F000-memory.dmp	upx
behavioral2/memory/4728-167-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/3172-169-0x0000000024130000-0x000000002418F000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\microsoft\ass.exe	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\microsoft\ass.exe	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\microsoft\ass.exe	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\microsoft\	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4544	2324	WerFault.exe	87
4684	1828	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ass.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
Token: SeDebugPrivilege	3172	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56
PID 868 wrote to memory of 3508	868	f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:4728
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3528
- - C:\Users\Admin\AppData\Local\Temp\f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f6f1e10a1f1ddf2dff91a465d3d64f4b_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
  - - C:\Program Files (x86)\microsoft\ass.exe
      "C:\Program Files (x86)\microsoft\ass.exe"
      4⤵
      Executes dropped EXE
      PID:1828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 532
        5⤵
        Program crash
        
        PID:4684
- - C:\Program Files (x86)\microsoft\ass.exe
    "C:\Program Files (x86)\microsoft\ass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 572
      4⤵
      Program crash
      PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2324 -ip 2324
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1828 -ip 1828
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\microsoft\ass.exe

Filesize
312KB

MD5
f6f1e10a1f1ddf2dff91a465d3d64f4b

SHA1
fa5d4f0f33b8b9d55f7f4973d5134a924eeac1c7

SHA256
70b410b9ac3ebc85357af51e5924850a7dc047964ef2da38a60efa206a40eccd

SHA512
153830dedec882a94703ad4e240e9ad06fba39c0241df9ff0e0959cb19667b272f9d37740cca5d4bbd00ce252f2c7c2f4e466130dcf4fe264a1e5e5fcc5684c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
250KB

MD5
eefc49c6cebb577911d1ac88d44470ba

SHA1
0bee82f346be14872a84c5c77b7bab71e9b2d474

SHA256
fa116f49918867b92c2662cb903252facdfa90476f7ce8ae84364f227616d717

SHA512
6e06fc7f7ffdce2ac962932b51c670be4755fd37970945ea48760cb297dbc3d9f61f0fba5cc41c34fa9435a7bb808776bb7a85f882a79376c096d9e93300b085

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8140bcac55e584825668bb58244480a5

SHA1
13c300179a2445500cc89d646927b86004135817

SHA256
8f0c13f5a28263297db85211a34d32702a8945c26027eecadf71fd4bb2919bf5

SHA512
187388edfeb90993333e06572b15948f98248fce2566e9b96adef7b10bd0a5809019923b5232c3d620b7425a635bced92ed58f534c845dbcbe4fa0f8b4f96242

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a06da07d9b8f3a3677608c9561e26db

SHA1
c9a701fe293c75f2b94928ef9dff948bf472105c

SHA256
ab90148137401add5a9e2bd9cac6b8aaf2f8235e1d4452437463766efa963820

SHA512
474f38075b86418c338971a6b80e33a822eb43ecf5e9df281b6fc2db0c71a88da1ee72dd8b925a2546a902a4412a06656b8acb2de066b58bab4f9e3c5bf2da32

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a7c857f0fb6b29306ce3d0879fbc50f

SHA1
fed383018ad4096356a1c3c32c90b0ea758afc2f

SHA256
db2c03177f136d2e5bcd77383602fa4da940d9dc85b6518878b872d48d384381

SHA512
db1e6746971c32854c9cf0bb9dd9b5c54e8a183e31a2569bd61b4f0315bdebe859fb16fe5fa9509773c3fbb7b9f3788bc35f5f20002bfea7e204ea1c0b80d3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
34402e8237d6bf1a57b4479de2795ff3

SHA1
70378a40028a3e128639bb3913e6462dab0d8ee8

SHA256
bca943eb71f925f5ae28021cae8bf6b77ad1dc74469feed59c472144a59b0f12

SHA512
b493aa60cdf0dbbe074affeb56cdc70636d8db84975a97ef0bbb92a388a3afe0c38d210e103b5d9843c41483b14104eeceb047ec9ffb73cc85df1fb139a37841

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3ad21ab7ff1000ccb899fcedeadd0d2

SHA1
53fa72091700f8099f15c21025abf8a0fe5c558e

SHA256
f037c0111e6c57e9b621a6e30c0bd89362025549e12a91300484faf90dca2ba6

SHA512
f7f8cca25b07748ff397a851907a57b22916e517213c39f7c7d282d9cb6cee799d959e039ff3fb4a806e031c13c33c7cc73086989f4675244a0476bffcaea029

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a06e41563358434d887426726c3548a1

SHA1
48c475524b047b527da3fae8ddc72a503d676598

SHA256
7aee31f1b8d36c16117943f776d39ac4b3be766422e8dd68d295e62d66c0ffc0

SHA512
d317f751bfb10c14e639fc44a7d56175f14af752c01aa0007430fc9faa308fc0199789d7569d4065013ef4f6d8e6c3d191d7805fba15028941e331b5c4d8bcc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
53cecb635902d7f3ab42f37351633d26

SHA1
fdca11a7f8df0b7b474c2d7986096ce48483baac

SHA256
74734800028724e2e7aa0452ebef24fc1134681c6be02debce8bfca28ce0ca74

SHA512
a7c2ed8e926aaf6b360e5759358c2441f8264c8203a8b6b4c4e53aa3ac9d2ed1bb792a121c58559085b09bfb7bc3708232036ab6d8f5e47644392b93aef129cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c0df200c30130a1017206220072a5f8d

SHA1
e3ff23db8b4f6c36f7f6aadb06c3554a72da2154

SHA256
86810a08f8f77c6787daee5d1efa7ff0f8788c8645e2c0b1677fe1d964e343f4

SHA512
ce6e0e90099cc5f0a6dcdf05f7e8631ef09f5c22be7f8cbf09a25e5aba4d1f004bc59a1cb76f9413f85e8f7a2801bdcb3b5d61e8fba954a26cb70e783e7eef57

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0d366fd7fb030086366f951c4003a834

SHA1
a935f4d6ec1bcde7774355f4196e2ac59d187518

SHA256
b7c877e3d5bc5e099b19c64ebf695f223cc01a07c8c2ee8265c20e7d6f5d6df3

SHA512
3b32bd8eff059b35928d5e922c96e80bdb9f940d3f306084d6cb246f619d1617556eb715a2a15adce94e8959183d10a208dc4e45727ad1339fafbbaba80eb85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81e9fde044b9d214612f447d7fbf3f4d

SHA1
7cd7d635841f7a8a904ef879e67d2718be23ba8f

SHA256
bd2b6bb9c336e95867ffacf3ff9984a26861606e123d6ae324f4d820a7ab1fc3

SHA512
613358929487332aaa2a4bd4e47ac76d78b0110b4ce018163bdd14b860c46cabd9bbb8003f7c6fce4584f1c59b3456eb3602a027c20366b00fd17b4c3f7c981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86a1c7925300635a399b8a2e7df2c9ee

SHA1
13f8d5da0046400e1fb8bb2ef5706401757160e9

SHA256
23d7a28d1778f51167ef2f403fb96fbf2aef8a99ff73f1e301c3fb0f03736126

SHA512
cb9b7580184c3a99a916c3f089d819b011a31494c626cf79cceb0179a1bef06774f547761ee269c53e57ba3a9f735b724f58e3eb09ad29594d6f8a0550cc61b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f5039bbb0c9842e7e5d4270694ec93d3

SHA1
78d16d08c4568baa5e57a5a159ab7451dee02a14

SHA256
3d01cc8df5e927a43a4ccd7fec96cd487cd7b6296df1b5467ae9e183d616bb38

SHA512
f5ca9143f4db678714b25cf329a493cbbf7b2b0729e21e3b415b7176fd45c4b1fc6448138a5587e2b5e3fb7a5b9d545678c1a02fc46c5431bbc730f579d23f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e511afaf62fbfe72a05dffdc5eaa53ee

SHA1
0fbb32747f8a6e6dad99d7107fe5ca9ac4d51a4b

SHA256
dfb97d887fa4609c2cdccaf11f82095d11aeac6c2c352702ae93c3cb7348481a

SHA512
5afc0b768edf267b420850259e3ea3b87da6593a429626b371fe24d73b164208e5358ca9c1be7d5ece9ec748d0ba5bc4fed14de4c4b8251ace422fd77547c1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9fa3d3d5da2ffc74db4056e99a1e301

SHA1
5b114afd90f44b8bb1b1dfd84422322fd4bc932d

SHA256
86343287059bcc07e108b750685dac3f57be6e0eafe22866209d90b235863bad

SHA512
90a304be46e9d5953792a02e0178ce4350d1dbb03d98e9d68827edb39d297aabe1c636c7d3b78c2478a67efcd9b500792fa156ef9896b0aa5b68b505659624af

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
68940be889a18d81e8c7171a87044c82

SHA1
91706f00cada73dbc3598b69e351e13788547a74

SHA256
75cd9c806c6a59d729abf1b289fcde3c49bf32fdcf117e8f103bdebe3d974313

SHA512
90d87fc1299320ce9b2e8c51cbe58773139ffd43f0a81f72cef7e8f39edce91c46ad932a79dc4938ccc292f575f9299e24b1c19e1106cbf17140624833955cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
953d4a55583576fc65f3589741f73fd2

SHA1
d2d68d1f1850210eac0b9b851b78e2556f6994c7

SHA256
4c43c023e1a059a0e21fcea49f6c43fc108e17f521115345b754af3ed25fded2

SHA512
dc721e8118ba07f24e72649b1982f4898edd951fc8e96d5e76da696cad74557241c38d42581eed7794523cedd3171689ceff3258fc9052382ee88a5ead3f0954

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
264d6002086b69d11aee0b8ea88293cb

SHA1
bdaf1914d3e71ace4f089f7972dfceacfe3a4724

SHA256
265b6c411564acab44ef1f7819ea7f20e7979b0ebdd7977b611e4c00650b8667

SHA512
8a27dab33cbaf937d3a7a19f0555344e50f6b9d8eee1044d0347a76e6c2cbcf1f7e53856f232d085955599246e023fef2b097902571a92fd1e2d66305d4b8cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6ce0a5a0f51866041facf961fbaf7f3

SHA1
d89f4df332ba86ae0a6679768d4541dcbae1cfca

SHA256
57cc6105dfb82e94dcd21234ad47feddde66b72e57fc02c27939daf781dbcbed

SHA512
0eae780ddd3b61894bff29abddaceb33c46a6621eef39d2c584c32a5bf45435bd1ce3def1bb4cc93f6ea3d058f1b34bb70ee35b07cb625f0ef206d3270c11053

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d22600c61787241c0a06b810f1c67df4

SHA1
13cfda6bd0d36d51b664954ebf1d233233736dc8

SHA256
206ebebc42de13cd76aa9f6a73bb09b321336179860e89454c2cc934e5425419

SHA512
1dcc38057b65193772fc3159c9f9b0d59f8322afa79fc724efdc3188f731be7f1f9d1fe31c44d431c8a4acc1acab7213a15eb81d3a0f64ecd1cfe34f4410778a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb7eb55728de631444d9adab71e5d02f

SHA1
8671f3c14ce44b3ad113b2ddbc81d61668c09831

SHA256
4c743ec67f76a179e49784eb501399e833857a6814c7bab5250e897b7c4f3865

SHA512
034edafb2a2a212ac4796edb74c56632ff11b95561853e8138e59e08bd7147fb1097c2257663d7be12d2cb9cc5bde4cc708c36869513e7cf65466797ded0cb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6af40d5e820b551c2c068a1bd4f6c5aa

SHA1
0ee34918fe6b6c1341acc3d4c8ae4a383340159f

SHA256
c5c9a0f31b43f96fcabaac2998e8da029aa26f9c74987f58bf16f0824938a775

SHA512
99044a376e38ea6d0920a9461186248d8517753d62b8a996ceca9150fa21225060a9babe065747ad55fefe0e8f1c0decb6b4803a297c96c00a08fc8385f456f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
43dd30ede73c35f8fea16264e36e1f2b

SHA1
24a743b23109a6582f947f4c770c7d4044eeaaeb

SHA256
90f5791082610b07fb6779991ba5d23e99aa46abe3af7b70137f038c5f021fe6

SHA512
0036b168c10e30d3cf26c6a5db434030e60bb1126e811d96af8813296ff22e734f64c99aafb00140444afa5a2626bed235d2bb70b217befcab1893b99f8fb289

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9338ea8edcb229475a59b05dda8ccd62

SHA1
7bf7b59b38ee52cdec87b44e3dbd5d8e3be84123

SHA256
df8c9a535ee341064c69436922feea7b03bb0cd41fbf8405bcb459d742723dff

SHA512
2fa68934b8c4c28932ab83870125135f1bab2e3dc04505a436eeef939029a812a46b8cb2c5c0e1fd8ef21f8405d5d03588ffaa6ef6ccbaf95668ddd9f8cadae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
15cd02367fa3a18233eb2b730037b00f

SHA1
01ffb4129231e8cff3a53a07cb626cfee06a331e

SHA256
6a26ee1bd2f2dca500ed8167fa57ec9d4c502dbc7e97dc5413a564a6b7306daa

SHA512
6c11b8a4719a9bdb5cd804375d65c81f93ff7613d71d1a1c275ebac833cd34310525fb635bdd4056d1131d5db02dc7a18b443b653e75c2835d9fbfac3e712434

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19b7a3aa1d730932224bff73f5988a1e

SHA1
775aeab335a74fb2d9d4f5a82652ebed1b8b2b34

SHA256
ebc6bdc21db315644062e00eb06a02154eb54c1bbd01b95ec6714449c9512153

SHA512
a01f1d099f424495dcb9ad324697f4c2e73e3e13cef1d4511cf3fe0512e82bf411133a0a9224b5d11ab250269cd14671bc95c1faafefd6d21589fd2dc4751d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5f8cf2d168fab27aa3414c8bb15abc1c

SHA1
0b71975e17bf25b8e60bf4e61f31ecf1bf407149

SHA256
807a98af7da510dba3bd5bddc4b7c3645c1bf8567593dfea99206fb65499ddc7

SHA512
001daa36f0f1beb4b3d10e938b360f2d7f7094514f034100e72eebf9966493f7d9935a575e8bd24106d76e30f579bd50b8b2e158c284689dc98b6ebd9d0bde67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4679f954d0adcb85c23a8b6707f75aeb

SHA1
dbcf1e4ee45ed22bbf0c229fab9a65f387bcdd9a

SHA256
de5433245394016309941ac8744e8d082c26cb4fe39b0ddaab9ade685f5de36a

SHA512
5feb7ad95191f62b1b8fc45826061f83cbaaee2bcc243da257af2bca56cb75fedb0d9a8e6549bce8dc62d67a5582d9bb24a61f32903a415525120b6c56b75f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e340fcebdb26cf15bc468eb83fb9b2e

SHA1
8efffb74416b7a7e8e7e91d5149abd35b3f58465

SHA256
62a57ce9cee07c760e7c148110e2ea81f1198b841dfc988532c8a73d5de96cac

SHA512
7ee8308a21c0825cbb8270a9e1bae67927e6e351645d027d18086bcc822f5ee2de5d8e5c025bd29a14ad4c952c3707439e240bfd6a51264b55846854ff055467

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f5a6364a744bdc2c4f75ad354a404b91

SHA1
0791c51463fa061b379909900add387874ab8239

SHA256
3cef0d0042b5ba71244c979a974901b6d7b47c3cfd1b1ede4925c0b660712c46

SHA512
0ceb429f8e0c5282946efe4a7d0cdfc28448b81ecb75409401b61cad9135986ba8c3ab9137d1fadb4bb79af1c213db2497f469c18b0486b19cdf00fcad349e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
585e89890161bda3bb2f6f637d73bc23

SHA1
eee6aa8e0246f2902f7bce272e7577b037b641a3

SHA256
bb185108d94c54ee1107f3f46b9735ccd8999f2e1244ef741f64efb64bc73d3c

SHA512
4b378c0253ed8f7f9ab8a4da403df6aaa2359fb613dac3161a3cf9106a713093ce49777a99ec61e367bbfa60c70d6f24c158986840ff4b01de6ed4d86e18a00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9f516d77115f84662f55ae32a16a01c9

SHA1
370e6359b1acef42c5587530098e8334a67c097e

SHA256
3bcf745ac1eb74a2eb773043e71585db1a41bf0994ff573b1067213755b6461f

SHA512
1b912c29f3b3ac8ad3596e6af5afb9c97f2b0c65ac28663ee470aaaf0fe356a3075fb8aed7792aecb26c0abe85c71186e594ece3a4873e047c8291de6ca53d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ed1c9fc8e418efd0e2bd5a278c28fc6

SHA1
63278844c2d952f02f5ed40bcaf2f81948d74fb1

SHA256
23e733fca2b919cd8c521032d26ab0d380c2c85f54d70d9baf559872caffae20

SHA512
0a3e9e2507095bd586a26abefaac82e8968d4692f2729acfaa62ccb9c9673ca6480d8605eec534463c187c65f4f74a009970b87a2799cd879821d80e7871bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8cf8058c0c08fe8b0d3b8e78eb16e5a0

SHA1
e3e0ae31d5aeb6b249b30111250f18820b2a8a48

SHA256
b8c62d9cd5a8dee6d8bb5782f602630e6c5ae04de70c555135a4c3beb9fc2805

SHA512
56234624ffa0c4ae9ad6607548ba3fe73b94ad5fff70391a0943d542c0930769bc22ab08554b5a3209568a6af0b4715d1e9449350157214b9ceeffe0fd06777f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
09f97d76072a35bbf88fc2b59b902648

SHA1
58350f1e154fac7adc94819f53f3589853305a5b

SHA256
af02759ca11d6d2aaa99039daf43afd88f38a2dd6a4e3cb4b53d1d13063a8956

SHA512
d41a2273a3ffec553e85f30301cdfe351b42fa8144d9fc10ae719ae5e664831f2468a7af414664247ff841af573b0d789e0b1b08195637d413cfe80ac551a461

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
baada5f8226a51be437b2aea2b3987ea

SHA1
6b890b63a8a36986c6f5b8b3d27d6ce3f1d14d53

SHA256
1fbce38d5b6b3cf83591bcca174831a30f88398b7bc884a136792052b4d263fc

SHA512
46c3e06497262f7afe7b6e72998f689c513aec954f3dacdb2ce7f55ccc8fc369b3425251c7417da423b655854248269bc1e75a6c456b4265d0dcb058419bd4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4b27d4e889fb4d72d535eec18ecc65d

SHA1
f856a97220b8c7684ff7298abbb1ab4c7f7b35ba

SHA256
e10139ab3ad4b3b7cfc099fdfb568863092f286aa50d2a4ad414b31bf073975e

SHA512
727db1cf4f1c7daca05ea5170ea0e545afea001438001be35e669e651bc84611d2c64f1fc35413529ac72ba7923eaf049fd07ee9ef742b4f513f3323288459ab

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/868-63-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/868-6-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/868-2-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/868-3-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/3172-137-0x0000000024130000-0x000000002418F000-memory.dmp

Filesize
380KB

Download
memory/3172-169-0x0000000024130000-0x000000002418F000-memory.dmp

Filesize
380KB

Download
memory/4728-8-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4728-167-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4728-68-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4728-7-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download