cybergate | a4ec4606a2715d0a1e94b1c9fff22366767edfee4fd83fb2887d180e9e2699eb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Size

260KB
MD5

fc0fe2af3d4e69e7a30838e6fc3c44d5
SHA1

f95574deb164a5366b654d336585d3a2bc7769b3
SHA256

a4ec4606a2715d0a1e94b1c9fff22366767edfee4fd83fb2887d180e9e2699eb
SHA512

76cdb973464017618af39a6eea6efb17fb515b131562156d8a866d0cd35199ae5dea6cbbb96db5d6ceca2212e2d09649dd121a79ea09e31b9ddef5a0fa877f42
SSDEEP

6144:pkkCl9IKTGtyofi1ybkWbTCkXy2K4ixdXUEmIQ:ukCgKTGtyrybkWXCk7Tivvm

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

remote

10.1.1.103:81

Mutex

update

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winlog
install_file
Winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GARO44W2-46M6-8C48-8VVO-30MI253677BH}	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GARO44W2-46M6-8C48-8VVO-30MI253677BH}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe Restart"	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GARO44W2-46M6-8C48-8VVO-30MI253677BH}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GARO44W2-46M6-8C48-8VVO-30MI253677BH}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	Winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4536-0-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4536-4-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/4536-7-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4536-30-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4536-65-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4828-70-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-72.dat	upx
behavioral2/memory/4884-139-0x0000000024130000-0x000000002418F000-memory.dmp	upx
behavioral2/memory/4536-141-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3088-161-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4828-162-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4884-163-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4884-164-0x0000000024130000-0x000000002418F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
404	3088	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winlogon.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4884	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
Token: SeDebugPrivilege	4884	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56
PID 4536 wrote to memory of 3588	4536	fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc0fe2af3d4e69e7a30838e6fc3c44d5_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
  - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
      "C:\Windows\system32\Winlog\Winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 568
        5⤵
        Program crash
        
        PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
f0c6d57de689d2c58779d71b6ad4e3d3

SHA1
4eb6b7b3a2f4d8f1718dc6c60898859e283358bb

SHA256
14271e6d7a0f2b34ac55e79750310670e23f7c74ffdd0abd71d24f7fd8f83f87

SHA512
1903ca910a4d60ab0ef41409c87e1a45b03db1789a9eeac598c63aa6406b6e45ab2e403642318156fbd028e6674026b2b0544342ef47d3f74fd55c8ce41d5d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37456fb5f8a7569bba5cb92967cbf847

SHA1
0b911350f7c6d1a850bb1fa6838cc2536cd5bc76

SHA256
1c7f86d9505e0ce3e33bd5eeab54ca5c2a08c6c6f44a28b6a69d5263a8f8577a

SHA512
6c49a48e9e2e0011af32d5aaac678e06ba403c01c22fe677eb3c04a9e358244f3444bb034bfb1088c15ea9d9b14a0f9e03a8ec1ed8bbd784316883bc3160dd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
908f04ceafa3d732f1fdf016bca550e6

SHA1
99b5a602e51446a4ed3b165818bce3fee5e38a41

SHA256
491d80cb1bfcadfb7716d9389f4dafb3164f14d0b05c556c7f413583327faf32

SHA512
7354ad07ca949c417e95bb86560c0a5991109b8eb12ca419409b5f89190100ea3a3ca4cdf1c288ac260097383fc2570693de17201dc42c65effcd43d301fa040

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81b60c49e49994119d59dc3967371ab8

SHA1
26f37573045db7e019d4ebaf5316d643241c1c48

SHA256
1e07c1e801a8cb288dda44d5bb368b70f8cbe5cb37c9e3fd8cee8657b39c1e9f

SHA512
f666ad253a84dbde22b1dca0dc20dfdea082d1e8f78f2e66dc37975533169960c4c43ae08f2d6501f0548e51f206fbccce0bbc0071f3385abe9acfd55f4d73cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6097a5e9474ffe56c1674ba6b16b2e97

SHA1
3c0c0745a9eee45c3083c712bec514de335d2a0e

SHA256
0c8abe91d9c769ce423dbb6e5b4f7d951dabaafe815eb1bd69b9a7076d2de8e5

SHA512
d9ba8fe5fbb887c7c7a6b5cfafd5eb1a4340dac9955d77457491a69adb69cea62b7fcac549ae1e21b6cfc4248b167cfa79d72a43670b89ecec8823d06b2fe6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f801b82649e45f3010e77d58847f99e

SHA1
171296305de604b2152584b9bcf4ec70679aa127

SHA256
c739a199482bcc96eaf17fa988b9008a8df679619e0a5631f23fd7fcbefb4ce0

SHA512
3f0fbd49ad6289cf80d950ecd17d78eeb5434062e2d34a9777b007f5d896bc3f893522beac7d35964ace48d65993814ca5ce2af611653daf16b043ae0d5ae629

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
60f6c48bd9e237c40d62f96841121c00

SHA1
bc00d90f493b47ffd409e2bf48e17799ea15f029

SHA256
ca9803f9892825207225ac612def79e2619a16338944101257f5b9cf8cc43051

SHA512
aece07a31fe6fe6ea013da0b1acdf6ad5997023ca895ed94ee80ff9f0048e12bc8bbea161da9a8b30a5c78f5aaf5796039b36a426853aab21acb5516802aa651

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
61d5a429673fe1cc012d9e5597286541

SHA1
37151347f8b80fcfa6de460a31f2bd188e6e5058

SHA256
3fbf4977d25128bb51326c36b5f8bea2ddd454b94469eba7525d7df2b435cfb8

SHA512
c566f9ceb5a5f457566fdbc1346a77672859dc5be6559a13ded146ea15f33a50aa79d3257f1554c77b2824ae9e3435e151672a887f944e7f7155b3e855883d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f724ac23126f7177b5ff84cc2ecc8bc7

SHA1
39cb8c14dfd980af69da45316517df7a8bfeb1fa

SHA256
963fec67d0fcc5ee717bed20027c177bbfc2826ab810f8c6e74177a2756ce0fa

SHA512
263a98f41dca3a1b0e94094f36a7075ea280171937cabaaa5a2be4f19879a5d83bf29fc0d023a8ee8bd48c210e75084d86954df2b35c05aaa63e79879f34d128

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4f0be2ef295d93ef3f4e85d0c5284905

SHA1
0446dee7ba675d9aaeee2d9f06e437a16c0e3a91

SHA256
c4ce94d8e18f1f730e8e8c284e662340d2b5a53d6c3ad16f2dd0fad12b63c930

SHA512
bbe05129069f71b6f5103cd1b2c0b1a08f062fd374cdd91600d760e74f8c3ca3923474919a001d7cc3a7a420efe81a98542e461e8a4bb5eb7a5e1c7d3ef4c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ab2845baefb4b94dcc5e24c7eac26058

SHA1
af6bea57c960113975b309795c4c97ae51435d9e

SHA256
fd965556e82986266e45486be3375ceb93c8df36d584f85e4a0efdb494296e41

SHA512
7a94ce4ca3082a03e231b8e8c6b212270e968c7af5b35109712f9bc2519b14d042e58745f85130e469a010058f4b42386fcc10bea3927ece8f41ce3d8c61fbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
33261698ec6af5e9ddf2428d922ffbfe

SHA1
a5fab0839e9bc38c52b60c9fa82aac6fc082f088

SHA256
fe9bc8535743b932d3f7d1069a43238de8ac7a78f336d97f9b8a0c3c7c29ac06

SHA512
e540d8c61695eca36e6c6c11cb8a1d099d2ad5c2a674a66f104e8157bad8ebcd2a25d2dcfae3fc738dbd55bed89cf0175f940a93b8a4c4055c2764ce9a045f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77d483b954d567fdf52455ba959f6dcf

SHA1
9b102424fb0f8cd697594167de6b6b1753367f14

SHA256
af2af27ee6fd0ee0f22621e4e1a61aac1a62f1b5714cfc14b56666643b854ca1

SHA512
47b856060cd4161f045fe5dc1d813b16c87e44cdeeb3f3576835fb4b968462c85871a243774458e0810ee656d0b81c46b1c3bd8af04b934a0fcf4a2436dd5a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7bdd6600e0dba4c54faa30b003efc9d5

SHA1
e025adc0fca11cfc658245af0dcd50392bd10dce

SHA256
c1633b1950bcd0aae12a115be37ffd092a6c0412f8efc58ae0994e5c2b20e983

SHA512
da2055990cac45b2b7fc7123261921b003578ac55f1065d33b8b07abcb7d3b22f05389221ba9cae9cf55fc4c8048265ab902217bb1f7696a08ef4d09debf4dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7bca5a5a7af09851104c92792119f831

SHA1
6e70792bfa1fceebe2c591a305c30b73d5b3adf2

SHA256
dbb66324b9243a7e845436565513c8b72500f52f9ddc1d6e616d98512910dfd1

SHA512
d9f99adc478652424731c79811787645f57ca301ffc59874b2c39cec2d07dfd1f50f3ab2461f32ed76fc7b2f86e7ec65fe93e9ad7dcbe1193ceed47e661bfc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e71af49c75dc10e62c831201e76c1aed

SHA1
12cf835fe722f604fa37998abd9b1f99f2361a9d

SHA256
5ec5d862c9d47376b4456d015d5681c86c53471d5dad572c20a1c5f479167faa

SHA512
8bb284e0ff4b875da0f2143efc167f34c065f74511267a361b5d4dbb3487f1b8b7d10ba1e2f9942ad3bbe4d75898da5843dee80fceae6a3c850deae7210496b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e311ad485fe408bd23ab797805212e41

SHA1
d63f5bfe2abe21fee59641c5b169418da986fdf8

SHA256
f49d811b47bcad52749e33c12ae15675d1c4706a23e2b52160e02d91d1624bd1

SHA512
3c603e4f69ab63ad97820f287a95ca4cd89631778fe9b2496d366d92c7808588b7a3d03d11bd6578b223985f26b6cfb94d9f481955233dd129dfd3a9bbf765c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ead307e327cf287ea50eb9b5fc97faf

SHA1
a1320e7cc93622ab234e91b7cf47509cd7ebb7dc

SHA256
446bc0ca1708ca7c3edeacf22159d4d9eb350e5ec06f44dc2702d691aaffd961

SHA512
baf0d30981eb021f138695cabff398622a2eaae403fa02c96ba6a8e106eb3fe6e6a6cf20daa5be36d41460a9e5f9e4288f4cea806a978fd11de6299b73716e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
11f4ec18f11d1b1b3a4f4e4c9da846d6

SHA1
7fa2425569c2cad9da1b9b3198fdfb78d3dae651

SHA256
94200ab1c65937a4175497aa396f6adf6627d7245ecceb4612d590c428163597

SHA512
8a82ac317f8d5e1a04459286a73e9fd76dc3ffe694cdc69a60605d2b24c375ce45cd1ed14b58164eb47b8f293d1fdacd074b50565bbc95c43ae1f1e0bb421f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9c9eb15d0e81374bbc777bb2ba737e50

SHA1
ef2fff37d3c9cc9fc065309ff35c0e182127174b

SHA256
a96cd89be59df292dd8dbdd03f2943efc95eb5fd3f9eed6415f7a0224dd507cc

SHA512
9a21f1ccbf1b1fe5918fe3d59d2e2b4367a4b0ec181a70ee12706d78fd4b83d22669c3f3d90a6100ead5aa0da8592c9208a9effd46bf087348ea26ae66a74915

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e3afeac328f3b344a1291ff3f217adad

SHA1
07bb731eef843667fb47e28c1d8c6e04c8abdbfc

SHA256
d15552991ae4524583f8cf8edbadf82b7fd418e2f05a94bb7b2f58bc6af7b001

SHA512
fa2f731447b4e43d352f284f508082550c7680d9ba02379756d03440f3cbbc101ef90f990a34dd7d55e1904bcd5c5624c8aa578f8baea9398dfa1b415954cd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77d1d63ab614e6633aaf4c9eed5d0d67

SHA1
9321f3394c7ab72ae2489ecef515059d16badf85

SHA256
4a089114d10313b522a1b8601fe7ae3a115fff91b94bfbec175842fed2cfdc00

SHA512
33fe562023f3f70370fef1eec2735360104ede0ba95aab2855213c5456ec1baef775c8df9695ab0c97bb1efe4cde7afef0a940058795da9a2a67e49c39a900b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5b8a853fb216b6718b383322d85365a0

SHA1
8330ad49d5c3d7a5760cc859cbe55bab581d4b2f

SHA256
9b0ba39250e4d18a28e62a0e4c1d4c8899783f0e7b47466a8b9f28476b20275c

SHA512
c6b3d9a40121ecc758ca26df433107b5f92951e204be6a99fcf5384431574c3c0c01971958c4af290df3c8540a13db18d945e98103ceab13f3cde5ac62db8195

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
067f1910f2fc9ce467fcd8fc381039e5

SHA1
21a5a8bd07e35d3929c409739e6e6477f03ddeb2

SHA256
82c9119b97488c9f50b2f553ab20ef73ed8d0eb216b0feb6c81ff23c72c050db

SHA512
32e538574c439e07d702088b77933d7efe535b28e297c2df7f3b16cc435a70428babb621ffa677728b0955e0fb47d3cc1cdd41f2399b8acc382367a77d3a6c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e770b99f299beb299ac2e1a4ba52359

SHA1
8d1b7d67c374f460beaa1ec97b4b60140d4abcea

SHA256
82bcfb9feb26f025b1508d2448244855deccec55d933f11fed453567badb8129

SHA512
bc309c2229286b3d03634d48348b1fb7d4935b773dc1f08c32ff4f3cfa4eee0999f80a69302e1882d30ecfc9e028656270798868ddae0bb8ba9406973f71fc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d5f11abd469c963086da1f04a1657bd

SHA1
3045e24eb46eab1c2227619feef5e87ce98910b1

SHA256
0cba6988a3d8ac4b1599d7c38d298b9f2b1c93454a09af69be88f704ee3e1fa7

SHA512
81b14148f3fc75c51c5ee1b105c218f2517aa45314b9593102a334446c2dbf06553c59dc065f88d14dd1aae69ebe71880525e3a8344a05353de42fa4eb1a7d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bdc5389b002a3c04556e502138ed4e0b

SHA1
25c91a8d7cb8bccc749d54ee02db852c48398729

SHA256
5cf39387bccd780cfe09ab5d5e6d7303bb1c30536a0bf2dc24efd4ffbd74dd5a

SHA512
dad983657e1995c494e6dbaa75fe5a472eb198d865d9996bfdf9b0d133ed2eecbf2787fe4ab5ddda9c17d1323cd52c678e47e22c4fca7a5acc60d6b86cfec61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b91eec07ab6999b1731a7b2626966803

SHA1
e57686c124604281b5cd281a5993dc73b3cb1f6f

SHA256
4fd70bac61b55af3ed3ae3a1205e03652fb57cb686b722547872d792531a0e76

SHA512
b5a2f7e320301446251339ad3803d2d9239742b2a795970d3159e0487ab562530f7a4cab48b19de6808c3e1801305a24047d06d57134c53c8c8bf30ffae6b037

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
027ccc237f205b3191b14e2078be357d

SHA1
d1e7b5165709b9026cc40913cc089506d8bebfcb

SHA256
67b29dc3aca43b9802da20a69969e349c07c0c42254a3aae7ad903601a85a64c

SHA512
50275bb4a114b13f76d28442343878a44bc59f45ebfed61a7ad77f168e9427bd6b3fa35648c64dcfc1448c54e7f5561c20d98054209714eb49e38daa6f00b78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e8a65f75394ea800469cebcc073e9d4e

SHA1
ae66aef91cbfd56cc08962392d3635acdc7219e3

SHA256
03564043053c113954aa74455fa2fa0967cf7e72017a491b4d1d25b1ba6281ea

SHA512
9481687a2112b99e53b8a5265e2c98d0e93a46faa67ab81422e0c41d9a311416c0726a3a288d6619e550d443d996c55bbbe6c74be1c0ca5e35fca78cfa567203

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2deb69c5526f7f0d63b9c23e5cd2b15f

SHA1
5189e848db67db0e39d6d2ed500611bd945744f4

SHA256
f0b465d7db3f90ff7d4814eba6ea1829b094279010872a391f7c8c7d0c3ad904

SHA512
cc89227a91910993bbe5e2520308f3fe71df0bb1858196cac3e4486e84a5545571c5dd462c03d111c2bc4f87dca4c60196a4c29cd54f36b77eef81d70fc03742

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6e03fc69ba96ec8329a93431087b223a

SHA1
d4f697c43224f6a458797b9d116fdc71ed7f6f69

SHA256
fe62156bca0e653674d9652b5b1835caf1a73f1fcfbb2bf279efbc23034207c6

SHA512
7e2ada9adbd6f8b97af5aa58b003f85196b3e3dc833b7723db0a9b6a87a52662270f4c05af5bedb3a40382b6a319a8c30e2f57b25afa05f0dcb177a67ed6c2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1763318b26c7761bc5bfe377951c0938

SHA1
6b8cc27fa682afafcab121c9530fb5c0b608b9a5

SHA256
b5b4032cbd12805a1d12f7312d14c8eaa116ddf770c7bbb04277b3b0ccf40003

SHA512
783b7bd21049ddbd8161f6c9c988f5513e23af385cec12ad4845bfa2eae91862b53ab61aaae399b2a10463b1dc8407dac103b0c9a3ee8938f75947b84a7eeda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2087b744e70bff19b4c92570d1bbd258

SHA1
2f690f355614b8e438538b3769c610065a09ed78

SHA256
8f6a8165994e57ab1abccbc5d092324cc5e1a3ac5c8d2ef1ced864da30feaeef

SHA512
2a74218b5595863d9189b871c55b2004bc826b67e19760ba78bcfec77b1bc8bb55f9c2a13a41a9b6b72d3cae117338f3bb6a25d3781d2487fd8ec84a724d5586

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fd63b4f4fb647b268a1b939bef138e28

SHA1
cc2fd0a6031bb4d7cabda01f385a2178b2b84156

SHA256
9ad8f1f3dc608fd71eac23668d92f3a767b924edacb9d78b80ae090014b592f6

SHA512
7b7390521b9d04ac97f3e56e354eb03ef3b65b0dab70021c5f4716f5d62c41b2e4b42d7c0e0fe46ccef7c5a2fb3036918f03578be076bd18f5a1082dbc12030b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
400488c7f515392d43b688f025b31233

SHA1
08e261d3b0b2b55c253f12a90285a76fc08e27e3

SHA256
adce5326921eab4fe61a24d38c1cb59fcd78ea4da4d345e9ac98dd9a021e8b0a

SHA512
74fcdc49d677935457242a78f752c64d8b37cb2f596a7852830a6416b3aa3f9d49f952d9309e25b8479380bd616a622cdd98c5842483d33171c6af7ab6f7fb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6385afb81b9d95d8d8824f75503cb91c

SHA1
553e3e6fb135d2f3f4fb65b1804d78d4fb039256

SHA256
efcca018c981400d59c1752fe045e437db2196500b325c22a825d5bc5083dc34

SHA512
535c235820932859e78056876895753417f4abb67426260b55e268d74d5be02bf86773eb82b7030ea5cf678488ccdadc15eb7ac84211337fdc53d842f473511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5885eb2d1a9a428bc06f03fed196a148

SHA1
8c8b3cc45485f2512e3a624fa954a144f2f0058c

SHA256
10cfe7bcc2e25db4cf5810b235751cf7cc60c38c20758b7b4694a3c2e1742040

SHA512
b662098e40f17bcd01547e916fb387aaa208c58467ddb2f363b62742c20bce9760c45b250b1880822103b6183fd69e33fdb7c8a674ed8b7520eee24e89e23e4e

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\Winlog\Winlogon.exe

Filesize
260KB

MD5
fc0fe2af3d4e69e7a30838e6fc3c44d5

SHA1
f95574deb164a5366b654d336585d3a2bc7769b3

SHA256
a4ec4606a2715d0a1e94b1c9fff22366767edfee4fd83fb2887d180e9e2699eb

SHA512
76cdb973464017618af39a6eea6efb17fb515b131562156d8a866d0cd35199ae5dea6cbbb96db5d6ceca2212e2d09649dd121a79ea09e31b9ddef5a0fa877f42

Download Submit
memory/3088-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-4-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/4536-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-65-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4536-7-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4828-9-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/4828-68-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/4828-70-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4828-8-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/4828-162-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4884-163-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4884-164-0x0000000024130000-0x000000002418F000-memory.dmp

Filesize
380KB

Download
memory/4884-139-0x0000000024130000-0x000000002418F000-memory.dmp

Filesize
380KB

Download