Analysis Overview
SHA256
14f08cf65757ace423f6dee88b9e1cfbfb3cafe04c5ddfe7258c29a8b3bae140
Threat Level: Known bad
The file c2c6b9b2ec0b30df7e09ee60e254724b was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Modifies firewall policy service
Sality
UAC bypass
CyberGate, Rebhip
Modifies Installed Components in the registry
Adds policy Run key to start application
Loads dropped DLL
Deletes itself
UPX packed file
Windows security modification
Checks computer location settings
Executes dropped EXE
Enumerates connected drives
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-12 07:20
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 07:20
Reported
2024-03-12 07:22
Platform
win7-20240220-en
Max time kernel
121s
Max time network
119s
Command Line
Signatures
CyberGate, Rebhip
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O} | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1992 set thread context of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Processes
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe
"C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe"
C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe
Network
Files
C:\directory\CyberGate\install\server.exe
| MD5 | 13fbcfd0e40181815fa50f0a80580cd7 |
| SHA1 | 67dc1630572b25a272113f61b58b8747bdbbd389 |
| SHA256 | 5a2c002e5f26a8d2e3d2e04e60fa32f6288871920c2b583fff929f0c052e5227 |
| SHA512 | 5292dc4ac8850c807ef6dd4c4f598d909e254680444acba91eb3c9eddaa5d33c56d1a2af505a6f38b11fb2f6e1c0e21e2821d4f8aec427a5b45004e2ba965c4a |
C:\jhegga.exe
| MD5 | 4552d18fe67a668f48af97be53d83687 |
| SHA1 | 621718cea9b686d527c473fc68f182126133e62d |
| SHA256 | b2e20424ac9800971d5908befa0ac341e65f3863456ba601750100029a113b0c |
| SHA512 | c7d5398be36b77d14c9608544ae03d849e3915b041a176548f387de651b47257f76ac823063423da2c8d51080712002a0bc4f5a4fea24253b7be2b2f2a6be415 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 07:20
Reported
2024-03-12 07:22
Platform
win10v2004-20240226-en
Max time kernel
17s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\directory\CyberGate\install\server.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O} | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0J48W2EY-VB05-AVN0-0NC7-1N8GCSA55C0O}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\directory\CyberGate\install\server.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\directory\CyberGate\install\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\directory\CyberGate\install\server.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wmimgr32.dl_ | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File created | C:\Windows\SysWOW64\wmimgr32.dll | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File created | C:\Windows\SysWOW64\wmimgr32.dl_ | C:\directory\CyberGate\install\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmimgr32.dll | C:\directory\CyberGate\install\server.exe | N/A |
| File created | C:\Windows\SysWOW64\wmimgr32.dl_ | C:\directory\CyberGate\install\server.exe | N/A |
| File created | C:\Windows\SysWOW64\wmimgr32.dll | C:\directory\CyberGate\install\server.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1204 set thread context of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe |
| PID 3116 set thread context of 2576 | N/A | C:\directory\CyberGate\install\server.exe | C:\directory\CyberGate\install\server.exe |
| PID 3468 set thread context of 3144 | N/A | C:\directory\CyberGate\install\server.exe | C:\directory\CyberGate\install\server.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\directory\CyberGate\install\server.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\directory\CyberGate\install\server.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe
"C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe"
C:\Users\Admin\AppData\Local\Temp\c2c6b9b2ec0b30df7e09ee60e254724b.exe
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
C:\directory\CyberGate\install\server.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ayoubass.no-ip.biz | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\wmimgr32.dll
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
C:\directory\CyberGate\install\server.exe
C:\Users\Admin\AppData\Roaming\Adminlog.dat
C:\Windows\SYSTEM.INI
C:\Users\Admin\AppData\Local\Temp\Admin7
C:\dbij.exe
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d7dc9838b3943f9eb6a3e613ee455890 |
| SHA1 | 6336a97d48638a91b75e462a4e071a12ed646f90 |
| SHA256 | a62bce989592ad4e26761939038a494075dadfeb336a9500b426239e01744a3d |
| SHA512 | 0326a3836753c645a4de3efaf85cac69f6b0824b988cae03813d35144eb95c0aa9ff148e42e2e798eca66a5dc06ff07bb860c93053517ec07e87702aecfff9f7 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 85bb30fa60238533c592ca16551efbe1 |
| SHA1 | 36f4faaeb3a56eb68a490fba157dd65199d9ea44 |
| SHA256 | e361e504cc3c138fa33e465c2a0828771dd65de1f2afd029f5f55ce9be042e3d |
| SHA512 | bfbcc4caafb1eb715255f7a0ca25cc7f05a5625ded7e5cbbb1d07fe0ae4318665e830641c5d9194bebda0254c6b88dc0e98f216fe7005a67fd95df8c1686ea3d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 551b92f389913ead7be7469bc2adf450 |
| SHA1 | 5e2251932e9e41faea65986953364f31fb947026 |
| SHA256 | 5ff5e401f8a96702f6b05b7136314773ab65ef62d4b3889198a0f6adb319036a |
| SHA512 | 188aea88dbe2a754b109eef3c445ffcd1bfa6ce38e9a819a01dd67fbf5eef6f7b1ffee044cbeb706f2b40465d6e155a10a3c189aa188fbe90d912bd5c7a4e5ed |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 061177837871a7af7beeed4a79f867a4 |
| SHA1 | 5667895cf7d16b1302603b182f405fd078baba31 |
| SHA256 | d7252c87465da7e720ba8e813abb723d97b9b5d4408106b110998d7c0928cfc3 |
| SHA512 | a4fd027ace9c3be1e714b326c62f2fcf55575ad1b45a7df58e351390127b6d3c256640a5f244b4d0ed6cb768193914ec00d2645506cacb26ed4d9b46e0744dc4 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4ede887b6e43fe56f7d096ea4030a8f9 |
| SHA1 | 21eea11e072f64db30a8194df6718c3caeedc0a1 |
| SHA256 | 15d88d85af20224b0cad4d31413f63bd37fe41a0138cee24fcdcdbfc170ae800 |
| SHA512 | 12f1ea22ea88aabf8055c39d02bab599b01b2fc6097d64e7c2847a3db19015ed063c74bed9d885289c63a87b5f7309038147763d8bf3f6ec875e5dda0258ed28 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | aff3f3fc9b87ea0f50de7367e5eacfbc |
| SHA1 | 6638fb9ab790cfa9fe82570e116d76b2c409cc08 |
| SHA256 | c83b9643512c18cac76eee6ecd88f445a615c6c30613f45a975fb0098401c975 |
| SHA512 | 1b223c47895e496009b4d303d7df97ff0a04836aa67913a17b1435dc3dfeb5ca43bb8f92ace312b563efaa2e70356982d31bce1fc7979921f97691e53020b2b6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6a0c0db140afe2d1ae5cf5f8ca5ff5ab |
| SHA1 | e9a257f203ff2d63505386f2205b933ce67ff388 |
| SHA256 | 22927c529c6dd449622d4a9f63029db888a96327636a6eecc3caed81a67135e5 |
| SHA512 | 3b3dbf087a7c5c8fea4faa1f37dfcb49683b5cb4d961296ceeb27cf13061da15c823683a810650fa07a294c5d7bf6af46f9983d642a01de202bb01c4d963e3a9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e49b1f4e2345406dcaa5c92eef004834 |
| SHA1 | 74ad16a27572498e0a40068280afa862b66f4f3c |
| SHA256 | 3d1fb96a0cea7d102cee35e759cb1c0dd4a2de648e8989f2965b3fc853534881 |
| SHA512 | 9095a65d58044070b19da9f6f88feb94f0d3d2aceaa8ee414f4b8fe6cbc0afc5cb9cebd6b6238e3932a63c21a2aa84ba1a7538dcbf6c002651b9518848cb07f3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 16458517a55e9f1d3d7457e4365db3f6 |
| SHA1 | ad89895ee782e5f3111639d15d1c52fe99ecae2a |
| SHA256 | 79de4a79dec41cb6a096db7b291520c3f358dd5edbd34a0ae880afa304ffbfcc |
| SHA512 | 0c58e77921da18c9a073d49f9370288fb2b75ae3e57cb65b9473f80ab1ae82728a8a5989f2abbfcc68f1e78f5b6f6086b998f70f2da3eb34516be799892c337c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b68a97fdba08bccc3549348dec729882 |
| SHA1 | 21e4269c3bf1efc3aa4b8482b1382f97e0f638b8 |
| SHA256 | 802a33a5c685b55a339d3425910eccae5ab24d0c707a2281b071aea962f3f365 |
| SHA512 | f84c4b989100aef9ec58fbdbdd71840a122b91354ac1e799adb8b5f657e6c4be613fcc8d47b989f82c8a10bba43f58e90f74efa7781bd198bfa50e9dd8fe2146 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7bc845c26c7f512d43582a4cb3cb4c02 |
| SHA1 | 73d36b86446f956d59aed415af2e82229ef82cf4 |
| SHA256 | eb587e86473775bfe926eadac29251ef52d111802945f63dca826e1eed2cf8b3 |
| SHA512 | 2b93ebf0f02a28d8e081e11fc266182335eab37a2cacbdaa230ab5872283c24a2fc3679b97e048cfbd3c5641fd0c6bfdb4a00112738c3882d59e02d756857c9f |
files/0x001400000001db8c-6386.dat
| MD5 | 7d63d2d9bccfbdfb4f4c12cdd46260a0 |
| SHA1 | ef39897a6e59671f60485e687e0cecbe46c750d9 |
| SHA256 | 9c32ffce81ddb84b9db36c86f1121a78dbe030d3a13284e05540f75dfee675f5 |
| SHA512 | 992d82ee9f44135905d47b1083a55b6a58e09e5abc08e4a07fe2dd1f5d4c01cb0d4af7dd577be20c78f5ab975ba96aa72771a84ada45311a19a53963dbb2371e |
files/0x002700000001db8c-6426.dat
| MD5 | b2cb03d0fa889c2fc4d2ba16887d0378 |
| SHA1 | 5555dd19e2ad674df4560f613cd87e15b8ef2dcd |
| SHA256 | ddbbe0dff37e43f4a9edc76c00ba525b75d7a7460dfd140353f7a0009a47dd32 |
| SHA512 | 893cc4411738b31200fb25f4c1ac66f6ecd961575cd69c5ca98e18f925c11116003ab53d4e94a428ba96b3a729b475588b517a337fee7536f8245ab03629af4e |
files/0x007100000001e595-6451.dat
| MD5 | 07dda1ac37cf4ec715313516189d9caf |
| SHA1 | 56920f028a8ba0a12ea2c0c0217423ac236fd3c9 |
| SHA256 | 2f92049f4d55dbe6c091a290f35f76c0f212495fe0977963348c1a9f1458f669 |
| SHA512 | 8bc2ced96ef2912a562d1c99e4613e2f5fee7f75bcb99bb517007f500e8749fb15dd7cd0eaf15db7a11bf705577cfb9ef3b414004eb2a2d1cdf4fa70ead3c116 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 600e8c67bd93261c538bc482533c0a42 |
| SHA1 | e8c0d8347b7a8ae9a85047cdd18c32af58757dca |
| SHA256 | 9cfaf4ae47227bf46b5d10cc8bea1f8a1a65f4323778df40c666166d156c8e28 |
| SHA512 | ad0987d1d1c51c4698eda522fac09ca0fde387123462d17954402642254881ff0a4fc09e9333145f006ef1db7c4f10bfe131cc105f10387ed14135cd6df97042 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c9bbae9f791be316c55609d6c831b98f |
| SHA1 | a9b50c74daf268ecfec9378526c8cc5196fc2f28 |
| SHA256 | f8fe2a95c21844ecefa7890065828684fb0468ac8a3d8f67424dac51de827683 |
| SHA512 | 78ac1b8f4e85163ca33a45c7adb9b7769826876a0f255eb3d8e77cc80cb525d39aeab1f82018475ab792c0464f908555c7764be86e544a80432077e176509dd4 |
files/0x001800000001e59a-6635.dat
| MD5 | 8845386ea71c24f9837f3eb858104fec |
| SHA1 | de2ca34d0d9d42c637f098ba37d6c1ab4dae616a |
| SHA256 | 26b493e7ac34594b030f7e73de0701a7cdefc7b56a963cbd4c5f5d764c687be2 |
| SHA512 | e831f3e5453e9d72f6c8fde767768b351074b8712b63641ded8717ee1c45bfcb1c8d4ff6f704cbe2849ac3e8d6f62ed169f1718e6c14341f5f3f3217b449706d |
files/0x002700000001e59a-6653.dat
| MD5 | 9b45772a349b15a6072a5f847fb5f4ca |
| SHA1 | a633b963b903823f404e92fd8a002f242541c6bf |
| SHA256 | f447fb6b4d23cc3bd61f67347901a95250adba46965a963d5611df1e3ead08c9 |
| SHA512 | 5bc2edefc5f4d6661aabc2bd10dae771d97aeff02384f0aba4a27bf22b4a208b35ed800267173cbdb7c5d9c1754b5ca2760908e36067137210690192568e7da6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c46ca7916a84eca5ba7f1691919e8bb2 |
| SHA1 | 74f5d07cd92318b6814e0e3de02f33a30fc8feb3 |
| SHA256 | 1a7ca9b6c3424a310575792a7ffd0f30778c517c608bb7711871db02ab11dff5 |
| SHA512 | ee1fee1929a3ff7d2e672b8a74e4315b02289eef9bb20320923de854a036a9e87757694941680184d33ba15804225d5b419f13315ce791ec713675b159d4fa91 |
files/0x002200000001e59d-6722.dat
| MD5 | 1b9ed356ca1f20299daf4871ecaa8b65 |
| SHA1 | b1f4668a955e4ae880726202ac0f41c4ec35fbdd |
| SHA256 | e844578eeaf8f9d3c55a352ebef74638a3e4b2ce0616a71fc0399e7ad222b2c5 |
| SHA512 | e6df965f70fe5cb3c61bccf28ccb5aff8eaf5e405f313f8413e688628e73509d511f1932b48160c3bb23a1e4eb8c307f5a0652eb603de88678feda919a630616 |
files/0x002700000001e59d-6754.dat
| MD5 | dd6e2b82bf54f290224637328e416387 |
| SHA1 | 37d7c4d20b9f291ac41128cbfe0b9af5a811ca74 |
| SHA256 | 8773e69ea8fd2ec6aff3e93d8ef89e2f159714081fd3aae44b2ec2cd29c0de84 |
| SHA512 | 2c560a60e25952f31ef3ac9ceec6d34448d043eafd8c78a6d06b5a60d5032e2b606638bf1070be08bc54163e015cf887be488b6a7e2ddd024f1f1b73765712bd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 525873691423988bfbfcc46cb061a62a |
| SHA1 | 66d5a5cd9f454bd30e76d7427b0ab0731f43b79c |
| SHA256 | ef26bbdf66b03ae16550cd7e20654686b4ee423f68c7e41d346d1adbfc3a1c6c |
| SHA512 | b62bd18d7fc426e57881d2bfbee3514be64de7f714322d2292ad0469994cf316c022408755ab4e3be1a83a6bac08f3bf6db085c3c7632afadd32467bfef09cb9 |
files/0x009f00000001e59a-6793.dat
| MD5 | 3548eeeda4ba7500f19290a5f83022a7 |
| SHA1 | 9b973d280195ace2557e98f672fb544bd12a1ffc |
| SHA256 | f51593b9d3e51a63970582cb01fba678b916b4591c0eef14b92493403d166d44 |
| SHA512 | 0bc6d11957beb5d68f0bf579fbb2dd1516a9e94265aff61ab54047242efe26805a950890de989aa196b1204dbc0778e6fd7b2f674fb9163ea7e18dda598a2788 |
files/0x00a800000001e59a-6810.dat
| MD5 | 20dbc8068df35f462d5162ad11b5e493 |
| SHA1 | c12f53aafb2bc638bb7dab416f2f1313a3998e0e |
| SHA256 | 8543ecfa9bfaee625f1c441fe52dffb0ba58d55513a9d78fdef366e0957bdf56 |
| SHA512 | 775a5250762965562a5e80233c9ba2bb4c6d30de8de0fbc0bf416ffdd6c60b347d24381450bc22f7aad52d274a2196c3b5e7e33e9b08490baa24a98182cf75d2 |
files/0x00b600000001e59a-6858.dat
| MD5 | c12368e64b63f683f4c6f1fdbd6b0d59 |
| SHA1 | 114dafd53b0f5c8e346430da8cc11ea753b7c9b0 |
| SHA256 | 954ef3bcc55c7f37e9e2b5e3dd57080a501bfea56c35c1743d3820d793429d69 |
| SHA512 | 72c791d89efc30eb31ed649106ca0e36238ce9f1e2e6c99fdc970bbaa654724f4ff42687d8fb6552ddfe06fe2486dfa10168e42d3f5c81a2dd0836a9c4255f48 |
files/0x00c600000001e595-6956.dat
| MD5 | f20f84650452c854980e6903b9f5017e |
| SHA1 | c7a34049ed61d34fc5fee31ba022288406f4483e |
| SHA256 | 1cf1580ba0afba8cd5d23fd233f1755407c30b72437045c0bc3c2025f2b43459 |
| SHA512 | 8f715247addd36a8d4fc2d934c21c3ec47b8e6f4f0598d772879831248383ebef3f41fe1d42e463de3a5faa2a71a4e47b7ebfa06af443ccaf8c0f2249e29ad33 |
files/0x00f300000001e595-6977.dat
| MD5 | 59c530d701436b909d10f2d57129fe24 |
| SHA1 | 599982c78107b66f638e6b5e43aaf6f2fc88f872 |
| SHA256 | e860f755730cecb6fadf6a26491f7deec396fd689879f53192f101166f1a8cd6 |
| SHA512 | 52026df6d7841194c3b273cddb9419a83ca780ed2496707c13a5e70cd5c109cf6775a5836b25406ffe372f230a38f3f70f781122ba577c04c13bc490333ba939 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6efe67ae4488bf6008f4a0fe04fe3907 |
| SHA1 | 199fdd98c07f02c8764bf53e584ba7b90c7c54ef |
| SHA256 | e70a99c9ad1b803803ff7eb0bfaffac0d33bb9373ec4e21e692b60f622eadab2 |
| SHA512 | e36b4a67783b18a4cde63d58eddd99bad7beda43aa153203ae3560434e2909e4ce81f5a9ad52119abe9ee51f4df8772b033f2f6f5b46535f2076b79d3bf8af0d |
files/0x014a00000001e595-7026.dat
| MD5 | d3b23e3c93412b4d8eb6d84ddcbff2c1 |
| SHA1 | 0c5ba5d0b7f8f41587b8bbba45cac896a7460213 |
| SHA256 | cd6b5c01cc16f643abb0feb9f186c553e7cc61664e50f1adef95f6df2c19fa58 |
| SHA512 | 8a7b98111d34b92be452f685c26dd546d1fefc8b1cf30774e44042f2b425b839b963a566c0149a0680e4e4cf70a5077dee4fa5840d890a62b49740bd3afa94df |
files/0x015b00000001e595-7037.dat
| MD5 | d7da881d1f677b9a4a899947c885301d |
| SHA1 | 57a26d50593293ba6551486db93b259bf13c4253 |
| SHA256 | 2a6754f819b3097b2c13132be5c498559c2a841c469398e11066653ade1fe18b |
| SHA512 | 928b73ca06db2fd32e3df5921317f6954d35c9486eb5520c87766a7e4c589d64c19b8855ab26811eec953ccb2aafc69f5327c9410e76ce6bc710e877bb66a9c6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 79eb68accf5fb7d5dfe3edc178a0b9b7 |
| SHA1 | 3e7000202c95e6fff2620f4d52bd03351459b8f1 |
| SHA256 | 682411b12728481b61a57ea0bbec35809b6a3a83f8d5f9bb18fb1b1e5851de7d |
| SHA512 | ab08fd91caacbec529ffebbc7ba1035c2139e614883f58d424a0e1ef6ba511c56a0b7e2aa4eb47dad188e9495250d0135743e0dfa4c7cb84590272b5198bf1db |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b824225159629cdbae49b830a9424920 |
| SHA1 | 8e724d590e42b6b8fa8132b432a73941d2d91411 |
| SHA256 | f8078898fa9fc1668a704429c41fecc95600b222db97133d2a98f9395a5af5c9 |
| SHA512 | a13f8a2d904373b00094a08300829d7436162e7996b003811ae37c567e9f1d75311d1382c2de118d3ec8ffc7cb2bfd96a7d8624bf62920264f4f7052cc703358 |
files/0x018d00000001e595-7112.dat
| MD5 | 2b413fad134590c55f6b2ef5b91bd698 |
| SHA1 | c7a6887bedfaa630f4349d485c404e74099973ad |
| SHA256 | 9d8446fc4160b43e51eacfbd586e73070c0c3581e20d6fba6cfa450cac32594e |
| SHA512 | 6891cf7a8a852066e134cf596994940164748f9d09b83eda3d2852e51b39b2f56d817f70fe3bc5504b2e1988b35b549b644adce97d115f30652c55e9a2250a1d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a7989f4e176a6f94ead6d6dc2649d25c |
| SHA1 | 2447158d8030ce073907aed42ce80f2c85e22e36 |
| SHA256 | 9b0969b8cfb63973410f1889d26985d5476177df212a6192cf9063b9370cbe3a |
| SHA512 | aa88f02cf24988a5e22478154cb203b8f34753c91d4f3c140de7548aa40607d2f81464e281ab2650a545a189f4695ebf2693b73fc29086f80a14bacb43274299 |
files/0x014800000001e59a-7190.dat
| MD5 | 7ef3657eb0fa5184080b54578ba26a43 |
| SHA1 | 0f65b049c803b81cdf602fb71a81a1a61a2bb1b7 |
| SHA256 | b4204cc8375a94ef36f825acdb880a95fe364314d0ab8104a3c3503e71041ecb |
| SHA512 | e4f67969e8f92beeb18872b1dec32aa10220fc289a8461ccefa4a0960ef27cde35c9ea5a3a6e60fc3b1ede3828199ea35601e75cc30f5c2200939e4902d1d4e6 |
files/0x017700000001e59a-7216.dat
| MD5 | b7efc2d089d272a3ce22be3918493043 |
| SHA1 | 6f9caf4b782eb86ec2ab7ff35819d012b2ab071d |
| SHA256 | 1f265b87428abb09279f83c8454da460a90be168a387ffdfd7f15f02ea0e9725 |
| SHA512 | bc37849d9037c1030821757113921f9d43f8bc94e8ddd9feb2605e8ad8307b37cfa20cb1e8ce361298237fd857e1e58d6e96e5d5236fda6bdc98977c8c0ce79f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | aadf3d6932b04ece6f684ae36e167bdf |
| SHA1 | cc66411b07ccfd9b5483cc6b501b24170a60f99b |
| SHA256 | a399ab907654726b8d79a814fdade3bf1768cd96cb5f80baa70cc6f7acc33a3d |
| SHA512 | 0b2eadb6f480d8092f88beacec2f7db5c952011522953f3ba7d92c2cefc1c89f08231217c89950afb2e8553081965c36beb6e83b996c23691053fa8fcac3b5f0 |
files/0x019700000001e59a-7329.dat
| MD5 | e5c39d513946c03feba6725831612379 |
| SHA1 | 30e11dbd8f456fa346559909007177d06621190c |
| SHA256 | b7a3440799b760be8428a37935e34d51d326bf001faa749367028fa16af55d16 |
| SHA512 | ee46a124cc61330998ce3c91a0033013f7f66852ac6d5c384f01444ceb69162a70263c4533d6c932a92986f866534972259d567d3cb6bd692619c2cd3dfe0b49 |