cybergate | 380e855247fd8d3e995a6fcafef3e28c4ee88c6fdd32268c4e7c60361afe0952

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe
Size

972KB
MD5

6d5d878ff7c90bf233c875c171b26b27
SHA1

6e60198b2b5116b5a3c47fda1c36731714c3ac6f
SHA256

380e855247fd8d3e995a6fcafef3e28c4ee88c6fdd32268c4e7c60361afe0952
SHA512

8aa5d245f76e9a1dba9a369b5bba1f372c4c84ef94ace69bf3720e0645f538ca57ae1883ee7aa86fa1695737290cf5fe182a8936b0999ab0bd40fc857f6928a9
SSDEEP

12288:da2ghIns7Dsw1z60yeyKT3Kr/w3jcs5ET4D2WPuuEPBZMZ95fHr6ojUqZ5OLQVPB:dy6szWrIjwUD5y5WLwMRttg7EOOuY

Score

10^/10

cybergate wessel234 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

wessel234

wessel234.zapto.org:80

Mutex

5E0QG1FI732DK0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
fcassend1
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C02F356-48CE-8T77-O7XA-42Q38K1FS46E}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C02F356-48CE-8T77-O7XA-42Q38K1FS46E}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C02F356-48CE-8T77-O7XA-42Q38K1FS46E}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C02F356-48CE-8T77-O7XA-42Q38K1FS46E}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
380	Svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1Hack = "C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe"	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe"	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-13-0x0000000024010000-0x0000000024071000-memory.dmp	upx
behavioral2/memory/3172-14-0x0000000024010000-0x0000000024071000-memory.dmp	upx
behavioral2/memory/3172-17-0x0000000024080000-0x00000000240E1000-memory.dmp	upx
behavioral2/memory/4544-80-0x0000000024080000-0x00000000240E1000-memory.dmp	upx
behavioral2/memory/1696-149-0x0000000024160000-0x00000000241C1000-memory.dmp	upx
behavioral2/memory/4544-171-0x0000000024080000-0x00000000240E1000-memory.dmp	upx
behavioral2/memory/1696-172-0x0000000024160000-0x00000000241C1000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe
3172	vbc.exe
3172	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1696	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe
Token: SeDebugPrivilege	1696	vbc.exe
Token: SeDebugPrivilege	1696	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3172	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 2112 wrote to memory of 3172	2112	JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe	83
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56
PID 3172 wrote to memory of 3440	3172	vbc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d5d878ff7c90bf233c875c171b26b27.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4544
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1696
    - - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\system32\WinDir\Svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
221KB

MD5
ac7486137d9ef94f7df92570e4be0327

SHA1
0b2dccf117d72f634f2ee8724e2669c1213b6533

SHA256
d96c44531b404044dfd74476c04772cb3fb6905b0f9381e657c6a3b851bc89a4

SHA512
5fe85f6c33eff058fbc07fa7a2f164b0f10a64911fab2f0dd8d4d9989806f12fd21dc3454aacc2ec7ae4a4a6aaafc9a857848dcc4d90449b7097f93990e84b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
42c39e14b6161d5d20732817993cb447

SHA1
babb4148bc6c249d7a8c6c7d368f0a4c983dc06f

SHA256
4e22991590f9b7f7b3c60f9a5d023e4383892a0078e044bcfedf2f9f673eeca6

SHA512
131c434c52aa71f1ccb14333a22ed0782719556964de353fab903b22af6846dd57b51094c029ca1298bf7d014ecd418d4d737d60726b5298241ef9dafc638bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4e952d6521369b242b95db60d8ef171

SHA1
c4545bcfab99bd14e6b56c705b90a129e38714a2

SHA256
d37db2694c480032a32d67862b82254da20968efae8f5377af2f34857ef09595

SHA512
5f4458b3d34c7c40945575e538f42ae992e3eb228ebde2cef4adcb5a510cdd71139c845a4adfc37cbf5630c06b38aa4484e7f6814fa3c1f16dbc642ad17e2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08deb698f8f3ac9d80e03f8b44104ff2

SHA1
f7e1c33f672e1d5aebb3568c1d7bee2cef6e42d4

SHA256
ce2d05d34dc2214204ff3d7808d875f95362638ab992bd1d4c82e1014f890cb1

SHA512
619e8f16519e20b7c3828bcac7abb392b4d619e60b7faa4e938fe412ecc962c08766292f2b233055eca0d5d8dc043b52f58fffd87699257ac1f10a3a12950d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4d42eeebbd3c070de24fb34cc183d826

SHA1
071cce7ecda5a1d51222ff5c9902484f166fe9cd

SHA256
0d7afe3b8cdd0415fb00c0a4583d892316aa4d81580e38338504218b8321ecad

SHA512
cd9d8514f5ee31b9ea45a6bfd0294fff4a6631b85ca3775666c71aa9790ed48d3c66b9457e476000f149b36d112d672c522e6104f98a69a0faa022bf9f518908

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
863ad547505bde5ab77d8b349879f387

SHA1
6def8e4865b6fa7d1f24da642b007f8592be77dc

SHA256
0a3640d2ec520d9904e6fedb5b3326425bc2ce62193c61010683f8847750d97b

SHA512
c0d9d46fda5dd5a07b0cd513962848f2f9921c6fd07995d841f790b0e4ff658f47d3947353337bd8cce2d4660c9e957865c9802f5f20c4c1941123c4efb4a04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
42baded9123e911a3d0d2fde4725c71b

SHA1
808f308917a2b29c3632ebe5135ccd16badcd695

SHA256
6cd2a93eb367eba5479b09e811676c79bff6794e51c842e8dccf6d597395fa70

SHA512
2a8a68046466c26e1f2b10689472deb5b17db697457fd4f199b57781270b90c583419c74f5eb4903b5e8163175b6262aab24ae0d09b3f404a6bdef1bd2adc905

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9c0eabd5fd0d34479c4cddcf1133727

SHA1
fab84dd1ab5629c43c6b98b062409b21ce99f4b9

SHA256
21b0ccd7198bc72c6459afe57f34f063fff73626eb0d88801e14e22dbf316e8c

SHA512
bdef0646dfea57fea11138daef80895eda7f1290516de9aced43c6d69fdb056063e097bfa4b2b0d842537ad11e02be8d127f01c931d4a42f6a877d6bb721a8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b065d3d8c5dd94ce1fe33ae0d7576f65

SHA1
b126f288e2ddff14b33e58357292afbc87cfb4d1

SHA256
6f6f54f630bb8ff5ad6e4e8e760d38bf277bf41dacbf98435f16482596f7ee47

SHA512
1c3f08472ead1aad2493dc617105e753f5f798daedc486ccb2802638215928bcc595599eead158577c2ca540552746092262a044bdded2f9f95b8336f11ef538

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c061845e4b7e15233391195a63c25334

SHA1
5faa8b53e6613b86b9807c2f03185683291e8e11

SHA256
c85e481a420d92e6c4e9674ab7e88508d783be38fa665b767a2f8c882f0c5e4f

SHA512
eba02aeb13d1fb77cc7f063c2c567371567526925a5bdd9454786b912d81413b7696a1b8d93fb105c396861bfa741c6df9260241f5321044b0f024aa7fa44b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d55c0332b05db124616a4edad36d42b4

SHA1
53c9524a55ab5d1f7f09d771a3e38a92dac87ae5

SHA256
8c36d44112903f2edb23afa70a51dba05bed28a47989ab98da568489d790b67e

SHA512
8fbfb5781a0a7e1af45e6f513dd52dae24faedfdfa8d0cba2d125d6cd02b7c92c5ea8a7767a1dcc9e6f93bbe19ac19c3ba09a179dcfb9d802d590c7e4ddf7954

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ddaba3e3a78080d08196b7417ff4e24

SHA1
d441c52c9d4258bdcc2dd17af88f37e0ab3dca6a

SHA256
28f7b0769657893fb6f9e8ce8f05f3d4537c2bc26dc585a1142f7d5a7ec5a222

SHA512
7d87db2b26e2f359c944c2ececbcad6ae92d5e1c747206df257e61a2fc60970b054deb2598e67da0e8289ad40819917833e942c16be8a2809e6df7babcb614fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a54c1d4565663b43d47287a382f48db

SHA1
7ba4dc711215a10abe6b09d99c088dee76be1f51

SHA256
e0b3907a03e0f00526f7f11ad4d82d6cdbbe64b3bd08e31958ac38b2845d5dd9

SHA512
fa4b3c4d49ae1a204f08b3d341ec32458963ce2d617dab0199481dc34cfcef3063f07d4818901a0fbe88aa38e8e7e6e327f93c75ede570ba4f6609176aa3e5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
12a7b6a1860bb7ab0902e31827e65eb3

SHA1
83e877a1f9fe6e30d42f67f99c11efeb0b57b5dd

SHA256
e36e94a1df4ee918c7830ddf0c193a00188b3c19f94100807042181d65a6cc75

SHA512
68075dd38ce1e7802fa0b55420cbbaf2b8f08ce2312242925b375defd35eaa7605871e5b9c6521645eb3436eea70dc9db494beff451a485be8eb4b2b94f609a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
062fa1a83f55070fd11c1048afdf7a5e

SHA1
fed94b5b852a4980d21d92c9f21a28e0eec5a82c

SHA256
62bf2e7d8251e44a46e14aaf4a25038344638c3e352819def91ed50920b7822e

SHA512
e6b81ba2fd75f860361e7d8306bbca04aed5d219cb96602620b90fb7216ccc377d156c54ba324bff41fa7dd4b9ad31e69a669ed7564d23c001b8ade4178426ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3df80a5205b39219275d971359076a69

SHA1
b12d60068fd32e4889a2287695d2ab324a7e7f65

SHA256
0bdc579ec369207deae723f904aadd96db3e75d0cb06dab15752e75415b5820c

SHA512
16a8258ea0d0652539b5ed6af695042cd97708e0e6a716db9913bedd1157065d9fbb29b68e3758292e0b12077453cc5dacb86bb302adfd010bea8233f36d5c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8c18b11e81429eee4270b55659abbb8b

SHA1
9f5591b65421254e170f765242860ffae62d27d3

SHA256
34f4b14e59a87e405e10196aa28eef11aad151a0a13c1076c7a54a18dbc926b5

SHA512
9bb78def1661f2b83f7a62a08164b95e88bcedb011ddceaa472ada84362865b62cb250131b45843b26d373ced424fc300fa9ed0f3d0cf4df88900e494b78c9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
646bc41102bbc8bccf7f6a1a681be2a8

SHA1
77fa3f3fe7afabfe4c40507503def0f78fef56b2

SHA256
fc68412111a65dd86d3f8cd0a2e2caad6fcad26e43d4ff32d98dfc1b98d4d9a9

SHA512
85d65a44d92da11b50b2deb251fb74dea4dcc5817300095e85578584f25f35a7e9cb0b881322e6b5b5d0036840114cf242508f9bfbd8f0548c93ab2ae8545b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3576eaa1591c6effc1d987405fd68062

SHA1
fcfc49e25c636eca0a45925f020ab24ef6c8eca1

SHA256
9eeb429d1fd3c549b68410f60299d9ea115a76556e0985880fbb45a9b56b8461

SHA512
bbab1530015c3999d8c128be598e1d9cb676f0a9866a901d27e5945a2da6b2ee939944c6bfbc98ab5d8a121aadbf4ebfd1f4c5097432f52519171272869b3f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5b295a101a87ddd049d3880f1ec2404c

SHA1
5e4be3bf2dbd8a7210d1c5c7276783f80267e38a

SHA256
c6a99be4286d6236175fbc7ec941e48958cf36d1b51653c5dd55e4379eb310b6

SHA512
556430b14b799bad92c3ac4a9a5f6ff5713e6c05b8f75cf47213d6e7c48b518778800477e937f0964922bb537fe354bad9f7313545f693f201a9901a7d5c16b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d411d004b077d09e2deaccb919ebdd9e

SHA1
8d695a803d285cef5c1045503e1791331625b8e9

SHA256
74d35c9e122018c8e66ddd899f1f91f2ea142ae6a463ce324c9ff2355d452723

SHA512
9d64a84793bca76acf966e06063162a335d5b6d40e78c6437491049443cf0406ebdac2559f97cac88ee41f2cf46b1a9036cc8f8a3a2494ff827923b9f2a12a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a30e0becfb2ffd2241de74086a3cd46

SHA1
f4f205401e242523310828b2869ed07d0beaef56

SHA256
8ad9f19d4335663f06e5efd7436fb228b4088c02eecf9c5ff47df1a96a19fd03

SHA512
5457e00c816f97bb418a73999deafbf9e0e94edbad05422e3ab053dc36781a19b1e9a7ccdba52d247ca5da4eae6e32cd15652216efc5fae87370b2c4419125b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
68cd566aec2119341a08361569a014a7

SHA1
d9c805387cca6aaddc63a43dcb0847feac0d736b

SHA256
35a816ce8934e1b120a4b65448f84f2fc36e26d7d9e72475a524fa16e69c4b83

SHA512
e458e948a462e1ca47fe5a0854b498ff92876071b86fdbe1d8a39c1b5f048bba6e8e26db60a7e5148341eef615b3718a1d41f29415469819e71a4377654942a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e5aa5ddac1c10c245bee34a73c3df8fb

SHA1
b805a08eff48cbe4713778f7575f33d73583fa43

SHA256
f8a54df7400629c23c553e2307123d7be1f8b426044a9ceb790d0d48552ba1b6

SHA512
3dfed71b4678b2d78b848b6b5f7adceef9083938fb09f18da10144f20d4e1f52b16a62492156d00987eaf53376a85f0f746abacfdfd01e72600e65e6a42aea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f82b6ce74839df13b42777dfbb98f73

SHA1
f1317100347ff43132f161ec2acdc64700dc0c7c

SHA256
4f56e7d702ba29f7138307a525336fd1da7d457f6fdf1ffaa83ccc797ad73fc9

SHA512
e93228e0d9fdd43c8c5584ec5bdf8c5912da285f87af75fdcf0b59058e5e9f404ae57b6312e544923adb423fc18ea5bd2d4b91a1236c92165d184495da9d1af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e4e073a2f1f6b139147aa6efc394b146

SHA1
e661cd939d0e9af64c56a8ce7566457df4b031a7

SHA256
a89c9808ab51262dde1a49124ab0dd66d8c27b8a3bef9c657a42bd5a299a80c1

SHA512
e1ee112206330f8772363243e879d96f14bd4fe980d64821a7f4fa80e5134cc656cf30b09ca3ad305e2c4f5eb991f07dbb35b4530cf89c999a983b11a0e975ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7244698e6dab554a89d412c46366b1a0

SHA1
5de673fb11517ce3ef31076bea4075e7bbfc3612

SHA256
2a7128e8b4007753a9ba5a02099eb3428a6d5a37ea9a61b6c72852d78514acc7

SHA512
728309f192447daff6f244d3781546fe9b19f7bcd04d32c7516067c32b53ae8e64d80eae44134c2249cb630902b914dd4c097e859b8bc9d45c35f94aa0781a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c694ca22e5e56ac3747556a4cc9c373

SHA1
1830e8a0fc9f4a898734b9b3c8b3617cddd258e4

SHA256
0d3f37c7b292db3d834499428fcbbb6e1b728b382ca80225b308c1de5d600edc

SHA512
5b1903533af2ecb413086e91b43c5ecde01cc94b73abfe9e569eb007796706f6d20810f839cfa8d7fa48704bcf55a1334543fdb9f4b6d15e3b385380ca70d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a47fdbe2e28f5de0bf27e63c687663b4

SHA1
e6ad5d8c4649993b80e747110f98352b0a24ed48

SHA256
56caa4c9c09758045510ab2f342f3c861a15234746b96c336ddcc47ad5da079e

SHA512
2ed53fc5a3b71174034ad4e9072ac88097578bc517744587bbf7ee74dfc8af7902bc3759b00abf35a1b3f018c2dc08275fde8a965220c9119ae2d3a9756d1305

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6701c1c75cf475b2cf54e6e5d4ed6e6

SHA1
1bfb7a21fd0f40fd34cf028eba1dd0a880486d3f

SHA256
0a53a2fba90ed41bb491362e69ec7b80b6dbb8aeaecdef7e104594333b3ba2da

SHA512
5f896fa035629dbdb0706e3d96a49a11948ea4f07b99ec3d1dcd7f55a913fe3285c7d9fca96ceff5926a6df7e4489130e99c31afd0c6c95ed49e2d8c7a45b513

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
46cb6d0c55bb117f5681ae3eae415d78

SHA1
81cb743f7b61ae66089cf056c88119878ae46d9e

SHA256
5efe692814885677bd0246053cbeac04f8c0349a7146ec54dd53e2f67dd27c69

SHA512
f29b2fd3f34c6c64ef2e23335f902f648fa5818346e1f59b1d0e57aca142f2ddc08e7dbcf465fe871dc4cbebc7436cbce3459fc912150d6ecd7d398ec160ad30

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
27f8b3a6c0590762745dcdaf45183727

SHA1
bd629a6659c9092bb5a05b6b0313d6fc8d935c0f

SHA256
d1e63cb2ba207581f03868c162dbbe765fde8a42cac0bab85093a2292cddcb70

SHA512
755a822515b13bb5b8a60d876bf11fd825475e8016d7160971036457730170e3b76e0ce0074e248cf4d6341cceeb9339adf2dcf2bb2bdf299adf722fb2423cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
549a986281c5edef7b79d0d7da4d121b

SHA1
19f9752efcff1bd49d03b9fb402a25e998ba787f

SHA256
a6ca2e213d0576707f6230d62df30229519398b1168830b795520ee8146d0eb4

SHA512
f0232001be8ed79f6305be6b493aba2c63e462962be9fe961f06bf1611d0baaee9084777a52ee609e9c27d51325b17b39ba94d0f9caf5d82f253530b999fe648

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8114f7dcab5fc590610b7ae37dd02429

SHA1
8cf31974705e9822753e8eb478de30faf779e7a5

SHA256
46d89f49e741f2cd3d11476e839d2a0aba05b5ae42d7081906e09ffe5ea57c0d

SHA512
0d8c62e1947215fedd9c9e125e9db4c261a92fecadf547de2785a36ab005fe7691a4f25140ab8176d538169fc7573a284813f66c7f8e653e599d95f33cb19c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2d3cb563ecb890093c7deaa45a0a593a

SHA1
cf3356455ec3acfbcaf7cfe520271c3c4350cf67

SHA256
9bd0123f5d302c4958471e25740280ed8167c5bea628487a70259bd5a30d13ed

SHA512
611a292fd1e12b79945cfcc6352e47a9a59b50e228a0139175910a33607b3db55a53ae9e4767b16d3b79c9cd67e0cd7a9f743399480ca856808fec5c817bf827

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2755d4db71abdad34ce909d483dddf3

SHA1
5bd8b783125e9d87f53b7d6981d1174a1bea51f7

SHA256
529c806ac1453d449f30644115eb115228805415bed90b35659fcb7317281d9b

SHA512
bc5a378c07c69387b03bec498c72bba91ebf692ef8d659d374356a098d2e207f3f864f3c089a5e72118d3f72fefa057179441e5f1299b7878d5307630b9a6360

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2dc7c4f400822a5a34c3eef28beb725d

SHA1
5309fd5b5a36fec28aad0f6d4f4affbd7c1cb3f5

SHA256
8656b448df40a834c7bd2290cf97b472d3a1fd2feca4c0156529e3a836b0146e

SHA512
9207a292447d6c7f46d9a2e4f4a5a1cd33cc7e165319d81a2db325fb137c0653ce6622751c748219a737bde23e7a157e6f7b53304e68c9991a291226ad91fbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
78e8568f2cb961352bfe18225d351719

SHA1
23ea9b2bf5aebe808703db3b43e45712c51724cf

SHA256
ba312dfbf6e23ed3b3c618e8dbe5d10661bb13c605e18c71f0139d542e688b0f

SHA512
fe9abe1485b4bd6be023c249e0e8d0935c7401a19518439a2d9cff8167906440891fc34a61eade758454743c4470d56c913689c62e3e3e3dd9508bf7da00fa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
530917564e0f3b0b914c1bfbf3d508a6

SHA1
ed28b5d7aefff30d8aa8d4e5288a03fa16ba461b

SHA256
6770ccc04e160fa143c3a29f36a51d07f3cbb2a5cceeb3536e163cfe35db4caa

SHA512
9ff0cde13412f91acb7faa8a0b85fe6898b7f89e1e32c71cfe07311802bc2a297af66788dcbcce12dca1a6e60d74e7e8e4003371be7406d801151c51591cc41e

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1696-172-0x0000000024160000-0x00000000241C1000-memory.dmp

Filesize
388KB

Download
memory/1696-149-0x0000000024160000-0x00000000241C1000-memory.dmp

Filesize
388KB

Download
memory/2112-10-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2112-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/2112-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2112-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3172-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-34-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-13-0x0000000024010000-0x0000000024071000-memory.dmp

Filesize
388KB

Download
memory/3172-152-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-6-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3172-17-0x0000000024080000-0x00000000240E1000-memory.dmp

Filesize
388KB

Download
memory/3172-14-0x0000000024010000-0x0000000024071000-memory.dmp

Filesize
388KB

Download
memory/4544-18-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/4544-80-0x0000000024080000-0x00000000240E1000-memory.dmp

Filesize
388KB

Download
memory/4544-19-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/4544-171-0x0000000024080000-0x00000000240E1000-memory.dmp

Filesize
388KB

Download