cybergate | 42dad031b697008f4395b0e4b2d52727bf6fe86004435b7a075d7d991fac789d

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe
Size

868KB
MD5

2ce0a2e5fbdf3bc5ffd28f09f5e2c171
SHA1

c3475a7e1bacbe14f6cf97dbccdf31b4dd623433
SHA256

42dad031b697008f4395b0e4b2d52727bf6fe86004435b7a075d7d991fac789d
SHA512

83e0c3a0aa40ac3e035dc5eed638faf83fc7d6d2219bf53a67e1a9a19a203e6d90d2f39e3a2dd5aafe4d3e41df543a5d6992881e44fe45f853cdde99fd84aea1
SSDEEP

24576:PKFOnnnnuYsInnnnnED+x1042CDbGuiJ5p4vf6KqHurTtzUkc8IxLLP:cMGPJ5jKqGqxLL

Score

10^/10

cybergate master discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

MASTER

torf.no-ip.biz:81

Mutex

01O6DUARRWNL1C

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinUpdate
install_file
vshost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Error loading
message_box_title
Error
password
halilai1
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\WinUpdate\\vshost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\WinUpdate\\vshost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R4E2OXBU-7VE8-DRW7-0438-Q6JR45V27873}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R4E2OXBU-7VE8-DRW7-0438-Q6JR45V27873}\StubPath = "c:\\directory\\CyberGate\\WinUpdate\\vshost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{R4E2OXBU-7VE8-DRW7-0438-Q6JR45V27873}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{R4E2OXBU-7VE8-DRW7-0438-Q6JR45V27873}\StubPath = "c:\\directory\\CyberGate\\WinUpdate\\vshost.exe"	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
1908	Sisi.exe
2548	PaySafeCard.v0.0.1.exe
2816	vbc.exe
3008	vbc.exe
2612	vshost.exe

Loads dropped DLL 3 IoCs

pid	Process
1908	Sisi.exe
2816	vbc.exe
3008	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\WinUpdate\\vshost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\WinUpdate\\vshost.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 2816	1908	Sisi.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sisi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaySafeCard.v0.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	vbc.exe
Token: SeDebugPrivilege	3008	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1908	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	30
PID 1896 wrote to memory of 1908	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	30
PID 1896 wrote to memory of 1908	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	30
PID 1896 wrote to memory of 1908	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	30
PID 1896 wrote to memory of 2548	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	31
PID 1896 wrote to memory of 2548	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	31
PID 1896 wrote to memory of 2548	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	31
PID 1896 wrote to memory of 2548	1896	JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe	31
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 1908 wrote to memory of 2816	1908	Sisi.exe	32
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21
PID 2816 wrote to memory of 1264	2816	vbc.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ce0a2e5fbdf3bc5ffd28f09f5e2c171.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\Sisi.exe
    "C:\Users\Admin\AppData\Local\Temp\Sisi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\vbc.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2572
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\vbc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
      - C:\directory\CyberGate\WinUpdate\vshost.exe
        
        "C:\directory\CyberGate\WinUpdate\vshost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
- - C:\Users\Admin\AppData\Local\Temp\PaySafeCard.v0.0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\PaySafeCard.v0.0.1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PaySafeCard.v0.0.1.exe

Filesize
146KB

MD5
1edc286496e466cdddd017a9e79dc0f8

SHA1
f451556d7ade2196e22814f8cedf37c256bef815

SHA256
e9913aa045cfbd737b8eb20078da93513b6ba7b58a54eb727d0bf8926d90bea0

SHA512
15aa7f15dd3ac9232ffad1a4ab29fc481082d27f9c1cf0956d7ae62fdfffba97711f4cffcf08a3ab807bb714fe4d3aee2b68d8ab7da54af36d38c36dee79bd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sisi.exe

Filesize
489KB

MD5
30e041629b42c4249b008e6fc33d2d24

SHA1
a87f61086403fd9ef930740d5e9e88d031488b48

SHA256
ddab59c8ab45d02a40d7d2bb17ca696ebf56faf85f586884afd1c0ac5fc045df

SHA512
fbf4662f27b2ce9fc2fb235774e468127fd4d018abb1f7e7538269f63fa2281cd807e6c4e25302cd0bfcaa159c9474b11cd88554778c6719788ee6357cf20897

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
221KB

MD5
eb98e006b3f3410daac4821db68c0f6e

SHA1
d840eb66c72e822c137a3f0209a532665d4bad23

SHA256
d868ebf1ef1f396bb1df4c053da8a3c5aeab309ea673dc21ca5cf2b53d317c0c

SHA512
b2531bf458a8824c0ec5e9065ca8f628d69accc0bcd3b9c7be45097ad24ec02eaeeac4fa0af728411bbdf86255e74393e036bd6ab956731e2945e39cf2ecbd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
145f4ee2415b06a7a278903a545540e1

SHA1
1745bb0967d448dd62ca4e9ce467d135fdcd6182

SHA256
7c01603ea17cb94791334b8759a2486e862d262c4bf73fd12a138fa0f089d7d3

SHA512
3e4f2dc1dbb3ff105e8671b4b91e15646ae57b49dc5ba371e6fb2c76d80e54069a44975240cc87ee7fe0f8399522e19d14d7fa2aa948968da4eb737442e31380

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
791b27b700f33f49c1278c32a0fad810

SHA1
95c93f6e31f2cc1d1a53c2db789e4d43e99ebdc6

SHA256
72273334373c0b11c65ff72249a999692b8a00e8318785141fdccf344706ddc8

SHA512
66c34dd0a47f62fc364f0197c9aa81e61da9c23e89875802d408871aaa16202fb89890f502cf4014f85b9a5f98609293587d22c5945782e167b872851e4051b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13736355c51efc7b8d18c24d6639bad2

SHA1
6ac95d61a26111f3de439ef2a425bc685fdcf081

SHA256
9f5e019eb5735747714387cc61a64765fb84403d7e3ce415e18c248351cb5a22

SHA512
7bbde326f9d0005d10f30d4648616344e51b7f858401d9c82b55768492c5eaabf22f4aac19e9de9f98809b78eae32ac8ffac8dff6614592263c91d69877c2d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
317c818bd5f35535480fc90cce92d62a

SHA1
a2c2749c228c9e6801327e66bfc03d54478353ce

SHA256
df61a6f2e051df270d3d1a79c88677c800e5e4fa7c7eabc3b7558ad255990761

SHA512
6f3a79e831b9448fb15ab52471d24ebf991c9bb9df30bed88e6581abdfa15b94d1d3a3bce99248b3a318352448efbdf836d53dddf8e32e6d6d5f4873b58ba288

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4639045e17d98cae299211f5eed85b3b

SHA1
3e00dbeec06ab1c18e7092c42c5018a96451d4cc

SHA256
b2cb067d4525747f74005e6a46bf86d9d258a655a65859957925ee2f835a8d33

SHA512
9d06452fdfe2957e35a7e2a56610ee43f05e406ea1bce6ad82f1f9aa16b585bc7140d82b09927df2f6e1dc65716c5435a60b68c28afa3469ed77f8b4421a5dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8953959d93a22dda7a5fc46ca69df765

SHA1
08bd69be9155550432c6212cc2c84818c896bd38

SHA256
3807b6beb5129ee88ec92757ed66ec76d97409362cca1b7c7468de952fc6a68b

SHA512
d357400bfd887c0c1ad21099ee56b0c82bc323d260976812a5904068ce2c37177c7254d4883dccb5af7bf0e50cad751215d07e8329c035505bd42d9e6a40d73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
12bb25ea010166b1768a698ccdadc644

SHA1
136d1606d6a334c019795b02a46e6a41db9e6dbc

SHA256
9c2004dc0262445d4f276908a035ea894b121c4f3c307ad2dc83fa837995b29f

SHA512
73e6f034bd8bc6a1e647170c5cea267fa9c1c173b14666256d6a2990d3e9da3bc82a0cd14cdba7642d4a548cdedd10ce41ae33498b35137d2715110a0fd17a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c9146758b2d383d9ff4bd5986d3afe1d

SHA1
703d7e21e8306faea8275427edabae743e2adce2

SHA256
077f3a8c02b7025e7308a99660ffd4761c0174a70346ef7b6406eba5a9a3018f

SHA512
b4fbe8ed8c0e350b4909242c7ea7be62bcc8c5a44b352a27c4e0a774f7cb1f2fb2ee0b4dfef3cca412987348919744cd7e21fcca4acdfd6dd09f6fe80b0c997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7c1e4f2eb8d77a5fe0803b1335ac09c

SHA1
3381b97b73b75cb6b335288954eb6e9dcc593929

SHA256
6f858d5796df4c07fedc88aa7f05f22b88118dfa4bc9b47c6b10c80302b75c10

SHA512
28176c918c6427dbde758145664627f41f8499780b9a134df3ec9e272e9ba0e098eddfa168b3559771188719fe6b6a0b1c06e80b8bcdd2ac875e0c43b284cd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0e22081fdb216bc5c92593b74d1c3a99

SHA1
12db8dd16ea333fba30dc6432fece270c0bb0876

SHA256
d56fcd7a9a677beb3bb3b44293f3d4ffa0ab730c25bac3e5dd6992c50b3022d6

SHA512
4f76c3bcea9e74e1dd8b9b13dfbecfaa0703ebbad5467e45aa0a830139ae05b09d5a3161b730439dfa408297c15fc9d71e8d6c04d53d7023be7b501b08fb181d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fab21dfb98d496e887de67a0f8eefb59

SHA1
58750c56f409e91dd02b3d2efb6173e6b602813c

SHA256
ab42637c94c9415dbe47c8f4aa1ce64a6a590f9a1ed750d83b9ed7565697f77f

SHA512
6c8d7bb98f4e71b3206a7d4e4a94dd6ae4d5b04f5ba76a64ad9d8fb308299100ee83fdfb19a057abe0d8dde36cf9bb71339eb5b056969e45a43e33f205d068fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
01065cb93ce97c76885eeeb9459470eb

SHA1
57bbc1d58e490b4dea929fec7e72c023dda802bc

SHA256
55fbee55c39bdf7d60548484dd9bc432fc41ea4fd24987435733352ab45e01a0

SHA512
fe58825a8a33032d9aebe0f5511e2ba954374bf68cc581e6a676ad9b8ad8b427a83f293fac55427ccaaa49b41120f4c39c362bd32c618ea41e3f006b62ac28c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
960f88aabe74ef5fd6971cec62c25944

SHA1
1fe8921ff502a490be1bc399f4adc54be35000ec

SHA256
37cc0549f8a4c067409fc15af5a6bdbb40da97ad42e4693d6e95d3ede3a7b0ca

SHA512
de21605fa0310fff75e807e729d40dfd955e77f37f70ce4ecd812d475260e6b2391f3c0aa05be691d76afa2bd3441ec4f3c313ce5700cdaf53321dd4a52b015c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
57ab223cc4c693b02c2e26befdf2532e

SHA1
8bc409f112b09b54dd9aea27c67414d0f4929298

SHA256
8f0125fcd0f4b91b4183b893b56eea8aeee2127c865ade05479633114bec07e7

SHA512
7bce04b6ecd910323a1af70482265ea35ebc93955b5d0a6cce6bcd604d03109a55d2ab93e2286f0aebde1b8f40d410f3fd2eb624dff3bc48b2acf3ba0a2e5ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4397b3c0237b04abe9cf3c19c5b914ad

SHA1
94b152732fcd9e0d155b80271aaf43e69b0cb991

SHA256
4fc59075e2ba46c1a4f10b59f12bc13324e0b751d085ce6d60d3b7d3727dd354

SHA512
c2d5f4a91a8f0f8cc9ba04fa1ec515825994d7c902461355726eceda9a9b17890ed8de0516d74013f57353805f47e84c16efc6a1be9c916772adc8ad9e543f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6cd12e93d05e24e5580a1b31d680a91e

SHA1
fc3ae118de5e877a960f3028cc26f556f54834ed

SHA256
9f18bb9f2188e4cfb01d81022f792a28b1357d4d48e8b524ecaab5c2589008aa

SHA512
aedad81aee9e7d6bde4563dfe650340ca6d7f87292a360fd4f5b38f2b670fa38a64cc0f659c8661d7a8cd8ebc8ff710103d68be3166c04adbf941a0f0eea2533

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
51e3fa63559a4e01955bfee0addf5c99

SHA1
ce9d9602fccd3cd28e166e01f879db0aa49ccc06

SHA256
b5c65a35cea345c7d39fa228a1fa5dc22addc37233883e7b66dcb2da7128d793

SHA512
156e878d19f0ae131d7410e50f4fa85077e0af9a3d10a460f54a8c6bee80915fda09b8e26571807d7458712a7e5b7ffda8daee13732fe16cc503c4dff5ecfdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b43427805be3c2a06a1f05646d8e854

SHA1
a28d291b111caa0a8afa70a9c7fc9af782deb1c1

SHA256
4a6762643b78173fdd4df737338adbf426d4b74d5c8fbd55438b4cce368241b8

SHA512
d3a28437c9558875fbbf4b8e3a994c4bc2c1687b4bd96bdaa813a1688e6ae8da0da2bcb31f40be41c96969def13ea03ad0cb7c9b42843b101ccdc3648214916c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
41d588077f2629802c60f41e87e60ccc

SHA1
4048229b155b893b17aa1feca5fa6edb5826fd4d

SHA256
0501ddba10b4b05d7efc0044cf8e8a60ae23fe3790e05d11dab2660cd57da052

SHA512
8c8b0c99f34986b914c50fe6b83c06149b4f397aca2885e930b611ab67218816cb1cc889c0b43bb1557a8723df107b670368e4bd7076687b7d905e880bf44c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71dcec7c1d153df77f122959f90d20c4

SHA1
bf60054ff0cb55649a2e5975bb744d88d5d4657f

SHA256
4f83b4872ec353dcf9fb8432761cc0a1808054679dd9e7fe27b188131611ae63

SHA512
f593aa27732885383627923e3634c162ebe860783d0eaf7f9a209cb6392ae34e9358762c4eb590d35ad67e38f742617f02627cee56ba82a35d78d21c977cc39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fab17e406773dec6b965d97e814d61ac

SHA1
ad91ad1b274bdcc3838ea918bb1ac322fe58c19c

SHA256
4d38915c3fcfc9bf8fc75f7612414913a6e194feccbc056923e126b37c64394d

SHA512
055cfa08bb57cb6ba341fc9c84c23b09b668ec423c2a65414ddba916763654ae32e58bc22bdd80405a2f602ed9f9fe7e3ea15e357a4c5102e10485d5a04bdbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2de8fa16f9bbef080a53c03a80a5ec00

SHA1
9e8a1ba1f56af8708694563ef2b22a36653f261c

SHA256
650aefaf98e1a21fc6c1a54334817089e7d8daeeb1d23fcd0cbf4bcf522a8758

SHA512
35e25aa74ccc14c77866dec4ed310abfa9c931738cf28af55df788225464fc98d587e24305ed058ad91ab79f9203675fd853481dfc84362f144674697fcce89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
85e9143227e0b2547bfbfbce42ad75d0

SHA1
6aaaa8e6faf2b86dcd93f51f9f99d89ab4645d54

SHA256
3d57a274aa8820575ac28c47581aa57c9dcbc650b5e431043fcb49941a42d5bf

SHA512
8eb4951dfd472fcad89d25b080532b11726e487bc397b9dad0f80dec558ce18b6d07f5949bdc0be2ecd4281764041957d2e046cbe2f6aa4fcb31b3cf3ec7112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1b33aa01737593f73ad45844b9f49a9c

SHA1
f8ee18b7ff4db756fadecd29e97e4b2326f5ca4e

SHA256
33417a0976c18108813aedfac48dbef271f095ce7dbf524d1d4d4ab8d88b5aa8

SHA512
fe9b5b640e200cc5273071c8429c478965ef441a90a131a6420a6f0d4b3d7cfd332def18ae1919dd8973a35b9e48e24d5330a4f48457b1d63c628a00bb71c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
080108e9bfc53b00bdbc6f24d1fc9f7d

SHA1
dc3f13918b9adcbbff6c1ffd3f760f8ce4c2e7ab

SHA256
de27c4f9efbc2161bedaf298803045b3671513f90f01a2121eb66e7eb3b88f21

SHA512
605f9ebd0ebb55a23c6ca29fbf04a9a0b140d800e67385cd613d0b940466136630e9ae9e390b02ac89773f81e8dde49ee6d8897906f88607de57b8e8a997e02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
78a1e1fd66ca26859cda201269006d91

SHA1
b9aefe4f7eacf8729142977dafe940ba3c3209cc

SHA256
796aeb26bb6922835fb658a607fd40853da878f27fd3ad4a06cdca6ed52abafc

SHA512
f5fef42e9ddb3a46cfd50eb0e8fa7a83d945c0c2eca7074d5739a0106f64f1db6c5faa746c62c320e0770c41a21980323a0fe05236121fdd0bad072f055e2aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0c50b0660784bbf16a0f40ba4bc48ff5

SHA1
b573774c1991c382733f9c013b6c5838742f239b

SHA256
58eb4c92beca93642ee9579a7b0bc026677bafd4ca63623784629c044daec8e9

SHA512
ee920d3ffdf6a79bfa80bb3d5f1b5c5e31109168b0d1133b19c65d39f17c793110cf72cb0b571a048cde6ab5b384f1dce5da12c16fc1d5e40a439054de1bb86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a2e03d3e34c8529acc5245e062338f4

SHA1
4a69da0d8082d7840bd2f09cafd4a29866261b08

SHA256
42a611041b701376bf01866c7a2991da28afea57b231d8b3142f62daa7128eba

SHA512
ff98869f4e04c5f4985596297e8199736b2e28edcd6465342c4338052580f8dde1ce9a8172e8018d8615031f45a8a69085657dd75505eab5695857c463deffca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eff74c0dc5b33e7474cc5cfc180b584d

SHA1
164227beb56e34b71796e7930e83d1958690f490

SHA256
da2f2430c33d37cc46ee6dafa0e7f96947e8aa11b46295adff7b3434ac7979fd

SHA512
c1e91e404783513faed79ce1ee82561bfa1270472723af52b55c5642346c5a4bfb4a1445039512b5253ac30bddad0f33f64fbfb0865f8915616ad72852153daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a4df0244e5bf1f4b7161f90db14eecd

SHA1
faa46d2863ac0f9efb804948fee357cb880bba5f

SHA256
7c35bc0ae0a8855dba60904c0f6160f197afd71d3e4cdcb9ee7a75576a8b4c1a

SHA512
737f599e1d23f90b5bea5a3183eb077592567a433ee5e6283f2669f9e6b9f8f3ff37f106f9feb0b72082a4be41865fe78b8023cd0b0dfff73a822ca2833b4cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a4afb203d6c98e268f2a6480676b66f

SHA1
2180c634fd2ded375eef2f3d69100545fea8c500

SHA256
2b6b30fda53aacef803e12b098ee0fc3ce1f3858b2d94c7e240b22629161a507

SHA512
c977e6e1f0f6d77e81316c16c275db56aba849d253bae8f2ca93901f16a04ec5b20768605fe46c078a09f5a2b2a8b2197d703f0d5342bae47bf9b70bd312639a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
786f250e8b4cd7070085313493368c4a

SHA1
c870cf188013956a654ac77f1ac0a47dae83f338

SHA256
5faae2a2f7c713e25d423aba28beae418cf955727a0aae41d02b63abac68b797

SHA512
3061bd60f1ee96de63068501ced68d4da3325313e59fd854913da1f3f11a2a8f1fa06472894133c9a977766c7e88e3f2e77f8b79d26960b4e2210e0ea0e564f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d7c210fde5ea1d9b0df2892269a7263e

SHA1
748f1be98945a0ce19e300c7d8cfd1037e3bd768

SHA256
e3add8fd0afff2ab5cc36af13d26089b5566c8d591918a343de9044e3493daa1

SHA512
4c9d564c89d73c68eab4d627a656db9fcdae9f82b31e6e85365d860bfd8b9d96d1708a8e3e86a9c9edb1b1afbdbb4741557139d24818006c3c64ad36bc5afab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37184eb14ea90c8c85e6838e08ade369

SHA1
9f7d6851b220a630a57f914e3a50c7cf0b763a0c

SHA256
07c9afc36d6259c84ca74ae52b9122e32f236aac33973838ef2ffc3870717f9d

SHA512
4511acdebc7fe9f32f87dff1378103dcacf062e039fa936a2ddc43d58badd104051ce8f6c7b1245e520f5113fdeda5535ffab417250b772bd2e4e0a75d0690cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6abb1d3cdc4fe5cf2c6b334db9743d8f

SHA1
083cb81c1a4733a32a7a17da41f187d6c7641ca2

SHA256
0157092623c2710930a48817354fd761389ffd98df0434a6e60aa6c0059d359a

SHA512
890929c37ab044c2bc6d07b932cf5dab1141dae1ecaada62db20db223fff2fd83facb0422c091ab072b671750d2d9ef665d4d5cb668b6268af7dab8450aa7e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a6c701823fc8184c903335e352602d9d

SHA1
3e625c57e34da31cb1b965f76f03eb067932c317

SHA256
1e17e8ec97876d2ee1caad9458fa05488f801ee42d2dd2ce6e707ace313bc816

SHA512
3b3499dad8da76cf373689b66c21d51b34a10b0f25a2857011103d7af0baae8257bc5b70cae473c26be1c14fa80695dd378a7dd315530ed598df504223a57f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
17795d16fa76df9456870e1e8c57eb08

SHA1
c33d4054302f01928d798c0fb8dfad7c6057f177

SHA256
647995132f9b287060aecb8b246af4e87892421b48a65dd51316a2d66f3471a2

SHA512
d5e26710050427220188d822058522b4254f43e1714abd2ab1f64b320bebe50632d8bbf4b09daeba28a73c93f78b794061250c8b383a966832e8f28e1f516ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f6070c429351c5bce8ceaee2365be5eb

SHA1
6623096effae813d1a3cd70c351149a0de822cd1

SHA256
6436416c5bc676c4564f60af1684314b3259ec76486276d5253cc62de976e4a3

SHA512
3c2142439e743c84cfe964d77b714a8991a3d93beff1b022d92576fb46444e1b6018b4c923cb79c79d6cc35cd109e581eadc3bdb2dadf894f1fcac4a2a22b5ba

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1264-48-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1896-15-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/1896-0-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download
memory/1908-17-0x0000000074002000-0x0000000074004000-memory.dmp

Filesize
8KB

Download
memory/1908-16-0x0000000000960000-0x00000000009A0000-memory.dmp

Filesize
256KB

Download
memory/1908-19-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-43-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-992-0x0000000072C6E000-0x0000000072C6F000-memory.dmp

Filesize
4KB

Download
memory/2548-18-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2548-20-0x0000000072C6E000-0x0000000072C6F000-memory.dmp

Filesize
4KB

Download
memory/2816-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-29-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-42-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-31-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-40-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-37-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-27-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2816-33-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download