cybergate | 8a088ac147897ba4e9e4d6818e295a028e891b977eae23ca5e197c489d0ab50a

Analysis

max time kernel
147s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe
Size

722KB
MD5

b49a827e9886760f31ef4ef39b6b19e9
SHA1

17650182fdf804e5cb498851b2cdfa0a7bcffc4e
SHA256

8a088ac147897ba4e9e4d6818e295a028e891b977eae23ca5e197c489d0ab50a
SHA512

16a5ddfd1e545f314962ceb93247ee648d75c42c6a23259d9d11fd6c2ed80a7f3fdc38d519cce26ac98e1333630b7ece32bba9f7b4952605b2720ffe0ff78b13
SSDEEP

12288:fp+mrR9Ru3/RcIoEkQPk5rU2K/i0uYvkFcIsZC67tJ78sRAbxFyOGImYnjfxBP6+:Rog9cIA2oa1Lr

Score

10^/10

cybergate test discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

test

77.168.116.193:82

Mutex

4GO4V66FB8BA31

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windows
install_file
svhost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Please update your .NET FrameWork to 4.0!
message_box_title
Error
password
test
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\svhost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\svhost.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RSBS777E-L5X4-67MW-A270-MT8KDC18Y7XP}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RSBS777E-L5X4-67MW-A270-MT8KDC18Y7XP}\StubPath = "C:\\Windows\\svhost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RSBS777E-L5X4-67MW-A270-MT8KDC18Y7XP}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RSBS777E-L5X4-67MW-A270-MT8KDC18Y7XP}\StubPath = "C:\\Windows\\svhost.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	svhost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\svhost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\svhost.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 648 set thread context of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5660-5-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5660-8-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5660-9-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5660-10-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5660-15-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/5660-150-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svhost.exe	vbc.exe
File opened for modification	C:\Windows\svhost.exe	explorer.exe
File opened for modification	C:\Windows\	explorer.exe
File created	C:\Windows\svhost.exe	vbc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5660	vbc.exe
5660	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4444	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	explorer.exe
Token: SeDebugPrivilege	4444	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5660	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 2200	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	96
PID 648 wrote to memory of 2200	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	96
PID 648 wrote to memory of 2200	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	96
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 648 wrote to memory of 5660	648	JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe	97
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55
PID 5660 wrote to memory of 3416	5660	vbc.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b49a827e9886760f31ef4ef39b6b19e9.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:2200
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5660
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1840
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4444
    - - C:\Windows\svhost.exe
        
        "C:\Windows\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
df52c7f4f4d5294bdcb40de4a09d3d21

SHA1
99ce099aa18f76993a8075294798890bb95f89ee

SHA256
282180888e087857538ca39dbe1a5fec38cf1015733431a1363d2ebc3d138aee

SHA512
fa6f90db09be402b5d0a35aefe6d715016648389b97b8f22592f95db8d686a82863eff17f1bf6aa66df630cac41c0836b48b9f9ab98e0185cffdcd9f3a29c41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1373b6e71358f4e4abbf2d8d2fc558a5

SHA1
80e23d1beeece82ccff584f4e1a883cd267f46f0

SHA256
0072870491c1cf26336a38c5d4486abcba350f0bb6b57aaaf40a4161478bb66b

SHA512
60512bc5aab5e4e1ebc14d553c5052bb8fcb66b13e4aff1b3d80bbfcbae8f31d6de7b3af7191b8d5085d683f9df25d05d64d1e2ad81ad647922aa3f85684e081

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6effcc35fa499a3758a6006f9f719ef1

SHA1
a58cac269bc8d3d92477aea9d4133da3edf94b06

SHA256
fe79639307b49f95cad2c3d73451d9f53789e4fb6f147b6b5e8770cc6fa4a1d8

SHA512
685602b60b3283fe9350f2ce3407d54e7f0a956e955f861e2dcd89e042551dff00e7d7893cd85b8915a9fcaa98cf75e468f3dee76af3b659fe02efa51f55e0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8172ef3909fb4209ce757f1ceb5821ff

SHA1
f465c702916abd8ed035c83ffdb038e959dbb484

SHA256
43a3dbec382f0fe3513678640407995541e4c5831d46023e886365888f5bbba1

SHA512
eef1ccf5671bfede46401c208a51a7f75f2bea976ca0f83c1dcb91a393d97a7db9f145a5492515b10f87d90c083ba84b93c8907cceedce30b700f4bf30bc8a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
769452a55c693db339114ab18e8881c0

SHA1
e452f8dcfd6a1122698642913d06c9c684087aa0

SHA256
ffbca9d5c3392c86ffb48784d9431fb2fb3bb91d54c135fb6ea30ef7903709fd

SHA512
0e51bfacbd5bc303d294033b5ab9e54679f052030d6ffa1f65c588d482b6997fbed783c88c6b12c6901e7577e1863c971f01cf9a1bb01dbab9d1a2b7403452a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b173ebb9e8b0263f77ece61fca22df7

SHA1
c0151238c79f45562b38b777ba46bf2be144a7d3

SHA256
84b275ffb8db354513be345af76ab6bbfe002127549f725a29a605074e8c91e6

SHA512
8e6eae8e74976ef1dc2c6b0ca924dbc1b135a3ac1d7a79c0ff1ee8959f2dd4fea2aa5a4982253e50a247bcfa11f63eb98c745cfcc9ecf4e91a5157c55a18aff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
242de98ba194aa487c00962121f9d0d3

SHA1
69b2a0957de8e622330c89c9f882a8d851fa44a5

SHA256
e256ad0f32985366f1816382967e1731b20943e7d2e06ca55b5d824f75a7147c

SHA512
472981b28998120713165fdae2bfd09e32b2cf46447f935fed1ac8092b37a93b34f31eea6a9ad36b5bbae10c77af8860d2e8cd2be58b842a7e6a1e11b4fddb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6fbe51885f65988b162ea8447c097a9d

SHA1
4437e817ea8d9a83e1d5fb48096879a74db31564

SHA256
20b88f6713fbe13d8ff6a39381095ab8b099e64fe8cf0c02da01188e176ffe70

SHA512
b3febf95d9043219c9eda91df18eeb7fe1ee41f724bb823d84f64363bf8a6c9dc615ceac855a93b1782cd5ba03f9cf9d397ed18c9a2739a28c21df6bd0bd908e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ad68973851c49bca93ecde2b2efbeb6

SHA1
8d78989d3cf9370175287e5133b281cba041730f

SHA256
a51f22c72383ee54a95f6d9cf554478f7df699ec32c55ad4c4a942d2474d11db

SHA512
3a883913fbf4bbbdc522aee01517b1f72efded9d7217ada53f26aaec683c89c729ad4eb601dd4a7eded46a19419ec007dbee344f5096e405c89c92e3a56acc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dbd0a3ebafaf5e69db750fcf6e1168c3

SHA1
9d0f982c9279e43867df73766d2b2f4b33ff42ab

SHA256
5a80f1c8772315577d9a07230d76dc19996547b78afe2243c4c5e6ab7f091952

SHA512
8c6e7fef6371400ae5c185dad75e9ac215ab7bcc9721b53fa8402bb66c566218c110bed3f38a8e20f6dc66f9ea0d62683d07f2662bb7161de55292dda548b793

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63f256be87a97abad6ab07554b46d54b

SHA1
45017fa512c084cf742ea930337af6796e8e6ed5

SHA256
13a498cbcfffe66029d4523dac9b56f57ab4692daae37a50e6b05649e3a480d9

SHA512
ee0778d13efc826de4e7b1ec1477fe7266ee577475fad0aac152e0c5e0a5b36908e158b4dda41898d5eaee7c4a2373bb12246c4ba15c9a382f70c5138e0eef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c807328b66ef7959d5c28603e77b928a

SHA1
c275ec995a76bb293a5d198df574022ddd1acbb2

SHA256
5ebc143ef38c10535d16af14cde39fe32e7868aedb11f009b59869ed94a0f174

SHA512
8c0759b29879250e351f2a52236d41d1a0b1d4e8eb74d4599c9fd3c4a37c0ad49bccbe72f98fce98d9bb12aaf1102d884fba1f14dba91a7ef53700a30f058516

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
06749dc82a80c650ba8ff42856527947

SHA1
f24e3e823ad2975c234587593add0c6dc2a32707

SHA256
c778de2739a2a3d23031d395396e235acfb3190a0a6f6a56064adbc5163ae3db

SHA512
bd6f0cfd598e7fcf0dfee3ff6ece9114716bd73edbd41d993cb559458aee624b042e93db4cd49da3f619b733d0a4bd7a8b764d62bb75ffff73da494c2107189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8c0dd58092ed17cf5c6490414b4709b3

SHA1
01b2b42fb18d036bb76284f47b9409cb7d83f72d

SHA256
966f3a1b1e2a070fbf4851e5579967a3ff871b4dd3945fe27f3169d0fa35987b

SHA512
af36c90d8f5b608065fe403673ecc5a7b5698163ae9648bb1ce532afb3aa14f9696f1c9e3de46c384b89f2d0b5ae542adb4f2eb8ab4fcafee7f8dea8c2aeddff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
43ca65f8f218477f940382fa844ec136

SHA1
184307784e8745ff810be5feee3663ada56e222c

SHA256
3132719ae44cb2a383a3712000bcb72e2a0fd662b925e76d2df35c7c28ec6074

SHA512
99fa22b828118df28f5f455b097e689e5a28e91d76bca00ab016c9247405bed545775118cd6160ff2a94fd4f48a2fbe18c1bd27b9b4d0491e69068cad6235934

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f2fb94921986ff35982f64c6941a870c

SHA1
c3bbd3d4734033f026ddbe5f65654a1e80bacac4

SHA256
357d8ea8783267fd0f552411f069b8268b6e491ba84276f630f51f250ae4c343

SHA512
c6c97efba56deac864e14a4903f9ffc99461d7e84f38bdefeab89d3799c401c0a1be1a430baafdc9b4d98d0499acf2ae03b067737491d6a23f4f9a17523698e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cdcecd7269ed8c738d13b38a3069a964

SHA1
c7d68c535261f99b3860db7ce73fd1fd76c77fd4

SHA256
c98f45c9247daf1e5399fa92b5172efa694f43acbeabd08126b74769ad116cee

SHA512
f7cd13377bdda44d236a1b7287a05bbc17b3873398e351260a74696018ac56685a70c4e0eba51cae320730aac76614a313360b75ad4d7e2d183ecdc8b5e77087

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cac786916706549f36b22ddc14590807

SHA1
0577cae6a904d61128edb183e76af8e258ce98f8

SHA256
469664f7b7a937633c262dcd7def7a26eef162f62ae75732b84a0f1658929bf5

SHA512
1b2078b99928c147ea11f6959168406720fcb68d1254581a8218aa31d60eebd55afd5b5b648b0a96c05de7106292f406d89d5dc369be8bc45ffbc6d25564502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
28bb70e66fd5eca7c62afb5141979bc5

SHA1
1ab77d868b893bb7611593c05e5775d1cb3c1280

SHA256
dea1cf9ec6f4e1bd74f4278be0d412632c4f45d803578f2005c4cccc483c7696

SHA512
1fdee12d5072a248c9e4e73bb009b17da337a1bc15a58e0001662ee5d9b532421a721f7f408d689164350a74bb93b9bbe50d010e8e575188b3bdc00de00043d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6c381e8ace6c3299c72bc2538cedbb91

SHA1
963ebfe8cc57b34ce01869e01d39c822cca3910d

SHA256
7b063b9e6c42746bd9017a8b851edd042480c49d5f2ae35aba437804e14481c1

SHA512
1d12d023233e90449697f5c1c38d0e49f28878a3aca6f2ee9d625467509a1884648aecbeebc654c316ea387c13dd4e912e470800e64898b17ce9525f3f945337

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5ae09a50a3551c3a512b5ca301044ea4

SHA1
0610b2a190dcabcd72a8225bfafe994fb0ed9215

SHA256
df823da06f0d8df249e687d94193c560eb8532ffb4c0d9fd13609d53680359a5

SHA512
32ac182863d0b87f54fd3bacbb492abe62c3e7f2d21b99ec71e32dd458d12c9d28559b776f73a58f7bf1b95d2e92b3ccba32e125ca90ef8963865705bd2dc664

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
91e0e28340dddf4960cb0cf5285fc149

SHA1
ef4c932d24feaaa0b4ed06451d32aa3173f92216

SHA256
5bbf0616bde0862ff6600a520e5e3db23d87d1577e0274c0880efa4473de116d

SHA512
276099a4c029ed8c259cd7c225ccc8651ee418080145a97fe5050ed536c1bb6122bf95cbe620ba42fa9f63e53a11255db71a268c8f62330799b0c3d102b1600c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
56d4e1b12690995ebd388b39acb9ed6b

SHA1
3d051cee6ee091aa80464031f79bfac97cf0e17b

SHA256
395b1e0dc9c06e7b6da0cc502a2346218d37a63b47c49959cc635e75a0a77090

SHA512
b976895d4441f9093c7560ca11676eee30b25ca0a38c6e02f0083e51bf03caa818d454224f53935e259f896ad76c06030fed8ec309968c4373e49d0c17f3c28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f5c7b73e29b2755fa82b99edfa3633ef

SHA1
fe3b9451f7c3147dfa8946ad37aa9f78cff9ccd7

SHA256
0d45dbaed2154efc4b32691c42ed5f6b5fede492122b3699db1cd4d7f4644a0d

SHA512
e1f29b975078dd3c9fc2d98380d9d60d6aae25e71491634a8cdb5b0c18888e2e8604d79982071ba26b0e93c6ca89e2545e40fe4ac5c12f1bcbe923f63f082845

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
edc9dfaa7cbbb4a3c5459e0db2188326

SHA1
a5358796066232b93854381c9dc597964dcda2d1

SHA256
54299fcf939f4006a5d3d67a008093a10bbb3b1fb600a392fa5f814b1d310285

SHA512
7ce614341067718383ee92f50eee2705b6573cec62f2a3a326094757b5ee36cd35334022a94901503e520777d7a2ff91a35da882e4fc92c81b8ce6fecb691a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5861d966db3383201297e1918fd8b9d5

SHA1
491670b2fbe3cceb44409186f6e8f07493a537d1

SHA256
36c36fa8d67ee9b6fb20cf1f4d8694f7af395dc1cb69662bfb10f28d5426faaf

SHA512
5baf4f5d777f4c9efbdacf896508c4bb32b21add1d104cd2b63244d4b0d9f2ac023d9fba078c29021d81d8a8d7448920f2c8cc3e82634a26c01a9bb775114c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
59b080b3f1ff70a78bf70f0e6d4c14e2

SHA1
79ac2ac10db5f3ea1038a75d7367ec3873f75f57

SHA256
c8c5ef1ee0dae3bbe51f9027c709162b61186ef8045e1faca24213da8589f045

SHA512
058c770e2acc50dd633620c992064181e786d2195fc6babb5a9edad44fc963bbccecc5f75a00c9d83582977577de517545775dce2781e2ee221e69fa7927afcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
11852169d6695834b41216a2769e909d

SHA1
970b7434ac9ee14f46e2bcfef9da13ef365328f7

SHA256
a088745a61f8910a7f672969b00bfc271521f48216c0ac289735ae3723a7f4fe

SHA512
718cc164d7ba870a3ceaeb96f02ddf97c7dfd77b4b4147faf56d677dff869733a73957c9ea8dbb0284bc32e959428e1bee3a9605e4eb2fd74aab0330f9899e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
590547b5308b11d2030ea4a776c89323

SHA1
c9e4fe51ba742afbca5767c99f1fbe46c4fa8e05

SHA256
f2f87fb18440e0e67b0e8ed2f08859f32e39acc5dd113672728f21cc4c692964

SHA512
8fca10557f1cc271e40e849c0263b2921054fd9798ab91d9ece321d5c5c26263894f1f10e383321a56abe1326b1262233b05e054afa3f84f9f38f4d7097b9097

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9f0ce1ba233ecf13111974501222f886

SHA1
4879f60365423bfa156d3aa585b619702e83a632

SHA256
0e056e4830791659e0abb0d5f0fdb960eedf968096d4312b084d4b7a320b3edd

SHA512
eb173ab53b54592b9efc43ff0393109aec9e923ce988ec32d9abd18f61139d9e0137c18b7a13cb575b58d1c5bb70069a1f4a440d1eb07caeaf2e3aebe3c45af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a5d68e3bacdd44a5337a4ae9e0f8965

SHA1
3287455a837ef0a113cad69d633c771d139910ae

SHA256
e95de2032b24233b2d3cbcf420e57aa5f3cd24465c70e6f407923b5cd75d4f10

SHA512
1a429919d1de9040e3accfebaad49602fa3e365fd1cddc456198d17645e7cea6d654a774cc72df2a3c59a55b8aba189c8aa4d1dc21217e7078855d32604a9c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d276ce20bf76fa52903eba45223a9176

SHA1
e352ad6520103d4ba32a0f934e311b5eea744492

SHA256
f8088d24dcc3fd0f3251901a880ed710e4c5a8cdde11c09a11776f6055e6f389

SHA512
637c6d5633deff88de3640d360ee83970f84693413c43a7761696e00af2d71d719827bfb0b29481b20735a84d1b837c35b9abec0dda776a8e57a61f32564087a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
afb7c1ba98532ee30fbeaf5bfc7f6587

SHA1
8cdd87e81f1b93482b520d7f884a284ca41d12ed

SHA256
e5ada8478786210a8ee8a8715498cd381e170a590ab2001a8389c9d62affa4b3

SHA512
2f7ddb465199a864f8aa0511ae25f2fb1d1ef2b4f912e4ffd3b9e1638370a4f89a89c331edae1c3f678f319d5ef17e3006e1ff452b5d8065755ca80e6d29b4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c0343bdac2c8f7c94f29de7926bb291

SHA1
903119bd831d35348bedfb5b8818eb93b9c6d037

SHA256
d55416935cccc37a2ac5728aa2a767c0b001fcbbcfe310a2fe396d84bfc7e55b

SHA512
f80866aa72e656bbb00584eeae6c1834afdd89d5c2bb2431a94b8c686c52012dc834b13cdcbbf717ad5e0a51c34b4c1a88b3ba7cdb251412d73862300fc93c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e0e0717cf67bd25c07c76b318104f4cf

SHA1
952bbb707871987856d6a6c5e6b0c6f82549a031

SHA256
5f1243fc560e817ef91e67f21d3a457199fcece8dd867c2af398020bbd88adbd

SHA512
f977b22acd36136aa1630508f3b378ae9755258636307d4e57c7c9a6a8a3d9d551c5be1076a96de20fef629a499e388da5df79e6c4c8bdd04869aeaffceaee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d02f4068a7ab3eb30c525cd87a3cd15d

SHA1
d920ff5e154017f2d1032ebd6545b54a3d6c50e2

SHA256
07ac064b3ab0fe55323cfebb11b16c9f26457a632ab4e9cf4277e7b30e5a5b29

SHA512
177946f48dd0eecf1bfb4557cbcb334ff32fe076579086b49bda98ce745ed4345dfc62173cfc6d54a89844abd723c813a12b2e80d4b31bfaec013d41777a1fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3eb8451134da220986eacedf3c2df026

SHA1
847fd79561d542e1c7e45a3076a4bda4a8c5a603

SHA256
e54061b6a3b4b2d4e1ee8e028a0f91fb529aa1858fad7a09b1da19d6f9bdff91

SHA512
a7c61b6b1d43463297e04084b972e2f679b8998284ee31d34a4da3c8a6225961f6adf1f9310d65970acf6cbb327eddd5e6455ecc45acc863adebc0d86103c638

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\svhost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/648-11-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/648-0-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/648-4-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/648-3-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/648-2-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/648-1-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/1840-83-0x0000000074E60000-0x0000000075468000-memory.dmp

Filesize
6.0MB

Download
memory/1840-19-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1840-20-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1840-75-0x0000000074E60000-0x0000000075468000-memory.dmp

Filesize
6.0MB

Download
memory/1840-84-0x0000000074E60000-0x0000000075468000-memory.dmp

Filesize
6.0MB

Download
memory/4444-169-0x0000000074E60000-0x0000000075468000-memory.dmp

Filesize
6.0MB

Download
memory/4444-130-0x0000000074E60000-0x0000000075468000-memory.dmp

Filesize
6.0MB

Download
memory/5660-5-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5660-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5660-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5660-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5660-15-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/5660-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download