cybergate | 32a96fdfd01b9eef1f32410fe4f0ebbcf51abb3f5f2c425f482857781b1bf9ba

Analysis

max time kernel
146s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2025, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
Size

283KB
MD5

6dbecef101a917c1264dde14096d3d32
SHA1

7df116888310de093f3c80d8fd4b8ef2088f109c
SHA256

32a96fdfd01b9eef1f32410fe4f0ebbcf51abb3f5f2c425f482857781b1bf9ba
SHA512

b14b804f4708d10414271fe9100f6b8973e3d2d2631049030f9e2e00194c8fa38de483f435732411ef7395b420da32c0960816b1c35c055fbba5a1407b3df5c5
SSDEEP

6144:r4ABF94xCpAuO/50BTnyZsSaXhh4XAS79hO9R0O91FG+A:kUqGLyWSKaAS79MEqfGh

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

remote

127.0.0.1:1453

cyberk.no-ip.org:1453

Mutex

V450G381KA455G

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
winstart
install_file
win32logon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cyberk
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\winstart\\win32logon.exe"	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\winstart\\win32logon.exe"	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ND6OXT5-5EHF-4C5N-6MT3-118SB0N7J58P}	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ND6OXT5-5EHF-4C5N-6MT3-118SB0N7J58P}\StubPath = "C:\\Windows\\winstart\\win32logon.exe Restart"	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	win32logon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\winstart\\win32logon.exe"	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2800-2-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/2800-6-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/2800-63-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/2912-68-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/2912-92-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winstart\win32logon.exe	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
File opened for modification	C:\Windows\winstart\win32logon.exe	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
File opened for modification	C:\Windows\winstart\	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
File created	C:\Windows\winstart\win32logon.exe	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3292	2176	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32logon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2912	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
Token: SeDebugPrivilege	2912	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89
PID 2800 wrote to memory of 4600	2800	JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dbecef101a917c1264dde14096d3d32.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- - C:\Windows\winstart\win32logon.exe
    "C:\Windows\winstart\win32logon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 564
      4⤵
      Program crash
      PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2176 -ip 2176
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
5bc5cf131c0dcf82663901db5a189790

SHA1
9cc74a9a1d58dc32aeae31886fd0148a0ade0b36

SHA256
8541dd271d4da9897a8cb30632cd303fe021a0bef8525898a3490559de02b240

SHA512
9675649c551cf3211e4f0f7ce09f395b4c9e4e8eb9e67ee1b4565be719b28c0d7a1adc8d186227a3548025219f94a809943a9a90b063a4d16e33847dd501a8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
99d2bdaeaa8d3e338b9ad83532c86e3b

SHA1
6ef7f53ffdcaa4f89480812edb0a8857aa93c46a

SHA256
e9c45c68dcc0fe87cc7a6fb2d9f4801c14dbde3bbbd445677c3f3ed5822efd96

SHA512
d1efafe09210d747e048d73c98276b43016c5ab91ccc029047ba6e25674c7969be4dbaecbf683c5db03894a6ff954f55797619fa201538eb86dcf22674607780

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a5530481ee2b421e697f9b1be2f0e74

SHA1
c7e0d2839cff993a67bea3cf0647fa1e7a5851fa

SHA256
f2c9f50161c6d9f4219b8726cc28300313c707754c752f540f346615db2d632a

SHA512
69593a182cfecc90cbfc40a9dee3e4b055b71087c7f44669ed78f5a85e9be4044520dcfe083595717e20f55c8170fe276cf3b8b9d120093e0dec2e075a7adf7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cd0701e5536fba8829bcf39fff771947

SHA1
374e891a1d163546102bfa1c3dd31e94bbbd7b2a

SHA256
2b1d903581b08c6e882cd597020ac1e8ca4f9a4296174dd61bcee67b1081ffa5

SHA512
eafd56d289c6159442bdd7a2bc2f221585ebc579320a7948cfae2ae1826d07b9eb99fb4227fa30fc88d25074492bcc0e7acb311407d4cc3d83f169dc5c61c926

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee9165bd5c9d28b97aa14a4845a28560

SHA1
9cc7e4374bad325ed7d1b7b9b8f87446952eed5a

SHA256
563248e4211705043b88c5954086759e408aade7e4aa7f878b4a1381fb4cbf9f

SHA512
91a141dfad8c59b91e9bc5a8bd72fdf654476092740b4737b22073b31f9222ba791a431f388088022db814c605f3dacff2077b52c907bddb86a3160174822c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bc4614ae10fd50cd614283809faab1d0

SHA1
d346dbc40a55fc66ae20d751d0ba1e703a7b199c

SHA256
684a80eeef8c2bd7ddb816ad69f739cbc6e6cf4299a26e957d1eb73b4ffa43d9

SHA512
c8243c7523379c21c9214c7eaf5ef60c87e213ea29cdab3c62fdbe27320f6e8201bb10497e828bb4301f430520a8bc1c3d25bf19dd68068f9a1925a8228a7edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7c3cdcc50ca06a30545657868dd8d34

SHA1
ca5cbfa660059c1e4af7dc96d61a203c2f342d35

SHA256
5832281a8607ce726a16b04dbf70cb19c3bdd682d48c5fe2b388aea5b8bd447d

SHA512
b68f85e793745c876235fee9511f5e876a2b0ea0d6dd178a526c8306cb21b453fd70d877a0b444c9ba6c5a264dbb44ea4760f2dbd6bc0466598707eb53c1344f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e80c8a392e611bafcef547b078b1c246

SHA1
5fa7389868378527eb3cb208d2974f382d378fc1

SHA256
bbbf3eb7799bdeeac43961cf479a2acbe82dfbcbe44f0d66a520762b9f1a290e

SHA512
4b532953ae55f2cc11de410e78c22037f8c7f1cc6ac96cf542df842c9248f03ed77a891c62fc6f64c99214b06f376b2812cc1863a4274752f65be1b90fdebc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
06729f0473c141db8f5f8ba8938c82c2

SHA1
1784be3caf7608d9ffb054365808434c04224f4c

SHA256
380f0d53dec3d35089f387f1b04fc854471983cb4e9bcc3a213e76b9391244fb

SHA512
b8f70b75939c47a4519c9c9ac3adb2869aaaeebaba3d0f26fe6ca9e1aff4e0b718dda88c58fa2e9d208ddb7dba720628074d06cc65a36955aa549273458628f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c7f32e12a7e08a2028d4b0fa68c8b7f

SHA1
9a7dbaebfc09c723dcad02ded7f02d64b2754f77

SHA256
b4bef3e01a70437c9d036f8eae1422ba760409e78d7cf1d7ecfab35a4d23f67c

SHA512
62e81f15639bcd65407373deff156b7242495d9ac2fb6e7f9f74532cb202859fd85a73f5f65dd81c418628358022cd6723e1fe2792eb66bd0c8ff299c1cfe98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ebf303cc462e83a429184d2535ad7113

SHA1
18f0dd9adada623abc776b2e4205a87d49d39afe

SHA256
1974e542816a6c355ca9be63d832dce527f11d32d8a891f1ff3e4ceae3163979

SHA512
c31f4bbc31ac6a40e7e778e9265dae61677078e89886a8378e03f96a8003fca639f6a4ca72abf7d7dc81429ad8a2fc0bd5b118a1341b5a8c5691e941b3020d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0bcb82f77db2f9b27dbcc75fc8050e72

SHA1
c919fbb41a2a51e90e06f7d34d958337f65f9de3

SHA256
033e333899d6015480d82c0b2638289cc33423e6892d10b16ed27c768c437c34

SHA512
94a1b795b9a5ec4e8d86f85b4118dc92b5527024b3aac850ca2cc1cd78124b0e958d74a8de54f0ebb89085cc1cd28dcfd74c8dabf2bb980371a475c6ce432ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
12837a65212fe32c99e4853348c4d49a

SHA1
9bc4a15c60db17ef0dcbff452d56af57819d11e1

SHA256
7c75f08dccf6073cdc73429d9aab1f06b226afe799ce4c29bb92700347afde9f

SHA512
ec6f4088d97099b12ca83d286fd690942e6aaa557c7f27b008d63bbb77901087ddaac7cbcde070720a4e1935e2f5f9f4efadf76cb9633e62ca04cbd6e42b6b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
225f2a9d4e7fa5e8eb2115c068eb1d31

SHA1
c162de94e52a979f81eda1e7a1852cc5a0f8f471

SHA256
c64277caae95920273b7a7c913ca564d8fc0bacb5593fd847ef19a610fd3d394

SHA512
3adb835fa0eb83dc7dbdd67079a7e1f1bdbedaba38e3791280206995d48da61cc3bdbf742b0876ef3e5179a606c2d382906f0f08046f174eadb0fcecf618c486

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2130d4e57749a8fac9df8c92fd8b328f

SHA1
a76812a36c4e034ffe966cc036abce62aab98df6

SHA256
f1b764986c9d1a44e8414a30e0016a5df0788a73ab6ddf92ba1523b3a59fac4f

SHA512
b3f7804ccd6df1551309a5bd44a7070eec8e91b0c34d58923e90af7ec83c9490bf8c1df199b227d49839ea0d120363f617aec18b52910ef4195d058982854e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
212defb0606816be0be768df98cd76c8

SHA1
a563766f6091051112f08a4894ba8f453f15f571

SHA256
789d514879c7d2548d2104621eaff005adf5bb2f0df8b4745f3baef380f8583e

SHA512
fd4c1421c88f61563418a9942f77fb5d5eee3fabac4ebfd0feba50dc86f9f6e4733302cbb7269b74d9b80080c9b5bb7c35b72ba49b563f75aa3d4075bb105278

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0c223b97b20cb9c464bceb6fabe8f6af

SHA1
7b8534dd107a24fda06d541a0c3be291ce050255

SHA256
add89d67c57fd305023d4428ed0aef6bfbbff50ebadac7ba59d866d2279776d9

SHA512
28ab6dc205ecb27deea9ea7ab899397a6143311aa0dcb0fc60e39a590529b4012bd8a9766b6dc2e31fb0d28d804dc66d611a3fb952d935d02c910e209ba85d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c90f47a1ffc9b965a907926fad0ebafb

SHA1
fef2362ca501723d24f8508236df6287a5027f64

SHA256
25269089077c8210d3f0e139464af3d10196aa580d1020856733cf87dd616cf0

SHA512
7d6a7eb950a5310449717488bc75136d04219c0efbb0f9d2b4f0dea68716cd8931ac07fdc13039a520c9736e0bc86ebff850e606502e85a01ab7518061198133

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1e449b2ba67a295eced0ee3397a936b6

SHA1
99e14775a14e9beb08979dce1c2a0fa89074bf24

SHA256
802768cb19e81077b78d46daf1b2aa204e1492f1a6e72671e9135769620a279d

SHA512
f74bab83844f65617f412c84a1bcd4e8593e9a0a94b34b54eedf917f085a47578d12bf4a685be6b29b8e9097e32bc125dc0667646bede352428ef5cc0aabaa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9d69efba1bb27b68e8e43b48c307f30

SHA1
754da80f32ec852adcd0a6161263d677f7509cf0

SHA256
00092d95dc10fc8bb0507b51601d74cc203b2ea0202ddf87ba9c281052d7ba55

SHA512
cb2c7f291163778712491adbedacda4a0604cd557b7e02f16da1f5b25ea8c2d2836bdd814d0c35c9a4a674c4d3a3b44538b7a19678819d20c2e496d215847313

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d9e0d74f9f55c6e9a3ab1e9a65b70a2

SHA1
d405098a1825fe49af2f8be877230024ff01672d

SHA256
1106e2816a3cc349046f7a6c0c007e20a807417b176d814d9441d7e8857d4c37

SHA512
3ba8da0825111ba5899fb27ec3d1e89557aede470dc605682fb4700f09128ee070931d8c435d0810a9ec7cf6e36d4e40bdafcbcc5e0c65bad710af612259263d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
09f25d4294574772cd2b1be5d8379e75

SHA1
91e6e97610da128c112cc0ce591225e385ab37fd

SHA256
e45bb448e8799025ff101157ff5a35573f5996cc5c26620f3f80c738f2bf5de2

SHA512
70381fbcef251b2473b0ae3071c94b08c5e59dbd09e3a4715b0859c88342062a305707238b76a694abb21308dc28bee00fb6c69adff457a7ff95d395acee512f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7cf280930c940c460aa048ac12e165ae

SHA1
4b7166fac72e9e6ca40e93bb288a5a5027c73abc

SHA256
56f5dd3f8426834b98bb3d0a9c6bafa05d7cf9e38ee45982c8c84c6f1b39fbde

SHA512
ba082a0e3b7b696209b332a322f3268548190a2e9d719db446411c030b85b5747bbd98c76aff5aaefe344e3d069f97626be06136089020d7e2fa797bd3192818

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
52c98120d7962a403cd1092e1ff55f1c

SHA1
0235c824f9375bcad8666626365efeb5d0940f24

SHA256
6878b11c1d9eb3f33c6d8fca79454993f58c2f38a774ca3d9b946c6cb68d1b33

SHA512
07cb196866341b5179f9512f17293ac040810fa44f3a829f96fd09ed781207d796240c569dd10dc0e0fd8eb29528fd2c375df747cbe7a55339420a16740af88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6244bb403e785b2726bee3f7112b935

SHA1
86229f50064ba81c5ce1aa95515a00504564fe19

SHA256
3f9d07adee997861e85e5817773db57441a7e5a781cf89456376cad1e87de547

SHA512
e07adf78b94a3f4a2cc23132cdea1f12cf364b5001a0c4531b002c663449cda3e0f1afc4e9b9255b3ec581ab8428e83abd6393782163b4a06923f65dba4ec696

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1dd3a6dfbf958b2901ed55baeb09d659

SHA1
6fa9be819fa8e27feb522083859a820c2aa57210

SHA256
69594eeb2fceb676911356a0ae098e07c219a85830d7b3c1a60b22d624606173

SHA512
02a9311823f8b69f86976603a15a6c78a90369efce53bf4cbd61518583c27e2d092f8bae05d095e9a2cde361511fa4cba249beb888f710afd340f46a31d9ef1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cf07e1999285dae5c1fda46bc4885ea9

SHA1
c62ed4b0f8f444937364298c0447db8740be3fe6

SHA256
37ded97a29eac9faf7ebb805641a6c0bdde257ae5d689be9acf09abb933ec30d

SHA512
00e26afd15428207bc29bd8a06de64370eb463073429681a7e1960a8a52100a60543933a3e751b4ad16bafe98b2c252f6d184c391acd8cba3e492322a69b2f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
94a4833b33a7d0a5e1006a895b1362ce

SHA1
d56f2cad6b544f8161220f38f85ab1434b304925

SHA256
8b9e22d9c235336708003a554da5597b82b5d638fe8c94f0eb2b29390444a8e2

SHA512
298c56caa5b1d0256a7eff26fdd5c27e661926f83da630ba522598c826e30829e378895dd2cc907920edd24a8a1008658328aa4edb383754af67868d179e74e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c86790b141b9394fa7ca4ef53f06e391

SHA1
17c3341c7e015e622e86a7be185624f5d8bfc15a

SHA256
5a9b296df8a2a93eea1b4aa5bd315b0f0bb7d290d3d3429604e5efa237aa36dd

SHA512
5911e9ee86259949de43195d799562dabe9a90011a9c61342a72e362b2f7ce091fc541770d78cf9da854b6b1a451ece3ab6e69e9080d998c91bfcbcd91b8a38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ac13d87482b07ed3ef83cf6c2d397c92

SHA1
3d6563455f21e6640c4ac8611a71570554aef985

SHA256
4632449f87e7a74b5a2870885157fd90426fdc77f95cdd46eb609435e8a196a8

SHA512
89ae7c557d30b18f3929913ef4bb224dc482bbe424d83f70b017471113da7d9fee1510508d5825c569eba0121065119ef2be53f7d056ddbdd21bd15bbdabbc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c4f495de565fc7fd3049b2ad349af5e2

SHA1
accc7afe96434ba24a112c8e48b25016c88a0293

SHA256
5d26421b3d8f4a078329397d1b0a47fc0adb2d7e8ce2410959f02954ca86f1df

SHA512
7e6277b6d0bf402b7fa5e28037b38ec9c51551ccd59ffcad6a20b0d995386d224466977bbf254185a31d721146a3dfbb67587cfe98a02b907e9147900d1568e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5a0fc1d79d5ea58ebc74c3f335acdd21

SHA1
e1be1a918d9e757bde4a606e20a821ac4fbe733d

SHA256
86e938606d7f2389c7cbb1a4b089122c2f807bce3b49d98bd985a4388296bbb7

SHA512
79ea125f7c121f3695c73bb93dc4a46ca60183d2afc6c30f8825bec75d56c9eb62648d167e2681c8479bd41b75c442e090ab6e1e5d39bc21e1fc20464be129ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f54d793114017b93f7ba5afee2e07c63

SHA1
21c968f29810e7655811256815219da3aea2f664

SHA256
e015d46b7ca4625eea132058489a95ac0233908e2abaea35d707ae04906a8609

SHA512
9f4dbc0870c7aa80e1a7cfb7cb642d0873f2df9a96a875cc878d41d28c634c523157f9a18cb6bbd6ecdfad54faa9572a77add8eea5cc742639fd7bddcf7b78b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
138c72a3eca36f712e289d4f1e8bb2cb

SHA1
ef3c8d3caa54408aa997bd0bd95c113eff22a936

SHA256
b6ce68134b99c148c9d55da749b3044b95c988cc5bebd4bab3d0486556401eb4

SHA512
687309af6ab4a197908b63e84fae9ec3ab8ac40c2cc2c923a828b6f3f461eb62d5b579b4e0272a19940a6e60be19e258ffbbaaa1c944393b74d76fe62b0aa239

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e2d0559ed590597042f95f62f9887af

SHA1
092447184f896ac7a55c5b77540d21cbd751927b

SHA256
23e13c0eda8e3659b8c9651d77c6972f4907c7862f80fbd254f59ca4ef3b9c58

SHA512
2fc3571dcc1b8f0abe61eda80a3dbda212a8b0830d96544166a16e43beb0f75285fc0a39f7d09ad7378ab07d8809e198b0289bcfe75e1f16b6e95d1feebda190

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
038783c5d42d0e6ea72ab4e535bcdaac

SHA1
29f78dda1e6908fad56fdc3f3eef91d542fec1b6

SHA256
8da373800c0e53b416650c0a355f950cf8134af4309f00786097fdb88977e3c6

SHA512
dc6d305824e256c02eb7d8259616b8c4b3566020bc8f0cbf96d548dd70ffa8d71d41600de9d12a19e12d566eb66af27cc510b26adfa18f534e1a0d3bdb814368

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b79460db10ea6b5c93e87a7beff186b

SHA1
87e200579a80a745faf37573fdf18eaa78b132d9

SHA256
c71a7699af771cf3efa5d2f201d5406b44694942f3d28fa2070c29173ed3cfdf

SHA512
d933e284aac311fae3740fc700568de579a47f0c85196a0fa8c5416393b1c6dcbf15ec26717a3eef060b9c2fbe3cb197b9f0c83b89e912b4d692e9d40e3ee3bc

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\winstart\win32logon.exe

Filesize
283KB

MD5
6dbecef101a917c1264dde14096d3d32

SHA1
7df116888310de093f3c80d8fd4b8ef2088f109c

SHA256
32a96fdfd01b9eef1f32410fe4f0ebbcf51abb3f5f2c425f482857781b1bf9ba

SHA512
b14b804f4708d10414271fe9100f6b8973e3d2d2631049030f9e2e00194c8fa38de483f435732411ef7395b420da32c0960816b1c35c055fbba5a1407b3df5c5

Download Submit
memory/2800-2-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/2800-6-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2800-63-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2912-8-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2912-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2912-68-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2912-92-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download