cybergate | 6a6f511ecc3212b06a48d0ed7b7dd1b041e5e8b6bae1c7b4d6c77565162889ca

Analysis

max time kernel
148s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2025, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe
Size

754KB
MD5

74b689b53ba631d667bc87f389b4921c
SHA1

8c9bb41a258373dda0e580a6b96b6b0188cf476a
SHA256

6a6f511ecc3212b06a48d0ed7b7dd1b041e5e8b6bae1c7b4d6c77565162889ca
SHA512

228743136f243922e215ef0b5856d3d554cea79fa9136392715be8f2cbe46a6af3b01a6b1a486bb368b982327257192b7a634bc6327c836595edd13db41789b7
SSDEEP

12288:R4dMRU/UP4heFjLDFtooS2UXZRY49SA7GI/p7a6o2Mhi9v6FAqGr8iZnkNvEMCQF:awU/UwhWvwXZpSRSJo2xvWGQiZkNvEMz

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

streetking.no-ip.org:82

Mutex

537RGYD5J13KXJ

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\winlogon.exe"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\winlogon.exe"	Server.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L3FGNL63-B0FE-U537-3LS1-B605O14O3528}\StubPath = "C:\\Windows\\system32\\install\\winlogon.exe Restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L3FGNL63-B0FE-U537-3LS1-B605O14O3528}	Server.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 4 IoCs

pid	Process
2344	7za.exe
5612	Server.exe
4880	winlogon.exe
4916	winlogon.exe

Loads dropped DLL 1 IoCs

pid	Process
5696	Server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\winlogon.exe"	Server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\winlogon.exe	Server.exe
File created	C:\Windows\SysWOW64\install\winlogon.exe	Server.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2940-0-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/5612-16-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/5612-17-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/5612-20-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2940-36-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/5612-79-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/5696-84-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2940-113-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/5696-115-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3808	4880	WerFault.exe	91
4572	4916	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5612	Server.exe
5612	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5696	Server.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	5696	Server.exe
Token: SeRestorePrivilege	5696	Server.exe
Token: SeDebugPrivilege	5696	Server.exe
Token: SeDebugPrivilege	5696	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1252	2940	JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe	85
PID 2940 wrote to memory of 1252	2940	JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe	85
PID 2940 wrote to memory of 1252	2940	JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe	85
PID 1252 wrote to memory of 2344	1252	cmd.exe	87
PID 1252 wrote to memory of 2344	1252	cmd.exe	87
PID 1252 wrote to memory of 2344	1252	cmd.exe	87
PID 2940 wrote to memory of 5612	2940	JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe	88
PID 2940 wrote to memory of 5612	2940	JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe	88
PID 2940 wrote to memory of 5612	2940	JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe	88
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89
PID 5612 wrote to memory of 5180	5612	Server.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74b689b53ba631d667bc87f389b4921c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Roaming\7za.exe
    "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2344
- C:\Users\Admin\AppData\Roaming\Server.exe
  C:\Users\Admin\AppData\Roaming\Server.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5612
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:5180
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
  - - C:\Windows\SysWOW64\install\winlogon.exe
      "C:\Windows\system32\install\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 556
        5⤵
        Program crash
        
        PID:4572
- - C:\Windows\SysWOW64\install\winlogon.exe
    "C:\Windows\system32\install\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 580
      4⤵
      Program crash
      PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4916 -ip 4916
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4880 -ip 4880
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
5a0dcf6e81f0c46c6a2baba8df710a13

SHA1
9432bcd8e601bba91d1793968b86ed8264a89c33

SHA256
960ca69dd914be928659298c52ae01e1aa7e11b6686c8742de7017703455eb16

SHA512
1bcb1c4d769004c2936a7a5f0db93ee960f14e055d057f809e3e3244c04edafd2d1e3e9986b6afd087f5c6b28936e8ac742d2ea8541d583edd5bde92c8fb31c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
410f5e96160cf69b6213c5aae44002ea

SHA1
078beccb82da03793b1d6f9c75d21a4c21545724

SHA256
6bd413985b6042525eff9a2ee4501cdd8f6a9565910b94bd0a5099b3e9f1fa59

SHA512
628d0845cb4b72def8ee1617d98e81f66ed9a06d7bb1f2807f94baad99322b96c99f041c00b37a1853e70f2e5448f9e2fcff4b75adc55b63516be89423406a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d22296684a8df8b1f9d3730295079eba

SHA1
0227e0d4c1a92a0fec66d901f981e5798a46d062

SHA256
75db337b7d9d85662bf8e1e2cfae9cc746cb594abcf3b975b671f5c7f294e0a1

SHA512
6d2625224cb884e5f3d5a619dacf1a3a62d6e733a7cce6d2d749f2b4a3bdb9a76a4d8792bc03d38a4838097c5ddecbc7947293ccf1b427542f175e7f27979dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
64559f0c73f63839278d1f2ced51b1c7

SHA1
9ad42be8ebb17a9eaaefef21795e391d2a6ff35c

SHA256
657b18a9309c2586c775a98a65783e18f93988e57f24c30c1b8fc214bb74200a

SHA512
b543639f79d8fe5e1fbe606800944bf8642bf2410063003aa4ec1700b882ed243b6ad202c0d52e579453613c510375561ce1981184fe981f269a6d503949dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4e3851b3f31d614ddd00b04d13fa816e

SHA1
22676fc3618bce38cd0515a8e10e2ecdca965453

SHA256
f57191c966ebcff5949e2031add4f3865871967d8da54c8c84e503e48ab84b78

SHA512
984c2e4c7c32d1474f9bdb4fcdba22d1cd259890244e2440e1f04fb4002540f346c8de87484d8250da8501130fdf3d628ff1fe298fba1651fd7b0f40b60621bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6951734c56445c9d8ec280e9d7f65666

SHA1
9feb24fc85cb83cbc30513be7759baab43761277

SHA256
33aada251bdb1ce83038263b3811e2842a76675e546adc379cf469ce3aa0b6da

SHA512
c31ba3b4a38ffa436774cd17265f903385277fa6a011db13c07bb34b2ab5467eff22850cc4f87b00f72f231e066593c6741d717a342845fb75ca3f51a4b8df35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ac0cd705bf0f2acb50d10d46a7a3ad8a

SHA1
cad7c2258d6dcf3be3fdd962b9392d1decff087b

SHA256
ec302518fd80c59aaa05e2fc0dd3e32d07121691114dbd4f0b231a55eb3c84d8

SHA512
ecbcaae1281d47691b6c17e273e4177873a4bc0254f3beb66975a9e3f0327841e0e3a597cb90876ec7bc8e7a354474f13e79f4a7b8f2c0db37ac30bd32798b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3414bd9f0921f4998adae3e460d05f5b

SHA1
38bf7d57dcdc5cd7e2d0d93bd222dc0461c9f443

SHA256
665683fffed30429313ffebbfbb20e868c84da038adc91dfb5faf57fe910a940

SHA512
446fb397007d0d7b753c8d4d0d20da3581e71b3581022bb9b81dd5d347ede5420c645de6de1ada057a8507c93598ab9a3f577f7302a0cfa599b84a12f5f1516d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3599acc0416775ac158e174a84954f75

SHA1
eafece055b79af72104ce398ee43511d92c56aa0

SHA256
2ec960ea87c39ec94e7623bbd04f8bfd9e8a1402750ee59ba3dc8a2fb9ae2d73

SHA512
07e9a8ffa687ca4daeaac884e9c185d64e903a18241b9fd193e73d857a25285f787e3236620de6ed7a2b5e18546814966459cbcd83bb99dd1202695ff8d1f14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e77af7d7e3db825a003f0f5a99075692

SHA1
4d782d4adfe19d3c752ac732b9f640e3b3f3f1ea

SHA256
0afd3e0f1d7905937e07c7ac65ab5a0c1d959c055000f36f91a7c5334b1e9f02

SHA512
3b89de9ca5073bed05257f35580f0c03c40f2b2d8a4dee3978d4524ae32c7708a171753bb8219272113ab9a51ffc08d8ba6f28ebb25ce8994e59abe60262fec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7bb81a5e1d2996d3a6049764651d1d33

SHA1
e8adc0d91f05a98b13fd182bb47e8b2ab0e5950e

SHA256
c2a2bcbde436669145bca0c845e5f825be4f55ae20a263547d4eda7f1ec34a94

SHA512
124410e720db77fdb0630a5c725a5ff86c2b961d238f0108c5e1a20ae2a2c5c30bdb3163cee9008465c65137904c9f45b5a4137c3f0f7840519390acb43d7899

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6ab01d5f2eddddf23c405f5c83135fe1

SHA1
bfe13527e11d0c7f4e603e466b6d120818a32f84

SHA256
23a3a1df08922605ddc9d873032ccb82fa198ca7e71866ed72dc45778020216f

SHA512
4cd1093f8a41c54d1ef39ec35e7dd41f04f0b167e2ca86b796e27609e06da3c295c6eddbd0773dbe2092d778088fcfc54417ef9df95933db87aeb79dd82bc3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b38ddc6e1fe3ef55b99aacbfbc54196

SHA1
d1f73e651718c345abd2792b46af194628ad78e2

SHA256
8cca8a7d7c9d5ffc893c5ee58de921a581fa542dcf23618d774aaddce8698686

SHA512
8d5fa0773891bee1b2e24d829b47543514684bc1e7d104e982f32111a909c3a3ead098c9cff32275fd35d15bea749eaebde20c56beba9e7fd27c13ac5daeb695

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c6155761ff873fa518912682f6da4c03

SHA1
4fdc55e9657fe4389217a42480ae2abc9fd2b50b

SHA256
9f3b76a0f433476769e8596387fffc60b6a38c571af031b66dbdc097b073fcca

SHA512
ce78876f58b664a6d1471a84ad7ab8413b970c9f49fc98c342baa626e1294ec4fb3f2351f769b8f94f27d1c415bfb62943fa93144fdc294c739e0e1d230964ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
77a2e80c29fc7cb93f54d18c8eee94c3

SHA1
96318e8cdc5ca725837cccca6a09a192947f773f

SHA256
3c91001807ab5bed653b3b75f549427a743da43892e96d4ed3fef2a21de51459

SHA512
9cd84f2abb2c9bc862dd625a4eea176dd0d5a13d0dc14f365fdc1ded7029d399c83a5607df2641c86e055e83a072d21bac38341f097c1a71cc51819c9816a2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
08d43c94d69aba703f7c630e759e6980

SHA1
fa6e61b03d6da89d5bca09ebdfd50a1adb92f355

SHA256
8c6eef2b40f6b3a0b90ce6f842563fec7f4d6b5dbd7200aab969109e41915e09

SHA512
b9e2c2bca76524499d0f955507980b2a033f613cc406f88dd35c1435cb9e1589f8dc4ba2826fcf40c2f53612529c11ec76ec8e02655c6036fa0e77e3a93add4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3f355285213592263a79e51964f98e79

SHA1
f473c6bea16ba59f8d5c34ae340393596f92ffbf

SHA256
a8736c2032d21b1e1620673b063cd98c14c1cf27e542b8be09265c5c77210f97

SHA512
6a2402a795161575f8befe05316587f2195968f99db83655934b307134b115483f813859598f88b9e5c32f203a45c358d3b066ad22b157fd364191195ff78163

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f04fccd5109403a370ad8ac21daed149

SHA1
432c6f382deb400b1eb9777707d55d5b06c345a0

SHA256
f931701811789ff786b590f2878bc45c74c8966d8310d39c943eaf9c249550ac

SHA512
828940133715face29befd3462c69b8946f18416fc93e8b70df53eaa1709eacb6d2828b3ac697ff0ab4958d895cad3c5f5a476787568c8d31d910799e8ab114c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1403ed4332959f46c91936e0fd18b0a1

SHA1
e084070431369525891b611adcac4671ef5a25d2

SHA256
d5891feb5f8f3f253befa98bd81afda33d90677aedef352cc98bfc6e7dcb0dce

SHA512
2dd5187ff0bbf7a7a931ee8cd73f17b2fa3bf420ed9655aac4c6ebc659a85c274644b16d44b1debc85aeb2506f426e525bcd871c11c072a84bf6b526c468ac2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
54ffaaa05aa9376bc0d265a1a5e70536

SHA1
178f878738cf34562d5ecce9c30602a816a3b217

SHA256
85b14b4dd93f022ee687416511a1702a2c6e0dca6e9682861d5cb250e93f2c31

SHA512
6b874b147b8e815c9dcf90076538e9eac5d8542bb794cdcc7b0180c85751a2e2896e83b87482bd43bdca7663939413a0f69ef3f275ce6f13876014dff84d19f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
538d0eacb888bcee79ca8c80b5b6a5c8

SHA1
7a29c32266e3e50cd0a1c73aa61a6fa62cf09154

SHA256
63ee36a17d4611f3720d1c0e301069504137efa740f9c5976ab70f1cf490f6e2

SHA512
81fa7bd514496e7e99590270e7f7236dddf7738dfdd879a1321009c7b9194378bc94cf8135350d03d5757cf2aaeddab12611338d5124aaf623983539c3586ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58dede0b42860f5cf46a5a3ad57aa9eb

SHA1
0d155c3e158ae2810a95d674a72b2ba88c253bb9

SHA256
4814ca08dabf927a3d7bee565bedf238264e68082ec26947f85483d3fe1bb340

SHA512
b2be80bc6eb9cf4c77f8453867561104f275a167816cee63f82389765c4528e3d960349eb0c66dc576037f8c7491c6e658c742806c65be21fef2a3ebd172eb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
92191940395ebcfadce6efd6c485744b

SHA1
c9197fbe27adb9f63b6032aedf93ba828019484c

SHA256
65e1530a3b5786e0f3116b5cb670a31993b2a7b15e15da0bf47c5d1936396943

SHA512
7d153e95f002e7a51684b5748dbf0a4c3c56176e02867d0d3d4aa48e1eb8947515eebeeefe9bd350480f0b150317004beb9eb999aa6db069252e027fa7ec61d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a99a114d34b4ef69e6d669e4dde07e9a

SHA1
9ee668dba2b972cc66f2280712e344eccb0d72ca

SHA256
d07cc42f90c54b3858177dfb9ef7becf9cb2e5af3a57d4babb37101ec1b49cd2

SHA512
d8c0fe860408c1fd44c1481d80c287da4ac9e350366b7fe0ade4e10e67c56f00a6afaa68f8b2d6ec373320fe1721477a576393b9269dc9f8f1fea0b7b202b734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8b021df52c681f6cd4e9a2b5ed684fb1

SHA1
77cfeca568b4fcda142f4def8c4b3d6e63e3049d

SHA256
79e2a62bf6397f0af3bb1552de8d3c22cec282bc708b85a8fcafc84d51b0495a

SHA512
23cb19fc21d3db915da24115d6f97e2e1227ced52394fa34a78687f5b387ba5962eac4a0708be6812c57b373d015550ef5040ad2e745f35fd4a8d4a32e48ed59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bd6e60652c810aeaa3c1563df3bfa0bb

SHA1
803dea2d58d0c430c20c2e9cda4fe81b6079bf2f

SHA256
189e50d8a7c4b639929077c8adc9c55db8673d1536e9ca8295844d93de3561b4

SHA512
4afda39fd6172fd18967cc212bba2e7d00adf2e97057b96a883102781bfb21294ef932d212d5d45ed6133d3d3c1ff75e4bf5bcefefe8b6e47c228e17ef72a8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
23546d2fc28245aa54f5fde9ea527652

SHA1
5b074dd9186025139c064229e4e0d5c0a46d585e

SHA256
30e75feb6bc728c726df29871b80a0af8de2799e5e01c0ae826bc5439b8e7b9c

SHA512
1a61bc468ccec967f71c8c2556cdb2c9bb092383cbcb6abc06cfaab17cf868a0196ad4f080b286eb2d6c7510c98ac4a293621f06327f97f02a509c38747d4ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c13b291957871305322035ff7e1a13bc

SHA1
589765823d1f757c841508a54a0c95157d1e1682

SHA256
501d3e03581f73b3aeae3068649ea770a1f29186d252796f688be2b72a1b6373

SHA512
87d49bf841b5a5b420eb06b2a41c2e25326a60319d73db38a58f346f7e063723689ceb58010201b75f01806ad7ec39e08567cbc2dcd411b44fa0b64efca5e77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
06cf966af79c249b67a218a6d5a16f05

SHA1
796382997be1811dee92f599cca9e5dac5a674dc

SHA256
2910ff7e57159ad34c3e1d597de96c49300f89ae77038162544bfd67812d7d96

SHA512
96e2fe1101b3be79657fef4e3b97eec153c6ab60103fb2ce8aeccc2967e45cdbecc0f2da71b97e739fdccc0d72b2e182227f23d220ba9eff5c38f3b82004ffc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9b43f5a21ddf4e126c53580274f6d735

SHA1
9b3a70a42b7d1ab1375aad44e4644233371d18b4

SHA256
cc664f3a9d9ba3a27c7c1018c487872da0720583bcb9793c9838e3d3052daa8e

SHA512
7d45ecd91b67950752340ccffea52a694f0e660134b42ef726995fe48f862af6426c244ca06cea8df5bd11fac3188768ee516947a605216c1cf58c2364e1f9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e1edab14f1de86dcbc5a589ab79b6246

SHA1
0690dcca3c9d4f7888d5d714ac867938d68ab87b

SHA256
472d79994203fdd93f2c2bfff4a5654fe165b78727e2dad6e0c57a206b11fc7a

SHA512
0cdd941a622476894547361dbeaeee874e19cea3eeab27ef23c0d74cd0eb2003a8275ec55ea2c6943da4f81e8052b99aca36f371825153bbd688b38cb1237791

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0b84ed2152f8fef8c4f3abb3de23fc30

SHA1
43b901e89b38c6cb6771cbda36f7717d09fba0ac

SHA256
1f03de9f91682117453c23cd178efc9ff8cda67f3bed1cd2744fd15ccdcc20e0

SHA512
4d0fa0c4b2083fd965d6e7a2eba5c3ece31a8fb8135e128d761fc69888a83a796b987a6dc16eddc64d5038f7c46438e4c91ef60f8b8efd53dd5b4deb2c9bc28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8944a9328bca6cd7233d015220165a5e

SHA1
6faa46a3da8203d60d7f07d0e4a14279b33cfd01

SHA256
0698237a6292557efdf892e609f54a585e7ac9d1748503c312e2e90840e3e963

SHA512
f92afd482172edb4331824fc82dc67ab92a2dc3e070408247e48bd53a746032e483e691e5e13ed78aa262c258628130478812955bc94b20dedbeda69c900ce90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ae71397a840a06460957ce13cbc55222

SHA1
7c200310f92e6434ef88db00b5f119a8d3eb5bd3

SHA256
f7a9017c3cc5c5a3207220d3a1b81c8b8a4a2d97e93205734d3bec70f3b600e8

SHA512
473c0fecb066dc3ec660ed0f9db52e771b100a9028eae838e439df7dd0d5a9444aeaa6db40f049e01358568bed05a643d0a596fcd307e56ddbdfdb1da7810d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
52a93e2d53cd995a7f788c75fa3f2bf7

SHA1
67b5ae07c3c01fa7436029eca95581e818a47868

SHA256
176b50befc3827a2fa48757e033c440fb835df09f0ffcce75142268d4e3921c1

SHA512
73d527536a83f8792c2b6412444f39944a8d6785abadb69fe4116533e74e56c9cca6fa675bb427984496165292b163a50bcab9dee8bbb9a742f1936975485599

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
87a8833e763ba9acb9f913dcf5d07f1c

SHA1
89830b1ff91143cf3616aba9021ee5defd131dcb

SHA256
5a8dfeca2c19a3a024bf042c986c4e0638dea91584fe98882572ec4b25f84872

SHA512
4c69f64febbe9ce1d4ba3f727e1070808329bdc726c8242df05c4cd3a4d1c0daf0d00cd3b2e954a6b9e0caca3259d1ad53bca0eaa393f3033c02c41a359d9d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
eb2049a807011c841dd406b7bce8c764

SHA1
aa4a265839e11a5e738e107fd919c175eaea0710

SHA256
b205b7f0714102cdee64dcdb45372ed0cbb4821f6d89b3c0b9deef5189b82053

SHA512
aca0baad20a543376c956eceed5890b3c38d6f87666f0cd4c65888956d695312b2b40f7984880998b0c61ea9864110f424330b3e9bc9f053223e255c89dbb0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
290KB

MD5
c234728dd6a68fee1fe12ce0bfde8e33

SHA1
9ec02b1950257befaabc009245d238717ea3ce9f

SHA256
e65fe073cb0883affcdefe2394f63b21e777ebd147a91d87c7d3092b6fa97a7a

SHA512
a2a14ac393b1143667b8e18df7fddd6e9c8c1839b8dc103dc4073669b9eb0da85adca14c48e6122f5e3f292454803f35d17d2c3dd508a0caef93b0f8bc3a93aa

Download Submit
C:\Users\Admin\AppData\Roaming\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\Server.7z

Filesize
247KB

MD5
d538fccf9ac2c5c6f5d0f36bb16c5a21

SHA1
94c984f0c506ba119cf90e3c9efcac4de369f1fe

SHA256
751cbff71dbeedd157cabc3ea754e88004f6d87e50822bb5d04b0180ad8fb33f

SHA512
d10d13c1d91b02282f787e5c36d9f6023a04cbd2d6ce80ffcead66cf45a168b2232822f3c86d191581019b8e909bf4cb50f82b0eca2dc1f7e22252d0233f346d

Download Submit
memory/2940-113-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2940-36-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2940-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5612-79-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5612-20-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5612-17-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/5612-16-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/5696-84-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5696-115-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5696-22-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/5696-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download