cybergate | 9c2e4a11035905d0f5be22bd312cc604d0d95a4dfa234a185b76e252fae3487b

Analysis

max time kernel
149s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe
Size

508KB
MD5

b7d17f5d144d4ffdc50395660a0a1934
SHA1

38f4faaa96ec860ae68b1d5e84224b3a36f49dff
SHA256

9c2e4a11035905d0f5be22bd312cc604d0d95a4dfa234a185b76e252fae3487b
SHA512

bc1e82a9def73c69564495542493b334e419cadfc6e0e1969ed7cd7bed23f86d559fa87a3d04a3bc908204e85fa4fa7f28a8270b13d13eadff556646883a02a7
SSDEEP

12288:VRmUv9M4mb1se0y5nxtOH9Q+6mK/rj/e99E7nLN493wF:VRmKMh0yRxIa7/Xo9unx

Score

10^/10

cybergate 0 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

dragonworleds2.no-ip.biz:81

Mutex

7020Y821XRL31X

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	systemj.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	systemj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	systemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	systemj.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1F2YO3W-Q2Q1-X526-Q654-R3D418MT8MV4}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	systemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1F2YO3W-Q2Q1-X526-Q654-R3D418MT8MV4}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1F2YO3W-Q2Q1-X526-Q654-R3D418MT8MV4}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1F2YO3W-Q2Q1-X526-Q654-R3D418MT8MV4}	systemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1F2YO3W-Q2Q1-X526-Q654-R3D418MT8MV4}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	systemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1F2YO3W-Q2Q1-X526-Q654-R3D418MT8MV4}	systemj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation	systemj.exe

Executes dropped EXE 5 IoCs

pid	Process
1588	systemj.exe
452	upda74.exe
3428	systemj.exe
4876	server.exe
2280	systemj.exe

Loads dropped DLL 1 IoCs

pid	Process
1188	systemj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upda66 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\upda74.exe\""	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	systemj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	systemj.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	systemj.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	systemj.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	systemj.exe
File created	C:\Windows\SysWOW64\install\server.exe	systemj.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	systemj.exe
File opened for modification	C:\Windows\SysWOW64\install\	systemj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 452 set thread context of 3428	452	upda74.exe	94

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1588-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1588-10-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1588-11-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1588-9-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1588-25-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/3428-32-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1588-35-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/208-97-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1588-171-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3428-264-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/208-266-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3448	2280	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upda74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systemj.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1588	systemj.exe
1588	systemj.exe
3428	systemj.exe
3428	systemj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1188	systemj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	systemj.exe
Token: SeDebugPrivilege	1188	systemj.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1588	systemj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 4016 wrote to memory of 1588	4016	JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe	89
PID 2876 wrote to memory of 452	2876	cmd.exe	93
PID 2876 wrote to memory of 452	2876	cmd.exe	93
PID 2876 wrote to memory of 452	2876	cmd.exe	93
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 452 wrote to memory of 3428	452	upda74.exe	94
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55
PID 1588 wrote to memory of 3356	1588	systemj.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3356
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7d17f5d144d4ffdc50395660a0a1934.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\systemj.exe
    C:\Users\Admin\AppData\Local\Temp\systemj.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:208
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\systemj.exe
      "C:\Users\Admin\AppData\Local\Temp\systemj.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1188
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\upda74.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\upda74.exe
    C:\Users\Admin\AppData\Local\Temp\upda74.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\systemj.exe
      C:\Users\Admin\AppData\Local\Temp\systemj.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3428
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\systemj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\systemj.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 944
        6⤵
        Program crash
        
        PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2280 -ip 2280
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
289KB

MD5
f061557306047e16af729d3ccbc200fe

SHA1
3dd64c3fe936e8b1400d6b12a947d3cb8e7ebab5

SHA256
a3742b283f439ef2873ad885ec8be8fbc79446414dcbc54f6a2171ec7fc8973b

SHA512
b1377d30c4a49764ea003911753a7d0304faea3b24989049016dc46cd14189d61c05dbb6d6745a63586f1d82f1a6e737ca1eafa0d82f36dbbdb0db60771b68a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7b67e47655524750e45e1b9d1ce14d2e

SHA1
c5d7dd7e3565af5ce5bbea0040032777f69411db

SHA256
4d94975a8a96a3e5a3864d52a539d3abd4d4cfc20b4585054f6bd5000a165d3c

SHA512
c958a004a5b852a9c9ad98b19a0f84aa4542e96775b323dfdb25f73173f1af4992620f7a0370107c91261de357af8d8d16fba2fdcd646bd48da7bc26c9dcc027

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc296f7573fe15e675d3405468285d2f

SHA1
aabd81fa0bec2cbfe1ba8a3c589f9c2e73a22a16

SHA256
7ffa7cb67cbf1da75a4aa380326b7aa57953cda2063bcdd00c71a2a658557493

SHA512
d3528350bbdc45bd5e52a29d160f2409f666372ba0919585bbb8817aff275297a6ec344dd7b99b39fcc12c8e3f6a78d9400f88676878df78d539ff68f32df0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b75c3d9c9f896071f1e824e551729115

SHA1
fd71a040db4a175008a1485e46095b34716967e5

SHA256
6641050c76ab2520ab7b33ae1e18bf8e477411211300a0bae4992d0ced15d1c7

SHA512
593faf05505973f9f50a5965bb6122a1c0b29418b7fae3c0b72f6719522d7b290f3dac881ce49b98c5bea1d640887c3b6d45d13f4b920d95d77226d50f035ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ff369400ae68f97f9dbb8cdf12b4e55

SHA1
9ff3f8fdba19e2a8ada5ed7aae03efa5916de81f

SHA256
2ae873b763cf3b85d3c5413cf79754d417436425e8e9c4c5728067b5e8e652c0

SHA512
605510dbde4e28d9f366e3bffcc61b9d8999268c6f3bc2e26b82afdc238738c2a96ac948a4e831cb671839438dcbd61328bdb566d2479839da69cd7acde2b537

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6f87d1eac4a77f9f85d861355634cf64

SHA1
40db83feeebb1b1870a30b21bcf41651611ef1d7

SHA256
340038a4e1d403d2c29152496f87b4ddddc830fdf27a2043f44a6d458f4d4607

SHA512
e41bbd3e31ff2f1b81c567ced078e0f3f9a787702ef03105241821b3d34d1000ee74321c2efefaa1c7a4c40070ce4971eb8a0e7f3fa44cc540c02a47b9de81ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
97e5dd40a59ffcdfc93d085ef11ce29b

SHA1
23ca0a4f9a031a572013a28da0ebe86c30b913cc

SHA256
ada805f033fef51345f9935f6899f0ae45b2595b845cec6c1b408957e822c372

SHA512
a0b584de3e310f789e0bd3dd356ced7efca7d0800996a936808eab306200c41bd3cab685faddf0e22f13423a5a89632aa19bc6335da7b952eeee3311874682da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4aa7afff6c28cfdc5b279d87272dd3e5

SHA1
7652b527d2667809e59be25105fa346b94dfe0e0

SHA256
3759a6c189cca905c1c6a9e00435fdfbf9588feb613882781029ab5edb7d76b3

SHA512
4885f167d38599a5777915077e84dbfd63af369bec6b959eeed4103c652832df2baa38529e834fdac016beadcce9b7f595b16d4631e4bfb517366e6407cad158

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
45627bb0548c03a285ff0ac2ba465180

SHA1
b18040a7d868d41892a379bd42ff44284a2539af

SHA256
a85ff8014a44d6d42eaa4aef798966eafe16abc1c4b82e80211289afd2d2fedc

SHA512
841584ed43efa0412ab612613a8bb29f23df8e3c3c94472aac9892b5566456a2a06346d702ed0b8565a6d5948cdb39920b70d31618dec751a195b3734e6f0a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b39c20249ecfea80c8c09cdbc1553448

SHA1
65eea7e69af2b844c76af3e25ed3591306b61cac

SHA256
023ee8a4399b912b38a6e90dad92f289c08e1b0e1b47d4c18477a696600d25ad

SHA512
e95c97d4efbac7df00771f421fd0d4f3abc713d631740f9be22d4539610cb6bd3e72f5ced7e1f8ae97cab3bd95ed9d768821a3cc22a14ba0417c403a1975849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
be23463c2564197cadd34dbdcd4a4423

SHA1
21c1360a16aa8bd6d984a213ed79116e7cefd37c

SHA256
e5ff53ffccffc79c169b472fe71b7ba1bd21c31ef886919c1a3e2d019fb40ae2

SHA512
37c1cf9e60333cdaee4a57856658d86a758d96939ce1022bdcabcd4b96617133ea32b82c5138d1d884c64b8c3da8d6463c7429452a1befbf074ebab10d12fe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d204ab7fecbb2b96d2aa7799b09f6d5b

SHA1
35276bdac9fa0c7cf61ecaf510a8b525783a5b23

SHA256
637690edf178410d43b854ea7cf908ad7ee9a177a9a6c85c51474e48a0fc3ec1

SHA512
2aaa8dfe04747b128c67ec24464da5f3b85baf2f8d39e93052fdd176303f104e0c484b180c052a5e92ce42963a978741fbcf58792e37344f4308ba475222d12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3e0715760a72b267e94c2ed587c99bd

SHA1
67ee858948deb6f7b2b8f6bca953ca1fafbe2eb8

SHA256
5e5a12ac5658774e767eb338cc0f49a144b63bf8d71e5ae39092a7e276ba23d9

SHA512
a44ef57f2bde885204df87cbc4413977a711b05b720d5d1dfcc81a4d2d0f7c5c758334f308f15a39f2b4f0a77a9e90d6fc6cfad1c168a1c5ef7b167a7639fe0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
652693cd7a1e9adc92b2c41de14a96b8

SHA1
8770951f4ad67c41f7681d22f8e40f89274c4874

SHA256
4e4f3c752809e4f88233d4bdd4cc20b7908b0c91681ef47c6bef3eb711593aad

SHA512
2e5c7ad1e8057fece6354bd9694362d943e13ffff81f5436821894208d1798f55503f24522594201593b045202fdfd02745bbc1cf89b2ec8a6b0278dee845d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
23bfcbb21197dc4ea1782a7aab4bc724

SHA1
14305c5d0b347cb9a6e49b4ffa30fc22e175595a

SHA256
ae3333a48dae8996d3c136cb4fe60b506978d4bd70356fe0cd66962774dc88b9

SHA512
64f2bc16de36cbd85fefe8e01441f58cacb3a96e1a7f8b79883bd73f2d2e6e02208923e23d5d00e40e6ae147a5204138c53424c6bcd4fe6701c3f60f10f21e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
11dcf307a18340a655e320b82d9f7f24

SHA1
be4fa8a11fbffaf58ce3a7bf5e25c532a767f8fd

SHA256
81e67f3c6bd93d37ec07077f7e30984f150134eb46026b3542d20a3f0e0fd47a

SHA512
5837a0e51726a1b54815a66077a74cceb99e7142663bd7119cf156eaac28423fe36ca76e39614c21c1795ad7b9648c2d4369baa9fc9231f29bc836ceb08f4699

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f587369b071a2447953be9e9c5c1fb3f

SHA1
c66febd9b4a5f7ebda005367cf80ac7764ce3379

SHA256
3e6e8f87215920b69248eb099013cc10926636651ce48f23d341f8acf53e99f3

SHA512
cf19dd7fa7de05d2af0c052a4104ef944bb8405e4d371f6c73a616efa9635480d11840a1ba08713929abc54edaf147857f448cf0ffa54c8e8caad6c8bf20cbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6466563afb463da330cbddce285e9424

SHA1
6b557644b71bb0aa97719d6b4a7b7a75affd7be6

SHA256
9c4a49d2bf552295d8b41725af5abb952d57011c493b510d2710bed384ebb9ff

SHA512
7886aecbf930a9db3dc4b1ab7534e32c15b9c111fad73f89248629b5cc1bf113e29ea4173dd3c8c59307a87db093e29454bbf92638fad3a59ed8dab680c1e4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9c219916e692e63d1e40b2ed2908693c

SHA1
12ae37202f244b001a0444dd04760141f34f0232

SHA256
5988eec13b87771c89fc1b9049c6b36e8740640d57b3007299849d2136a68cc3

SHA512
5a87f38176441c9121995c32571056faca8413d30e6f2658241e540f4978b0a1901b1a321dbfc00b6f22272a72553c574c69ecdb39f6ab0a021b0362cdcea2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
827239a9f4ad5d73a60c646aedf7f0cf

SHA1
69283dd86b26f1db9052cc7a16563265d10d920c

SHA256
96014900737f1c7c2db31de4c6dde7fc6664cb789063c9813e52fe34b1d0f73f

SHA512
80a72476927059733d94c9e3483d1fc606a4d62743f772c1d22e361dac5b569e5a2516110ba492a09a3ba5168cba782bf152d134846ab3acdb9467d44ef34506

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bbd952604cfa949fa46ff7dcece1534a

SHA1
0efa474f55da37025267e5ae111716d20a836a84

SHA256
61943f7d9a23e92fd55f9bd99d676570e9c1a61e2b87d047566dfd00309272a7

SHA512
4ade8544137b1acef1fa94a85c232d1d21d8c4e442d9cb726c152591673d1efe1c460b25e43d642f51465bbfa338d4919050fb803126bab1ce375de36b656f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1e5c7cd337e27a0a85295d73781db154

SHA1
1f599acc0f870a6baf4fe614a07a2d886c522e11

SHA256
d4a0c298b4d7a23163b4bb7dcc7febf5bbd79e2d9f9e90b9634294cf6e4f227b

SHA512
ed88a7a7b5555b41ab8b142d86989c1a860ecbde369a25646086c79168c26bd9fd58a93fc3b3a87df9e2502059352cfbf43b3488fd6e35f9b20fa2c562356e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0831b7781be0763a4959c6ec672794fd

SHA1
dd99e7c867161016b5bbeeba5628381afc6fe77d

SHA256
910935f8873b90023214c731572553ff2925ad064278d261958b6a023fcb1faf

SHA512
262437e08a0696bb0ff0e2f2d9ca21266dc418c71e177c8b7d1faaee030ef749ba7441ea052d0d6b6aeb7658814dc6a3f71dc787c64aa6f55e584c1af67d7432

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0496a5432a0cfc7276d2206a6953d0c9

SHA1
7d806c1ee2ff4de419109ca0be5634a9ded5ff5c

SHA256
ff8178aee655f3f46e6ffb4dc3942aebbd6114392beac809b711573fff9c39f1

SHA512
e762a9e4af76314fb21dfddbe7899fbd664888f5662cf46ae8a18e5edc07d4c18bb8442beb289c82b78c6c9d5d1fa4969e6bd5373ae6ed4cfd5b566426138dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb0f972f12422bccedaf3840ec129925

SHA1
380593ae3bb6de7f6bb39d793f046a0f17ec683a

SHA256
0c738b974a7c7d78d1806a62666c29cf7a69917d6e9e1f8828e9942bdd4adbbe

SHA512
dacfe5666c71d960fdacea8a59f94f3840892ac57dd8bad36d29796fe966eb5624c6bfdc6b18971da502db97198db67e83e16122f32fc3138e377be9bef7f14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fea2e186dd8d0c01c852ad63e907a0da

SHA1
9f4e23a0f807f6c5926b3c9b7b565bc1a26e1191

SHA256
713636d077ece51a08894a44289daf52cd328794f58169f33c64ec776ff9338c

SHA512
aaf1e17ca331459cfa0043460fbb90bcb5ede5492d23b618c87a6f6059c15b2232b21fcc353f55ee48a6220bd1ba15d902c32293f3be7c34f88acf970b478718

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81061e95809d40bf14b493fd633a3039

SHA1
73fb56862bf730dd6c3f2e2a097c20989ec1369f

SHA256
fa5c9b4f6f9a5de381c4d2fb33aaed25b437a183172b8a71bd4d9c8eef8066f7

SHA512
e9f091d5c3b0beef6ac4f17887eaeb200fea1d8c0dd7182e990aa5abe87d1668ff5be97bbfb87de2208c0e2686db50eb504d8d35f01d03ce3ec5e90496bf510e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bae838abdfc4f1bb4d623ebe2dd6c9a9

SHA1
e557bb96ad3b398c2d7529507123bd951f6392c1

SHA256
0e11fcf760c0264f92905a1fd020c75223b6f507f71c61b207d7a9f7a0a1f7fc

SHA512
b160524e0a17afb2b1603f1693a185e179f4e29dfb9bb21fe1aad2ab13096e3b4bdf6b401284bb96b9615d06f1047392944f71a910c4b59dc1430d64e44a1a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1d2a2145a3f66e088edaa6566fa54c2a

SHA1
5a5a4968cd7e3a249aac857855c0de2090a367fc

SHA256
72bb10acc3796c88e47c5d007b80855231aad6e5a481c8c1eebe1cccea037159

SHA512
5e30f721aeca0e8444ac5c86dd405e1674849823d6b7538642a93ae5b7967467ca9217bc2b192538d10397cf9e9e3d7f1fd0159893e041f7b7f2d7e67173703b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
315ebea45ff58079cdae83a258a081a3

SHA1
aebb1fa27ab34d3c111649283f4d096f53a75eda

SHA256
f67c2040fd57a881e3e5be91f59823420670f0de680f9b379212b32ecb15f629

SHA512
81c35487f4e769b3f462b6954c1ac8a852902d930b8768a4635ff4f5824ea31c686bc4899a1e17993c5ec4c433b9499de191b94d98780ba0d1b20113088fa626

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5f2fa719ae5825168883d26d4a1f1cec

SHA1
3e04467e67760601094618e3f9da442106e3fc27

SHA256
36c0179c6d60e56fe65d7cc3feec703f0a2015696747459ff1ef981a0f1a3dfb

SHA512
d549f9cd7d2c5274ed4ad7428cd06fe122185f40a449480c3375a1b2d2a55e85cfcd71fcf272df716745e1f7c6c3ee3785c251eebaf1aed454e7b3472b4fb569

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f680dac07bc2ed7cd7f36b17615f00e3

SHA1
85639418fcce36aa90bda434a9fee28106e7d6c5

SHA256
6ca4409015387f5e089d0206497171cdeee9a5d4ac0d434fca01a54a5a605151

SHA512
44b0be3bb734d07b278192a0dccbce37667c2dd0311f08296cb1a495399839db3261915f1658aeb975a61f6746e515a55b6a6addef68fe3e1aa215a1fb5cc757

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e0f6863ca686d081beb6eec898c806c7

SHA1
816130b9b7fefd8576bfd709454334f11c5f4be7

SHA256
a9f424d9a785550f72cee87c0f6ac39228ef79df105ee46566c750a8e05b68f5

SHA512
2649edeb61a29ea964b9c08976ca4d4503176cfc37175e0004f6b3374fe2e4f0c06aba7cab41b6decc069047f7c16f637a17d4f4b5c6698e5d0f4a449dfc04f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f94551df74b963b74405cc6f78db7d71

SHA1
f860f5a520890a3cd237d3d99417825126aa7380

SHA256
305cda863cfe0d33f231947cbb74745cf5d17654d149b9308760e95241edfca2

SHA512
2de84ae6e471998a1729cc4f52eafad6626b2d30764c3031d2407e25bad879d9bbc3a199f1cc0238975e774291247e7a3d9e272a0d80bb73b12117deea7ac565

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ebd205efff06c67848a8950661286d5

SHA1
59595b6f40eab0a00f8b098953a424e88910d974

SHA256
1b33e99dad90eb5f4d195db6ed7dda711580369843a738b4e448f2b1c7690b86

SHA512
e690d8d6e78a7a4bda2e0da0dd582f568088943a0e3abe7c54d3b74192dc49266f30f582fd2204871ca58f319d742c08b76853ebd8b3231b18789197b49e3bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fdcaa8a31ceb26833f59580ffc41dc09

SHA1
3e95367a88e709092281964d317f8fe09eb38e84

SHA256
687aa68b06cf51e4bdd65bf9223b26fd2364e75e00bf94514d4aabfecfe8ce2b

SHA512
e4ff6dc34529f6706cb13fb6c17540b8e2e6070985c4fcfa5955e52509c17fa39290b25911d8ee3a7d6d0ffef388c2661eaba34ff1d8b3a0a0855d3cafbab259

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
086efe2d74cb196b6b437b2bc5b038b4

SHA1
b56bac33653768bc5b0afe0b35ac4244a5e9c781

SHA256
8e43f298363e66a14479b588403234ac4b73fb78500987669bbda3e735a0ec7a

SHA512
980c0676585587a0ecf12d0ce224d5f3b738f71f095e77af80c60a1a5ec7e0b7de5b4145d2a6fb40b3bf9b40f204a996016d64db88493f354b9ac6445bea19d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
59ed627cbe830c8f8af29f2fe1265bd8

SHA1
1534a1f2efb74c269e2373bfbde28380fbc1d120

SHA256
96c2d4852fa169d5896fc94bb31c735d2d4a4c00026ae41bdd49c0025cc77be9

SHA512
7c2dfa3a20f88688c6337cc87c56889e2508978ab1043cdb0fff115a1dc10b67f736463ebe53500536b732ae390504040dfbab4edcc9033762d596789b365786

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemj.exe

Filesize
7KB

MD5
d79efb472a22ad75d501317b21e66b5e

SHA1
24512f54884d3dda2d803457bbd3dcd513356196

SHA256
7255b1d1f001b9d9a5177e1f8063bcc824effe3570e6c19508babe12bb73c7d6

SHA512
7c5a2f516a727ddeb05f9a7c6565375debb05709ac9b95212fc748cba37a2ab81b7d727636141096e4511679ce140b07b37fdf36cfb47d8d1c8accdd24163ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\upda74.exe

Filesize
508KB

MD5
b7d17f5d144d4ffdc50395660a0a1934

SHA1
38f4faaa96ec860ae68b1d5e84224b3a36f49dff

SHA256
9c2e4a11035905d0f5be22bd312cc604d0d95a4dfa234a185b76e252fae3487b

SHA512
bc1e82a9def73c69564495542493b334e419cadfc6e0e1969ed7cd7bed23f86d559fa87a3d04a3bc908204e85fa4fa7f28a8270b13d13eadff556646883a02a7

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/208-97-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/208-266-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/208-37-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/208-36-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/452-18-0x0000000074ED2000-0x0000000074ED3000-memory.dmp

Filesize
4KB

Download
memory/452-20-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/452-34-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/452-19-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/1588-171-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1588-10-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1588-35-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1588-25-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1588-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1588-11-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1588-9-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3428-32-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3428-264-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4016-0-0x0000000074ED2000-0x0000000074ED3000-memory.dmp

Filesize
4KB

Download
memory/4016-2-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/4016-1-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/4016-14-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download