cybergate | dd3f0f5032af7b040be60f280e4f195e121b2d233d80e5ffe3e2c853d58fcf45

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe
Size

448KB
MD5

e2b3966059c67a1f50a3e8b85fd80de9
SHA1

93505a2e3667b69f585c1b8b8e3fe96d100c245c
SHA256

dd3f0f5032af7b040be60f280e4f195e121b2d233d80e5ffe3e2c853d58fcf45
SHA512

556f40c6f26b24a968105dcb98500981a7a6bd24d3ad1cdb0a208c24c9f3a692dc64a6a3b19a0a03621f74da2a14664990c0375c78be7c11f3620ed653f67f83
SSDEEP

12288:AmSuqRe0UaAI9oeNkfKrJF6B/NhOwT7opKY:AmSZJx9oeSmJM/lTML

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

hysoka.zapto.org:82

Mutex

64DVHC52VF381L

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1989
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sxeD941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	sxeD941.tmp
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	sxeD941.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	sxeD941.tmp

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8DRHYU8-IU08-V12J-46U2-XNI15MC8UBJ5}	sxeD941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8DRHYU8-IU08-V12J-46U2-XNI15MC8UBJ5}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	sxeD941.tmp

Executes dropped EXE 11 IoCs

pid	Process
1736	sxeD70F.tmp
2396	22222.exe
2760	sxeD819.tmp
2696	sxeD819.tmp
2572	sxeD941.tmp
2776	sxeD941.tmp
2936	server.exe
3032	22222.exe
1700	sxeB78.tmp
1900	sxeB78.tmp
3008	sxeC62.tmp

Loads dropped DLL 47 IoCs

pid	Process
2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe
2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe
2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe
1736	sxeD70F.tmp
1736	sxeD70F.tmp
2396	22222.exe
2396	22222.exe
2396	22222.exe
2396	22222.exe
2396	22222.exe
2396	22222.exe
2760	sxeD819.tmp
2696	sxeD819.tmp
2696	sxeD819.tmp
2696	sxeD819.tmp
2572	sxeD941.tmp
2776	sxeD941.tmp
2776	sxeD941.tmp
2936	server.exe
2936	server.exe
2936	server.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
1736	sxeD70F.tmp
1736	sxeD70F.tmp
3032	22222.exe
3032	22222.exe
3032	22222.exe
3032	22222.exe
3032	22222.exe
3032	22222.exe
1700	sxeB78.tmp
1900	sxeB78.tmp
1900	sxeB78.tmp
1900	sxeB78.tmp
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	sxeD70F.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe"	sxeD941.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe"	sxeD941.tmp

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2696	2760	sxeD819.tmp	34
PID 1700 set thread context of 1900	1700	sxeB78.tmp	42

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2572-78-0x0000000010410000-0x0000000010471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2084	2396	WerFault.exe	32
1500	3032	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeD941.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeB78.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeD70F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeD819.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeC62.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeD819.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeD941.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeB78.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	sxeD941.tmp
3008	sxeC62.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	sxeD941.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	sxeD941.tmp
Token: SeDebugPrivilege	2776	sxeD941.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1736	2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe	31
PID 2128 wrote to memory of 1736	2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe	31
PID 2128 wrote to memory of 1736	2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe	31
PID 2128 wrote to memory of 1736	2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe	31
PID 2128 wrote to memory of 1736	2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe	31
PID 2128 wrote to memory of 1736	2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe	31
PID 2128 wrote to memory of 1736	2128	e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2396	1736	sxeD70F.tmp	32
PID 1736 wrote to memory of 2396	1736	sxeD70F.tmp	32
PID 1736 wrote to memory of 2396	1736	sxeD70F.tmp	32
PID 1736 wrote to memory of 2396	1736	sxeD70F.tmp	32
PID 1736 wrote to memory of 2396	1736	sxeD70F.tmp	32
PID 1736 wrote to memory of 2396	1736	sxeD70F.tmp	32
PID 1736 wrote to memory of 2396	1736	sxeD70F.tmp	32
PID 2396 wrote to memory of 2760	2396	22222.exe	33
PID 2396 wrote to memory of 2760	2396	22222.exe	33
PID 2396 wrote to memory of 2760	2396	22222.exe	33
PID 2396 wrote to memory of 2760	2396	22222.exe	33
PID 2396 wrote to memory of 2760	2396	22222.exe	33
PID 2396 wrote to memory of 2760	2396	22222.exe	33
PID 2396 wrote to memory of 2760	2396	22222.exe	33
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2760 wrote to memory of 2696	2760	sxeD819.tmp	34
PID 2696 wrote to memory of 2572	2696	sxeD819.tmp	35
PID 2696 wrote to memory of 2572	2696	sxeD819.tmp	35
PID 2696 wrote to memory of 2572	2696	sxeD819.tmp	35
PID 2696 wrote to memory of 2572	2696	sxeD819.tmp	35
PID 2696 wrote to memory of 2572	2696	sxeD819.tmp	35
PID 2696 wrote to memory of 2572	2696	sxeD819.tmp	35
PID 2696 wrote to memory of 2572	2696	sxeD819.tmp	35
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36
PID 2572 wrote to memory of 2776	2572	sxeD941.tmp	36

C:\Users\Admin\AppData\Local\Temp\e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2b3966059c67a1f50a3e8b85fd80de9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\sxeD70F.tmp
  "C:\Users\Admin\AppData\Local\Temp\sxeD70F.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\22222.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\22222.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD819.tmp
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD819.tmp"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD819.tmp
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD819.tmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD941.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD941.tmp"
        6⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD941.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD941.tmp"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\directory\CyberGate\install\server.exe
        
        "C:\directory\CyberGate\install\server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 284
      4⤵
      Loads dropped DLL
      Program crash
      PID:2084
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\22222.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\22222.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeB78.tmp
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeB78.tmp"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeB78.tmp
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeB78.tmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1900
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeC62.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeC62.tmp"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 284
      4⤵
      Loads dropped DLL
      Program crash
      PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD819.tmp

Filesize
283KB

MD5
b495d5b9db9269794972cb3416adf316

SHA1
927a9c9190ce46170274ed0768f4e8ae032bb78e

SHA256
895f7c777e081939f7461f75a04a37f9ef6c19485a6bb03dadee6fcb1266203d

SHA512
d3e5087a8d779acdc99130f2c100be2f8e7ec7acf33be850c9fab918123c4f89c5894dda68983e086f4c02cf1dc754837a84099faa199ff4d67bfd56a3045e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD940.tmp

Filesize
8KB

MD5
782ab495c935ae51084bc51e464e1993

SHA1
8ca116dc491c5f0ae00b2c20f6d199b37232f7b6

SHA256
3e2e95f164bf17c8c966412a1604367a36710d75c2a5686555936bf6fdba5373

SHA512
5c07465fa7829e6296accddfe3c9f1ffcda43634410d3343352132d97ea4f8bd550f888aff46550925fb8f5ead9512f545590e1d4b0c6e3c401f9236f38088d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
43fec291a27bd6460a9cd99e6e3dfed8

SHA1
6aec1a2b353c923a000be1a64dbba9e69ac0e9fa

SHA256
c4c56219e8db12feefa7a56d42c095b2b0491342898401f195f2bbf0f8466c4a

SHA512
b26a85d7b3440ca3d8fb5ed7afa448d1685ed8eeff6a389339924fff6ad3946b35965aeee3e92de176ef140044165023c7a9d15f56bf9e2ee9c2547ae3cd0c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f75ac73ded0966ad6d8a9c0b87762242

SHA1
cf8fa763117e5bfedf3e2817496bdcd17e63b4a3

SHA256
964dd6b3656219fbbb18a56a530cff183c9430f953064627f370408e875b18ae

SHA512
6f522271ce8569ffdf8f950da55147bdc0022f64a049595d6041eafa50a703a62e9c99a1ab86724331c9d9b7ac6cd806905d9ea514e69ad96fa8b54ba9dbf4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2a2475c2e91aab1fd39b1a7cb12559d0

SHA1
e6792576b3f67fef259e9109a19c7025965ffa83

SHA256
7c2a32f473dc99d55d19f83008451cd5298645fd2d1c313774282f324419d155

SHA512
03fb9579f9876ac678d15f783160de382a26fb7d5a217e0643b12f42ae15c6bc0370d4f4a77d5f0d5098fcc956d9fe64189da642e19bff61af4920195b021bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a395e90ab726d9803848002adc4a4a42

SHA1
20921ffbe5574eb1a5f822746a30ad8456f8a2ff

SHA256
8d7504de901c26a39325256c4ea50e902cec63d4975385ea6ffb0a6f182cd94c

SHA512
eefa652e421f183b757c103b950a99ef9bfb9bc57f7cb6893d9656dfd297776c57a33d1220de8dccb70dc7470b9ce8a7281d83977b0110c913d6c84a4eca0835

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1775e6ae2535c4b6a3932e6569c9c7cd

SHA1
abc924ec39618acd54b748ee685c4a012a7fdaae

SHA256
8c1d44013389fcd5a055979dd8e304a4aed98168d7e4b22ffbfec94fb412a0ab

SHA512
814cb48c2ae0e69fb216d92a732e37a51efc5d27045d641365be999ccb6119c9859ac12c608fbc72b17b73a2d74b17dc8a4d877da2a63ea4e133c6b1f2941f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6cd2afcc6c59cdc976e383409b12e6fa

SHA1
7dcf32e1be55b1d6f5072c2f29a3aaccd0bf6bb0

SHA256
80c3ec843709fb170e2ae5b722b62a31209db088becf0ceee6e072ff140f1fb0

SHA512
397ff215a4c4db600f2813f54c7a4fb1e525534311f465b1f40ae453b3ac67d94e6fe8138fd77f32e22b21ed8c6a919edf632b97d8b0b91596a8f8a029b1bf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37101620d29c46e60af1f252e6854073

SHA1
4f59e908fe3769ed23295687495f00238541fb18

SHA256
5074c32451c7f212b5b03a067bf77ba2f71a7bdfc04b1bd39d3690580f9b1b78

SHA512
795a034a90049f33d66a74a66b99787fb32e9b18752f9f09ba908d3b0d4cedd5a5ad39412bfc751f769b223f6ee2944ea798f5473618c983cebd5ed261a57f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b90d8b3e279743b3685dcc0472fd642d

SHA1
58356ae410c650d585e4b9e438bcf2876bb25644

SHA256
ab351287fae1a08662b68e20d91e2bba04e1afd3f5a9bc913fbf41508747d422

SHA512
d031690e2b66e3e1083de3e27d1d4863fa6de6051073db543ff137d88bc808a8898ed7d30ce6fd04b5d37157fd406cec3a902db9bba1eb35445d87878fa5f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4904a5ba39e74b2046610d2c3b36845

SHA1
07fff0a158dfc0cd7e5c4f815aff25dfe99b500b

SHA256
fb854c0131e3c5343aac627c2e773bbf201d3bcacfa3942f504eacdbdb05fcf7

SHA512
78318cdf04cba6b354475e3cc43ab86b30e86e2f6c88d65a98aed76490e9ac3be962b330543b70c78d56ccdd0fed5d2cbc43349e413097268718daafb2d9e827

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b8daca9c529bdd4506a7677cf3af05a6

SHA1
96d5b2627576b6f1fb16bfcb5edd25c32ca34056

SHA256
0596f03e9e38ddd7aac08763bff9ff4bd1a73ab6a5a0df4735b90dda7adc2c0b

SHA512
8bb0b2d1e612a488542dc370522428853b91789e241e4da4e45b08acbd1e1713a571bd6563f17ee3284358f94050ebfd1fa23cc6639459a1c26cd0e83f880088

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1264b0c48433a9ddfc4c80e6b34c9e57

SHA1
1e97a7485cccbd2e3f5a9acea011c9ad7a75c259

SHA256
0a24df9d1e01fe773ad835af7df89ffea2d684ac4b7f8f2da8fcce012fb2d4f8

SHA512
e2f2acf479d734d8bebdcb43d354dff2bf54ae5c2f7ff1d2a30188210460a464ad901fa6c555f55386d5750fbcdabadb842d537ebb08e70741b54787178682e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2a74c8d185f129ac583d3c909de79094

SHA1
a79f06afee2a8350618591a7f425233423e725b2

SHA256
e5f347d39b526146aad5b62009dc83bc210f453495da25648261821e923360a6

SHA512
3ca7bb2deae2fd82a12caa3dc4c66de377bf5a4f95affeec6497f0e2703cec6f19bb7c534d690776fb63d6baee51b502767160eebe2a241020de84123d3e9903

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
414bc5e7a6b7751e5b1a7d3431bd9b06

SHA1
9092efb706054e665f5f0422898d692cc32dbdeb

SHA256
7d3abd5b553cf502c876d88a47b00e6b854344d96cac84b69ac73ecc7c4d64ec

SHA512
5783d1bf3a0896b260514a22576ad3c6c8ccd2e5ecefecb19df708aabe9c75679f97b3c6bad9ffd7167567f3fa409d8e993e6f2a64878646e51e42dc0e55fd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f659ba95feba3ec17f5cb18b91868e9

SHA1
677061955281a3263ba8f4c6c7afa7bcf7e8af40

SHA256
e7dd86a69dbbc94f16455191c3c451badd7ce880ae1adf9bb90cdd28cded0ad1

SHA512
df9ec02443b761aa985a77df3527074ce896004e73d594a022429aa74c962a0d7df62b78306bd162df13249713a2d34178da48821c904bdf15ceb2f9e1f05028

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3bc376004014da65ff574994a1d59305

SHA1
81729e31409129e33d5a45d9e0606f9bc0ee4f04

SHA256
58af1a270f0510394edbd150aebcd57f2d62a02375bd56603cbfe6f4b7ff16b1

SHA512
09e86c1d90eea4086a0b19fba07d8cb5c292f5542e3b396e204966b1e88fc74e0de95caa211a6661ceeda77a0edc0c49d2fb2bbec93d91b9df3770a779d0cc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
432ce45cd2e49fa2e01dc2444fc9fe0d

SHA1
d088821b58e63bb0c137691857f738cd6ce338fd

SHA256
979243877ae9f4a17311a62d9aa455d3f0a76b0671dd99210befdb922f823801

SHA512
60b3cd12e5c243b0bdfb4955fbd80da4c79a1f9c6c9a868aac36c88e0dbe7ffffd61848d6f17f2e5a8d936650a0e5099ab9509028d071302dc0bea6044d8efa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
148439be9900907740510034877d47c2

SHA1
f5fdeeaacf2fa45cc24b98a5bd979e2ec66b0b2a

SHA256
5c47280cf61fcd36e05bb71998d184d800cc80b845c3019f3f87cecc3091143c

SHA512
e5d9dca66dbcf95d1bc2be470614e55e04c6ce5f770d0dd970129a225bd0e28a39136c60f4695b00fe5119019f6731b86335e9ba0a4ac89bafe0b2e63c462e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a2ba859f296ca50da9c3f28504df09ca

SHA1
ce20a5da5f8d0ec732bf93fec4eda9deaa4d8145

SHA256
151a59a8d336d46bf07161ddc30c4ea8dc0c4932c2f0ef4e7dfedd9b0848ea0e

SHA512
9cdc225407b5bb2a9559d149189c669c55436d1fdfaae92deb09ba172ac33f4438ab64d2e14a89097b9baedc1950ff8fad568ec71c8ef39ef3c12537ddb886b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8c30c82a3c9270277fa1ae70833b1765

SHA1
876b7f9ecaad9f3d1afbd7d5eae876ce51062bb0

SHA256
5baca08dcc81f19ab0892459cd123aac8684ea84888079aef888fdcfdf393a10

SHA512
6b41b8035db7ec53817e009d636553d0fe4fb19262da3af8069323838a9d0745ed3d892c293a3350be2ca9b093df7f10d97e8f034e7c830ca525201a83b3bfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
79fe8d893739203d1969fb4a8ed6c2d5

SHA1
1fe1ecb991ed44a632140ef9af87d40c9bf91671

SHA256
d4453effd0f8dcf922ee09350f48872fd01addc36dab27358110653d671d5736

SHA512
84b3bba52040f05a61884e81ec38c886989c9a2ad49d4c8c94090d15d4fb98edf8e67aeaceb5767c57f7c271663b875f8f4488117170f0e589136cd3a358f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77b2e4344d499d705857a86c5b271714

SHA1
e2ce2502a9596af7f3116982c7ddd6c495fcaf81

SHA256
4d2494fee3f76714b1488b955bd44ac725ee1aaa344424341eb83adc7a2a84ca

SHA512
7b6b9427658ba105c750fdbaa102e30eda8d3b03843d1004daa23c1cefc312c2cdeee6777a225134c7b0f4fe19dae443645424cf3f968f05340adc2ca967ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
69cc7cb40a2c99020989a9bcce9a74a1

SHA1
26db668dbbb99b4de6aa458be1364d417fa02aea

SHA256
e14283cb4f78ebef62a7df42dc7e469c69d0a483c226cb4d73afcf46b6296bd4

SHA512
f4f62988d3c440455090b73ee947bae81e2991ab3c338d8addc5bd3676287aeac46b9d6b10368161cf3b89e03ce46ed6dd2b5aaa4e20aaeb605368e9d9c9300c

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\22222.exe

Filesize
412KB

MD5
11bdd312144f447f61987763b909e8dd

SHA1
301ba2de77c33659e6cd2dbb3ddab8c2a0f28ef3

SHA256
a983f14f23bedb35ded2763f431f114f197d74333ddf5411c6e629d04f9cb3ad

SHA512
6998d4a576a9e2ff79e1fa1c7311f5500677b15ffad54428f1f4c8c080bc826846db5ba66183ac1cfcc543b328081f09de4fc4c4ed1810efd31f69bbc5c4079c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\sxeD941.tmp

Filesize
276KB

MD5
bc0946366412819d16c620194356d7d5

SHA1
3442fdc483e7db06b5ffb359f7d42a1fa8e47caf

SHA256
ff77d5e1286d5e40c8fc67c0434e3a4f98c4dc8c83bec1a15db6f3d6f3ae25f5

SHA512
70a8a4934482b76c0024ea831b9b702dd52c91c1c62e39ff3d2c21f0402885c9ad3c57e401c3039fa2f15b1c83a877adf58973f0086b9299407fbd892dc197f4

Download Submit
\Users\Admin\AppData\Local\Temp\sxeD70D.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
\Users\Admin\AppData\Local\Temp\sxeD70F.tmp

Filesize
470KB

MD5
767da38862a459d6126bc068b15a6969

SHA1
2143df03d535320bbcfa3f11d6ce1928098ee9d4

SHA256
3017686cfbda4958448253d626f7e838aa5b382a55518533776dcaa633c2f27e

SHA512
03dacad98b091ec56941787c93784d62fe86363f8da287dae270029285598987bb45785c271282824a233a3ebd8363ecdf40355b1faadf3261ad0ed96e759575

Download Submit
memory/2396-432-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2396-430-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2396-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2396-30-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2396-28-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2572-78-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/2696-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-50-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-94-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2776-85-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2776-79-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download