cybergate | 36bd6a1fff57ba9da35f565479f615accc534d0aab500817e9c153c127cb3b55

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Size

384KB
MD5

78f6c1b49e95ed4d2a4c21af41aaf6ca
SHA1

532c74407ab699d5b838590254d386d2287526c8
SHA256

36bd6a1fff57ba9da35f565479f615accc534d0aab500817e9c153c127cb3b55
SHA512

479b83a2c1075ffa598c1d906fcfe414cdc4a33947c2acdb02cfc4c7d516d4378b5ed76d1f6d6f4ca8971732283e422c0f6eb9502128a72513e632918ab89cc2
SSDEEP

6144:cN2rUm3PojWv++JYJpO9c4KHEdMyO/x6qaSj8loKcPK1dKN1THx/gm8SP8dAk5:cdjw++6lj0O56q4tK39N8S3k5

Score

10^/10

cybergate remote discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

entha-zmank.no-ip.biz:81

Mutex

70101UEI0Y6O1T

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q77Y31IP-Y5KK-Q7VD-5776-SW615511WFHW}	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q77Y31IP-Y5KK-Q7VD-5776-SW615511WFHW}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q77Y31IP-Y5KK-Q7VD-5776-SW615511WFHW}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q77Y31IP-Y5KK-Q7VD-5776-SW615511WFHW}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Deletes itself 1 IoCs

pid	Process
2348	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
324	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	explorer.exe
2348	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\install\	explorer.exe
File created	C:\Windows\SysWOW64\install\server.exe-up.txt	server.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	explorer.exe
Token: SeDebugPrivilege	2348	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
2348	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2348	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21
PID 2492 wrote to memory of 1188	2492	JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78f6c1b49e95ed4d2a4c21af41aaf6ca.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2348
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
b4fbd68e7d81ab2acf6ce85449eea437

SHA1
0b32a3bcfe8cc3e8393b66ee000d7e973b41d4fa

SHA256
109622caf3e42c68ef7eab88b75cc508e290d8e70d377cc438b1af4ac47c4771

SHA512
175718048dc623d5dbda077dc252494201a210560073865048aac645f63b72e7fda1b6ff46f5804419a628f78f9ef0354794ceabf23fa6089ae89fca3011b9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ab27246803fd7b601a1fa981bf2da52f

SHA1
3530806882ff9b4f8458ca7ceb023fce43816b9a

SHA256
32a054dbaf25f792f49516b765f020fb5fed9ddfaa0708d146c957408655dc7a

SHA512
20cb39fa1c8dd340c10b56a470038cc8e43c69e4b017afe7dea30a754ed9a2f7381919fc8ed7708525e3d8a0010a6edc97f4c1a37fac1ad995c8abf5a49a8716

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
68f38838cf92519e50438aedf222d01a

SHA1
764fa217d5a20f2aa7baab11a60ca8ce0db627fb

SHA256
952ef0477f1d551bf99469659b9d99e8282bf5d384bb6be7e5fe5be0eb9f893c

SHA512
a2f73371090397ca8df5256d97ca506feecb05112bfe7ceae1c534758f26b5353f2715256a3b4d776ddd5e46a5574268350b12dbf474950dc4354baf8204c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f461c0512ad6b9e6fb9bac77a836b1dd

SHA1
4ae5e22808551924f160cbbbf931417805549279

SHA256
68eb2aeed655d66a0ed2a9c403ba88f0ad7ef932a69fe9911adb0c4c269d3910

SHA512
de2a836552a5bfec85e030ad7a0803dd251fa131d86eebe323213aa822e5f4875182994a562a2a2345cee87400f0a131204754f45d623c65841b23120dc668fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1b37d546fa65fb53ea9e51bc4d3211d4

SHA1
130d9de8747e4f830fb5a06dc5bea3a126696d11

SHA256
66c7eafce3c03e603c5106bf8a49fbb1e81ead8ffeb3ea2c7e470a7302759c05

SHA512
95746cf2900dcd34374aedf937d02d74d7a374e82e5815e46a32e06a3645a618e9b58bb8d98dcc026c0eacb2692be934244f673d173d99d637dcfca3208c98d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63ad1ff0897b58eda613d356e0ac5135

SHA1
ef75f76262d83d42c92110e2cf60a9bdb75f33d5

SHA256
e523f29dc4b1814b3c44bb40e2ffd0c4aef46c0f4d6a669f6b78f4974a30199c

SHA512
89d7b5e0c7851bd3e80b84bd4121766c08b2bcc040a201740a8f2874853c00d9818a5d816c1ce7f8b1709560aeec611d3d857ae07b0fa88aebda9474c2aeb1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
85a925575712dfc230cdc260813a6b5d

SHA1
cce7c92a1279d6bc482689733971d1b201ab9ef5

SHA256
2d90b70ef6e2e9331c66f51b9630bab6cd7a91262c4191cd3dbc4663d2e18de3

SHA512
ac8d852507e240dc0a08d41a31233b0cc06ea011af3e4ce6aa0bdade2c6cefa50fb2dc98283120ef6de1cb18c0eb821adf9f90b1a5f7f23ac2123c4ea6a99e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a9124bac6d17260d7c14e29f2835ceae

SHA1
9dc637480b25b5303410dc32ba37be57c2756280

SHA256
ad3ce361d3fa1fded22841f4353f5481b954e482c631f2bbcc565f28b2529790

SHA512
6dbcd526843b1512e1b3fac843e01f70e4ea2a21a7be0a413ab96e3530af3f62dc3ee4a6fe97875a0e74eaedf0ec32421ff572073bc3e454da8100fa7c6a1f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da23764c0cd9d001967fec85ac258bed

SHA1
f0eccef7254ff73ba06f1800c2ebf72a973de594

SHA256
5b7b165676226253ac425de97635ef874574a0a96475ed3b10487d12bfcc2412

SHA512
ad779293d13244f0b996e0af9fccb73b9138e6f3d957c4c58d66bacb1916a8108ba6d0252fcbddaaf8411d85228e1bf5ede467992975ad7e3bf37063ed3f7627

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4bb5d489f19be2ac80b50010d6c38e12

SHA1
df60ba7d52b4369ae987c38ca4181b6add76dd30

SHA256
756a2c96233f2fbd84a91a25f856e51a15f6b6e8abc44c3510830ee04dc4a5c2

SHA512
821277f5a1bf44a68f35ea00230a5e8de7feb07296fef8e01cacd90018bbc7e949c6e9cb8befe57bd9b2325fa05cf86b5c42f51a7984787de43135eb2ff29e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f81ef73b1c1f16eeb3139aedd8f8ec64

SHA1
750b5b5c0bbffef1deffe92b16a16975ef441065

SHA256
51d872d25a216b6246babdb7a22d7bfba6e22c2989146c60c422cce4ead44aff

SHA512
b0c54c73fa6e3071e0ff136ece932d3f1a1c5fe7a460a9337976c5f8417225f533c6d42d96ce3c80c8a6e8f917d0d60548f9d92dafcb094f4a2c729bdd39197a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
56a125aeb0c4337f30996daa9e32979f

SHA1
4a2a69208f750b79bee3b5617f4d9d92576fa5dc

SHA256
d8bdfca03f61793363b6209d2ac4ff7f1a4cb71dc4ae202b82fb04783e32960c

SHA512
08c0e2651e91c709e5fd9b007213f0dcbe60cdeddc5162e938d96112d90648fe176aec987b7be6a39c7010fc7b2a2ee2349bce46b304d7ced077b0f0c50b4428

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c1359f4da069f160a850a3618ab6ead4

SHA1
2a3feabb39315cc232b5f3b1d9e4a9d9873949be

SHA256
50e5ffc6f1755939cb82f099d4cabf95f7aaa65c79867e096488e023c16cb394

SHA512
96dec13f0d48701efa8cd695d1c3f88aff0521a9e936eba5ccb4fd5bf9476c8ccb3cc85f9708a06b49c200a5c607cdd53bb123f3183017726954f197094401b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95d1691e1d4a8a4c15b355a46b319c97

SHA1
3e8527506dcd02896739b3309c5a14958bdb86eb

SHA256
fce70763d4b47db64302d87475ab3453b3f5d6c0fbfaba7b3c0060df4b9e93b6

SHA512
d86f82207ae5e402d5dae766f24cfa274af976bb4fcd9a2625432eb3b9c6f7273c0f1f06abdb5198b8b0b9a72caba5f7d31293522c61a767fadf2b9cfaa1466c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
913bc75704e189b42f4496536c161ef7

SHA1
95ca86e750b6cdc409ef391e689b6c1f9fb650eb

SHA256
8617481762ab9fe6eddd0150455ff382a1215db43da7f5ee4d18f986de1f2f6c

SHA512
606f3ead9c65b7822787f4f3410f5e084d33ccba59d69baa06fdf64c481cc74c842592fc281757b85d00b5a88b74b68665dedd7340756dd74866501ec9d00a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb074f9fa9dab99d9f39dd21eadba3b1

SHA1
3f9a77b838c5d227a2af5ff9295aa6cbd576a020

SHA256
7eac3c4f140f550274c1af5ec83333bbe6ec0a03b1f81b0909c210fdf1c45679

SHA512
0e9f8f55737a440a14fd7da098cab9cbd27b2488c4f840a1c7d55f58adfe5415ac1d84dbc8e67e5b786bced885d87d7a2706eeb8063d5fd5d6454532ca6f2a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a879a6a1b6325b5af4819bf8f5d60d85

SHA1
0771dc3e4880b320263808a66c501cc2299892ad

SHA256
a6d8cf0cd09beed5245922dde823dafd1a97bc08e78170a6ede52350ebfe5edf

SHA512
6c3119a74058073a479dc2bd87d32caee3d5f8886a689de71f8fdc908a9df21fe2c4ce7313ea20456ad879802bfc48129516b50efdf777e7a9149e48798ab33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c97672be7bf6c6372baece8b4633c79

SHA1
cc69398b23ed3f1e905084d65a8c30008a9353fc

SHA256
21450ca7e42116ce7b7b8784edb5b687ea54a83cbdb9cb183ede3228439a1834

SHA512
18a668b76ef7475c995e7f6ec25187e6e5a8002a5d7a80d5dd97ff6e96d1b995043b4ab64d01fadb2c46536f511c1e6c992c49cd4b305b8f72f5766397d15349

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
89cd3e3741fe3d61892854db75227cbd

SHA1
c9b46049b19d7759efe2e1f677e6e3e2627d26f5

SHA256
0363bbbc26090edf5432ae818ed0f43e4bfaa3a727a52fcb7f0ea163cd613a36

SHA512
374e39fd5aa4566689932dcf838f24a02472394b4a9215cadd2127eea7a194618fbe76b6a2cefdd7253704aaa4df7e6062316577565eba74bcff5b2733543ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
442566102ea31632890dd41607cfcb35

SHA1
e05ef6d3bfa0d2008afbe1e5c237df1e1d4f2044

SHA256
e2902a81dad7b5c856d92374ba11572ef0269d1a2ca49025d1d7a5725b16c2e3

SHA512
ed8e4c83b0967a03fd22234f583c1085583da3009a7d05e6dc594f90c0022763d4e2ed0108a5ea31ec71033c41dd0ae28a7d9ffb160eb33e8eb48ebf9e888ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81617066b9f0eaa129761db17b0cdd19

SHA1
f2ef0101388dd330a395e9974b51e390301f6854

SHA256
7af9d0b32ec6b00e8fc144490abf20057bbf1e3ee7550a46c6d648de615affa3

SHA512
f926d97edb9409b45ad9eddf05675c10ddf4fdaf8a942ad5a90f2f15f0720be76b3e938368297f26e88b4602e96ff8d3da6614abe97946806c5d6dc57fbef827

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
10f2151df1d5dc12b712155d66ca5283

SHA1
4c252085fd4efd5950635f5485ef1b051f441bb3

SHA256
d206e9f0bfa2e645442e186e8efd5f5634fb0cffbd018ec7de708a112fc591b7

SHA512
947439bb8f06219147a23154e171d4761e11f597e33381cdb58bdb3499aa09973ab4a7396f38ea580d473bcea7c33b030b8bc8787c16e401f6e09b8ee257f856

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
194f66a472218da489a73b4770fda54c

SHA1
dda01d59eab8e6786974934d69eb2ac0a9944e69

SHA256
74d16e05861102f5faa8ba356a510d04b9ac1cd1c7c59c968e0ec5a823d804a6

SHA512
63fa470a1c39f279fe08e0d7e6fbefe304898a8c187253d9a8d5262213058cf3f2ef70086cb6d1c1697c69dd688864f219eb26edfc014912b882a7734e7f4284

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
809d2549c79ed2c98f4850b05819e010

SHA1
1c68c84e41848609fc03fc7eda3e6d67ee8d9a1a

SHA256
117ddd88dad0f50571980fb892db2e31c09a6f3eab45e68dbdbedbdc2d1e5569

SHA512
3a7ad2281900fa5ea491f6ba126b3bdffec7a6a0ad6fabd66014b98b420afc5fca0cc623d08b4106e21cf08d192387e12c73c01f17e8c5d742b908913df643ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e63cd776e549399b53fedf1135f9c5f1

SHA1
5e04f5b6e6f91c64e27845ee72a404fa0e614aa7

SHA256
0e78dd504b7f3285b8ad9ffecdd5b0a092104a6c5b289ae178b5abbf91bf835b

SHA512
12b067e1c8943c3bd80e98db072a3d1a2ab7da88c522596c22570ae7c245c89dfbde23f7d52d2a4102f51f66909ac95b8c73fae9d1b4f0c0d3516e208cabef6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6b2154d931826821d3e4c7c3ba829002

SHA1
bf7fb5f21ea88ae0ff8938a9827ce37b09a61dc6

SHA256
6d4e949fa744e98d95a346c0c76fb78ffa43b5e1dd325b442a55f6622108be13

SHA512
008866ddc4628a024474d9148a2e177c35cab8205502fd3731b3b250f050a4ff997578eabf37fe1c6775627047a863bb3fb8927b0ad431cbab8c6094263b216f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
91aa9f5e2467e5a11b9a7506b66b40ee

SHA1
0972afbf2b3469b1bfe0c4bf385ab389d0e51ea8

SHA256
e40224546aaa8c1880f3ab1a6e1cba51fa83a9db24aeaa0d754fd6a435830e87

SHA512
7938665d4cabbbc4d03e138e2492be26707ef13a7aae992b4995b38b6f44c26b363bd9ee7af12c935323804134ac93d2f7c59dcff4fa37f14193d09f196fd38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
30e6eca17266f23a7678c4d4358ddf8c

SHA1
d96e8ff4dae1233e98f4523d49731c99306bc4e3

SHA256
e90af9282fc23e159c810d4ff778f68bbce2c897e59cddd2479934bb14ce2f60

SHA512
efed3e73fb51d2949db711beaa7c775c3b30ddcf44bc831ede26c7f9aab0e23c7f36d1b4ef9187e3d91cd1ac61870ea538fb49e19facd3aa315c736c90665c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a45a25aae41b63fee7ad029f2cb171f

SHA1
2819e55acf095f243b513f0d9a2acc297e3f4cef

SHA256
bd2c1b0e865bc0d6bb43f16a84e24fa2bc15799f1331ba998fd9b6426496264f

SHA512
2ab7ab640744120ae3bf09daac1ef927a2997824d20ac53351f76f2236b6b33a01ad39cea1ab0e8ff491f7987ba8f76faa32749e237050b3e82fc6edf94af48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ff3fca56184384c8c7e2c61c696c34f

SHA1
63952723ee89dca23d798d71277e3e0eca8b5730

SHA256
75aec2270135acf3c7791ae518bc6869d273a627b90ee8ce893c2dc7a36abfce

SHA512
c5fbeb6c60cb9b61589334257c5951e545b3f0879c1490bdabea014c8173a94e08d34f23a4cd7888f3d307971a624039760b0ab2fc8d6ad4e54e46d53ca25451

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1b22b6746c921d25783f34d0fce0e9a0

SHA1
1217860627971ae0e31a2e06e53e223e415e0187

SHA256
1c61cd20b2e7af2d188c0c7c091a7b18c5d611f4b0a7b550cab3c279f9427ae5

SHA512
b2d2fd0bb9d84ae64a3aea7fd9ec16c93c2b24b3bb4646061242948fa453b1e01eb223d05d0e0067eaaeff8f66643a72217b1b17faeb440d16448bf34feb63af

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e61e83c230d94d3cdf5c4c5c9e2f2662

SHA1
567192c76435f84d39523fb7f6de4653ce53300b

SHA256
1cf882e7524fc58baba44f9bff39c70c05362f64a5363387e241ec8a3e55cd31

SHA512
6881824e877c925cdaa6dc9cb8870ee59d43fe77cae9134564771c57420dc534345c5c9d60fdc946edda08a517d52bbbc5ee27a756a05e4f1346afafba65fe19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bef530cb98a8ecd5b25c28faa22961b0

SHA1
4c3a7c2fa062b81c3ff220af7c1f8b77e6bee222

SHA256
28ff60c764fc738cdbef1d1bd20dbfda48bd8cd4ce7a488113557438046c2977

SHA512
ddb7b5523dfa33c21466fe12ebdcf5a22f19254c795883fbef20cb132f7e55f745f6d35b440d3986c4bbd4890391a3432824a31ec03f4aa4e815d9537fc710ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
05e721ccbf8a671dd1825ac00d076d98

SHA1
9e572032d424f2c7ba28e334228aac74595366a3

SHA256
5887899629b48753ab3d34cb4decf50b35dfaabb3cff95875a55896af723af54

SHA512
23ea9394032382598d5663976c55bbe3469612ce7ae828eed129b0c14af31d2d7c6040b067ffa800dbc85f4500afddd5f1273bb706f1f1dceec9a61b9067b5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fd62c4c143fc7391c38a8bb2b640c9b9

SHA1
78b835b84950e6225443c6fde6be039fb0414bcc

SHA256
32c375fd149551eb4bd1371f6aebf776d4362e41a2bbe6bbaa6af448b1d99031

SHA512
f51debc8fe22904d12f1ff39ac97b907c87b83c93348cc87fd4bee07aba7cf9b5f2d5f845e1e18ac620c070a0d4b0e5365c5d44aaf187ecc0213f3a35ebcda94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a0a2824ec68188065615e867d582cbb4

SHA1
008ebcc8b61d0097301f5ff661c79e7de94048dc

SHA256
b076f71e0c971a4b5a056ac0a1ea3fd1b951f87f0155775f0a6d3bffed046a13

SHA512
0d13ab94f2554074cd0ab3cf8780dc6c9a37b0b0d7c05834e1df467c51dce610020475f9b0a96068e64b58c6d855afba84e8c9743531ba08a4c7afae3030eb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7121a42b4aefb027dbc5078f5e32b617

SHA1
1c3c7721d98afcdd0c157b23f678ab55a0ce3019

SHA256
7e89f865079daacd420c42b196be624e33a8194d0f4cbf4e1c46b8227de6acc1

SHA512
f172854024571d54a4562cff057b16454f670ca61f168391fc32cbed8f86560c1cab2ca8c70b10affe2755d17db76d799b715bb49c6dffe269b4fc7bf0eaa543

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
88839a647b9557f74083de45b835ccf3

SHA1
db84b907fe6e8df0558d8491be054ea5cafb42ac

SHA256
5680c458ace3f5b9978e5de23bc537219e1ac8c281464a48a562ce7fca2b5be7

SHA512
70826291d63d6bfc2ec644ff552b2833b67914bc6a215e205820519042e66b4d0f271b057b2c0bcddc606e316d6622bd3bd8bddb575d09b30e3f4ce70d0ceddb

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
78f6c1b49e95ed4d2a4c21af41aaf6ca

SHA1
532c74407ab699d5b838590254d386d2287526c8

SHA256
36bd6a1fff57ba9da35f565479f615accc534d0aab500817e9c153c127cb3b55

SHA512
479b83a2c1075ffa598c1d906fcfe414cdc4a33947c2acdb02cfc4c7d516d4378b5ed76d1f6d6f4ca8971732283e422c0f6eb9502128a72513e632918ab89cc2

Download Submit
memory/1188-11-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2192-560-0x00000000001C0000-0x0000000000441000-memory.dmp

Filesize
2.5MB

Download
memory/2492-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2492-1-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-4-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-5-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-271-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2492-561-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2492-890-0x0000000077EA8000-0x0000000077EA9000-memory.dmp

Filesize
4KB

Download
memory/2492-889-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download