cybergate | f436718e43088aebeb760f9fc661e40d0b926089088ceb9fc43f0efba5428ba0

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Size

400KB
MD5

1b419d4159ded45f22772b603edcab81
SHA1

df285c990d0a1628fe033a819b633ad22c1d20a3
SHA256

f436718e43088aebeb760f9fc661e40d0b926089088ceb9fc43f0efba5428ba0
SHA512

e65f7426d6d67a1dbec80f0b0084557547646eb96a31fc43cd1cae9791e812ad8f2782ddd5f159e2c1320836c8067f368229b1f494359908efe0661dbb9c19b1
SSDEEP

6144:d1gnI8BLd0GBGp+ULcEC+/wbHM4zy0Tvm5vRaz7obN1kuYt/C3rWQGSELb30FXpi:8I8BLRBmnAEC+/wOUIbN67cEbupcWYey

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

hysoka.zapto.org:82

Mutex

A1U2GK8U0778S8

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1989
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe"	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe"	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4OU34PS7-GGBC-278W-4488-J6M760TQ2R62}	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4OU34PS7-GGBC-278W-4488-J6M760TQ2R62}\StubPath = "C:\\install\\server.exe Restart"	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe

Executes dropped EXE 2 IoCs

pid	Process
2012	server.exe
1944	server.exe

Loads dropped DLL 3 IoCs

pid	Process
888	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
888	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
2012	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe"	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe"	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 2012 set thread context of 1944	2012	server.exe	33

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-28-0x0000000010410000-0x0000000010471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
888	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
Token: SeDebugPrivilege	888	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 1920 wrote to memory of 3036	1920	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	30
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31
PID 3036 wrote to memory of 888	3036	JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1b419d4159ded45f22772b603edcab81.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:888
  - - C:\install\server.exe
      "C:\install\server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2012
    - - C:\install\server.exe
        
        C:\install\server.exe
        5⤵
        Executes dropped EXE
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
43d026cea46bc844b703d7dee8918e50

SHA1
cee1a5f2851389538e8838cc903ad597eb8d8251

SHA256
b4a8a5b71895ca501c9d68be45abcb9cd65a12d679350333d8ee382de8e190ee

SHA512
fe15d518a39d43100a732dde986410a51577bfa4a6b859f64ad33b07a12ddc47875868e8fa62340d8e0e6e32cd691f0a454ad588964bdecf926b304db98a0095

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6248b3a23599cac04c176e2333f5be2d

SHA1
958ddd85695f7357be74c72b20e0c3d4de0f1335

SHA256
629e32ae0afd2b56883e825c2a288d0e4373ca263f19d911c276154f42a6be16

SHA512
b682ff82dfd56fa82f07834e1d6ad108d4a0b85ed45ffc9694369393eaeaea0e56e4bdd59fc1e45ca859176841043a837411e81702b177fa4c505e46c630ee08

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0d86c23d8e1bcc0e121a2c21d87d1213

SHA1
52043e94c8abaa74639b859c87f6d7ee73199f53

SHA256
ea81d0a1fe671b38a1429c6b1033c3afa0d815d012e6f8eaca7e834540e5e9dc

SHA512
0ef98808e76767bbc179eeb81e2f813de2148c932780c8cf6c3f7d329f15cbe25d3724a9b7418c4409e957fbc3008abb6c7c3a6cc55b45259de9fe420544e204

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
67f86683786c69766212386ba27ce989

SHA1
95075c1caad8e6b183e2cf01a2d69b92f9ac80fe

SHA256
f495942d06981b647c010d02ffc09eb7a700d203fca9a90cf426764d47849c0f

SHA512
ee351cf47fa9ef17fae7cfd4f5b11b57a91b5188076f15ff72c989a873133d0bf7a0a7a26115239d6b6a6b26a57cc7d48fa592af03d18e8fa8dcee02d92a0de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9aaa513d4a7c46adfb872643907b3ff

SHA1
0fcca10f2b9efb1e98d0b27d48ff5c7023f1ec84

SHA256
b325650067d0046a124b1866da0a1238bf9316abbb94a738b2737a4bc058f78f

SHA512
5ba389363cdbbec29cc2923552e1eb3cef43ad670c509dc20f31ad76cc7d8af9d708e48a888c4fef260c17f85283377c13b6a412013ca40b6fa35a3afee32173

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81e6344c731dcdf9b3cdd5d9197f7160

SHA1
785f0d68c10bb74c37243b8b35eed4cf3cae3c60

SHA256
9840d439cdf4efd0e17fd691075f218878ead2d351a9cbac88444a88b2f74800

SHA512
1285c7cc1c96ce496b294ec0ee8574281417855378302c12c3a746afa9dfccb896c0d4d1d3cb2ebfc8d4ba615bfc1c15cb62eb0e3cbfe66dbb5c3ad42da8fa69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9b7db1439073beddb6dde0904ec14d3b

SHA1
5610a16954710e43c6abd09e00ace788d590139f

SHA256
0b1762e7918ccfc6996b2620c2cc94b5f73d7a484647ea616a1e2a5b8f8a7e80

SHA512
6b5f09d2b2fb66398203ca41109273558d1576d0f185b08ed4ce14cdc4d57b19b8a7f2a357aa25c85eee8182ed48df323804d9da90d43879194a305f420b550b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9b2071987d3f35fdd8b19fc3f4e23a71

SHA1
dc60569942c81d5b5f45415e7e8a5bc893fe6732

SHA256
c760cf46abfce5c4fc0dc98bcb4e24d8cfd1a8f1ef8b87d35a9201125faf9771

SHA512
e20ba9b5e6a195a384950507cf4761c2b1a2ac66c3a72727c6683ad54195835759740ebce1bcf001f12ba0d83b48c8f794c62e88ba6f1dd1de882037ba82007f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6718a26b2695a5629d3cf81f32100068

SHA1
0728edc839f94c29256c6018e1d69e91c6691591

SHA256
5528999365d976f01b33339a4076d56756092756ae141796e91659387cf72c4d

SHA512
4ab94f60a6e379e7010046d6e5533a60096f6f2b6db4d1bd58c38012fbe2101ccba278d0556b446b0581fea92247baa4c1562ed639622b6fd2b8f6087e37f771

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bd9be936765dde9a8094092824f6bddb

SHA1
49aa6ddbf29657a9fa061843afb0c7a3a44f01b8

SHA256
d963d09c7eac5cc5e8dd206005b17be79ca76352ea8bbffdd198acb81c22b107

SHA512
54f5bda0fd5d46b532be5d5473e1ad4c165ccb80c46d727a00382e4933c4d9da890a3b713ed7c3179b305a3ece4f6b5279e88b67d6286a16ee6a80d1f088e1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
30f0cb7432aaa13de8fc8aeed9f5b5d0

SHA1
1c69828b106a7b0fbf3ce500b77febf263783181

SHA256
df057dbbf7a4d2fbec03469d475c9d4433e0eca0f1dcd2aae4c190990ff4de44

SHA512
1ebad5e5f4406505bc64b0923b5fa17f8e3220f7b09e004708a3adbdfe39e616c4de1c885d7d6f17b98a715d2778eeda0356bb8ca03373c962e8b8ba3edd3c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c4528929fc64fe8ae1251116bdf69e9b

SHA1
9b9f82372060425496c556e3634ca81855ef6d25

SHA256
7b0b4f059a19621dba4685c61612f1f01e080d93527f51ddaad2564cfb307fcb

SHA512
87d34dd4cd78bae06cc787fc75cac86a25b0f3d742372d8d26ec0032e8f7b38a1a86cf379a9adfbefa2e183584ac0fafac22990f23f4e8b26bbed7423ae079e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08b27d631c8a37bb2bd9a4d04e9c64ca

SHA1
5c1112a1152bfaaa19ea96df87af97c29bef5b00

SHA256
f55bf08a567dfd895ade91d70c17e129a46790165b24b6700a991c382fc574b8

SHA512
caa1a78b02a843bf1653977afbbce619237f3bbe81862bceb268720fbf53915ad2a74a24ef4a5e598db3ded7917e0f808b7c042e8110d75d438e49c9ab6a823d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ce338b01fff6612fe097ba576ba59af

SHA1
7db0d8ed7573023bbe2643cf0854d846ace7c99d

SHA256
eb5bc4f895d73c3de43095c31f3e763b59b5dd3b7a53e665e0932a9ce67a5537

SHA512
fdf9c61c73f9e0f8fca1682ac808db367bdd334cd6b4ab918b958300843545edc3debed4bda69418f8a0816c134502252ed95017069934ed652f7b7e8ca24e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6d0d8c055aa2958ae5a203acf7a00c93

SHA1
67c6253bae791dbf5930d307e8f5d994495ebf73

SHA256
46395032c20e577be947ae714816db1a95c7d1cf10ab5983a8d8fa6b3b9cc909

SHA512
2cada61903fd648627970bb7b5d612e140a728c253d778f3a0c36e4b2b4a8531e5034fa3aea91944d61be19746ed637f2c5d0fd4387251712c13fa80dc8c3b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9d7b3f9ee48b797d4a7f42fca33ecc5f

SHA1
fbd389e832ea13adf8732ecb15b6a202ed4c604c

SHA256
75689ce9bf9738d93892cef732fedb8764cc8747d41d4bb69acc9bbc6e3a187f

SHA512
cc613486a69ad2e286ec27a69932e8513a8580ec4015caac62fec3955715354da2f1206f059a8dcdf6c62d1958d06df4a5c3db1ab8c438d77d7be84415db79fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
124f726428d4009ed9c34bc151ef5f6c

SHA1
d509e4e6cf9b47e1cb5da4a2332281b515f48362

SHA256
7ab641fac90c7c3d5c1c04d2639bbd462bfe28ee3ba6877854a1afd12ce34b22

SHA512
90a34a944b82523a083286f58952e9646fb134b7c4b39994e6d456ccc8bef56019393aa3cff84d3f1058afc5142e160bd8149b532066461f00ecb24074a1a9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cf40b4e74661511142fd4d0f9478551e

SHA1
ec6c7e26bc0fdfffca05357c86ee9f436444f84e

SHA256
c35d217ff01e96b43e2548b82c7a7853f21da05a7c69db787b8fb9204a014713

SHA512
7e4371d115940e36e99857e6fafbbfed796e9fc74b93a834b8d4914b14072300110ab3f3048383c34a78e34353a4689fdc823c802d74b1c859bd33e8594f1e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fbf6242ac1cf1e7f30b847047715b4ae

SHA1
f67531cd8c8b66f040de4feeea2d65e9c73413cd

SHA256
c9ebbbaaeb8efe04ff478bd6e67ccb1fa374ceddbf5aac70a2eb99302b85b573

SHA512
714dccf5902ff47d57282bc93530fd953eb64db423c4ac073991733f2ea2b8bce01052c37891f9ae42182a4ddb254ecd573081719e2e61e2d823ebe652677edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce3af5147d9b1efefd947a47144fc5a0

SHA1
41470b60272238830813f994e4c2c2b121c280ec

SHA256
bb30639a37e9b88b4236dd2caf445c8afd14059a162e6b8962028ddc3a919d54

SHA512
e67dfe401b9dc2988db7c28a22bfd8ea05086ebd7f065bcbdaa33e06448edfc1d958e8d2cd370b6ec6601890268225f541e74a376cf0889bd14d43c134ca3fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5ffaa82ef3e360a0a07b7aa7270a4d1f

SHA1
2425ee1f0163aa973ecbea753b4ba192db1d187b

SHA256
564629d3020f161ad0157bb3bc0792eeb8fe8536cde63dfbd21792bbf796ec35

SHA512
cc26bad624ef4a22e465e1af8abb44f5dc4056f890d3c119b6ea202598820b5911ddf383cad5e5861c8f747a53523d03bf69da2832658b625c9b405db8b8d99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
164b8922e61359261e13c0ad0e4942bf

SHA1
9ad537881ebd8d61d58fca003528d5494d0674ee

SHA256
8f59910659786a833953100405ed03b5bf85ca2059136d4b5548c8593c66b948

SHA512
bdecff015f1f25736824f8a691d64712dfea46b2ff98f04c9d44fe21e8324fce01f84014f476acd7bde2b6fa08f4dc29fc324f04915510c613675da1e24ae264

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7c952940087eec677c14e821ad5e66fb

SHA1
5c3f38cf3b83c885315474b6e922a600011e12e7

SHA256
f61c9f4304d1d12576a102faf1efcb04f30667a1ff4ff72723bba0ab079263d8

SHA512
74484c1afd6631d0c52eb8ae928494b3b1c951a11eb979ceacfa7c8b230928cbd86293167f7fab1d9122717bfc414975b2dded57b90d4b4b0de279c4155e08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
64a3c2d88491d5beafe46c762e78f45c

SHA1
ecd76cc90c47cef807228d287a4c7bc370df1b12

SHA256
92536d377976808d9aa7e74dfb8ff502365efaf93a8c351bd51a5ff1ebb6306c

SHA512
4ce31bdf2ca274e810cafa08ce2deed74a8398729873ce43f74e01ccecf4930f9897de93b6b4f38dd898f252e60f305a71f95afdb2f657e9ea146b4719a02728

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3661db3a9b206041aff5e3e415738600

SHA1
85a6cb559aa7f1957a5e5cb66e33b09f0b5971dc

SHA256
105120097f2adf6e7246bb0c8b5d4a90109af6f15147f67b7aade925f346444f

SHA512
e477c1db67a26e08c7c12c8e2c98aa118f32e935f6f16d4317de3d467b77891a89239b8a8a61751bc2c3b6f05d456890f5f717ba5c3dc68be03c951ca5b343a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
331e0898e54d66241139759fb0c2efe6

SHA1
2a6babc788db5208b7c9cbd4abd25631c3a1f272

SHA256
a2f13400a4eea9347f834c05db0f473cb4e2819a16fdeb91a42def1d5e75738f

SHA512
40609f2a1b1bd52e88948673c21bb4a3159676b38899b7c478b2988957b04c7f8bda4399883f45fd6c6ca3500b88ca483a508eb5b7b20f61453c5c3dcfef520b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1c51cd9ceab829278135faefe6cc875d

SHA1
e12f8543d070e9b44450a0e9ea1c76247d3cd90a

SHA256
422f3187d85bc3c1a5e613715dcd4bf4ce8621279368c722fbc6b8050b81fbb2

SHA512
67889e34c3a1df697e508bf8381855cc97513d640f948dfe94d681221a766f1243134dca786b31ded53d9b57d0f44543dec7082258fa9649f3fbc6a083cd48ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b4e7e18a88e392fb1dc1a57f5541072

SHA1
ef40fe534cf7279a7876945a1cdffbfb4cbe641c

SHA256
34c95a6ea65a52b6dcae7bec678cb93ac5390143bbd8b376874dd7591a197321

SHA512
a2b0fababa71e2c6e550481e0adfa0bed3e1e8c882bdbf662e0731b4dfabaa90168ba234a046d7cdac0b6e1f0817df8d5bacc373d8159904328bbb16363cf8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8c974cf26e1f3f97d1692eeb4e3609c2

SHA1
aaafe288de2eafa6a0ddc8504624395a08c044b3

SHA256
95e29254db2a3c99cc95ca5c73179332f60af8df8185be30afc69dfad497e8ae

SHA512
b891641b268d47667f08be0722c300e8762f09c447b9340e7d00ede93feb2a7cf90f613ece94d694a01cafd5c000ecfa32633a5b3d0212b60f625b6ece5d1522

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2f53ceac3b372a0910d5a2567c8d4eb

SHA1
7156717e655754d31a72cc8799cee827a7653d49

SHA256
88afce69a018ca868ff4d9bf8b4b8472849c3a7fdefa0feee2c83ddf851f61e7

SHA512
18a411f573dac3eba1d3905a37b4f3fd108e5f4cf86d3d6ce92b8dea9a2b276dd79a8a8d77fbc7a4562106ef713dfb78b19d6812f313de5dbd8bd0f4536ae7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
322baf33644d508ac32380d9b82e201c

SHA1
45795b247a1443973cbdf49a7fef7717793b5cfd

SHA256
60bedb103cc19ea7718db854f9e67f92b051ed110c6f5f047d8d6eac14340f31

SHA512
0fa7dc9ac146826ac8d05e7fad8a19ea27ac7f763ea84648c6f58e0740f2a22ecf8f84f733034c04354f06d85065dd66445920d7ddb5d7fb86ca7779393d7001

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9c72bf042c27c38713544dc4da55c11

SHA1
082a4ac94a6d66b36af4e34db864cc37955539a6

SHA256
5633872846f6af0c9363a495237dc9012e66967cd33b75ac9331fb6a2ec18df3

SHA512
975aa5d3f273851e567f06f07e723d88f8c3e7bc933f78e894d460a6c44ccb6d8e49ab8d30e371de043d22df54f6a8e267a91731e025d358e01bf3ee1ac41bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c5b53ccc54e0368284e173e2d62ebb7

SHA1
116cce0484c64380e55571f2cb971ea155067f42

SHA256
05201805139e1a1b3cd7dbd96d300ae2d4b2b599ff61e3e3ef00c86bcd358ae0

SHA512
b7ff698d68a8dc9f9c5fa6ab346050178c31c4a02c6b0590929031c7370d095147c09a659163352b35dc4b2157df61bf946833f8c0d0cc1c205855d65e642a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e96db48481480de4355615b73cd5ea85

SHA1
278125a95433204b906b4891e97b7afcd389be68

SHA256
4ab6f56cb389e9f7b0c5c4af21e047ced747e35aa3f7e7121e77949bb2b87054

SHA512
84636dd821d8075fd0cba3b0edf284b87d0c837a41924f0d16627dc22c1fa1befd989847dae5a7b24f27c271d62c9fd9736412d6740b5827d7921e63a1002239

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2cb79377c19c006ca783975db44fce62

SHA1
6a815ea275fc2a2eda87dbaeac40194f8a9ab7d1

SHA256
b49cbb7301c1236c9e3e9e74298970b487f1e9b61cb7579787ddf5e5c887f5d4

SHA512
5e95422960f37fb3f4f38382ea0bdc3179f69d024c80145876ea9ff9fed0dcc6a158ec12b158145ae28cd37c37b2879453b8ec7a616caa95ad04c40bfe226060

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
22beabfb792a2e37e5a2be64b416837f

SHA1
07ad25b8eb4a27aa04fe919bc25d8c4c1948ce70

SHA256
7f8f2463759165933dff317198ff202e01b4bdff4af4e72219ab5107fc91a6aa

SHA512
4f8ac3a41aa64785132d108fbcbe6313c0c388b575e8497c86f4f3f0c6877ec1d551037a3cedfc9baa1b2c265708296689d9b312ab8a0259bc687315931901b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
45cdbb7009ba36ccd8c45ba539406945

SHA1
e9b5f6f522032cb3bca3457ad2bbde10b4cf2266

SHA256
b008fff8cb079b63faa75ca05b9affd297df1d12b5c76e886743020ff913986c

SHA512
b44cd936bd3a43e2631810863b03da7fb2240a465503ccc697577cb32570973bc6744c1dc66cfe3ec353150150710de5671a6e8cf77c517fb47db945aeec5c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c4d090dbdb2432037fbbd8de0578467

SHA1
1f27f9a5d2b79c4259c4d58a483cda1a568aba17

SHA256
3509c9e9095f100134baa28280a79991bd3e9bca0f55ac5496f3345914f07ac8

SHA512
c1d72dbea672dda51914f9b5bf89e2b1f544cee5554bd6274d54b941852cb88c7dc4ec3e2ed86e337cbb24f4cf377b5e704bc60385010d9e42833278150b03bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5d393669c0db8795bacc1621cc62e19f

SHA1
cb55b141bbf62768a6b89b32a53829414ea516a9

SHA256
2a81186d6463de71c41ece7f33fe410b081c0a64ad6c59eb167ab13c222c4e7e

SHA512
0b331541405ca80dae995fb5140f3086621940a06fca9a82a4955cf9563b431667026fc8f86d7cf4de6260ea08f58106d92835bc3332f856795775fe7ee4b0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7fef6d02292a0d921d8e1225a276115e

SHA1
a10a9ded96610c133f1998979816a3ce36ccb28a

SHA256
f6198667779cf806bf179976705202432a4ba78d59310e24d956010f9804e189

SHA512
3801fdc09e093613473600211694911732d892c121cbda27079eb19e67abc7742ed0c21f97bebe6a6bd2a9692d4c2eda60d01e969431eade562ac2fa8197113e

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\install\server.exe

Filesize
400KB

MD5
1b419d4159ded45f22772b603edcab81

SHA1
df285c990d0a1628fe033a819b633ad22c1d20a3

SHA256
f436718e43088aebeb760f9fc661e40d0b926089088ceb9fc43f0efba5428ba0

SHA512
e65f7426d6d67a1dbec80f0b0084557547646eb96a31fc43cd1cae9791e812ad8f2782ddd5f159e2c1320836c8067f368229b1f494359908efe0661dbb9c19b1

Download Submit
memory/888-42-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/888-35-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/888-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/888-43-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1920-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1920-23-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1920-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1920-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1920-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1920-5-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1920-1-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3036-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-10-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-28-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/3036-323-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3036-106-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download