cybergate | d1d701ef1fb636f2f4ea5c203902cd71e84d42cb67682719dff97d1c0db6dee8

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9b91165c5e0d9005318de842d874dd24.exe
Size

1.3MB
MD5

9b91165c5e0d9005318de842d874dd24
SHA1

992f4ed98ce0aa3e9b45a7c759d1b6e15f248b19
SHA256

d1d701ef1fb636f2f4ea5c203902cd71e84d42cb67682719dff97d1c0db6dee8
SHA512

1862acba207fd0388028c10bec9993cd704d6d8881c4b16df1a1d28c68b685fe5d5d852f896029c81728e89dacd40c648948ae9be6c6b31aa58b437efd867e80
SSDEEP

24576:jJDkqzl9kyUpk3o5l+eKS9AotZzlgOYQ2GPMpnV7lkq/m2hJcax2EOZYgUjWGTd2:jJDlzl9TUp7mcunHkq/m2hJcax2EOZYO

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

Cyber

willcyber.zapto.org:81

Mutex

2A6E4J82EFRD12

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
winlog
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Crypted.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Crypted.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{886E145V-GHY8-6644-556Y-S42473JNRE5X}	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{886E145V-GHY8-6644-556Y-S42473JNRE5X}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe Restart"	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{886E145V-GHY8-6644-556Y-S42473JNRE5X}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{886E145V-GHY8-6644-556Y-S42473JNRE5X}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Crypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9b91165c5e0d9005318de842d874dd24.exe

Executes dropped EXE 3 IoCs

pid	Process
5628	Crypted.exe
852	Crypted.exe
2640	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Crypted.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winlog\winlogon.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\winlog\	Crypted.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000242de-13.dat	upx
behavioral1/memory/5628-16-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5628-22-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/5628-26-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/5628-83-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/4496-88-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/5628-159-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2640-179-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4496-180-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/852-181-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1868	2640	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Crypted.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5628	Crypted.exe
5628	Crypted.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
852	Crypted.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	Crypted.exe
Token: SeDebugPrivilege	852	Crypted.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5628	Crypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 5628	2284	JaffaCakes118_9b91165c5e0d9005318de842d874dd24.exe	89
PID 2284 wrote to memory of 5628	2284	JaffaCakes118_9b91165c5e0d9005318de842d874dd24.exe	89
PID 2284 wrote to memory of 5628	2284	JaffaCakes118_9b91165c5e0d9005318de842d874dd24.exe	89
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56
PID 5628 wrote to memory of 3416	5628	Crypted.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b91165c5e0d9005318de842d874dd24.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b91165c5e0d9005318de842d874dd24.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5628
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4496
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:852
    - - C:\Windows\SysWOW64\winlog\winlogon.exe
        
        "C:\Windows\system32\winlog\winlogon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 564
        6⤵
        Program crash
        
        PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2640 -ip 2640
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
263KB

MD5
fa072c80d06b32086ccb09a33eac8db4

SHA1
1835323325479774caeda723c45b414be7420af3

SHA256
dc53efd2e4857255b0b61f728f806ac0c6b9fcc578ab2f1b2dba4c5d6243a576

SHA512
139b017150a698f7decee15b9e8caecff4ca74475c7b37bddeaa7a66e698382cb94d3e246c65f079ac4672912a02d807547187343715e28a26d11fb4e3a6d222

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
adc687691fbd4f04fee63ea3ea09b2cf

SHA1
64cc3558709ac9206c2735ec949b53491554471a

SHA256
8dbef75b0b76535344dbae418a8398fdbff8d0136a87de45b228ba34acb47015

SHA512
75f761222085cc460e56c67a49d662d9966d9f941ecfeea4e65f6391ee3483f185e7a2638e68e58907c157d0fbfd6d5c242971cc796d1befca06e775848009bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4744aeb634e04ad9a41c41460cd5899

SHA1
a6f0cc7e12951e17b0179162e7df72d3fc4a5b92

SHA256
8a048c455b4f8960fadc538c7ad9acaa98aeccfa23855ec8227b0bdb400de377

SHA512
26f44291caa257775a14576009a4cafcfdf69c865083ef282805757a5d762cf00ad5d7b39e73ba8352e89f9e85593e1d48a51092484e85a953df82411d91701e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0f14835ede4aac034a6022f956aea426

SHA1
4a4aea406223e8060a8ff354dba6690b3a367f8f

SHA256
12548b9c3bb69741489c5a109a63a277570eb9a1fe1925de2f610507cf206425

SHA512
52a3c60f943cbf8a06998ff28876f5545ca843a852b421f17a3f47aca7aa95446ed8f25279309eee113c5dda923c34fc79513dbea6ba7c9d64208e89d3cec044

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4ff76dad7d751534d450af0548b6aa0

SHA1
650882eb37e776c2bd538f0888e931c146c85cc0

SHA256
44ee183d948d7a372ca45824d7e56323e17073be3c34d8eac7c36d8cc1ef085a

SHA512
aded15c76e7cf10a28dec3997b441533126d37eaf3f16a8ac54c7d4bb07a593316f7575f79c2c220b464bd6f796352a2f114361805dd115d1a3c5dbed3e5c33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fc66cf74400c3d867780a9316cf79825

SHA1
3673cc63022451f39be16fa0f5dedd14d244a157

SHA256
08215abcd1ae0e60d8852a0d366bfff7709507a38897362b778d9ee16213f4ce

SHA512
6def54002e4416b702924a000afd3f498e8785b4c2f1b2f46a4c7d12075465beb5c3ec12b1dac0d20a27bf099cd119cae5f1076e1347c9909b69ca28053f5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
34c76a70e9538d7749ba14ab2042fa86

SHA1
e29039e6d62f871a1cce0dbd97b65bc76c1c1d21

SHA256
846b1b02ecc0a374baf82ec8a76e2ccc979af9a245453fe45a984b6bca2ab698

SHA512
cdb44a9ecff6fbafa1f08060bb06fdd98a51a4824a5c390189b3c5a0458c0bc74965d35ae2b67326e5db029eb33af32c3f77cc0f84f0686bbaa13f5c015b01c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8213fba184d2b5ce356cd55e61c2d837

SHA1
ce74d11c26987c08a893ffe06cc45647be4de3fe

SHA256
7742934652d0e7af83fafbf4d4ca9c47ab59557659029a16c7d8893fab798c51

SHA512
12a2ec8e73002d4fbcbd9237bec271f202a5254e1bf11d750f447fcb6fceff426ca6d0fbf096252f9c9d026096ead66a4c80409a00f045040a1aaf9a1c809f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
69d9355c11584be9647cd0089bc9e1ae

SHA1
e75147b278d77d67d584d5839a70562676fbcfeb

SHA256
118bd589096217d944bb73ecd31ac8940013a47a7dcf7180e094416cd6a4cb6d

SHA512
60ffc6869f25b81a8b4455cff3c6644a66d7d0062b3358acb1c6738f2bfe07c433696a3b0e96bd4d60f49736f32cb99283d707d6508af018c96fa5c3ab9543bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fae661d4832ee41cbf4f1dabe958cd6c

SHA1
578c52a6decf703b74d638a6ee2e85d708220924

SHA256
6f9e760418a2c3770b9bd8bc18f45e169ef8582ac03714979bc5769d6da84191

SHA512
631c01bd90dbbfbf6fffdfe10ad8d36975f37a4887d800ec83fb23832f23295c7b49f9fb363dddc0da402863175a6437409549966f61e1f524674842a8c0416c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
25ccc48e88102b9e41d2c4bfe2a518e9

SHA1
845fe74e1bb5c5607d360de649437401fa2d349b

SHA256
2653aa421259d8ebd79df59ef7aa28c456f6b599854d4424dcf5c60a3073b006

SHA512
83d0de4bcbbafc6370d22a488343f92b5a1ab156d4a46e64d9bc99ba6eec4f196ae3b7b64ec27db3ecba700149ccb72eea60f1507fb78f52056c59e357117e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9c69210590dcc15cd8cf41478748f4d0

SHA1
6c68642a97e4985e8929709f53cfc283ae8a16fc

SHA256
f3e1aabb8af62c49d512a80c630d5aafb5f8ce8325e6a00f9f286319aeb1fb93

SHA512
bdd2c3ed901cbb270f7ea915644caf9b1a45d94f5a54582e180513c8f9e19e28477d353d8e36f0ee71d0df0ea449ccc1ae5ee9a7d9ebad377a6e07925d9baff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
46b11d36e437fc4b75e85ad4a48b265c

SHA1
be385f58b2662697d2ca93aeeced6e6e10063c09

SHA256
f0ce1b53e6ff5122ac002f897e3d13fff5524b4d28d8deac6ac960e169ce2df6

SHA512
1a39e7c767d44b511f3eb81f522664bd8f7fa0e66f76c646010bb6a4b0006b044479717959e39dddfb9dac268830701774a0ff8ca772bb110c6ea7843c961738

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d70cd72b5ae2c1c53ee7660ce535d401

SHA1
12960e79a1510bdb869f541c01e91641fc8db0bd

SHA256
f18b85635abf84392193ba2b1f7d1b1007a64c26d3f61b06b82550f3fb33f1e1

SHA512
7a482091f4535091714da44298813994a8054d87c35c0161f612b2a7bd7804c4b0cf37eab8361a45017bbad5b18a0fb4d6bc8d9bc8267ed14873b05aa3e656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
641ccae2d920ada50fbc93b9d5b1e772

SHA1
4dc2e7d21d6c6d6b426e49197de467089892bb91

SHA256
46e9b60e9cbfc0f8a223dc75d80adc3eb039ba46164bca0d1bd16f963caad056

SHA512
6be57ec3df302f77d5145f18d38dc849edac7f7da44282336d2e30d373fd3145c7112c64bea8b3f0538c41d91f2add02c4528fa48ed828ab71b1f61bac4a1382

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fb48f96b8418a968eaa8328ba9d484ed

SHA1
ca5349b350b92498447189185545712ee82b1569

SHA256
8594b97204892ca36d08a5ac5d38b66b6d2fce289c291b502bef560b24a1bf8d

SHA512
ae8badaaedfd6cdc03382bb2b9877b4570d335902d7a81d818d21d4d7b52bfe7c497842516a73cb13649cfab9b29727e794aeaeaf4e7d2563ddc594737dfeaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2a5cbd20a90ce96df7871a53dabc8cb

SHA1
7cf2115dbe5ee79e4f3bcbf7e0d4cf9350fc3216

SHA256
6c777fb52ec906f6cb50c323c4d59010ad43def22e0da834344869a0946591e5

SHA512
6b77dc805172b345a4be46c7a093faffb05a6ba2f11900df693d43a6e8e65ed19167a9e754a310966e0f3a4f203e6489036ec3b94f2b9914f2cceb7f1c84d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e23e8864f4dba4b6ac6645954c4f1816

SHA1
a81dc0c26138306e32b4525e6b454b35c8058c01

SHA256
667b54941c5710e01132d1b8cf6a350ecbbb0a715f2408512e4f99176d41edca

SHA512
4b56b5f103c74877ec675843ee62a30537acb4468257b37df8621c095e3bf8dff4d49c47d7c0e49c2222a98175c464f3940e5c49e4d2e0cdee8bf8f1c36c8d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7435e9b67fa2a61d1d5df6db8c7ce891

SHA1
77a92492b7898484e86df0f90f4e519f132f3dda

SHA256
cd4f1b9ab02ae106790dc96e7a21fa2384c770669abcd4ff5d11623a01b27793

SHA512
9292fadf4a3efad8608c5da5069e42e735c169f7881f4e54bf3ae56241e31f1af7b70c9e005628bf7f8a70ec1cf1420e9a4e5949b12166ac03d6ad2bff2048db

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f7602f887bad8e13fd3795472597698e

SHA1
84786cf5c43ede22f548aa1355d86ab2a1b76c93

SHA256
dc84d5a668fc06c58b80a7c6aa68a1a8636245ebfdab239410ca41e5b84cadb6

SHA512
dc8e4f04e77e1deedb8b404e2f4c2d613131a41020323e88d675e72c147a86be4050efd78f714d0c13e8b069bc479cb23e96eea3bc5c71adccc50409b58933b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4ba8dabf931a519722d2ca3cd05c1baa

SHA1
3cef10fffb0de88119f13c90b492fd7d8bdde67d

SHA256
38cec3dbdee8b6246c5e8247dde8c31a94930865a9f56f2d6ac89c7d40434a74

SHA512
81ef23272432192f4fe9935c5455bd1c559f185ccab1accf7ddf756667dc176341ad16460dfacca1963cbbd8f75779504e87af04d14ab71b39d1e13dae0c5aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6723367b1fa3af201a373e399195b7e2

SHA1
60855a73eed03a2217310a38744ea1ff04a75b68

SHA256
fab14f88713c2385847e1c3a0ac1e04d9120a16c7e6e543e2b2f8a6949183d60

SHA512
1bf42b63224c0d5739be024c3d5fee906380af8b590e1c19632aba7ee61d9c67d90b98620c2e018c5266dd6c39d1fd55c2ca20fc101141d229cd1e0d37c26514

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e469b31b1ee05f826031acf702b57a17

SHA1
92c973144af5278d2fccb2f9b0f7ac38e7f33263

SHA256
911cca2d0a769dbae684de9e17a083907dfb0617f7748567517f2de765bea85b

SHA512
bcfa65f99bec21c84f0f3baf1fffc836378c187327b5dbd24c26cd3a1804c4f3d95ac1d486dede12099257cd364a8dc7df58eeecd926898c77db9bf59f794c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e1484e100839d0b3e9d569081d1058d6

SHA1
da62304c9890edf063b3a926dec1f199105fb12b

SHA256
f62e68c3c911ac16f63169459a25ebded35187e6ca2f022bc785164026c26195

SHA512
587a50f6059d610536c05f149e006b64711c837ffe21ff3c7e1235d7a03a8b4bed33a58869404a1ace1547c51824b15ffac6e8bc913db3213ed473b10246706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7dc06fdd1799c5129f39f4a20b428d79

SHA1
528bfc814a93cfe3d07c7f2a79916a9fe603f1d9

SHA256
5b8d8b1de934765a32848f4e86e612d34083058155e896a29b403b42fb4fbdf8

SHA512
049b90d2f0a9cbc739c52694a684330b5ecb8e859edb521a7aeef6b9cd1c8510c3df08de0b1ca3ca7f36132f72d10395900362db0385011f849b4efdf141ec4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f188e183e28df8d8d35b4f76bcf4efc4

SHA1
437f3f803d26e5d342d38e0c17f7e9836d53fe8e

SHA256
22848c17dbfdc913880a44570c9956719bce4ad1fff8b5ea77f77de6d687e85b

SHA512
27d85fc42461d928e3fee5436704ff0c9a46d440b8087dcb63a2782c8ff93bd697136e7084c4706b47ee819a1436dc28097ee8e014bf82c229edb21cd37b9ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3b0c66a79985ce9c104958c72f25491

SHA1
08bf5e0eb9fd102fcff50a4785f0905042a8d61e

SHA256
c45abae9459135437d3a7946b9cb30266dadfef650e87f7153a266f30de6396f

SHA512
ef9708200627b967aa016ebcaaf2fb8fc418f7f578c1d94f76455426b2cb261442da84b60984dc7bbb669661906229610c1725056f79ff99f935932c19fa9af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a720a752c716f755b8cc07fb93211854

SHA1
66dd147eaaecb1d53931cc86b813834dec4f01bf

SHA256
8f86e967270d8273e6a8ebefccd04817c26dc1447e30f60bb3a73dc0d7fa0f79

SHA512
cfbf310d5e0ddce817587341bf111847fdc3284f44fa79093772f4a59fb63fa012b6791df830ccaf48393a3ac6d7ece1915f4c41d08d5289359829c185ce6a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
14f97851928910f0a952b51bd35df254

SHA1
720ce6516e6a00f5ab8116e98b46f023c92f5cd6

SHA256
422b644e333cb4bad3334b1c3e14195c89a3a9d90300318851853946ff4b350f

SHA512
9537545693d6e5270aedd8fd12f858d4bfd63c094da09c87665afab7031beaaec291cbbb7ef5e223ecc7e56c9f6e78e87c5701e89cd5474d501a7fcccd63c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e5ba4a1b7f52e418f8ab5c81d1b572b4

SHA1
7c33c5bc48ea48a6a9320bc9356b1e9f7fa833ff

SHA256
786c505fad51055e3160f912c1fd55198d214f98d7e313e35fadadbdc85c2596

SHA512
7469a8110bab65eaba96c4654856713200a08c3282d13920f7e76c570733b7dead3805bc18008383b4b140e722ff8b121d5fbd98a52bf1df677808cdeb2216da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08ddf2c1122a956b9277225ebd026bd7

SHA1
62695ec7813bb2593ee2699314ec9a61cc98c478

SHA256
b13ac72d050c8b4c4dfbeec81b6ab9adb103270ee35b4635e6866b6ec34e5388

SHA512
e2ccdce0cdc4d0732fcf8569bd54c790bf35bd32b3536dcbcdec1ec66fd61c7dcb2bf323db27170450bb34b30c9d1d4830c42d65db1ccab71458632985d8da8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fd154599fd06b8228d014bf3cd079b74

SHA1
8c9e4160185926c3b018d2af080c0a1d695b2cd6

SHA256
926f7314e90553f3203feae77881e7c469c25dc16f794503b674cedc33d43ebc

SHA512
89df51c00c2934f3c5c2a81c9324ac6d91b8910045577312f42b79853feff961fee06fc2a77e9e4fb9acb052a8de045c81a24ce52c172c147ca4f00dc57c064c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6f7f1d3e63b0a9fadf147f0a33e54a3a

SHA1
11459bb297d325e4744118acf9a90681f27c9884

SHA256
5f4bc16556e0ca2a44aa9ee2b01c84ba838a36f874bba757834570225e8ad2f3

SHA512
451fdb4fa17d6b4435fc04b52c72e4d7436c17f1d9d2c241a31a781c1a0048682bf64c46b183b1096700ff599d25133214ae9f4c9828af613c20024e239dedfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f7aecded396f1b882a9a975d0a3c4fda

SHA1
00fbdacc6b065ca97349e7e641a4dedb2c431515

SHA256
375c674cb3b608b1475407a3dc80d815a09f4b6a0dc63fe01f70a69ad219729c

SHA512
cce5c3f029ad18401517db73f5ba7aff2ec23e434e4158662682c53a6d046ff1e08f0a4ceb936cb74cfc724a26c212e9a5d5b2769edc2538cd5fdcf77f13f72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4909bfdb9a2894a71c66cd6ed60972b3

SHA1
fa2a52e0e0d3b25fceb69aa12a37031ec6e817b2

SHA256
40c00db21fc17c1e7d6daf25dfe97823a0ac1e177e75ebd6a7c25f5cfd84d485

SHA512
3b411cb48d3b8d72d0ec92604a2815fcb8837afbf617e03e7e070d106becd66934c8febaac80555b66114cab880769290cf41b3169b0be1e153fd689cff626f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df395c8158b8b75ba4cbc4d39a0f17da

SHA1
23782f3c5f42f83dd8a9116efe2ac10c2b563a9f

SHA256
4c1085497afd0f601eee678b2bb6bc79c89b3d2e0d48b88da4c05f8ee921aeb6

SHA512
ffbb6fd6e727c4aaec242f64ec233fe9ba3d5a8a4ef1cb98846059008e3b2b961e929a161afeeda59ea338fe672c69b263488d0f70accd06603c3a67cf3a5a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bf8f855e92aab915ed257c924f17655b

SHA1
dd4a79743519978d4aac283d8b2551ea7385650f

SHA256
bdb58038b7d388984b5ba2cdf61c712f4e80350401a91b8d8c2d0dc9b4921379

SHA512
1ec913cd779da0ee078333cc377ef4863fe28c277741aabe947d66dfe6d74f888650a539b38342397ffc01bc2673852eac56234606816dd72027639301c4020b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da7e16910cb56d80aad1339931195d6f

SHA1
149ba9cc9e29d222a70be939664453f78b5d3874

SHA256
726f34f8743a56fe5e12baa16f15da062292a3e4ccfa781972602a8dd1fa8f94

SHA512
ac2cb33e1cc11075446d22422fa5930979aa6ce7c1d5f2cf55531da2d6e719e3fccbe76eda331749a8da77133f46e5398b3dc1cc5f4c42e176c74414170c515c

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/852-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2284-4-0x000000001C7A0000-0x000000001C83C000-memory.dmp

Filesize
624KB

Download
memory/2284-1-0x000000001BBB0000-0x000000001BC56000-memory.dmp

Filesize
664KB

Download
memory/2284-0-0x00007FFF3B3C5000-0x00007FFF3B3C6000-memory.dmp

Filesize
4KB

Download
memory/2284-2-0x00007FFF3B110000-0x00007FFF3BAB1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-19-0x00007FFF3B110000-0x00007FFF3BAB1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-3-0x000000001C230000-0x000000001C6FE000-memory.dmp

Filesize
4.8MB

Download
memory/2284-8-0x00007FFF3B110000-0x00007FFF3BAB1000-memory.dmp

Filesize
9.6MB

Download
memory/2284-7-0x000000001C8D0000-0x000000001C91C000-memory.dmp

Filesize
304KB

Download
memory/2284-6-0x00000000015D0000-0x00000000015D8000-memory.dmp

Filesize
32KB

Download
memory/2284-5-0x00007FFF3B110000-0x00007FFF3BAB1000-memory.dmp

Filesize
9.6MB

Download
memory/2640-179-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4496-27-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4496-28-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4496-88-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4496-180-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/5628-26-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/5628-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5628-22-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/5628-83-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/5628-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download