cybergate | a1b5162bd9bd6c3a7cd5364437ee6236843d1d4ab5e1484ce26c131128adb9d7

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe
Size

542KB
MD5

53f0ed5f9e43474e706bac0f4cee3a2d
SHA1

01dc2278149efd3deac51d08747bdb88566a9660
SHA256

a1b5162bd9bd6c3a7cd5364437ee6236843d1d4ab5e1484ce26c131128adb9d7
SHA512

69c6a962d93127a5aaec737989d6a44f5a4bdb34b9fca4e4a5b943e2ddeac5a1d1909e4ab57d77c0b400ca73c6493fd4614fd6fe28f87881fb394c8777d52233
SSDEEP

12288:I+uEhTDrv7r2bDmPn5WOstC6kGI8yxnUyeUdWBFS7:IyhSqkYgqn2UaM7

Score

10^/10

cybergate ross discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ross

rossr10.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
java
install_file
java.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345ff
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}\StubPath = "C:\\Windows\\system32\\java\\java.exe Restart"	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}\StubPath = "C:\\Windows\\system32\\java\\java.exe"	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2776	Crypted.exe
588	Crypted.exe
2932	java.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	Crypted.exe
588	Crypted.exe
588	Crypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\java\java.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\java\	Crypted.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001956c-10.dat	upx
behavioral1/memory/2776-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/108-570-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/588-597-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2776-595-0x00000000002F0000-0x0000000000345000-memory.dmp	upx
behavioral1/memory/2776-905-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/588-928-0x00000000061F0000-0x0000000006245000-memory.dmp	upx
behavioral1/memory/108-932-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2932-934-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	Crypted.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
588	Crypted.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	588	Crypted.exe
Token: SeDebugPrivilege	588	Crypted.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2776	Crypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2776	2184	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2776	2184	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2776	2184	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2776	2184	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe	30
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21
PID 2776 wrote to memory of 1200	2776	Crypted.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:852
  - - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:588
    - - C:\Windows\SysWOW64\java\java.exe
        
        "C:\Windows\system32\java\java.exe"
        5⤵
        Executes dropped EXE
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
272KB

MD5
f0dc85b1d4ec08acf7137a14583b889e

SHA1
915e785c5e82263edd3c73e9059df3f7176fae94

SHA256
4a5d94d6e6332ac29cefd6c18860539f59b89a587ea1c505f85cc94d0de89c12

SHA512
07289052c13605127903d53dde6b2a54f59067d4bdcc6f0820ed49df9a9417ba2831e72f4b5e980f8739bdea57b4297b0749e1eb0d6c53562e1c29990956cc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
0374d0365f3d1b07b3d94cb6e019458e

SHA1
398ddac15c942c1427019f247458936bee0691e9

SHA256
98e10f340a119d0086109d58a91828a7472d8d206c070679efe244570f2e7361

SHA512
545e774b4705c0e04212872c31cdd6360a6643e2bebd0fd1f918e73631322db32e9a88bd2fd623da7a0e2c2038ac5dcf11b090115c1b70a53e7e791296b19700

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26f08f079c68f2d2e7bc24f081d8ebb2

SHA1
1236d1703c455d456a56e630ca6dd47489ba344d

SHA256
014ddd98e7d84ebe3a91379c702f890f588df1cee874d1f7b8a201685b8ef706

SHA512
f7fa4e64da4802febebd46063c846fe2d4a5c26434685f29ad6e02d473d481db61a6b11d2536c9456249b70c856670ec72cc0da551b41181b7c0b5b0594992ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d490dc8e956225b7ca4a49bc928c8708

SHA1
812f3bb0a6cbfc2f1c4307bf99decb14399b5a12

SHA256
6ba17da189ff0580f49c7ff58cba3b174d65c5b531cc65e115f13a4a5533a888

SHA512
834ede579d3ae446fef24227a23688861d75d7e4cfa8df33be0a1e87bedd4559c0855612e2f06575cc9f515749784acdfb98f0a92c7faf14eef1fab3f12a9c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63858c5181dda2338595d99dae238405

SHA1
b52493c2e375f332a6e2fa7f0f9dcaba0ea8b749

SHA256
fef4943dbf08f3a0a46a9873dc6111d6c2e1569c6f6257d439a39d29d8606ffe

SHA512
e795ffee33f546633574fc12345a818c24da5da54781ff1378ea48d0b6856e3be5f02fb92bf13b1bf6703514a79b2e8c8df2daf7aa54d61745c62355652a986e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c3b646c4c55e1492df91ce0936eb7597

SHA1
28f64ff6d52afcb7a19761f1cfef3fd9e7584de5

SHA256
bdadf3ed888a5d0d1199777a7284d9c166998183e80f0ee92897eb7295310bfc

SHA512
c377ab62b1a159aa40b3afe18fdae58ed5c58b1b8124a5098b3a2da1277c1391805733ee6d2c06cff7cedfcff2c3890e1d3736f30b639e4e0a8b5feadac3f480

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6c045de3ec1a04656392e58756aa7aa

SHA1
bbed21acc48306f15b132fec8241c8bfb6aab265

SHA256
9d9e1d3cc49af19ab46320de61414a5e2755eb4e92ed4e6237145e633d27f2f5

SHA512
fc0c85d80b7e58c712f00bba77d3f0992d1578e1873cf142439b58c4e0103563961c6d927f746042d3b315924029e7f97cb7084725ba8e72948312d8b0154471

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4dd1d82027dd1c08c4d8380ea1d03f65

SHA1
179997db7afca55e38c1db06a74070e61c0bf71b

SHA256
f9c883114aea40378171fad59bedc6dd77541257c20ff7e3b687390fe0339c7e

SHA512
f9f3a3c79dc70503be31b2c838af3370974f96a5d026c29c030379b01a473c6bbaef1460243822ce4ca8da5805dc79488eecf9fec3f3961372676afea6aa6760

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5aac325010f95e477aa834cde95cf1ec

SHA1
cc1eea79edd6325ef4ffeb4a15ea032000c7712b

SHA256
a1467626cab6f583ba7065295134084afb3e1778105f026ce9ba3a6e2f50088c

SHA512
6a308867e7684e4cb7db0476f38c83e62817823f4bc2c49b882ec733de9eee731f87f618e7dae0ba0e47ce1abc1a5a7b279ee160ba1ef9639f91cd8b44a1cba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
efcd119be8efae3732405af6b15f1d46

SHA1
a6b912692bdb86afcbc6aacf8a69a97759da7ad1

SHA256
9ab69a1ce760beccdf6f7dceee1052b5f3276c1864128ca70a22dad94a44de9a

SHA512
cff4b472a0f5d25230b266686e929748c0055cfb18154d8e520ebd19a8686b25f801661e5a65b3074ea4adf721c007c8cade66dd3c22fe390aade8e8dc53f0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f15438d5fd434afe3a091b661b8744b9

SHA1
3e278b78e9b1d371117d6664eb26483fe0e35cf2

SHA256
71bd560a15f26dcf5044f9158d6f84eb4a95907d0ccf5b75110e9a4264ab37d0

SHA512
8b3b41db20b8506d122534658b50cbce3dfa28744b7dfbe14c1a3816f228f71811dc41176c1521fc889865c29b77814ea9af89617d4dcb5dd4222d7689bae208

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f88a97e00db587def9478dfdcf0fc424

SHA1
1c3f05648ed68a545944de99dfac81a89a03d5dc

SHA256
c85a745dc9342704c2bb1539b6a42d1b1a2e58bed34c63abbbb4c9e72638dfc5

SHA512
331ddec0cf0bd7f93ba6e6d23c3466d45f079da30de0b611626ce1c2892c0e5db498fc626291b965be06d36f076fbeb58c9041ac48f9a66ba9c6f065061d2b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bf98dc42f357eb843f24ed8237a3669b

SHA1
a6244d70697624e9ffa5bba9d8861734d87b4a92

SHA256
ce43acfcbde258453e2522fc3ee997fb2d4cff3bda2d688584e09b216229aee8

SHA512
185a150791111ad75b92c0b8245129e65bd8188ba89398ac5ffd3101a80624a727e19b484b529fe70a27dcf64466e4b6558b8da32ff43bd0a35b9a394235049e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9c443a74f57459c9962bf422669e3c5

SHA1
f5572f83082014184055c4434ac901ff10991df9

SHA256
2d5e1809026c15145b2509f723988ffa1cdc06806445fdee8d5b8f6fa9a59806

SHA512
bc1b42550581dcf2ffc718c50b5e32ab73e5b275d1c890d3db4318baeb350808cf2be95fae68dc89d5193dfcd369ca0bad27053a8448e88207e896966c631205

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a62ad261e7e5f82a69fb2633619934b

SHA1
4bdb3a1a72c6867195443c6bd084fb188881ffc3

SHA256
1288d5a11a28d93089d995a978a32d46fc300543ac8ad64685addadce9d30d31

SHA512
1a0a4557adce6a6517837162ee2294cc429d9822571ffeb41a9943e0c25cf49352539dcc6f72bbdb7dc0de0ee95263ce641b8d4965dd69a1001df5e027e55816

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
45a8f65fae06ee96ca1341ebe822f6fb

SHA1
aea6bc1a50a4aa45c74eab747d22b9ab924c9fe5

SHA256
b8ad3210e17f7bbeefb0718bb3b73931edc1156489f72f5ae7d5f012c26650a7

SHA512
3050ea53e7c48216b0fe8b029a59d62232c42ceaeae6386de059a26f6ea916aaf03618bebbea5e16d263aa10ea60fc19619e55d6b543b8b7f66d699a493af28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f0ccf99d5e481ea4d37d8016d96709ac

SHA1
0bf95ea3f124768feda45b3edb11083f08982714

SHA256
ef62c18c7cdbef94b2ed04deee5c1a181d088bc0eec2f00113d187ede01dbc0d

SHA512
f6af8d4e3323b782cdc0a68dbd271803bfac6f09d7f91ebb818518db5fa2fd97a370b35c13e9ecc9398c38932b5a41b71dc2d3c8142560c68ace6b08aeccfa40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c8ea908603e64db91dd8e95ff0e83d8

SHA1
2c2fcf97a9692fae78d20226beade5c591976ba2

SHA256
65f75c28f9b5c9e1d57dbe04b8619aebc41225836a73afc0e3668f803fddf1b3

SHA512
96146066721d61fd4242d218559dfd6e9cceccf74d904933485cab9aae7498e74c12edd923ef49838bee2b5e1fb8eb9cbc2c26d67c1d039f6a1d9daed92f144c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7bd37fd10243dd3782a6b5f77a2f3790

SHA1
6b1aba13bc598e1d7f5eddc121bce4aa04971915

SHA256
210afc7588d67100c770932578386b07dc1857ada033fe211d9e34ac7c219f94

SHA512
1c8449f4c420fed100e8eab612a925f79deda04da810e5679a45fe3b81e3e8ec18db46ef9b823e2a427d222e33e0255f4ce8b7475092c193f3ad6e61525d9656

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cf2f8cf3e9f80a32ee0231b9a364f327

SHA1
a8f9a687361ebe2291763247e1ee4f0a40a3c0a6

SHA256
a95159b2290d4c696c88b66be6ab63cd83c068900071e815f6b3e7f05f2a4244

SHA512
87b85c79699ff16210dff73df51279a1c02a755a0322c67d453b3e2274a6dbb756e1b31721c985b073ab1b2b8415b10e7b9aeece04fd40228dc4e3b4efea510e

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/108-262-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/108-570-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/108-264-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/108-932-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/588-930-0x00000000061F0000-0x0000000006245000-memory.dmp

Filesize
340KB

Download
memory/588-935-0x00000000061F0000-0x0000000006245000-memory.dmp

Filesize
340KB

Download
memory/588-597-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/588-928-0x00000000061F0000-0x0000000006245000-memory.dmp

Filesize
340KB

Download
memory/1200-17-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-2-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-0-0x000007FEF603E000-0x000007FEF603F000-memory.dmp

Filesize
4KB

Download
memory/2184-3-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-12-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2776-595-0x00000000002F0000-0x0000000000345000-memory.dmp

Filesize
340KB

Download
memory/2776-905-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2932-934-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download