cybergate | a1b5162bd9bd6c3a7cd5364437ee6236843d1d4ab5e1484ce26c131128adb9d7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe
Size

542KB
MD5

53f0ed5f9e43474e706bac0f4cee3a2d
SHA1

01dc2278149efd3deac51d08747bdb88566a9660
SHA256

a1b5162bd9bd6c3a7cd5364437ee6236843d1d4ab5e1484ce26c131128adb9d7
SHA512

69c6a962d93127a5aaec737989d6a44f5a4bdb34b9fca4e4a5b943e2ddeac5a1d1909e4ab57d77c0b400ca73c6493fd4614fd6fe28f87881fb394c8777d52233
SSDEEP

12288:I+uEhTDrv7r2bDmPn5WOstC6kGI8yxnUyeUdWBFS7:IyhSqkYgqn2UaM7

Score

10^/10

cybergate ross discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ross

rossr10.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
java
install_file
java.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345ff
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}\StubPath = "C:\\Windows\\system32\\java\\java.exe Restart"	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58P3TQS7-3BFH-7FYA-VI00-B50240D66PS2}\StubPath = "C:\\Windows\\system32\\java\\java.exe"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Crypted.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	Crypted.exe
1140	java.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	Crypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\java\\java.exe"	Crypted.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\java\java.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\java\	Crypted.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023caa-12.dat	upx
behavioral2/memory/3024-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3024-23-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3024-82-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4028-87-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4028-86-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3024-158-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1140-181-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4028-182-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2512-183-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	1140	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3024	Crypted.exe
3024	Crypted.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2512	Crypted.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	Crypted.exe
Token: SeDebugPrivilege	2512	Crypted.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3024	Crypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3024	4452	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe	87
PID 4452 wrote to memory of 3024	4452	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe	87
PID 4452 wrote to memory of 3024	4452	53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe	87
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56
PID 3024 wrote to memory of 3520	3024	Crypted.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\53f0ed5f9e43474e706bac0f4cee3a2d_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4028
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2512
    - - C:\Windows\SysWOW64\java\java.exe
        
        "C:\Windows\system32\java\java.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 568
        6⤵
        Program crash
        
        PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1140 -ip 1140
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
272KB

MD5
f0dc85b1d4ec08acf7137a14583b889e

SHA1
915e785c5e82263edd3c73e9059df3f7176fae94

SHA256
4a5d94d6e6332ac29cefd6c18860539f59b89a587ea1c505f85cc94d0de89c12

SHA512
07289052c13605127903d53dde6b2a54f59067d4bdcc6f0820ed49df9a9417ba2831e72f4b5e980f8739bdea57b4297b0749e1eb0d6c53562e1c29990956cc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
0374d0365f3d1b07b3d94cb6e019458e

SHA1
398ddac15c942c1427019f247458936bee0691e9

SHA256
98e10f340a119d0086109d58a91828a7472d8d206c070679efe244570f2e7361

SHA512
545e774b4705c0e04212872c31cdd6360a6643e2bebd0fd1f918e73631322db32e9a88bd2fd623da7a0e2c2038ac5dcf11b090115c1b70a53e7e791296b19700

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3df1b9beaf63d7448861684726c94f5a

SHA1
ed1221f644d068e2659f431e22dcd756d07c8807

SHA256
5ddca14d3b2ea257d9b8987c687620c11e6b594dad14048bd989abaee18796a1

SHA512
23f1c42f214bb29b7deabc121c5e0f4bb44df34170c20873c3813152afd530ab3172659e64ee8ca4c1ad1ac36d394380c37c7e20aabff676f3f8f207a16cb11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5aac325010f95e477aa834cde95cf1ec

SHA1
cc1eea79edd6325ef4ffeb4a15ea032000c7712b

SHA256
a1467626cab6f583ba7065295134084afb3e1778105f026ce9ba3a6e2f50088c

SHA512
6a308867e7684e4cb7db0476f38c83e62817823f4bc2c49b882ec733de9eee731f87f618e7dae0ba0e47ce1abc1a5a7b279ee160ba1ef9639f91cd8b44a1cba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3142fa1a281841974f08f362ecbee87c

SHA1
f8c1033fc9a0f2a2f6471113991685466c87da95

SHA256
d807bfefd8ca48f9ddee1cc02e203fe6c8cf0fcca89b7dfb6abd797e14a88270

SHA512
cd7b0bda0071064e04106bc25784e66826c347acf4f5deeb4d25c863ddaad024bf90f7bf9139f71ede5c657335e024ed77dbf1ab7cf8290da82bbde35bc214ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
efcd119be8efae3732405af6b15f1d46

SHA1
a6b912692bdb86afcbc6aacf8a69a97759da7ad1

SHA256
9ab69a1ce760beccdf6f7dceee1052b5f3276c1864128ca70a22dad94a44de9a

SHA512
cff4b472a0f5d25230b266686e929748c0055cfb18154d8e520ebd19a8686b25f801661e5a65b3074ea4adf721c007c8cade66dd3c22fe390aade8e8dc53f0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bde798da1c9b836bd4044faa758938cd

SHA1
01e7025445b36e532d3c5b483536e965587ee855

SHA256
c395cbe66db8b424df2db956b707aa0eb10ef4774922baeda515a4ccfbd59c4c

SHA512
ab3d0f0c0cf8e82fca065539f579c682e82981fa9e9bb756a45c14fd8418ed270ed298d96fd9056866c017a2c2a648d43afabea3ecf31e5aab87a9347b90e4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f15438d5fd434afe3a091b661b8744b9

SHA1
3e278b78e9b1d371117d6664eb26483fe0e35cf2

SHA256
71bd560a15f26dcf5044f9158d6f84eb4a95907d0ccf5b75110e9a4264ab37d0

SHA512
8b3b41db20b8506d122534658b50cbce3dfa28744b7dfbe14c1a3816f228f71811dc41176c1521fc889865c29b77814ea9af89617d4dcb5dd4222d7689bae208

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e7b1b032cb8ca6681888e7a4a5b989a

SHA1
f01b3dc6a139d750ce0503767bc6cc71f49b0379

SHA256
bf0261554e8f497d5c9c98082d9243861672a0838e2bdac69f97468d89258823

SHA512
938625413d3d839c5513ef9b118aa75443609980ed5b13a13da854a9d719d2ea5e4a3bd7a23151722e42d0045e3786ef5c671124fd664ad7a3427bdf9323b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d3412a296dbaa91cdeb68b30ee15687d

SHA1
86615199c52cab6a40174ebdb3c593505766208b

SHA256
d3ed829d50505e41d08f1cde8c3a4a50ecf3bbcd010bd97aff16f96761122770

SHA512
708321b3bd7a2ae9d372af4f1247f9e98e030188a4bfdcba4717b7451fd20cdd77d88f80e8ddc5a0ae0dcc93aa4995e86639434d25ef675ead1878102ed3eb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
132125ce1da9f40738fe3c595d5adbf3

SHA1
8b1aa437b301d8834ee9d329ac0407d5e023174b

SHA256
6aa4dbe4db9a2ca3b97d4b402716901ca1827bf312673c5d4b3ef3a3e220dd99

SHA512
e31077eb691104b9d65dcec017d461988faabe89ee5f9821ae93affaeada47fa853b3ae9e0d90231258cad40632eb2d9710e1b4f2dd279b33545ef79874b408b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a81b23a0bf4b7bd9a9eb71030298a8cb

SHA1
896d9a3b3549d85b30ea69a72401ec0b06e8e51c

SHA256
9d862ea34abef2ad973bec75ceb0ba6a8925a8ad606214e9af5732069360f0fc

SHA512
7d57aa2bc893ea8ab66a5af50373d56a6e85cef544067e415220f1a89025063ca7430ab667c15bdf5f523ab30017bb9ce33d5109c4da76048f2e7e9597dbd3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a3e11705652a53f41c8e5786d6020811

SHA1
63c0f02f6c8d8e7ea4dc265738199b7399e9850a

SHA256
8f4c2cfb72b6df6a9473e2ec8c6f04c016dd9c93b63fceb31950f7f61a72e040

SHA512
993c254e866a0f9a099db44a31a68148d7ed85f784f736014d6f859c7d976af200b7051e34ac3865411b25207af9b858c725d734f9ca92c8e62691d36688b51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
164f26f83a83b789f143bbf1a42d9e69

SHA1
ae73ae75066269eecdcc7081b7d84427ff3e294d

SHA256
3975a9966a8569b34ce58d3e4c6ca3e6e970d943cf41f930b80080e0cf39e805

SHA512
858e2acc683793a7f85e87ba64f3a99fd1ee78c1c06334f09a99eb0ac2b331d31639839204cdc2b14159624ad92883b920eab4811f5aa7710e256a569729ad97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
224a1b168f77cbb0f26cbb0f8481f9aa

SHA1
cb7f91805a4104c66a44a4f738dcbd07cae539d5

SHA256
f6a52ced53c94250758b90b6da4a90fc0cded51c9045db718c4b3c3018c9b6e6

SHA512
c768267623ac69c6ce8c661c2a3f4d4c4a04c32986ce38e554fb1579794de5f827958efd8b0d15b12ea9cc793d247c12bf8b069dd4c51f78631d6bdc4de82a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26f08f079c68f2d2e7bc24f081d8ebb2

SHA1
1236d1703c455d456a56e630ca6dd47489ba344d

SHA256
014ddd98e7d84ebe3a91379c702f890f588df1cee874d1f7b8a201685b8ef706

SHA512
f7fa4e64da4802febebd46063c846fe2d4a5c26434685f29ad6e02d473d481db61a6b11d2536c9456249b70c856670ec72cc0da551b41181b7c0b5b0594992ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d490dc8e956225b7ca4a49bc928c8708

SHA1
812f3bb0a6cbfc2f1c4307bf99decb14399b5a12

SHA256
6ba17da189ff0580f49c7ff58cba3b174d65c5b531cc65e115f13a4a5533a888

SHA512
834ede579d3ae446fef24227a23688861d75d7e4cfa8df33be0a1e87bedd4559c0855612e2f06575cc9f515749784acdfb98f0a92c7faf14eef1fab3f12a9c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63858c5181dda2338595d99dae238405

SHA1
b52493c2e375f332a6e2fa7f0f9dcaba0ea8b749

SHA256
fef4943dbf08f3a0a46a9873dc6111d6c2e1569c6f6257d439a39d29d8606ffe

SHA512
e795ffee33f546633574fc12345a818c24da5da54781ff1378ea48d0b6856e3be5f02fb92bf13b1bf6703514a79b2e8c8df2daf7aa54d61745c62355652a986e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c3b646c4c55e1492df91ce0936eb7597

SHA1
28f64ff6d52afcb7a19761f1cfef3fd9e7584de5

SHA256
bdadf3ed888a5d0d1199777a7284d9c166998183e80f0ee92897eb7295310bfc

SHA512
c377ab62b1a159aa40b3afe18fdae58ed5c58b1b8124a5098b3a2da1277c1391805733ee6d2c06cff7cedfcff2c3890e1d3736f30b639e4e0a8b5feadac3f480

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6c045de3ec1a04656392e58756aa7aa

SHA1
bbed21acc48306f15b132fec8241c8bfb6aab265

SHA256
9d9e1d3cc49af19ab46320de61414a5e2755eb4e92ed4e6237145e633d27f2f5

SHA512
fc0c85d80b7e58c712f00bba77d3f0992d1578e1873cf142439b58c4e0103563961c6d927f746042d3b315924029e7f97cb7084725ba8e72948312d8b0154471

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4dd1d82027dd1c08c4d8380ea1d03f65

SHA1
179997db7afca55e38c1db06a74070e61c0bf71b

SHA256
f9c883114aea40378171fad59bedc6dd77541257c20ff7e3b687390fe0339c7e

SHA512
f9f3a3c79dc70503be31b2c838af3370974f96a5d026c29c030379b01a473c6bbaef1460243822ce4ca8da5805dc79488eecf9fec3f3961372676afea6aa6760

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/1140-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2512-183-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3024-82-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3024-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3024-158-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3024-23-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4028-26-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/4028-87-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4028-85-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/4028-27-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4028-182-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4028-86-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4452-0-0x00007FFAAC365000-0x00007FFAAC366000-memory.dmp

Filesize
4KB

Download
memory/4452-18-0x00007FFAAC0B0000-0x00007FFAACA51000-memory.dmp

Filesize
9.6MB

Download
memory/4452-7-0x000000001C320000-0x000000001C36C000-memory.dmp

Filesize
304KB

Download
memory/4452-6-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/4452-5-0x000000001C1C0000-0x000000001C25C000-memory.dmp

Filesize
624KB

Download
memory/4452-3-0x00007FFAAC0B0000-0x00007FFAACA51000-memory.dmp

Filesize
9.6MB

Download
memory/4452-4-0x000000001BC50000-0x000000001C11E000-memory.dmp

Filesize
4.8MB

Download
memory/4452-2-0x00007FFAAC0B0000-0x00007FFAACA51000-memory.dmp

Filesize
9.6MB

Download
memory/4452-1-0x000000001B6D0000-0x000000001B776000-memory.dmp

Filesize
664KB

Download