cybergate | cdaf339f2f2ced25d561cbab18fc3c3750df3cdb51728eb3e5f3a7771051aa67

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6908de2028a305b65da810d2003c1c0_JaffaCakes118.exe
Size

454KB
MD5

c6908de2028a305b65da810d2003c1c0
SHA1

c83d695d1ef80ac2048fad7b582a2db26b87b45a
SHA256

cdaf339f2f2ced25d561cbab18fc3c3750df3cdb51728eb3e5f3a7771051aa67
SHA512

4f3f7e6fc9d473c4a583b7f771315345eeaf75cc8e108c04e80729d2e15edf53861e795267a4456fbf4facae29c74c3aeab49f24679de1bfaf6165dff1d91cf1
SSDEEP

6144:ivs/JRlunhpFGzP+XkJZmy/xPAsAOYAG2jzMHJFx8CHnbSd5qoXTunO+zQXIRe1y:V/JAMwQ4sz9G2UHJFx80Sd8oXQriyj6W

Score

10^/10

cybergate discovery persistence stealer trojan upx

Malware Config

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Blackout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Blackout.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Blackout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Blackout.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SD540B1I-3N36-1EM7-KG5J-76Y3602X7FK8}	Blackout.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SD540B1I-3N36-1EM7-KG5J-76Y3602X7FK8}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe Restart"	Blackout.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SD540B1I-3N36-1EM7-KG5J-76Y3602X7FK8}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SD540B1I-3N36-1EM7-KG5J-76Y3602X7FK8}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe"	explorer.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c6908de2028a305b65da810d2003c1c0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Crypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Blackout.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Blackout.exe

Executes dropped EXE 6 IoCs

pid	Process
1400	Crypted.exe
4320	Blackout.exe
3096	RunescapePinGenerator.exe
4572	Blackout.exe
4924	winlogon.exe
3104	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Blackout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winlog\\winlogon.exe"	Blackout.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winlog\winlogon.exe	Blackout.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	Blackout.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	Blackout.exe
File opened for modification	C:\Windows\SysWOW64\winlog\	Blackout.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4320-39-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/4320-40-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/4320-100-0x0000000024070000-0x00000000240CF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1412	4924	WerFault.exe	90
3344	3104	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3096	RunescapePinGenerator.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4320	Blackout.exe
4320	Blackout.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4572	Blackout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	Blackout.exe
Token: SeDebugPrivilege	4572	Blackout.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4320	Blackout.exe
4320	Blackout.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1400	848	c6908de2028a305b65da810d2003c1c0_JaffaCakes118.exe	83
PID 848 wrote to memory of 1400	848	c6908de2028a305b65da810d2003c1c0_JaffaCakes118.exe	83
PID 848 wrote to memory of 1400	848	c6908de2028a305b65da810d2003c1c0_JaffaCakes118.exe	83
PID 1400 wrote to memory of 4320	1400	Crypted.exe	84
PID 1400 wrote to memory of 4320	1400	Crypted.exe	84
PID 1400 wrote to memory of 4320	1400	Crypted.exe	84
PID 1400 wrote to memory of 3096	1400	Crypted.exe	85
PID 1400 wrote to memory of 3096	1400	Crypted.exe	85
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56
PID 4320 wrote to memory of 3588	4320	Blackout.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\c6908de2028a305b65da810d2003c1c0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c6908de2028a305b65da810d2003c1c0_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\Blackout.exe
      "C:\Users\Admin\AppData\Local\Temp\Blackout.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1564
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\Blackout.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Blackout.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
      - C:\Windows\SysWOW64\winlog\winlogon.exe
        
        "C:\Windows\system32\winlog\winlogon.exe"
        6⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 536
        7⤵
        Program crash
        
        PID:3344
    - - C:\Windows\SysWOW64\winlog\winlogon.exe
        
        "C:\Windows\system32\winlog\winlogon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 576
        6⤵
        Program crash
        
        PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\RunescapePinGenerator.exe
      "C:\Users\Admin\AppData\Local\Temp\RunescapePinGenerator.exe"
      4⤵
      Executes dropped EXE
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4924 -ip 4924
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3104 -ip 3104
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Blackout.exe

Filesize
280KB

MD5
b6e7f0b3fdff1748a6f185ade0eab521

SHA1
81db63ec7b20b4601408e9be832a1a9914aebd92

SHA256
eeccc2af5b11a09c0df8d20ac9456d47fcf413f65a60f383347ce60cff4175d2

SHA512
9d7859f2c16453ee7ee3a591d8527c5bbb5a5f03f32fb38f44a0214930e98aa3b27f7a8c5fa16a84443a0316f58dcebf88eed67f2a374820482560b6df7d1b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
410KB

MD5
387528e521032fff732d3f9d6610acf6

SHA1
2eabfdd1944cbc725599cabdd01d98eba392bc6d

SHA256
b173f83dad0427136769c6b34ab2995424d93f79d25e1cc5f19cec39f52960b0

SHA512
428b961db24396f6db0c3e49b69908d0f535f5fc8b5f8700e487c72f37d557c86dba5a34cab3aac7f57337e62d00a83df4c3b38e30377aaf581c1ee54e181385

Download Submit
C:\Users\Admin\AppData\Local\Temp\RunescapePinGenerator.exe

Filesize
383KB

MD5
24a3fb06ebf325ef89e11ea9b0d9f0bc

SHA1
63e6f1f5cbe5bde7a12fd358a073d22e48197758

SHA256
caf615c1644b4ddc9b27ff2bd34c004e8adb0fc82ec8843b3cc0c72ed0450c1a

SHA512
3f8df0a64ba9e6a5151818f1f07b60ab2338e1312193b9fb0887f1b90581697a62a23883e151423d0eef00ca4eb4619a7685dc54c2524349ceebf88909032cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
282774e2959386cea97122f2a55a1e45

SHA1
1e3347dcf79e0e0c7ed13c5cd42a55ee00a42b4f

SHA256
d38f482c7b0ea53169f04194673c0e11cd7b5fcdcf61b3991dc6ccff40516ef8

SHA512
2e89951ead42ff6d2549f63f4123ef09603fcec6b98c689af8d7f8816dec55b359c2d8f2ed23b188526b2a94e00ffd6b7d7e205607e5a45f91a4d0163808283b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1070c7211d9dd0126ae501d33f08575c

SHA1
867a5c217e9f5c027083105260b8a3c06dc095b4

SHA256
4e3316b88656f9699dcd0147638984428543a3e09289268c4e6665e9445345a0

SHA512
3571c0d7b7aaf57e7cf40a88140a33083e0b369f1a8a17d1bf18a989f74e4c2245a6678f280be25d6683569700bc9881359004a7e91dec177455eb5266e44586

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c5aa0ff5e4e09eb97d473d9002400736

SHA1
c9ec384896a6b221fe16954cc1a542f153add887

SHA256
78eeb1ee5b47ebaa388bb8debefe444bdd1ea34472af671427349319ae17c7ee

SHA512
a82bf229659790db160eb607bc2a54ae7822930fbd33f0bb4979b6298ce3d1102b5d9b41b1b55b230cc2f18e0d8b8dea848927e40b2715d956bd0bfacb8e42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c2eed61b46fd0cd31612ac316719d32d

SHA1
236508b1505fcf45728a397f86c926acdaf10dda

SHA256
20e1593de4aa7e134886491bbe0b242bc5dd0b34b8b4675cae120f1748825960

SHA512
35520c132a2c87a6cb4002c9662952c21534b64c44725472d619213b95f3d88f124d695a298bddda3d0e9f0dd5c9fbdc1840d84147bfe7138e58e56b23da6157

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9e72c7d7600db3f6d06a34075f13d4c0

SHA1
bcb5662ca8a88338e4da25f047d8967fd39a7cdb

SHA256
5b4a2f49afc39ca973271b6576c61d07747d106c033dda643e14e3471c61ed46

SHA512
8e901deb59d03235587ce6b2116af8d2733eb26ed35a13f904d6436b310917c93aadadf534683f236715344e77325ea3707aeb59a12083a6a45eb6b6a16586b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8bc6b88646ed4635a861e27b657dc03e

SHA1
b0fbbfb20776050835889c7bd0b322198da6e7db

SHA256
2c75c027964dd76ca3d6de2e32661662742e7d28f3dd144e78ccda8a300e018e

SHA512
e3d718e4ddd0d789c20299ce4d8a350f85da1ab2b8371368efa61b8fac42c01b6d019958c1421cac8354c22223e1b14ebbdd84f96e6bb18ea0b1e7579ecec455

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a49cfee43ac31a8e583f070d0945467

SHA1
4d394de1b725e7d1e519866764e9d474b0526a6f

SHA256
bfb0adf3182b2f974e90a0870767c56b56ad078a3a1f0cc29017e904f7b55af5

SHA512
6cc7cb2288cfd40964ddb4242e3d8f2bfe0ae5e27ec4607987044afae17ff56e94e6b9f814b7cdf760dfd478cc93438ca1146fce41277bf8198629536ad9c287

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2c14ddd5eb881f9c9f9ca4e5f788aa5b

SHA1
e5c63831ad2fa76f9d757c49cf6c90fd81544388

SHA256
eaec5eaa90eebd399174400a789a47bcadab92078a151a8d96f32efb20779816

SHA512
e6be6c574e1fa37659ebdbe2603a73ac5c6e9768d420855ced3830f42c1acb24b317341d0c540de680ec51bfa1f63fb3ebc83fbb13f343c114524d76afad7c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
24b49bfa02bbcfc9078af2e60ed99f26

SHA1
3490373b6bf874dfceaae76f670632c2aabcc689

SHA256
19b928a15e4c905a80a372373a5055be5693bd6d717bc772c3550fcdcbf17c6f

SHA512
e24f791ab15f96c43979a2e4d3f3b8281c076683cb76907b9f72891985faddb0a2bf82c46df2bebb5ecc7b51f6f2d4061dc95f737cfdf0fe4485802f2b0873cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e815b94da2bc5773de962751530c5904

SHA1
06062791cc08a1b1f617de216eebd52fa6156381

SHA256
8d8d527bbbeb02406082bfc0362da1fc24ea29bcc171bb2c7d611c0098beafc7

SHA512
1945767a0deb95a82d2840f683849b4a3b65e323714c83cf2d5c4162ec3b4e92d8dd6a6713c860cb4d5409b560eba0e19cdc6d74c96e316f21599d5cc017a726

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f199aca6bdf6fc758598888d980fda88

SHA1
e2246f99eee3ee031f119b843acbd24ff9cbf090

SHA256
cafbf24cc48c39563e44fd93f90420375bc71a9feec9e6120445f93d4a9ca17b

SHA512
0daa3207339d1a113947725ecb7209b0deadc64e7750c0a3295e6fca8fb64017ecb74b73242e8c2d3459b376978636c112dfda63a84f756337b12279abf09351

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4258816142c3d3cb5500bfc0cca62458

SHA1
769a523fa2743e05c677e4bec0e31c6bc97bd2b5

SHA256
80f9edde3ba19aec96cd20f26305c20b97c91b5ca850afa89b757d7cd22aca70

SHA512
987884800772773f018d9bdfa12c606b01fbcef9fd789953a618b5a61574e65f77d2c20691ce987278f581390cf1c132e1b82728a2d7fd7d9fe0a424ee670e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7933934cf0cfbdaacabc408a8f449ae

SHA1
9875e037af91edb4f0f20257f93df9e58ddc2f45

SHA256
a9e91f0978faf12f491710a19f59d08b31d0cbc66034bfa7419c50cd6b2266ab

SHA512
373f8671e56a2ae798869a844aeea9c456b14b0c129ba1616005d9a42b1315d2e42e377827719abf5bb73a85acd4b44a0396f15cfdc6520bc9fd935851a5baeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1172dd944489a369bb07cae53f3e909f

SHA1
d7f9da5b081df04ce36701d53b682ed28c47d93a

SHA256
9aea39c82963f52b0155583dcd79bd962af02aee25a3a0ad375efa33295de2f6

SHA512
03c07b436681937b8d5f6e984ea99e7e2bf1f2399047d6f1a6f7d062601ff9a3109efb874871bd596dd590bb20e66ef3aeaef97c141842fe948d5b25942ce926

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0d4e667ad38f5f0113425ef0501f0890

SHA1
d808d89a07e1e05cc73c7d41695f5201d07e7bf5

SHA256
87fccf21e9bb5b55f185eea232563db5b66fd7d013359523f4d82664d6679e3f

SHA512
41ef862537c4ed256071aa7f6ab15b8d97f31e32a6245faa25c492712beb2616654cc3f86fc990fb0851fff2bab1cc874d8d8975769380667a46919891bb81bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
442769561acd363aa1221687b0412428

SHA1
83a695f12e4bf87134fdaed9d783cb3b6740e7b6

SHA256
6e29de75b24fd1212496320bbb7814c6e6dc76c6afa6484c25045a81a5f48bb1

SHA512
8284c6a87010a8ca73a761123270a2500748d5de457461f221f1e738a1161b8564e36563ba7c5078ac04a141cc6cf40a7732a83f479df516e6a71f852d159cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
79aba0a5f98e43f32b798ad40b200b78

SHA1
1e8db60fcd5a4faef6f2fd30f678118a454fdebb

SHA256
9dfcd34b888b93850a92ba8986c8bf811a7e6cb3ebfb67e87a581c1a2e727c88

SHA512
32bae69cc2986e5d8778fdef0c3abc3301d54d8538146653de4c86a01e672377ae1038025d5934038a2e57be0b0b1a8abfce91d8b408cb410c983131086b6ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f2d32d8d71564795d5d2025d8902d4fb

SHA1
39380d04901f07e8503abf1db115a5760be1aa2f

SHA256
47681d1cc39010d06713b017554b247ad496d6e488bb6abd0554e493eeadd75f

SHA512
f8167c930727bf47d9f713804520b66f07c5b85936b8b5dc4b955c89ff54ef5efec4a0af3081e6c81852e2a0ad6cc06804812c463d6a8c4441ef50d5c0ba3049

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d363889fa4892fb0e7cd3c37cccb37e7

SHA1
ae458b4c603bc762e88decaf7aa79cc4f8cb1e13

SHA256
a498ce5a7c9fd5e61a20ee6eb14815256fa63de1e8fd58251a754e2f6ddf66b6

SHA512
745da65a4a1d21336a710bdac5b7569eb727d930716ac511e0776c40e5f42a536bbcabf285ab6ac698688cb2e63ab55c7016e9cf47128020a39215bce58ef94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1cc84d088f972c1805cb3122be757ece

SHA1
cd6e25a22058122f6ab0a0c1063d73b1fc563114

SHA256
c0a14f4f1eaddab7b98bd016927c1ba0a5cd94875a1b7a779be0533a1fa20f5f

SHA512
87daf28ae1ed1cddd695e48bec75f816da77fea9a0bd811b64c1e02f160099d602979dd59c61382a698e2cd3a4bdb5625d6f1c81e26d7d62c117831fa94b4187

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/848-2-0x00007FFA24580000-0x00007FFA24F21000-memory.dmp

Filesize
9.6MB

Download
memory/848-17-0x00007FFA24580000-0x00007FFA24F21000-memory.dmp

Filesize
9.6MB

Download
memory/848-6-0x0000000001910000-0x0000000001918000-memory.dmp

Filesize
32KB

Download
memory/848-0-0x00007FFA24835000-0x00007FFA24836000-memory.dmp

Filesize
4KB

Download
memory/848-1-0x000000001BE00000-0x000000001BEA6000-memory.dmp

Filesize
664KB

Download
memory/848-3-0x000000001C3D0000-0x000000001C89E000-memory.dmp

Filesize
4.8MB

Download
memory/848-7-0x000000001CB10000-0x000000001CB5C000-memory.dmp

Filesize
304KB

Download
memory/848-5-0x00007FFA24580000-0x00007FFA24F21000-memory.dmp

Filesize
9.6MB

Download
memory/848-4-0x000000001C9B0000-0x000000001CA4C000-memory.dmp

Filesize
624KB

Download
memory/1564-45-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1564-103-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/1564-44-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4320-100-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4320-40-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/4320-39-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download