cybergate | c134fa58a35c04c0475c3c8f3746f8f978b4f3e8e6920aaf8fe3f1230806886b

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe
Size

1.4MB
MD5

60a9e86c4b77f46f58ec5f072ca0a2ac
SHA1

680d2139c24cbf360021c5f03a74e06efe53fe72
SHA256

c134fa58a35c04c0475c3c8f3746f8f978b4f3e8e6920aaf8fe3f1230806886b
SHA512

d6b7a411887a591732d31b55f21575937f808e259456d06b4a5569c1dc51f0526d8dce00a851fdf6525971cb63093eae908bc9d33b83ae92e1c9f815ff6dc8e4
SSDEEP

24576:2Lj5wuSgemx/+ZEl3mKJQYjMR4HADMINEclhUCNxd08adN0m9F+6MU8aGxu:oVwuSmx/+ZEljJNjQMahXNk3Km9F+K7

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

192.168.2.12:1020

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1020

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	GAROTA~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	GAROTA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	GAROTA~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	GAROTA~1.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	GAROTA~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	GAROTA~1.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GAROTA~1.EXE

Executes dropped EXE 6 IoCs

pid	Process
3828	GAROTA~1.EXE
5016	GAROTA~1.EXE
4388	houdini.exe
4416	server.exe
3964	server.exe
2316	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023c77-5.dat	autoit_exe
behavioral2/files/0x000a000000023c73-13.dat	autoit_exe
behavioral2/memory/4388-18-0x0000000000400000-0x00000000004B2000-memory.dmp	autoit_exe
behavioral2/memory/4388-59-0x0000000000400000-0x00000000004B2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 5016	3828	GAROTA~1.EXE	84
PID 4416 set thread context of 3964	4416	server.exe	88

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4388-15-0x0000000010000000-0x0000000010096000-memory.dmp	upx
behavioral2/memory/4388-20-0x0000000010000000-0x0000000010096000-memory.dmp	upx
behavioral2/memory/4388-19-0x0000000010000000-0x0000000010096000-memory.dmp	upx
behavioral2/memory/3964-48-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3964-54-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	2316	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GAROTA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	houdini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GAROTA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	houdini.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	houdini.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	houdini.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	houdini.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	houdini.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	houdini.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	houdini.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	houdini.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	houdini.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	houdini.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	houdini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	houdini.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5016	GAROTA~1.EXE
5016	GAROTA~1.EXE
3964	server.exe
3964	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4388	houdini.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3944	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
5016	GAROTA~1.EXE
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe
4388	houdini.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4388	houdini.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 3828	4128	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe	83
PID 4128 wrote to memory of 3828	4128	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe	83
PID 4128 wrote to memory of 3828	4128	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe	83
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 3828 wrote to memory of 5016	3828	GAROTA~1.EXE	84
PID 4128 wrote to memory of 4388	4128	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe	85
PID 4128 wrote to memory of 4388	4128	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe	85
PID 4128 wrote to memory of 4388	4128	JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe	85
PID 5016 wrote to memory of 4416	5016	GAROTA~1.EXE	87
PID 5016 wrote to memory of 4416	5016	GAROTA~1.EXE	87
PID 5016 wrote to memory of 4416	5016	GAROTA~1.EXE	87
PID 5016 wrote to memory of 3432	5016	GAROTA~1.EXE	56
PID 5016 wrote to memory of 3432	5016	GAROTA~1.EXE	56
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 4416 wrote to memory of 3964	4416	server.exe	88
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89
PID 3964 wrote to memory of 2316	3964	server.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a9e86c4b77f46f58ec5f072ca0a2ac.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GAROTA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GAROTA~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GAROTA~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GAROTA~1.EXE"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        7⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 76
        8⤵
        Program crash
        
        PID:808
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\houdini.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\houdini.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2316 -ip 2316
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GAROTA~1.EXE

Filesize
982KB

MD5
6f2d823c1cc85edb87df59b070c72507

SHA1
69a10539fc51771c402eaa49424b8f3980351e45

SHA256
80058bea65c5b2becd1d2c9fa1d24337364246e3ff8807775bfea20516dc6838

SHA512
a2d200d63a04c6accab9c21a8354dacdb7cbe60c647fc688dfd2e6db5b51c256c2080a07161fc8e5b4e1decf305b224f311eb6768b263db6357b60238a36766c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\houdini.exe

Filesize
1.2MB

MD5
5498e1c4d2c4e312781079b998a2fa62

SHA1
908e1967f6c11f11d52151dd3720482b6c50536f

SHA256
9ad1d11d144fbb22c50a2d11b693686f0c68db1548a7ec8f561e619ef723abdf

SHA512
5ac8d690ec8e53a009d6610d7103123b170951a11798b87f78fdbfe65bc22224a694ff11977304474ad45b5e876c84b6361a1702ff7f3477c311f849f3597971

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
325ac8c54831ff744a98a21c3de89eee

SHA1
01aa5a4fa0a4b213fd377b2d06b99b2edceaabf0

SHA256
64f5157737363729bfda3ddba8bb913fc91f26fc43d2a72607fb35f1173418a2

SHA512
9bd7ae1382908ddb3a1b5dff74931d5f67c679a83fdcd33b35ef9ed12bad3e182c5a681ad9449c179537f5f66886d630cf79e5348129133dbc9689d0c24be813

Download Submit
memory/2316-49-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2316-50-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3432-38-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3964-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3964-54-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3964-48-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3964-45-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4388-20-0x0000000010000000-0x0000000010096000-memory.dmp

Filesize
600KB

Download
memory/4388-19-0x0000000010000000-0x0000000010096000-memory.dmp

Filesize
600KB

Download
memory/4388-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4388-15-0x0000000010000000-0x0000000010096000-memory.dmp

Filesize
600KB

Download
memory/4388-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5016-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5016-11-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5016-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5016-7-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5016-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download