cybergate | 4b8d89222bcb168f7fa439d58e79c53523bb08f292f4fb3c9c6abdfaf7e95eb5

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Size

328KB
MD5

a29ef4ff4366d3ebdacb8cac2206dbbb
SHA1

e7549813c7d4f7cca2d9df6434b35e5f4f1bb680
SHA256

4b8d89222bcb168f7fa439d58e79c53523bb08f292f4fb3c9c6abdfaf7e95eb5
SHA512

2d509bb8c783edee2ccf93bd958db22e7f0840dad8d4431b76332fd05898ef796894fa4a7c19a2005ac961e16cae79bee3beca0b01f11fbe100a20e667306969
SSDEEP

6144:miDugssO8z+cuWlL+ZvVDnYx80uzgPs3hTHfz/I8qg+LBRwiIUSjF3q:miDugsDfcuWl6tZYxDjsl/rI8y0iAF

Score

10^/10

cybergate killerfull discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

KILLERFULL

majes.sytes.net:666

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
adobe
install_file
adobe flash player10 .exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Runtime Error 339 component'CONCTLXD.OCX' not correctly registered:file is missing or invalid
message_box_title
Hack Call of Duty black ops Free Edition
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\adobe\\adobe flash player10 .exe"	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\adobe\\adobe flash player10 .exe"	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OBEFT33T-31V3-6M1C-N66N-0356HS31LFM5}	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OBEFT33T-31V3-6M1C-N66N-0356HS31LFM5}\StubPath = "c:\\dir\\install\\adobe\\adobe flash player10 .exe Restart"	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OBEFT33T-31V3-6M1C-N66N-0356HS31LFM5}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OBEFT33T-31V3-6M1C-N66N-0356HS31LFM5}\StubPath = "c:\\dir\\install\\adobe\\adobe flash player10 .exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2444	adobe flash player10 .exe
4404	adobe flash player10 .exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3608-4-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3608-8-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3608-10-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3608-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3608-13-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3608-14-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3608-17-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3608-34-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3284-80-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3608-151-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4756-152-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4404-182-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3284-184-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4756-185-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 2444 set thread context of 4404	2444	adobe flash player10 .exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3216	4404	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe flash player10 .exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4756	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
Token: SeDebugPrivilege	4756	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
2444	adobe flash player10 .exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3096 wrote to memory of 3608	3096	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	84
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56
PID 3608 wrote to memory of 3512	3608	a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:3284
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a29ef4ff4366d3ebdacb8cac2206dbbb_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4756
    - - C:\dir\install\adobe\adobe flash player10 .exe
        
        "C:\dir\install\adobe\adobe flash player10 .exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
      - C:\dir\install\adobe\adobe flash player10 .exe
        
        "C:\dir\install\adobe\adobe flash player10 .exe"
        6⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 532
        7⤵
        Program crash
        
        PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4404 -ip 4404
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
230KB

MD5
12356a34aa25d50faa483b96526dda5c

SHA1
897f745878cc276534bcf260312e2fdae64b40c1

SHA256
320a7f8b48205f9e169e77ed37a5cddb9dcaae0930310a535736cf6485ffb0ec

SHA512
7fbe12d609d903b34ea2527755ad445cad977ff1435dc91b721b0975fff57d007b2a9fc6702898195fbc915289b4f2a3559310353d621f3fdb35c30bd138154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0040fd6b8b1e099ecc01100945d980c1

SHA1
2d3dfa1f2513212e7cad9ad73479a99f42b0f709

SHA256
60cb4c5eeccf9c81fc05ef95e79a5d74ab6439c6ac96966f3113b12bfffa6474

SHA512
d83f7821db06c1931d176be4f70f462682318f62c2f3aa21b165e22c3557894fa86218b0db86e8d8ece5a96437721f4ef2417a7a0ead4721d8155ad23d207c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e091cb7b17e3441fae53db772a9047fe

SHA1
25afb2bc84ba4a7d9e3bd7f58c615c14dd53eb5f

SHA256
aa1eccbe9b61ec4d61a4743313774b1e0d969d39abed4ca5fec793844836d795

SHA512
0af9ef06b9bf18817ae6f4f2ca8cd5e33e7df5856b65f98e93c14341460c3084ab9478203e11a7dee06314f892b9c6a149ee200ea6525d1dbfa3e4272305f1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
daf427338df916cab7a21c520553e326

SHA1
088770f1c3fc5ab0607430d5590cd9e339336c88

SHA256
6ead4aeee9e35d35ac88cd164b87c8dc7c13f60170e792dd6d98c0716137f7fe

SHA512
15297fe2a9144b68eedcbf1fd8158907397184aeed9de35780e7e3e2d9b1471027473e18b30f905682e2563e2cebf05a858fd62cb670ebd8db9216df08168fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8099f0e7638fa4d4f7e02713afcbbe4b

SHA1
a502b99e2f5a16f2f4b784aa8e0bdf89b719844c

SHA256
997dbb729a31d5ae54c0c3e1f88f874d70bbdff8fc83794f36c1c3d7882a30f7

SHA512
2ffb256cb6d634c7152430e0b68ebac5856f702ea5dc2a93f34893cc63aa79916928b23e213e3db6e15c6ee9611476f02fbadfd790f5553d36bef9a9295110b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37c04204d3f419b603a29830fbb2ffd5

SHA1
abfa4e80fde4658f018f010ccf3e1943541c0c93

SHA256
c66eff072f2434733337ff3d2424be7523780c0834544c4acb9568398024fa44

SHA512
b16b7bdc25b2b9fc99cdfb64ad8403c7bffe76d68ba7b096b9e8ff076e9fd798a16136b586ec0bee94e2a8e7562f78d4038be915a025bddf1360b81df4bed071

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a1f5983c85a639be473ee4abb6407fd0

SHA1
d6bef3a904b7d59a2a87ec2024f49938cf4f12e5

SHA256
e75ba4227f0b305518fdea63f9e21ce95e42d4749c26f337df1e976400e06c6f

SHA512
7b974fa1ec69a9625d3f4aabc54cb7cdfa9ab8d0de5af647deacb9bd0dfb2f63408f81e110f28d2aa521bded8cee0fac147db55aeb23e042ad4f5d62c16ec028

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
376cd1fc3cf66e997989064456d13574

SHA1
562f1ccf8efeccfb478a844806b72ce676b2352c

SHA256
3730be71fdebb5b6b28a1b90b7d850bc8b3746a5601fe9b5bb0bb5d2ba9e123f

SHA512
d9f4028d2d60d4305ac236580e46e0830142ad1c58f26be4dc6c2f5af5e7846ab32cbef432a6331304ee0cd5a7e95902f2048ad7f355d4c7b8941d4a2eec1613

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
59207e1a15b5dd3fbe27fbc5f2f22401

SHA1
915db7c714cbf15773208754c524ae24c0e5a500

SHA256
761b950f4a48a95bd0d55a4e5bab21d1de9d23b7394850d9594edec37ca61e63

SHA512
6ceb1c205e0bf381ee85a8ea6ed4b21d4b9fa219bec706fe83555dd7ab44cfb26de2dd8c606ef93298a587d484bd2f61b8ac347739735762383d503069efe2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6092fd8f0c85eccc8677aa5ccba5a657

SHA1
935e45cc53974618e7046aeea99b576a39be65c0

SHA256
ee1c068c8c9540ebdd7b8ac0a5b03af85e29d6660526ecb7fec979708b5a024f

SHA512
6f06946ee68b857c799589255383bb0fdd4723d50e687513f1dc1f57815b37843d652ef46ddf2310e003a5aad629ea4b4eafaa8cd03b2e69bd69280ff6013d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
87585f35c53942d103b2a33dafc475de

SHA1
f56fc896d4ac0ab5447c5d26441fca5a90e0546f

SHA256
74ee985251dfbc48d15249ebce5bb3b91447792e00c53814639ffd561ec08103

SHA512
ff1c8665a62e44496e20d0f131d0d6a2d9e38a5b2def3cc73b6e5cd4ab9e5a41a088b8ea623e8273f9cfcf0833f5e24532e1505d6ee9f4f93a82defbc14ef071

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4979f3bcc7a4aac79ec71ce0f3f31b69

SHA1
cf3840d92bfd20d2b2338c2ebe516d414856c621

SHA256
be065467da9a71b76031a6e05156f69244c8fea79592a3bb531a01037193cbe9

SHA512
f8558877a589abdcc8e6e782a2e9cc9ba1d99d5141ab0a5a679fb225fd09887957766429759db35cc92ce209af7704397f5ab2ae32212578f54af484ad337fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3b2c60a8814a6a0eea37b005dfe2e6a2

SHA1
f87001cd29ba106370339cb8d9f7c1c81662a20c

SHA256
4ea183c627aa40db7bcffee54f3ba361725674160824353b7502394a92f3ad4d

SHA512
6c0f5e8fe1cfcd718f97abb8d7ccb1f1116c156d7741748c8ed67c50eeb70a78cedc42b2e18051287d9b122b8bc24d7dd094fe893c9ff69591a1d3948489c5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f781c67cc0bd3170a0e2024552187a3

SHA1
5180244b35deb30dfa3d768380d9f73f5684d8f6

SHA256
68789ca3d30dffda36917f7443a1b82d00745e9e6d72e3e8c56da1a44e9c2da9

SHA512
458e6bc8de0a94472c56b5f2c11883361140d8a6e32b9bcb97a625f6863f5693b0b6cb532908e9177539cd997960ed2fdd989c5944e75da37391814908c07040

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a98b6cb2713011d3de3475054cd13437

SHA1
10a822f0914275be47aa5861e418800f3e8c2542

SHA256
941f9da66eed4df8451a5bfbaa5ade4195344872fdee2b49d2d119dcb8479034

SHA512
00927c605205d0664ab8c595627ef3df5a770db066900af563fc517f2d955061e8ac5c64eca1dbc55d90071faa6027a395c94aaeebd5b3bfffed50263eb23c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
092304cdad3abff2ba6e05fefea1bf35

SHA1
90b553b38191836bd6a89ca8c839ab54c4a3512e

SHA256
4a485d3525f0a83ad4354bdc35faf600fab51bbf8f3efb934bfe7cc67c9b5e2c

SHA512
7547e322276ff71f84b82bc1ab51e33ffd26bd803ca7bfe04b3076bc241c833b5bbb35e88e929e23dc4dc582a87c1dfb70e58a2b391ebbf6935c7f0458fb558c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
97b46c9b9c14e3fc3d07fe975418da6e

SHA1
c14a22494a4562924e6cf8fa62f888baff8d33cc

SHA256
7991bc74df88d2e66e52219c9e753c68912e41314c18169904bfdd411628a16d

SHA512
813ef1cb5d799151a48ceb56c6a9da3027f938513fe6469300c83110ced18b10d07f5d36fa82995f057e5eaca8331a65a6476c37d53e82c76313ba0b590b6861

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c689ee04c32d32aee935bbe65f919621

SHA1
74e8a9442d2b20d2bdb10cfdffee1402c96b8165

SHA256
de9419b880e4c7fa1477203f857464d013a780a3ebd1e602b430f2ef5f862a0a

SHA512
0f21c0a01309087873d40a9cb99e531aead400d8362ebd51a098ffdd7c45be4a9ed0c977dcef2ed105a48e2be1bced2f8f154cfc386c757ef12ea3ebb8d6e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
54f0c293a6f538422b3c8b9a3bf51fa1

SHA1
9fc9bbd21adc75299e00e32c665d3de61473e2f4

SHA256
7af11777b2e8fff48e1bf7cc3a301d60d1f57d74abcacff3d462121fa385c453

SHA512
f9b7829ae658d9d8c7997c5234afafa01b98ba0849415dc318c9df28ccab82171a01927d402f71775f6124eda1fd08bfb0490ae9344235ff131374bee06fa7a9

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\dir\install\adobe\adobe flash player10 .exe

Filesize
328KB

MD5
a29ef4ff4366d3ebdacb8cac2206dbbb

SHA1
e7549813c7d4f7cca2d9df6434b35e5f4f1bb680

SHA256
4b8d89222bcb168f7fa439d58e79c53523bb08f292f4fb3c9c6abdfaf7e95eb5

SHA512
2d509bb8c783edee2ccf93bd958db22e7f0840dad8d4431b76332fd05898ef796894fa4a7c19a2005ac961e16cae79bee3beca0b01f11fbe100a20e667306969

Download Submit
memory/2444-178-0x0000000000400000-0x0000000000469400-memory.dmp

Filesize
421KB

Download
memory/3096-0-0x0000000000400000-0x0000000000469400-memory.dmp

Filesize
421KB

Download
memory/3096-7-0x0000000000400000-0x0000000000469400-memory.dmp

Filesize
421KB

Download
memory/3096-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3284-18-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/3284-80-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3284-184-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3284-19-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3608-151-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3608-34-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3608-17-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3608-14-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3608-13-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3608-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3608-10-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3608-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3608-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4404-182-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4756-185-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4756-152-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4756-1895-0x0000000000400000-0x0000000000469400-memory.dmp

Filesize
421KB

Download