cybergate | 12e802f0f99ac1228a9e8d20e69f10b06c634346fe0067e58216ed7f2a693550

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Size

264KB
MD5

be7aa4d49c2a2218d4f89aa38efb93a2
SHA1

cc57afc95384522224a00b21b1e93e350ce5c0bd
SHA256

12e802f0f99ac1228a9e8d20e69f10b06c634346fe0067e58216ed7f2a693550
SHA512

919cf8a5255c76501e0469b605f6afc36bad3ec6eccc3e0cc018c512e627d750b3d59771be7b3ea27042c6be5257006de271c5959c67d5e5dad4753667420deb
SSDEEP

6144:XkkoN2DGukkYj3GOZITj81FGlTNvA8nZH//mw:0k6IGuU3G8ITgKTNvxfew

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

remote

farman.no-ip.biz:82

Mutex

D58407D5XFMRF6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
Microsoft_KB784512
install_file
update.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123!@#
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft_KB784512\\update.exe"	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft_KB784512\\update.exe"	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DP4800-462U-54Q3-083T-M12WEG87P44P}	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DP4800-462U-54Q3-083T-M12WEG87P44P}\StubPath = "C:\\Windows\\system32\\Microsoft_KB784512\\update.exe Restart"	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DP4800-462U-54Q3-083T-M12WEG87P44P}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7DP4800-462U-54Q3-083T-M12WEG87P44P}\StubPath = "C:\\Windows\\system32\\Microsoft_KB784512\\update.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
1364	update.exe

Loads dropped DLL 4 IoCs

pid	Process
1276	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
1364	update.exe
1364	update.exe
1364	update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Microsoft_KB784512\\update.exe"	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Microsoft_KB784512\\update.exe"	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsoft_KB784512\update.exe	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft_KB784512\update.exe	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft_KB784512\update.exe	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft_KB784512\	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2964-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2964-3-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral1/memory/2964-301-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3060-529-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/files/0x00360000000160e7-531.dat	upx
behavioral1/memory/1276-554-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2964-863-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3060-889-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/1364-891-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1276	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
Token: SeDebugPrivilege	1276	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21
PID 2964 wrote to memory of 1204	2964	be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\be7aa4d49c2a2218d4f89aa38efb93a2_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
  - - C:\Windows\SysWOW64\Microsoft_KB784512\update.exe
      "C:\Windows\system32\Microsoft_KB784512\update.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
c7ec60be96d368a449349ceafdb57659

SHA1
f314a36f1fbc6917b91efc4fabe4eac4096ceaa5

SHA256
98dd41f2f5b8ce1480b4dbd2dc3fa69acfb8c658790375a2da940e3dc29b4290

SHA512
ecb18a99109b616e939215638e3b93388931f0697d36a803cb90588ee54bda2d923e0af304bdcc55ff876d7187c80325fd9e0a3be947a9ff27ee61b12746ab9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
774448420722fb026f2180195f280d62

SHA1
0be400825159e4453448c4729773fedf3db922a1

SHA256
1f75e2a91ee7921f7af81f0ea9cec5983af1be7409f94ecf659ad03baba9d50d

SHA512
6d6e08f594672ea0bf2a4900255aafed8349e86962f20c9fdc86df935d62ce6f5c710a8e2ca708597a1fbc8838688242e477251a875dff647ff0ccd622a0589c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4cc737378498c0e03409d274072623d0

SHA1
71711e8d62ecc336e7a474fc10069c9295426267

SHA256
905fd96ca2856624cc06f9b2a845a57e69b9722ea5c01f530aca860632ac3805

SHA512
461d51fc01f026897d2dd39a22521143697b66134c0d99b2be9e3c69a19f5e79b4ef17df53703212c8e0cbee77bf308516c995757bf0a8f70342537472152ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
202b32673a1d2efb9d373dc58fbbd5cf

SHA1
5099e2261ac9d6dfee442a93513478a1414e097a

SHA256
ccfbd1721752dc691603b07f715f01e7c133a86dd2642645e901b5566a294d06

SHA512
6d6c4edded37bafa77f2c1b97ef19651f846423093b6ba481323626ef10df54160afa4c56f4548731ff7eed9d74b05e0ac4f7720717bd375fdc360bc8d955c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b3eb7be05735ecaf57b5f6cbd3303e9e

SHA1
9f033d46bf15f0b911fd3e34c32003de8f195a4f

SHA256
980d1fb6c1d450712e154504d994b811c28dcc9679f5a80eee7c84a55f1f26ce

SHA512
9d2b1f368f6c659729d986cf84c2ffa55965a723ed3c18911f67e9c83109b294fb33411c506aa052350125ef394e25f9bc8c9007b1657cf12546fcf267e45600

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c1da2adaf52c60e79f93ae1937c32ad3

SHA1
adbab55af48e95631c8e34da385dd5c97cacf604

SHA256
989a4d1474def595fa269a9406b8c7e623cb27461839a4d91c54af7ecf970e5e

SHA512
3a3ba8f6878ff933a99d98a8005d70990ea439a3a77955dc2707fc45e0b35ea5163b6febe1c1c40830e875f7a77955f4bf610049862bffe0ccf660b0cf279aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2e6615dbc2a90c3299acd684ad4696e8

SHA1
ac78b034f8e0eb7171597509d03ce1a9ff1d4f22

SHA256
c15b33de20af8fd48ed126b040b2230392e9a26e808bd6c9ed770f9ed18eec3b

SHA512
892e02e3a0a395f1c212607c8f3a028513a74af69c321b03dcfb1ef3bea393222fba034a920946af4d13acae7fc40e47b233483683b6707766f1d47a0bd2b241

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f14b170e19a12e7c2e74e255ae9a2d61

SHA1
bfb26dc46d063d8edfc0b05d4ece7e054d2f7567

SHA256
49d3a5662e37cd3e9b00bec347870609953940ae67fa05fb7ceae9c732cc923f

SHA512
7b36ad78e3cb2ba52b81498d7981a00cbb62a438c39c4f3948653f0850c280e70f535efffcac2521e0ddafc8922c22cb122b31d699e57982fee2942ce36246ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c4db87a4e7f91619357658ec596f12dc

SHA1
15ef2e5da673f21eae21442e032ce60a02fc04af

SHA256
5c8b5b087e53dfe7af848100b0bc83e95a47c1bec58bb04e294ebdd27038934e

SHA512
68bda4ebb40c83299f7271d873a3b2802d768b14588a782bdd83dcc970cb7a64b7216fa8431fb12618aa0af320e23a2217f449d8e6ae43be044197e24878d58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3e576cc70e73b85d9254fafcbb8300c9

SHA1
4ad900c9abfd9e8bc672cf6e61783fbfe0b2bd62

SHA256
25c2d9203e62b5f5d2dbcfb809b474af4a6346764ea7f80c1cdb07350ff410e9

SHA512
7a403c59b524e6c608eddffd2a7cbcabdb86034c1d23b8b6a394f6089a64dcf305933e0f580f783a0070fbd39a97c8d2ab1e745b5f98c983eab983a3ea32ec14

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37e9070baa8bfe74951cba85643e6855

SHA1
32116cfd6400e1a5bf3c78a5b7dddf076e1ab34d

SHA256
f53adbd59642cd6b431211f42babb9f348a3b98ba806f9e9fab367459eec69a4

SHA512
ca410f17d94e5adbe85c35c0e2972775a5b3fea54493a2b09cd712f661da28b24dbcd5f941053ca2ee72447b61a2d9d68075c95b301e21ea7ef7936fe8d19de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
385c0c336fe5fdd6117d09a9f90ef2e6

SHA1
9bb7941ae17e27df00aaa8b3607c4adb9d79b2a7

SHA256
4f87d6bf133cc8027e4041b4df02c290ba74fd21f0a79a7dd2078910297d2047

SHA512
ac7050580b4d6da0d99a9ae9dc1c7adc1e00977536e8444f307a5e8bd577712241c456757b1a8be0a01e87857b94b59b49c50092f5c7d39bce361e34a96d5bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c95c0bebd53ee690e6c21c9878a7374

SHA1
aff1570d75aae6e30c64354459536e026ea685a5

SHA256
2d8720b65a89d3925193f05b47742f01884a818c2c271d83f821200d97bf522b

SHA512
aed952ada76ad3f539456c9fec0480c72d49b60177fdb1f7024e5f771a5bd2b78b46745f0c3471c6f151cad54fc01e49deac63ea0f49675b8225b3cea1b268e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2afcfe603bcfc53b611e29e0fe0e9cb3

SHA1
8c43a920695a2e5b2a147bc145525a55c1f243e1

SHA256
10c4a9f1d6537caf8586fb8f0fcecdcd15633cafe6aec992f5b07ea28b26eb63

SHA512
743d7652601928e78322f79537943c072c743d005075100ba512b64cfc9838c886e2465e5713b5e5f0ef7ccc26504dcf34397fcc05b3af53a845d977542182f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dc4824092dd223dd3462b947aa45a5c7

SHA1
4ec97e9a036f28decda48e282fe8471891544794

SHA256
bb7920018d9512a6f158a9d91419895f7744d41451b4217d719dcf658f81a9ba

SHA512
371a8565b42291b8215f0f766eb595549aa004f9918791987f34fdb2241514838552b93f4630940fa6c5ebff98087f9c0a0797d6d63ac22951a437046e3eb649

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b55a0a9337b6a41506e00553811afd9e

SHA1
464fc7030a47f207d4349df992c34e0a49b74299

SHA256
357b09d084e8ac475675ee31cd2d91efe06b6e0607a3a401c5b75dd37f2305bb

SHA512
ba8bf31be20a79ffade9b15c2b4ed35cd9017bad286fdebb1055ac032253d91518bf338522b8d85f4cf774bf5dc633af189dcb59119205a1edd9691142e0f670

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
225aefd44853f9d36ea5d7831103ba09

SHA1
c32624d43116d61b49eaffb87d3fe5ef8eaee19a

SHA256
9f25c44da6899880694b855de97571ce1161fcb57c2439fa3cbbe0e8110640d6

SHA512
217f2394ff6480adbb5249574d490409c2164944b3965b1f06d364eee41729f140ded7b9f5eec4a19ae07fc563010e8639fae9d145a39ce0285a3b45973e31ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e6a209b95cdc580d34a531820d5892e

SHA1
94de9ce177f2b3ec81a02e9a90984a52a5036740

SHA256
194fcb66219c7ff7d98438806206d5dabffc5126cafce3a35e75ca523ddd5a1a

SHA512
21aa0766d517d2182120dab44c5f5e15d30abd062e3032ecd5004420d5eb71c423bcf6d15b5a9b83edc21e0c06ead4e2384f4b17c9b2e8b832f36b3ef3661d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fc845d5c879057998a93fde40aed99c5

SHA1
1aff8b7f778d6208eafdcd5386128b9101a912ff

SHA256
a807917e4701ccf34563f7893734aaf5826f5a60e139d514ecaa0c805dd7fe6b

SHA512
15d509ab758a51a7c94f292b496bbf7a487497e1ca91e70d1add2ceb8677aa3cded4a262dad1df4321695f4f9e3ac2f978d6c0597bbad5067be25209cae9b014

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\Microsoft_KB784512\update.exe

Filesize
264KB

MD5
be7aa4d49c2a2218d4f89aa38efb93a2

SHA1
cc57afc95384522224a00b21b1e93e350ce5c0bd

SHA256
12e802f0f99ac1228a9e8d20e69f10b06c634346fe0067e58216ed7f2a693550

SHA512
919cf8a5255c76501e0469b605f6afc36bad3ec6eccc3e0cc018c512e627d750b3d59771be7b3ea27042c6be5257006de271c5959c67d5e5dad4753667420deb

Download Submit
memory/1204-4-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1276-554-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1364-891-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1364-885-0x0000000000230000-0x0000000000284000-memory.dmp

Filesize
336KB

Download
memory/1364-887-0x0000000000230000-0x0000000000284000-memory.dmp

Filesize
336KB

Download
memory/1364-888-0x0000000000230000-0x0000000000284000-memory.dmp

Filesize
336KB

Download
memory/2964-3-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/2964-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2964-301-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2964-553-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/2964-863-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3060-247-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3060-249-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3060-529-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/3060-889-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download