cybergate | ce3c83cb9c09169ed7b2b4f5cef17eaa5d24f0ba11ea73755591515392342b15

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Size

345KB
MD5

6a86fa4caf935d582001c1a4b3a2cec4
SHA1

f13f84862e118adb7558b76b24be1f9390e61872
SHA256

ce3c83cb9c09169ed7b2b4f5cef17eaa5d24f0ba11ea73755591515392342b15
SHA512

271df45609e0d5c9fa24d2463f22fa25f1b2e8007cc62d9323b7192c5296152593d8c7103e00f840b6b1cd40812eba8ee0fa0e8a8897f918fec0959fac76a7cb
SSDEEP

6144:xmcD66RY5JGmrpQsK3RD2u270jupCJsCxC3ID6hG:EcD66jZ2zkPaCxn8

Score

10^/10

cybergate server discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

127.0.0.1:4925

jlk.no-ip.biz:4925

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft_KB57H43
install_file
Microsoft_KB57H43.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
This crack is for a diferent version of WINDOWS. Please visit http://www.warez-bb.org/ and download the correct crack for your windows operating system. Continue anyways?
message_box_title
Hide my IP 2009 ERROR
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft_KB57H43\\Microsoft_KB57H43.exe"	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft_KB57H43\\Microsoft_KB57H43.exe"	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7T7807O-8F37-V7EU-7HU8-FOSMJK02OV5F}	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7T7807O-8F37-V7EU-7HU8-FOSMJK02OV5F}\StubPath = "C:\\Windows\\system32\\Microsoft_KB57H43\\Microsoft_KB57H43.exe Restart"	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7T7807O-8F37-V7EU-7HU8-FOSMJK02OV5F}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7T7807O-8F37-V7EU-7HU8-FOSMJK02OV5F}\StubPath = "C:\\Windows\\system32\\Microsoft_KB57H43\\Microsoft_KB57H43.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Executes dropped EXE 1 IoCs

pid	Process
752	Microsoft_KB57H43.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Microsoft_KB57H43\\Microsoft_KB57H43.exe"	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Microsoft_KB57H43\\Microsoft_KB57H43.exe"	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsoft_KB57H43\Microsoft_KB57H43.exe	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft_KB57H43\Microsoft_KB57H43.exe	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft_KB57H43\Microsoft_KB57H43.exe	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft_KB57H43\	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/680-0-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/680-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/680-7-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/680-25-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/680-65-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4760-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-72.dat	upx
behavioral2/memory/680-140-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2316-139-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/752-163-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4760-164-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2316-166-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2316-167-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	752	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft_KB57H43.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2316	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
Token: SeDebugPrivilege	2316	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56
PID 680 wrote to memory of 3556	680	JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:4760
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3184
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a86fa4caf935d582001c1a4b3a2cec4.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
  - - C:\Windows\SysWOW64\Microsoft_KB57H43\Microsoft_KB57H43.exe
      "C:\Windows\system32\Microsoft_KB57H43\Microsoft_KB57H43.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 564
        5⤵
        Program crash
        
        PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 752 -ip 752
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
230KB

MD5
46f05ab126d3f061158e1eae5d5f6b3b

SHA1
ffe5daccf0bece76af3d6edacde5de12b7e3f8e7

SHA256
b6f3f2358dcb1ec374b57050c902608a9f3c5c8bacce12523ac5ae4aa5039e13

SHA512
fe092b348e04495027b18e0297d1971ba807203ce6829a7ce5db2402929dace214f02113b5edf84278f1efb036ef0bde4c97d6599379e363c01bcceb70ca9959

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f0350076de900ea100149bb0edb316c4

SHA1
0e3a6dc34e6beb2259f7b0015ffb39d2398eaa1d

SHA256
ad3f1e4ea228bb205d445fdf0b2058b8fcd23a2d95053ca92af92b00589a51aa

SHA512
f55cd593ec3a3bc548aa930d5633d7feeb8345936f673856c02079cc677df2c29d29de252736499b7f748e267163a68019ff7469d8530a1e9e65d04284d6ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0517742a6e04b66f5e42fe8bb429b345

SHA1
efde6319e58ba44d13587e1ac594c896edf86f92

SHA256
c6465f15257fd1df1fa804c7b74c48bf37862759c48c1ea9586c07f68b355937

SHA512
1c45694d7aab418e4d6bab4dbdf54ce5e32193fad66b028a6f55073c652e785aa47ec67aefc95f1287c4f38d08ed39b370733f79a1d2400701cefcbfd05d0233

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
78b45769ddc0d0310ab0a0e1f15063fb

SHA1
e3b56e268d77882cdeb5da62557de1a31c933828

SHA256
95481bc74188dc4a22aad29992fc8ffce9a7e8b20d4d8106596cca57476edd0d

SHA512
90019aeabce602516d7b8465ab3697f0ed336d48cca08f87b240552252e7a1559bca6dd3a741dfea88c010c77e4296ac266dc68fdb6cb69fbe0d8d10e8bf901a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ab21f300a385c84cb2ef1d24764a0f46

SHA1
9cfac3d2d3d7f495024a39f0723d7dedb22ebc07

SHA256
390876c033eea1c38dafa6cfd43760d414ff615842cffeb35651820067cc4767

SHA512
596863aac65fbdf7e74b579c4cee02bba1d4df28512533b23c7ccf7934fc0eb115d371f59aa9a2194684e292430bb2c621730f11f9819e453e65321438c83240

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2a91ade73b9b89dc816167ee5b3b1c6

SHA1
2757b9a5ebc93ed7de3cc1ff244707f6bdd20c3f

SHA256
eee5b00515c03e17aee5bd3fbe6bac8e0c224bac938e8cea4027e2a6f21c5668

SHA512
4f88ec925a48f0929be27b318603b75020c98ee7c4c1983a23b7760096e4a75ba6e2fcfc0ddb301fef885293c9152e402316dda6be47064dbd0185c2cd3e0603

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4d881317777eed3ffa43be0f0decf6f7

SHA1
35595198e97a57ba831ff40348aed8178ef82704

SHA256
0febec6c04d8a362bb9b22f0edc4c8a575f9528e6f1cd122b95d0df532f94a33

SHA512
8b2cf6a4b278c1aeb6f8b9505255f5b86660e57db2ccad38aeddc5386af5ef640c26205955315f5f0b90861c8348a806fefe716741290d5eb5d16c885a20b776

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d96e90f2749c44e00828c9ed5070194a

SHA1
ca4a15677aefa3621ebdcc12c5b6432e11065f4f

SHA256
0b4e1c655c2200aa72f7e7f63234803d92161bc0734262f63b28579f5a884fde

SHA512
ccd45fef01705e99fb4f9931a3a676c0ee8079c966971bc8bcbb04b76d8c864ceae027aa12f3337885aaacefb05840dec05571b5fa9052fac7435b95e336b436

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5af0c3e9a9933de2693ec6934b035eb1

SHA1
e5e045a955c1b8ac8fcce34e156258cd7c71b773

SHA256
adb792f59bd35f1c9bbe13dad59f47cdbae0bc95ca1c6f371d320d38c830017c

SHA512
ce4e733f1c8dcb145197b27d741b28f66469c866a3b60596bd28473deeba639659859cde78d9cc05fedaf962012d55e76dcbfe6afd09866edad06ebc7a031887

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
594de724d1a17fc79cb1ebd2763c8eb5

SHA1
00615bd971ce8d91d5ec5aa49756730b75c517f3

SHA256
4590c8ee0a1e417833390fc5de76e1c4fe866398af861c91be19a6e5f895b2ea

SHA512
84b50e63eef18e9601fecf72a681e97e116ab3756c65c4ba738ff69b756caff045bcb619d8ba3091e755b10d094808f712611c1157209da9b0d6df9c839c070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e46618281cf20d973fca3ad5c670fa7c

SHA1
d9d62731a481a84311f9f914cdb2d259f04ab17e

SHA256
29577cdad046de7bfc9fd50535e1fefa363f4f0e810075d6badf6536bef99db9

SHA512
411743230cfd850121bedb2f4b624704e5b04267061d49e61ca5166ee36717b27199de88e54f4993e356e54fe5b3f916cc4f1508fa1fcf2db5657c18b0d421ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1e1c6dcda647bf8c62bb7cd85f587f3c

SHA1
39320ee784e3a536b038c313a118f18419fdc6e3

SHA256
06943b6d20db0b79d25e52e4b9b7446270f584e1cc56577e7ec262e773b1f06e

SHA512
47746632d1bff59e8638b5dd3b057624f2d478a3a05f28bf8a3d5065de3481cf6a84a14bad47fb38acf1c571d0824e72f4d2f375fb227f2dc9847eb5258ec2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9b3f9286a205ceef84f3b48358a5fa6

SHA1
def55d76b137fac5e41326f22d8831ae752a3374

SHA256
17fe79e90e96082dd12b6380922391c54f7592e677d0be8861fdccd82a93109f

SHA512
b0c0b2a828d7d6b87e27645ca2a11560adf6ed679ed091565a54562a48d3c5d95889981cde296719e17e87a7b1d04204827d27328aa589f3f220949d3a760f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4097580778e47c931a4cf0ad43214c06

SHA1
3e5e60e9c3c7f5b1f234313851d52bfe06a0cab2

SHA256
e11c5463f554b9080889d41a34510364a0059ba7beaca98e6aa608e4a38ffe5d

SHA512
0dec740d94776d8aa23614d1371d401782f044dbc2960606f20cb7f43ab63800c47682188098a2c0a915f2cef01650d5c32d20caec21321bfb7e43bd99d2358f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7f047df5f18cd6084cb1a5fcd1b31f6a

SHA1
aff6c544f0929ab95b5609af564835a5e6cc6956

SHA256
df634cad13eed39a1bc94cf310b20af091d1e09a2cfa05e690b6b48e105b52dd

SHA512
1444cb97f06e4c90c9350e90bac758f87ae0263043ff421d3ef86a54098f8d1e03e567d5a1e1556ec4f1731725223fed0bb13c75dfac73310a299e110c061bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
92366d399cdd75081b58b2fc6e08fa5e

SHA1
95f1ca8abb61591f93e7ac517ae0965573785382

SHA256
6c2f0c50c8d5df63927a1731010685760dc556b0eb10fafb746054f42a00fae2

SHA512
7704fce8d2a3bd2769f757bd43659e3bddb313746b9e271fa281e74e2b70e179b21ccd0ba5eb496e3f102ca5b8dcd62db40c5ef0b70151efd43c961c924f3665

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4fd08cdced143e4808634c703b127787

SHA1
86ef7a6a8fe1bdbd897877810d203a3fc8d41d20

SHA256
ae65452a8f2fae8eee05bd94d6bd949645b59fa5406219143a4cce758f15c5f6

SHA512
955f555fa2c4a1180f7c4ca536a8eed0182a7258d3f0cadf2e3120b81e474efa634c81ce6e1dc6490e598f42131c748a2888b4725c43bb7f63e08d3cf5c41896

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
665470e97ffb6ccd86a705a2be156a95

SHA1
24eb1afb0f52449f6f8a121b79c215ec0fbe4b69

SHA256
aa896b5364920cd830284eafda6404b3a8fadbf7231f96e6c97fc833483955f5

SHA512
87f5aa0a4d933f4ae6818a14e1a18ed923aad13c896632371084ead68caff1854c7467e87445de0f3a21561723bee5ccbb43beb02a93ae00f416150c597a7fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
410eb82576e05f8afee3cc596c31a91e

SHA1
d03b9e1ab96767223465453a89c3a1c4ea385b60

SHA256
34579b2319c15a7a8f5c7436c0581b077b9976437f23a645392ef297f877b0bb

SHA512
b2c9905242eef03e9c99339e17124cca9f2f405a2f34d9e115ad082c3548e8f1f9ced2bdc2e2f6ae66a81dcfca55ef41fc59ecc8bddd389ad7dae90a6f7ebe53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7959a4f0be791419abe4233219c1e963

SHA1
87f8a7b0163d6006f043a852692dd967aac29452

SHA256
f8eaee2a29b3925d411139c4cab526a5e046cf0c29cc1a465bc7f7bba2496725

SHA512
743e77392d8d691c1c603fd66ba94401279924101bceb692071ca89ec7c5e0c02f56413bc81785656d8431b799bcfe8c3e6c6b99286fa025c6345388191844f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
05adc93c386d9cffd94254c5fc3fd414

SHA1
0262ff77a644f5ccdf26609f75c3708b67a7f3be

SHA256
18bcf7f8e3f30549e28d051a0576222f5bc167db52d0f749f87df2953267009f

SHA512
4ea08679723f609ce39eac50e723320da4771fd7125c930f602cd6792f24a1dc64838e9ad453a52169cfb160acaef35fb60d91fd5f13b08648bd094c360097d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
053e5c46e3ddace50c07f7ea2af6e52e

SHA1
e280d75751478c700bb047c7c6cc6676f264d40f

SHA256
d92626cb5d313a82d3e193d256eaf00ce6ec0f25f7f20c494b5b90c8cf29e726

SHA512
a978562277c344b95070d787e9d48484eb51afffa92bbee41cb3d78dd96457fbf3f57b69719469a59f7c695cb006a636ff537b0ec8807c894aba4be834a1d9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ad9e0b454400ee11d560d361b203bcd

SHA1
4dbb15992ad80faf392803129c7ef2347164a676

SHA256
013501d013c596ea77d59afdd14661241915210b62de666caf0fe5e13e0bb414

SHA512
2a1795b356fa943936d3fc1e438209ec5629d0ccf15cf20347a4d1c1cdcc51fb5170769728986267122bbd0ff7357496b813cfa5841a0728a62041d25b6852a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b9125af20b4a67c4baeacdc4be672543

SHA1
9aa0a030ab1a9e1ee844be026e3f9162a852de05

SHA256
067cbb62ba52be2fee1489f8fb23c422e603f0fbaa00168e10d3e4a78de54318

SHA512
7f2859603b1d79989d741886fabd76c25734f2d725e12a4c753e387cae3cffcbf982f13469a529eb4471cd5633429af27084ce551d192908ea547506e4c97028

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bd531891740e7947a5ff3b1b82be6353

SHA1
be98afeada08eaf6692e188b8ae7212ef20dbee5

SHA256
3b0e591576f0a475ce176ecff1387a41fc69e6b1b7eb757545bfa03b33e180d3

SHA512
2fbf2430a7a163218d13b9a5040e3bc5c4e019e47d1ef7d3b8fbb6058cf04a1928f224c6dd239d37be5a75218ff65977ef777eef422defb47d8b1b95b2eb750c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
09ef240aac617737f2b348bd5c1cbdda

SHA1
00de5183f0356be48aaf0cdddf14cb1c06cf6d6f

SHA256
545ff7bb2aa5d003fd60a7bb707672dcd6b1fdc2739e8a9621057073990e9a4f

SHA512
1e9d6b24cfff0866e0d193d5aa501aa364b88744df8fa089f2a34d07fbac96058563ed7272ad59626eebc0747787f5181822c88c395905ae4fb3580ff2ab4625

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4b202ffa4241f6bcbce317b7950b7899

SHA1
c1c8c81c22c66b2ab831bfac625e1c30a120035d

SHA256
81a22cd9d436a171a27516a152b6e4216b8af16fb0321d5cf7fa0f9b953b2dfd

SHA512
04aec77102acebd08a7b3f227f426f7a3ea51a9fe36ece7877bf21ca4fa8f7f1deb233c94f960811a498de48bab98b5692ba29227fdb602a97298b5e1071c1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6df1f69327875d4c267cdb3f94504155

SHA1
7cf98f21cee8946502ee1f30cee8a276085cc864

SHA256
81247e42b66d26ec906f61d3b3b4551339a0320ba0f4fd1f82ee471526547f2f

SHA512
5ab97096a7cd7940acb04a2d0a6764e5871da2d02890e4ec108f3aaf99e7806ad88f94dc87f2af011abb6763e00cf0b07c1a994a5fab31dbf94c9a468634a1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
29a02d647bdf94911c1d7cbc99156994

SHA1
f98f6249bee7a5a78df6695c952af76e927c944d

SHA256
78292f21c07b992bd39c5d07d6c9d13b846eb931304ffbd6893f08906755c403

SHA512
e4569a8c2d12d381c59edb4d47278c0465d71e1f6ad1369e5f0cf04fed6dd674fd0f9fe700b733f4146310ebffd3998002e2db29b8e3634d00deda898d0166c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aefc3654d5066a267c9b13de4fbc9173

SHA1
b74350395ce3d4eaa3aa692bf15e9d07570aa41f

SHA256
2427171ee7d530f09881936c1b1140dbe8d43e704ec6e932629db43d8c5cadbb

SHA512
c0f13a037b977022b79a298c2a8df8bb7ce2c43f3e5dfe527d1fe9bc5ad29eaf889745d352c692d291845b230dc48ab3f034657f356568edded343925af4f2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13999b4e1a92fd4d5be9d423b4a6768a

SHA1
031bc998e909e4d877cb07fb6e17c2b15e6a61aa

SHA256
e16ae827c0bd4dba466080c3735651fc1c348f4e2ef8a935de2385133e02f3f7

SHA512
ae8f24ce30b6fa64de679ef326e10f2e5199d76915fb2514d13892d750435604d956b717295a99063ff282dcd4bfecda0af447fbf907172922ca1dc762ea57a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9a8e243ed583b6d170b01228ac06450

SHA1
b5aa79d35566d20131821ed7ea44c8df9d1db20c

SHA256
3bb1a9b9b982cb0e117e197e47afceefbc6c4f7310e68d0de2056bc8c10a337f

SHA512
1eada6fa78ea9c601937e722e9057095b5a63d4fc29d34e613898f366611023772bcc1049f290bc32a91c1e166624c3be75e2905fe361d2e531644e7ca936b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0964bef0e6f38a159842e918470cfe72

SHA1
890b56196827237ef51ab1608606a63c3ba6262a

SHA256
2611c945d2fcd3709a7167e51b62549dcd7da40cde0caf0a54fd96b8179e1275

SHA512
e53249aad4ccba02cad3548907185212fa61a716f6c199f01b3c8cbc51adcfbc198cfd60e3172f838bf7e21082f947145612ad89c6e5c41644f6df1246c45a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2d2c8924c6422f4d00bcb13a28ecf70

SHA1
623ba26320d1f5185efc9424d53918628d546cb5

SHA256
6449613e87bf34a58a17cefab3a06a98998ff86eb2249015d27bbe81fab7c59a

SHA512
9a6a10eb76c423fbfb49a70fcaac4c1f5512f6c0990f9cc2c9354ecc717f2a73b9963943073819eb71c7595fd03c4b0618c6927c1f5b7f05a88470de47744be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ffc3457e9ce3eff24e63d99f7b2579a

SHA1
f68cf9267809fd40e7a2f1013ffb62b0f68ac175

SHA256
100c584a95df31b248a2e2eb26a05fdaa920a8a034467e44a5eea75f1e1b625d

SHA512
2566a4408713b97dad672dce89784a10d2a392761d5cab9e5b6f10075d31246a9be26df8817caa3479700e86b388f61aa8f0743240e713382e0a4c2acb08f4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b20902bc8624af31b943ebc3bce3101f

SHA1
230c0a13eb9ad07864bc330475cb7cda961a09d9

SHA256
aada6de3e770feba967b6029498c6b11c648f1b3dbfae8ba1fabbe81c48756b3

SHA512
315f3e6372392cfea28f0867775de32a2808160b57840222465604e29e3af8ce6277f90b3b4a9001ac5fc71c54302e06999cff1f8c428ecb52d4a51eb344fac2

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\Microsoft_KB57H43\Microsoft_KB57H43.exe

Filesize
345KB

MD5
6a86fa4caf935d582001c1a4b3a2cec4

SHA1
f13f84862e118adb7558b76b24be1f9390e61872

SHA256
ce3c83cb9c09169ed7b2b4f5cef17eaa5d24f0ba11ea73755591515392342b15

SHA512
271df45609e0d5c9fa24d2463f22fa25f1b2e8007cc62d9323b7192c5296152593d8c7103e00f840b6b1cd40812eba8ee0fa0e8a8897f918fec0959fac76a7cb

Download Submit
memory/680-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/680-25-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/680-65-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/680-140-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/680-4-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/680-7-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/752-163-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2316-167-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2316-139-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2316-166-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4760-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4760-9-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4760-8-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4760-164-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4760-68-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download