cybergate | 2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7

Analysis

max time kernel
264s
max time network
306s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd60ad05941f2bee3dfd05c976bc2eff.exe
Size

301KB
MD5

fd60ad05941f2bee3dfd05c976bc2eff
SHA1

eae3af05983d5e47ebb3f228f98517f9a3806376
SHA256

2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7
SHA512

b16dbd2bb8c169bb5e772469f2bd98947e74dd7c30a1899b3416da6b2c967c6644baf97f138192b725e343233ec10c4b2516c889b7f0e302f0161392052c522b
SSDEEP

6144:tmcD66R7M5JGmrpQsK3RD2u270jupCJsCxC:4cD66DZ2zkPaCx

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

mise1.zapto.org:5210

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fd60ad05941f2bee3dfd05c976bc2eff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fd60ad05941f2bee3dfd05c976bc2eff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68}	fd60ad05941f2bee3dfd05c976bc2eff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	fd60ad05941f2bee3dfd05c976bc2eff.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	server.exe

Loads dropped DLL 2 IoCs

pid	Process
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1176-300-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/3044-2333-0x00000000318F0000-0x00000000318FD000-memory.dmp	upx
behavioral1/memory/3044-2416-0x00000000318F0000-0x00000000318FD000-memory.dmp	upx
behavioral1/memory/1176-2523-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	fd60ad05941f2bee3dfd05c976bc2eff.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	fd60ad05941f2bee3dfd05c976bc2eff.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	fd60ad05941f2bee3dfd05c976bc2eff.exe
File opened for modification	C:\Windows\SysWOW64\install\	fd60ad05941f2bee3dfd05c976bc2eff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1176	fd60ad05941f2bee3dfd05c976bc2eff.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	fd60ad05941f2bee3dfd05c976bc2eff.exe
Token: SeDebugPrivilege	1176	fd60ad05941f2bee3dfd05c976bc2eff.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27
PID 2988 wrote to memory of 1176	2988	fd60ad05941f2bee3dfd05c976bc2eff.exe	27

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1696
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2476
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1108
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:952
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:660
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1692
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    3⤵
    PID:556
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    3⤵
    PID:2844

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff.exe
  "C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff.exe
    "C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      PID:3044

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
19f2535a2563a0582f9746b7f6ee5d81

SHA1
5285fb4ffe727e78d55010c15da08b63c185fd54

SHA256
9728ba46578e633c0fb5243d6c7132d1e2a8f95abf35e705a1c9c6c6f904b736

SHA512
b0a415608be026868283545c71d752468ca0dc4eb290021dff4d188e8dc20a411e3df59c31560b5580155427aa2371d3fe1362e3379b999934340bc7fbeb4b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6546602d8a3b5b788ff7e28b1df6b44

SHA1
044aea7e6fce7b674bd7378eff6ec61c8c584fff

SHA256
8301e9feee01a8a59cc945beaf015475c41688ff990c5d1daaea79790cce27f7

SHA512
56ae3bf0e3f789dfde73ce48106e3e6b2dd5ef6729bbb72e9fe72bdd269afb53b5cd1609fed4b0d44bec38080895085eae881ba78c231c1d04e4801ff7873058

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0dfca03d1d602975865809e73cf2f67c

SHA1
9e3f1e08edb79b484b8374a22f453519488f6e84

SHA256
baf230824c3246b5379b5694c2d7acf1e53418383a3e0fb9f47428a28781ee5f

SHA512
46e7aa1fb3076515b996156a1de6e7eced343505bd41fd7c8c68d40b23e8bdd154e0e116512e885e7dabb027241c6dec559c0a9cdbccfd32536d13f83cf01591

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fc5525b90301a2daa917dcd65a0fd5dc

SHA1
85bf8978936dd0b0004a190e1827511d8dfc6fd9

SHA256
f7c373a8391e4034332d284a9b27a6018bb5547c189f376fb132994f1fe1bdb6

SHA512
192ebb08a0476bb3c3f7b76dfa20160fefccf84035d1c5bf5354d640f283466ee812c590290980c19ea12c4e793eb96f99fec718591add1a6bfdf57eb420cef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7265e6529cab6558e698e1d3aa8f5316

SHA1
5cc50f09009fc3a6273475f5d363209f31062f4c

SHA256
44b57541ea694e8bb64e98b6dfa7076b8a0697a1be8a455893d12772e79c6c46

SHA512
bb59e8cfda3271a602ba02127c10a4b2246a8a4c7af4f7bea31ceaf9ab2c709a9c63d1ca8e5352424bd1f585ed03a8425920590528738e89a9a379b64b9006cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da0cc48d25ed456a3c69e7b088b26e59

SHA1
0992dd243c6915b9f196c23814c6268b1ff9b7b2

SHA256
38a0da207c922e76244db8286b443cdd1c90a8abf0dd42ee81ac484b2f7fc71e

SHA512
53b8f8cfcf72454ee94cfbd71b0098d2b5fefb391dd8dab919189b5d8dc59b1187b7236b4f6b0b2131d80b702428154094ccfa5fadac863ae21c5a7afb428ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0aa9b89bfdf395111cec329fe108f5a2

SHA1
e3e3d2b6ff7e009d48a44c9eb878caeb88c59207

SHA256
3b284221ba91fc911c2587e55ab0ad2c0f129ffbe764778f8cb711d241c651a6

SHA512
5f8b84ede27bf79e1177797fb99da1d89220ff0b7de7cd1959f9ea55febf49f7e423da89c95eecef83786ab734266e511940ec033d669138553bde530dae9d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f459f1704d66fd5eb0448a0610901309

SHA1
3d5cc4e62c8483ca2cd4731c88be0a2e2af4abbf

SHA256
bc6fe060cc837f89b5fe65cca8dae45af76044024fa62d2a64631aed53968719

SHA512
d6870b5f811abe292f8c63196a8279f7ce514cc4552fd4d44b6c5fb30924630a2fa53a55da9a14d70171223095b6b37aa8bc62d336fdf84180d00564ed19ae6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
50ab967cf072171517e5598431832c20

SHA1
2e6f7d36885b3994f5c047d32846babee6027a52

SHA256
fc808de3150b41e4b86c392aa113f73c68ef9cd9bc303118bb8013a64829a3a6

SHA512
ba4f2e212870d02dc34a66df1830ba0982482c43bdad531b53df8f7fb29a35a47dc8210f4679aed2e63618423700c42de2a97855aaa148bf8b650778986af85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
58cfdd38ae86fdf0d393adbd879433a4

SHA1
27b03b1214aa406994fa8c1abffcefc7294d38de

SHA256
670f79ccb676e066a721a7547d5ea0230dd222e47e134d5626337f16fa8b8e7c

SHA512
3c91869cfcd6102fc9e1dd95b53ca4cbb062d19c744c964b35d1cd8cbb6bf933a7c5c0120dce62f5bae029eb6ab89bd7c47c7b1cc9af9184c3223f5e98a31254

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b22869e95c4c605df4be145f09ea6d8c

SHA1
9e814b22593751c1895857229057c9035b31ab13

SHA256
1d7dcfcf8d31b806e575e7215e21d0e259831528c42eb66675542d3682dd8c25

SHA512
85fc450b0ebc62c9664d48cf42660e1ff62d7d383d9dc343d8321da7b61d8b94b01951c25dace4b24682e4d6698fa45ae2f9048d1214b634d348ff3973fc4275

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
92dcca0af7ae5ea88ae7d6bd01be3c8e

SHA1
efca4c3c4e423037535f3d583e722036a877b9c1

SHA256
299611c025c2d8cd9370b807140e86aadff86866db934fa126bf9cb2eeccb474

SHA512
35bc40cbc00cda26059e481689b1ce4e0b2e9db55e47afb06ac9d462f78fe7d8885ffd8120a5171906f0779e0e10b38bcadc495c853918a4ab6f73f985ae5707

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19fd54338bb88592709ad551f82c95d5

SHA1
7097dc926b1a45961708a158d8fd4c2426ea55f7

SHA256
fead14d99150ba9437003ff0b642f159414b70e1ea2d5961c17a99f71ec31c41

SHA512
043e2e840eb6321aae7944f212e58d3e741b1b46b50c508f075686cd95d63215115255527dd36ca4d5e45e83465550874d97be18730d1254f9ef8d9b75b0fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3b022f7ea2dba5604cd1b563218502e7

SHA1
fd95acbe01be6e0a6fc3625ca08faefc97053088

SHA256
efcd7d32c7a1ad9868a2ffcd4f7d3bf2ff2bda255556c9429617bd62b0a0ae50

SHA512
19c774a59c11fa8c10a500d7a7a930cb55eb912f0a90e9d03434448e036f1a35c301fd03725ba6c25fa3240926f9659282b8c367011a32ba921ba3f2d10389f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d7498860d0c2926dae8b3d9c3d140285

SHA1
3f493f79fcd7a21911aec20a29ca234cdd1edb5b

SHA256
540d9d43792659143c01cf7ce31857ed7252e9dab3ef4b936581bce47ee2860d

SHA512
8600c7733b57c80b6c9cfb34e8cf753e4dbc3b2d031d95de83854f0c22b5b87140e621a221eb287de46b386442ee753d8f77d21749e7bd4843d0d655c9f44480

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1fee57b589d13e3f0a0f104f8d493acd

SHA1
d422719537f6d14da9ba97e7d1f57539f85eb85a

SHA256
4c1caaac2560154d895c6722024948c15890e61d72c7174b1a960f4793d3a51f

SHA512
50a1f355125079134caf13eb4b9319f2256bb4f55999bf2894449aa9ce617c06c19a2afe89d1fd81a7646c7e4beb6c48cc8a48d13dd31d184850449fd02ac612

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef15930ba4f4d7c697d43b318a8c247a

SHA1
b456793f7ff10ffd6b31b431552d10733efba39e

SHA256
f476a9c48c7d50d5e993622f4b2c9505364bffb022292f3c62267cb2fab4d037

SHA512
b2e6c84e8e73104c75d624389e63f5464d02742b42bd522e77610fdabd777e140c4778f6a7eaf5c882d37c6844871e716bc8ab3d9ac3b369f3ff019acf0f5769

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
66f23e487dbe97d0482030384e2a8fc8

SHA1
0408c784f33faf706ded0c0340f365169329b87b

SHA256
6f309ad72042d3610fce2da8b83c5c28d763a59e7ed58da8520f3a0a08fd509c

SHA512
71a7cecc1b6547dcc7b3e0539c08195ec418f5590e38632a0f5ecdd9b3471eca8045ce98ecf1c6824b9c207bca084e71f91320fe0734daf9256f15dd0ee5cc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4ebfdb80f891846cf6c68d235719d9e

SHA1
3c8a66a7a3bd356d1629e0794cc0b8ead7f73642

SHA256
bca5e6beda4845d6531936d71fb2b7abc2c07f80330151ae623ee53f76d8deeb

SHA512
c38479e1abb63e474c554106af53c558ce2120b7a29d920f671baa88faa0fbee623e9f2ffaefc1b800278a6ef1f15b7bcb65e82d28d682ec3a467051cf14f236

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3d5e0288d9b1b57d6fb9dae9593a89ac

SHA1
df08575535f743d2ab192b272e9a231565a339f1

SHA256
32f09d77d773521c8be71942423f173cda7a3c9ee929529e0f07eb1ee4403b01

SHA512
0c7b89d94e83825a31891b1199be0591ff157f2d5a5b8694c38ec1a92ea7966e6aeca0b11c7aa280eabbfa381d0c078eaac19533a15c4ff06ec4c8187bbed4f1

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
301KB

MD5
fd60ad05941f2bee3dfd05c976bc2eff

SHA1
eae3af05983d5e47ebb3f228f98517f9a3806376

SHA256
2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7

SHA512
b16dbd2bb8c169bb5e772469f2bd98947e74dd7c30a1899b3416da6b2c967c6644baf97f138192b725e343233ec10c4b2516c889b7f0e302f0161392052c522b

Download Submit
memory/1176-2523-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1176-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1176-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1176-16-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1176-300-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2988-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2988-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3044-2416-0x00000000318F0000-0x00000000318FD000-memory.dmp

Filesize
52KB

Download
memory/3044-2249-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3044-2279-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3044-2333-0x00000000318F0000-0x00000000318FD000-memory.dmp

Filesize
52KB

Download