Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231222-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12-02-2024 11:12

General

  • Target

    9704acf70f601607084200c2b8f24146.exe

  • Size

    282KB

  • MD5

    9704acf70f601607084200c2b8f24146

  • SHA1

    f8d29c3f73e71fabd9d3835c04603fa5fd00c805

  • SHA256

    8e86221ff8aa85db50150848d8786d05a9fff464dd47a684bebcb136881c7f67

  • SHA512

    31f3c3347dd9f414641dcbe2c45144f3ca6cc8f1169506014a35c7e68a369c19e3b78b7ef4d5d63dc770c4c90989a82283bf206c538c997c62b206c4cfa136b1

  • SSDEEP

    6144:ZonYdhUSyP6t2zQtDtdWn7T1iaOufuz5wOUtlKOuhPbjXbK:ZUYdaSPtkQtDtdWfkaMz5fUtlKOuhPb

Malware Config

Extracted

Family

cybergate

Version

2.8 Private Edition

Botnet

vítima

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:60
      • C:\Windows\system32\fontdrvhost.exe
        "fontdrvhost.exe"
        2⤵
          PID:764
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:760
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
    1⤵
      PID:608
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
      PID:1120
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        2⤵
          PID:2680
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
    1⤵
      PID:1176
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
    1⤵
      PID:1260
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
    1⤵
      PID:1604
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
    1⤵
      PID:1720
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
    1⤵
      PID:1964
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
      PID:2144
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
    1⤵
      PID:2716
  • C:\Windows\sysmon.exe
    C:\Windows\sysmon.exe
    1⤵
      PID:2896
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
    1⤵
      PID:2924
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe
        "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
          PID:4560
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
              PID:2332
          • C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe
            "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe"
            3⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
              PID:972
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:3908
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3976
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    1⤵
      PID:856
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
      PID:4004
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
      PID:2868
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
    1⤵
      PID:3056
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:2312
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:388
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
      PID:3796
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
      PID:1512
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
    1⤵
      PID:4828
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
    1⤵
      PID:4768
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    1⤵
      PID:4528
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
      PID:4464
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3628
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
      PID:4060
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:3816
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
      PID:3608
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
    1⤵
      PID:3292
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3188
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
    1⤵
      PID:2936
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    1⤵
      PID:2860
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
      PID:2808
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
    1⤵
      PID:2724
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
    1⤵
      PID:2648
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2536
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2520
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
    1⤵
      PID:2340
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
    1⤵
      PID:2252
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
    1⤵
      PID:2224
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
    1⤵
      PID:2052
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
      PID:1740
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
      PID:2032
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
    1⤵
      PID:2024
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
      PID:1844
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
    1⤵
      PID:1752
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
    1⤵
      PID:1744
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
    1⤵
      PID:1632
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
    1⤵
      PID:1612
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    1⤵
      PID:1456
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
    1⤵
      PID:1416
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
    1⤵
      PID:1328
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
    1⤵
      PID:1244
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
    1⤵
      PID:1160
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    1⤵
      PID:1112
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
    1⤵
      PID:1032
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    1⤵
      PID:404
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    1⤵
      PID:960
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS -p
    1⤵
      PID:912
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:788
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        2⤵
          PID:3940
      • C:\Windows\System32\mousocoreworker.exe
        C:\Windows\System32\mousocoreworker.exe -Embedding
        2⤵
          PID:4560
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe ba1574bb717fcafaf1df18725572d6ea a4JVRCOevk6z+x22777iSw.0.1.0.0.0
    1⤵
      PID:4596
      • C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        2⤵
          PID:4848
  • C:\Windows\system32\svchost.exe
                                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                      1⤵
                                                                                                                                                        PID:3248
                                                                                                                                                      • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                        C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                        1⤵
                                                                                                                                                          PID:1936
                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                          1⤵
                                                                                                                                                            PID:4260

Network

MITRE ATT&CK Enterprise v15


Downloads
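The list that follows records every file the sample wrote under C:\Users\Admin\AppData\Local\Temp. Note that the same path, XxX.xXx, appears many times with different 8-byte contents, so on another host only the 240 KB .txt is likely to match one of the listed hashes exactly; the marker file is better caught by name. The script below is an added example, not part of the sandbox report: it copies a representative subset of the listed SHA-256 values, walks a directory, hashes each file in chunks, and reports an exact hash match, a name match, or clean. The files it scans are constructed samples written to a temporary directory, so it runs offline on any platform.

```python
"""Hash- and name-based triage of the dropped files listed in this report.

Added example (not part of the sandbox report): the SHA-256 values below are
copied from the Downloads list; everything scanned is a constructed sample
written to a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA-256 digests copied from the Downloads list (a representative subset:
# the 240 KB .txt and three of the 8-byte XxX.xXx writes).
IOC_SHA256: Dict[str, str] = {
    "2767d1cdcf9539a7314d0f7e64e4b56715ae8f4350c2e20f5d7394bc1e9c4218": "XX--XX--XX.txt",
    "9a924e8c883f68321a26900fdb30b27e21ea1f8e6fb309a6633666ddd5ef661d": "XxX.xXx",
    "6208c188dcfc7f99be6265ae1030de4a2cb11f908a804e132cd727eadd38fe75": "XxX.xXx",
    "e39a825cba58937c50a4ef86cb3f8db7367f17312bb2b35523b1c2218c0055b3": "XxX.xXx",
}

# File names the sample writes under %TEMP%, lower-cased for comparison.
# XxX.xXx appears in the report many times with different hashes, i.e. it is
# rewritten during the run, so a name match is the more robust signal for it.
IOC_NAMES = {"xx--xx--xx.txt", "xxx.xxx"}


def hash_file(path: str) -> Dict[str, str]:
    """Return md5/sha1/sha256 hex digests of a file, hashing in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(path: str, sha256_iocs: Dict[str, str] = IOC_SHA256) -> Tuple[str, Dict[str, str]]:
    """Classify one file as 'hash_match', 'name_match' or 'clean'.

    The hash check comes first because it is exact; the name check is weaker
    but catches rewritten copies of the 8-byte marker file.
    """
    digests = hash_file(path)
    if digests["sha256"] in sha256_iocs:
        return "hash_match", digests
    if os.path.basename(path).lower() in IOC_NAMES:
        return "name_match", digests
    return "clean", digests


def scan_dir(root: str, sha256_iocs: Dict[str, str] = IOC_SHA256) -> List[Tuple[str, str, Dict[str, str]]]:
    """Walk `root` and classify every regular file; returns (path, verdict, digests) tuples."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            verdict, digests = classify(path, sha256_iocs)
            results.append((path, verdict, digests))
    return results


def demo() -> Dict[str, str]:
    """Write constructed files to a temp dir, scan it, and return {basename: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed contents: an 8-byte marker carrying the report's file name,
        # a benign note, and a file whose hash is registered as an extra IOC so
        # the exact-match path is exercised as well.
        samples = {
            "XxX.xXx": b"\x00" * 8,
            "notes.txt": b"constructed benign content\n",
            "dropped.bin": b"constructed dropped payload\n",
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        iocs = dict(IOC_SHA256)
        iocs[hashlib.sha256(samples["dropped.bin"]).hexdigest()] = "dropped.bin (constructed)"
        return {os.path.basename(p): v for p, v, _ in scan_dir(tmp, iocs)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10s} {name}")
```

To use it against a real host, point scan_dir at the user's Temp directory and extend IOC_SHA256 with the remaining digests from the list; a name match on XxX.xXx or XX--XX--XX.txt is worth a closer look even when no hash matches, since the report shows the marker file changing content between writes.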

• C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize: 240KB
  MD5: cf9b9bbff175bf3bc37215889ab0eeb9
  SHA1: 50168e04b22784056508d2436b0ebdbc0db30888
  SHA256: 2767d1cdcf9539a7314d0f7e64e4b56715ae8f4350c2e20f5d7394bc1e9c4218
  SHA512: ea47ca865327afd8e793ad430d099ae329cfc28266d5a9916db1f915503430a00f2342352987e5816e28cb35e1db1542df58f08090484536174f1577fa2b8b24

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 40e96f5c65b61609109c94236901d482
  SHA1: 01a10f088e8a293bd366660b019d776ebd50b9a2
  SHA256: 9a924e8c883f68321a26900fdb30b27e21ea1f8e6fb309a6633666ddd5ef661d
  SHA512: ee46894d890f8f352a58d9f859ab67951f5c864a984e087d50b78bcc537bbbf65df25739f34b105854b3e86a04edea7b3f35dde6494f75bc2ab55a274b7cda7f

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 7d8e1dd89bd7c90e9b0a87f4eac3fb13
  SHA1: ba602f160b847f6331e9f3762fa1725cbc8e04c8
  SHA256: 6208c188dcfc7f99be6265ae1030de4a2cb11f908a804e132cd727eadd38fe75
  SHA512: c7bab79330d10a2eee6d0e9c4cc87087da1933ed15671d71cdbec0bea444a0c2c404542fa780ec27e6f592d9d2204c219219a800d1d13dfd07f087cb6e150e80

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 817f7e7f5278a72ab3059a6f062bf1de
  SHA1: 361888179b9a499f12957697dd77d1ad9302b52a
  SHA256: e39a825cba58937c50a4ef86cb3f8db7367f17312bb2b35523b1c2218c0055b3
  SHA512: c656f5fc3183d742a45fe09cdf2dc199015414715beedcfa1fa74ebce9e2c24df276ffc44144422fccd2bd96bf766212301917a6fa731ea480dad4f6c5b4796f

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 48c5daaa22f18f64c950c71b9448093c
  SHA1: 830bcf5640a326a82fb37948a163d69fc4ba3147
  SHA256: 7650de22861e7e2302f5d9734ba7d9bc03a7adc0f911af32460c9943dee7098c
  SHA512: 1e58331fd8a7d30574c327accf4283fb3cf65f815711432a7e573bd5fe06614b8f347694390a22abaa190c98690301a6aaf18572e5791f1a926512a0cf1dcdd1

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: a733f008ed8412088800d0fa7ad82539
  SHA1: c524651a26400bf629308138ee04b3030699477f
  SHA256: cdad163883cabacd83f3c99c1673d52f7885a45afdb96b71e4b2e7f36d8cf8f2
  SHA512: e12818c53db65be58c11e61ac5b9631c82d497877003495874a7b478c2bb31796090dd6b6e36d1e78dade93d8e23a5c25651f834223e919812dbce41149fbc46

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 780d8fa1d864d630197523faf47d5644
  SHA1: 97c931c9af41daae0dd90048a2535399e8d4247b
  SHA256: a1df2207aebe8fbd3abdeed9f9b939ba49f80d87b864ca03d7907692df88448e
  SHA512: 5ec3289786d0c8adf4b08ac123bda097289f91859885295cdd63552028b512bf933d1cb061d5be3383fad360306e58e92addf3b6895eeebb5d39a9f1bbea5fcc

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: c3dd1ab9ff55270b633ed2eff308ff5b
  SHA1: c3f4230e6a6f4b7171a9650819b7c707be4f53d8
  SHA256: 02091676492070ecdfef404fa4f1c7cc5a4f66eaf66d0367b1ef648f54b1f582
  SHA512: 2b314c1e0f1999c80d1e77985590b24281227337c40bfa984c977f12abbeb4989ce898080b01f8e5399b11e5b909954e15f064db21a6dd9517b1c8aae5b30a0a

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 10c82b760d48ef76505ff697547d0083
  SHA1: 734c2666aec190c486a907fc1e106b3c8852efae
  SHA256: ae046f46e0e98bfee1007a76af39dafc15455ad0518ccfca4da21897e0fe2d5e
  SHA512: da5b4abc8d73ac547c45fded862f7fbf0d6783e6ea249d3b3a1c804cd129a49e1196ec1cdc1468a04a98864b86cce305a3c8e1d909541cd5b1125d5fe82cc0eb

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 5c3374031609016e075a0552a9c7f699
  SHA1: dd1d1c7d6e4c6b7eed11c92514f8fa8a4c78ee8e
  SHA256: f221853e4cc356fbe7caa48d05b2153f9cdd81b7c6d44b5ba7fdbd921b649981
  SHA512: 99514ff48c4af3848c032d3a03441aba41f563afa05ae06b8a6bf118a4a93a57e764ac3e04316062917bd67ef67d7499e31c3cc38055971bc52517481122731c

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: aabd3f6520ab94a83b238b935e53d002
  SHA1: f15874894ceb39607fde9af11fdccefec60ad84a
  SHA256: 13955e5f34c9fb3cc277dba4632c025b4735ab4c29e23191c2b25e327d55e1df
  SHA512: 6fad79b45fe3f1ce274163f4ae0583fafff1be738a2860194f7123b82904970264acd3e7020d14d23babf1d3e7da6748ca3b24c0866041c5a18a488921caf0e7

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 78ffa509b80c8f5ec3d01d30ddaad507
  SHA1: f8483baa6b6f2fad46eac92f54a4552a901a8ecd
  SHA256: 3bb0b226b675991467e0e58acfc2b610d00c6057889a667cf26904c14bc3884c
  SHA512: f2040678072e30505f6e91caec1d0c5faf11edf9b79247917f49044b883b63a18027a7c02b0213ecf472e1c271db0c59c0879107f0b45da9d4ebb75c0069bce3

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 8bca05a85fd43fc1d30ef84557d6a6db
  SHA1: bf141fb385b3d74dbf6c433d7a0dcac973d7358d
  SHA256: d40ade2d8a89f2c49304a337d6942081a9c00169c0b1763b660744da4bbbb2e5
  SHA512: a7915f7fff95eb0db6aebb52d00387d24b1ce92705e4f2155e3c67657a43c0dc4aec5c65d24e9a63a3d07a15634ee0f26a67672608b997ba236780746902d1ee

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx
  Filesize: 8B
  MD5: 4dbdc7a22fa8351e4165454e0c3b058a
  SHA1: 86c58c2d3931c33b5d7a616c391a17e78295f7f9
  SHA256: e5b0ff9e6c244d145fc10a082424f4a7e2f85aa50168c24fbe7f37c263ef0cd2
  SHA512: e49e5399caf0aa8bf0b5ffb7679c0452ea11349e9e563bad940927abd20589361c5cfc8cc88f138b33b38c71c5bd3ea29d7dfa66e548044387c1126977622704

• C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                                                                                                                                                            Filesize

                                                                                                                                                            8B

                                                                                                                                                            MD5

                                                                                                                                                            fd549a11c6a8d82d5089501dc28cef81

                                                                                                                                                            SHA1

                                                                                                                                                            6d9964cd2a7a55f5f9904ae6f2227e73af91d52d

                                                                                                                                                            SHA256

                                                                                                                                                            559de9146062a052e293413c3fd50312114d70dfad32514ac41ba211e2f3380e

                                                                                                                                                            SHA512

                                                                                                                                                            c3704bf1c280c9c2838794badaae6f43dfc4405c59d528431c22dce7ce83859d05d3f749f76b81a597dd8b4787919834ea1d2c8c67cfe921b2e3581da7d83c13

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                                                                                                                                                            Filesize

                                                                                                                                                            8B

                                                                                                                                                            MD5

                                                                                                                                                            70b7283ffb2d91c4bfa15b647095e8b4

                                                                                                                                                            SHA1

                                                                                                                                                            56041654695016edb9e4752797ab3fe422545738

                                                                                                                                                            SHA256

                                                                                                                                                            da8269a99ec1ccea9e814641426ee5d032bd74b171d467499412c6d8242b20cb

                                                                                                                                                            SHA512

                                                                                                                                                            2a2dc78d9bef79b80d6c945232450d418b5970f7991be24cb1732ae21e0cb55abbb5bd5b804ae2856521bce5f234304a426e2b0fee6cac8f83c971bb39d8710e

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                                                                                                                                                            Filesize

                                                                                                                                                            8B

                                                                                                                                                            MD5

                                                                                                                                                            2f1c225f6e4aea6d369f062ebf2826e8

                                                                                                                                                            SHA1

                                                                                                                                                            73a049986d2967d27caac55b5067cb1bca5969cf

                                                                                                                                                            SHA256

                                                                                                                                                            6490eb6b9b71f5896e11d247a76b1c0074111deed7fe3586ea66ce125ccb4504

                                                                                                                                                            SHA512

                                                                                                                                                            2574b9f9f977bc8c73fddc8ee1d87c9cce21ebad1f5dcc2c54787fb3ef732bdbedfb978b0c62d19ae04a894a6c69a3c41f218d0fbd2a558f47783603facb17c7

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                                                                                                                                                            Filesize

                                                                                                                                                            8B

                                                                                                                                                            MD5

                                                                                                                                                            b084ba2e54a9a1b392f3ff925ba6ed5d

                                                                                                                                                            SHA1

                                                                                                                                                            e3391c3214391c67e951acf66780a7c7e87293fb

                                                                                                                                                            SHA256

                                                                                                                                                            e574055ee61fce8401623c33c59ecde24da3d0f4b3b164c8a38868cc0ef140d3

                                                                                                                                                            SHA512

                                                                                                                                                            7abf2e188c426ec11a876252ab23ce24399d7f228d19f54a6ae84d066fed297b855812d830fac88e21302bd465a058a6277540dced38b42e1aad996185aae34b

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                                                                                                                                                            Filesize

                                                                                                                                                            8B

                                                                                                                                                            MD5

                                                                                                                                                            9e3999a21e3677f49a884cee1582bba1

                                                                                                                                                            SHA1

                                                                                                                                                            5834d244f830793441248d862e9c372377a1ed3f

                                                                                                                                                            SHA256

                                                                                                                                                            912c27e80f8a3dafb7feea03e5398d34e85981abbfe135af70f3f8db1274a56a

                                                                                                                                                            SHA512

                                                                                                                                                            cb5938daf2fd818fffdd4c7c5c7352b51369e6b20558d10b253f4332bfde08724c0adddd58c1c9f260e27769acbe570faa2cca0bc722fe6c6282f4eeb3b4f208

                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\logs.dat

                                                                                                                                                            Filesize

                                                                                                                                                            15B

                                                                                                                                                            MD5

                                                                                                                                                            bf3dba41023802cf6d3f8c5fd683a0c7

                                                                                                                                                            SHA1

                                                                                                                                                            466530987a347b68ef28faad238d7b50db8656a5

                                                                                                                                                            SHA256

                                                                                                                                                            4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

                                                                                                                                                            SHA512

                                                                                                                                                            fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

                                                                                                                                                          • C:\Windows\install\server.exe

                                                                                                                                                            Filesize

                                                                                                                                                            282KB

                                                                                                                                                            MD5

                                                                                                                                                            9704acf70f601607084200c2b8f24146

                                                                                                                                                            SHA1

                                                                                                                                                            f8d29c3f73e71fabd9d3835c04603fa5fd00c805

                                                                                                                                                            SHA256

                                                                                                                                                            8e86221ff8aa85db50150848d8786d05a9fff464dd47a684bebcb136881c7f67

                                                                                                                                                            SHA512

                                                                                                                                                            31f3c3347dd9f414641dcbe2c45144f3ca6cc8f1169506014a35c7e68a369c19e3b78b7ef4d5d63dc770c4c90989a82283bf206c538c997c62b206c4cfa136b1

                                                                                                                                                          • memory/972-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                          • memory/972-68-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                          • memory/972-11-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            352KB

                                                                                                                                                          • memory/972-69-0x0000000010480000-0x00000000104E2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            392KB

                                                                                                                                                          • memory/972-1701-0x0000000010480000-0x00000000104E2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            392KB

                                                                                                                                                          • memory/972-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4KB

                                                                                                                                                          • memory/972-71-0x0000000010480000-0x00000000104E2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            392KB

                                                                                                                                                          • memory/4560-65-0x0000000010480000-0x00000000104E2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            392KB

                                                                                                                                                          • memory/4560-0-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            352KB

                                                                                                                                                          • memory/4560-4-0x0000000010410000-0x0000000010472000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            392KB

                                                                                                                                                          • memory/4560-72-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            352KB