cybergate | 05dde0fb84b16f700d2ee79326fc7e63e08e8cf318dddcfaa211b3a2d945760e

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Size

344KB
MD5

4da6797e5adcfb2a3f183c7b49cabde3
SHA1

9f66331b2cecee3171cf8b9d33fec9932a165893
SHA256

05dde0fb84b16f700d2ee79326fc7e63e08e8cf318dddcfaa211b3a2d945760e
SHA512

68c9e19ea57966983e753f8d06435a421810b7226aca23b490bd033390759b8dcc2b9412ecadd46b8be6c02277b396c6051129bd19ed5d5386f31b2865baf10c
SSDEEP

6144:KmcD66Ru5JGmrpQsK3FD2u270jupCJsCxCHIZOr:/cD66192zkPaCx

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

noliife.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2I4JXT18-EI7N-WQSE-2DU8-C7QDQVXRX4PM}	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2I4JXT18-EI7N-WQSE-2DU8-C7QDQVXRX4PM}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
612	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
2896	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2672-0-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2672-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2896-20-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2896-294-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2672-293-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/files/0x0035000000016b27-313.dat	upx
behavioral1/memory/612-318-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/612-319-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2896-775-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Token: SeDebugPrivilege	2896	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2720	2672	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- - C:\Windows\SysWOW64\install\server.exe
    "C:\Windows\system32\install\server.exe"
    3⤵
    - Executes dropped EXE
    PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
bc953605d52d27cb768ce3078fedbba2

SHA1
3908cfa0428079fe7fda2ada4522053e1e12c34b

SHA256
c4fe03cec37473ec97b76e44fc1980d94e5bac2c5e3bb86c544262a7f18f4208

SHA512
552334a5180bcfce7c7e9341dd58d75ef92e86fb0bfe1ab6697b8b0d72b3081af9bbbefa29421ea19d30a3db220f5a3434ddbca28dd27096afe14abeaef2dd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7495d86dc9e9c4b604f5f557d4a893e2

SHA1
c8d4053266f83d2c7af99c79aad3070bb16eaa0f

SHA256
2a58688b47d9747d38f7ba5a7cf73b12dc47629caa5ae35061b5c2a48c79fc19

SHA512
0ffbfc69a4eef05c70ddde9e815c0af46287caf218990feae58ab8e66e34b4220b81d9f8a8dd1f59e21395ce07d233bbfe733739ec909a58ceba3525162639be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
583b551dd1aefd0c4979ed09ca6c1dfc

SHA1
6a79b773ae4e55eff48e786c192b904c1c390ad9

SHA256
0c42f2fb015832e400496635cf8899981911ab8746b474785f0b7baac101be3b

SHA512
8f6ca36b9d1721e1f4fd0e003678c2065d2941a086cc5fe8a9d90db0e4db3943389d0e2fc735d6dc2770c4b68ab563f9caee095ea37f90318b4ca85525420c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4fa874a0f654974c18ff0007bb1ff37c

SHA1
67b04c6889a927d76f3eaf93e4cf314407d1899c

SHA256
67d4dd5b3b1730df652f3989ede18aa8aeb8aa82fac7eebf32e9d32b7c61c022

SHA512
1cb3999440aa48dd7d552cd80f29c88a2d44cdee2e98c32ad82064fd4b2fc5e9bb46a9cf67e37feee4adbf3ce01bed692ca4d822286555de394fb6d93047e837

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71e7353e7537553efe4005082836ade6

SHA1
484c65432b4bd70ef79c67d7d838df865759c000

SHA256
cb4d47d76370905fb9fa675b447502b5b8900020a13022355f48f0b3bce71607

SHA512
a5f58fcd017e57c85f814d58adf5ce497bb54679cb1aee492a92bbd6dbe8470c819909e7f52def7cbfd4812253acf8c8fdd0a73b71ace258e02057782c7747b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1cef060a194f8c0d865604e9dc243328

SHA1
f010e2b9988e33916f968e4ee61079635d4c9887

SHA256
550472a3732284bdd7cb54d122e22ab4e83cec2a43b8642ac8526569e2a67ca9

SHA512
0498fb43e7ecaab037b9ab095f7818280dfeaec7c5193e5b7f147ab18b6a6d70fd0a383188a70d13802214d1e307d19fc5b2aee062f2a12d6f4595d369006fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4d5ecd897a2cd38d87a08cf5bfdba5df

SHA1
6d16fc6e009247bcc17fe56bc6efcd078a1fb165

SHA256
fec0049f8d0b610f6bcfe8e9e9e9b1bb13f78fce525995e511b4681022fca474

SHA512
4785fd0c43a46920537a3f39c76f401a7f0b8f9746839e01cfcc254ba8b34951f985f5ff5ed5c1bde9ec345b28ff91d503e50133e31728467cb1c4233f20c90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3bdd0b8cb6115df11c6377796d337e21

SHA1
6bd9a98de6ce50f27ef825946b8c2c3fbb20be71

SHA256
cde7c71599252ccfa051dd92361d8404a7434130e2c0dd7dbcc4904c9e7b2aa1

SHA512
81cf78ddde41edf01ddb9a3c6feb55ecdb824d9434a227340539fb73b5edc7f2c749917decf17956b95150923b6622ff8739f4ba29949c9ec412df0716de5143

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fad70dd439b97002d5e782611ed132ac

SHA1
014cced58f715e3720145e072399747dc918eea6

SHA256
a486944fe576e0e775a8a4aa4dc709d49a21fab9aa7dfa14429bd2e39ab1f65e

SHA512
9e6e7cbe3a3ef226574aab9d9ffb9327d4c65bafd14a537d395945ab04447a9e6d5cbf65135fe2fde5a2c90959eacaf07e5e8b08a32f79ecfad54ff481efb01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
188ece01a8ea9697c7fb56c4aafc22de

SHA1
26bb2eb11ae49b1bec80b51a031748d9113f1296

SHA256
6b37867a087ad8d5de1477295b538163323e1f314b95273f9c992a42356948cc

SHA512
a2165e25b2a4f14dc3871837dd641cbf2f294ed38d76827a54c53d4e4c5590f00407ba67ec444b1c092d13c73d1c9afeb0ed3c4905f33ab1c762b49d6bb46e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4473bab7e500b010a791a6cb369fc119

SHA1
8a3909ecb7f344876384c070cf5457ad7a5c3471

SHA256
4880d38543c7e7a767d12b717d0c79e0f70ee7f5883eb2c487b2ca93a47ab3a7

SHA512
0b9aa415b8d798d33a052430f129cc664bc8189aad4fd8fbdd100fe55f9e0e9ba8178e58e61b1c131580deb3e3caaeddb0bb8709b8825dbbc0198f3949fbfcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f9bb1984eb4a9d2d24945c00e27a1949

SHA1
15aaad7ad0293b0480cd99858a26d6a15bac0acf

SHA256
51ac831ff0246bd5ea2c9894dc2752c55bff382abba9ec6de6152a61d5c7aa65

SHA512
6357fd6bfe606d1102bb1f4b0b227d9795809b602c24aaeeb1e32e68902812ee1eec3faccf204653c6a81cdee84417570708cf51b860b501c51e5d5b459ab1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bbb0557949c9c378cb1d85fa02f1f26c

SHA1
ebbed9c8df73e9e4d84fee0367bb099ed5e4095f

SHA256
d917efdb1c496a0a3494a322103d76f56d2fb3d74160c7d5d4638d97c96ca84d

SHA512
b7fb82a55ba15d6c0bee2dce3a1b5ee97db1da72cf20d500adc490ad8ecd9bc596bd4ffa5b199ffe4d4689e03e215b63749b8a9401012df5dfdcfb2ff6294380

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
49b1cb650c4d1e14e268e9c628b75c41

SHA1
62e747be6432ab0a76533b9d5c12c1fe354074c7

SHA256
14db697bb840460ccebd85be84d5233ef209ce805bff1e0672f0c4b58704636b

SHA512
df52eec74e58597ef752bc4b2a854cc6d4806b93d4573089e19a8275f7c23d99391fce2bbbd2e916cc1a867f56a9d9ae890cddcde8a241d4c0aaaf20102bb498

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
75c96a042fb7038e9f317f1474d5c901

SHA1
2addb97d87c0584acc700eee84742e7f20577e1d

SHA256
a6435a27ca2efe33872f70323983b9c1d8465f65f7a6e313e97515408e4cb1c4

SHA512
ba4dfe7859aa069e318bd0629d47c279de0ea7bfd6ef4498162f73d764472daf573495ecce3937dbd149b297d114a3a8f67941adb0ba1ee2cd2af7f34830847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3b23a084387e5357d866f99fe46890d8

SHA1
c8c0eb38ca926f7ca759231cbb3d4ec27353e2c8

SHA256
5f6eb5320db489a340b3bec5ad7031ef975fb1914c64798ffa9b33a8e0023f73

SHA512
ea3a7c178abdf5f5088557edadd4541d2f6c4e8224af4dbb4cf1bd891d044752c5c70b415a45f5fe6ffe1b3c7f619dc2260b02def5d53c6ffaaf94cc58abb317

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
046c1803d6e79b64fe8761b147995e30

SHA1
ce821818e158049979be45570ccd708ab1773806

SHA256
943503fc393316e6a64f003752c3ce3c21ca1f8a91d87272fe271e6991cb4877

SHA512
10c7b203f31719a16c9f8dce0b9a85ec1fa78a07ef5f33939993591603d88f919506d097b9b33426fc0d253632ec7030f9f56219e8a05cb1cfd30912c0395a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f71e897f75c5c068ede4711fa36bc037

SHA1
2383e7f6b0eaab2c764d35303cb250849d966347

SHA256
3d522677552a2801a73479fcc5ef260badde0394665a426d2593ecff88c217b1

SHA512
7ea69659c1ac494d2152734269480e108e54c98ae3f62ec87e4b981fbf09ee855ffc2abdf66c4e9149269e86607f75b89b3e87e9f14d58fc6841d15bb1ebc365

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
494912bb634a559f9263a937376e30d8

SHA1
3898cd8ee24570c2d1ae6353a1bca7a6cd734392

SHA256
da3825d8ed8071afd43e5688148cb8576322f78a87a4f0d5ca5b2d1f561bf547

SHA512
feb6cbc285f8e84b35b8c870605ca4b40e269176ab84874eb4c745975dbbd3c96b1ba53875d33fa3e67c55029faa1d2c4a55b56d4ddd249736e95cc5b174d60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dae4b950ab29e24f5379382fb504439c

SHA1
cc799da561e8f904d6a62f1081e52890a79b92bc

SHA256
9edee3e139db390b11132e83d849ca45d3a09c141d1185dd12a8dd439bb0fa35

SHA512
69804fa4fe6f9de89b29ff4c443e6f185765452ec03baec38fd5618d0495a3d3f3754ed243fca8d50f3c274efae767579cb6006a3cf9a51a8ec5232af46d2ec5

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
344KB

MD5
4da6797e5adcfb2a3f183c7b49cabde3

SHA1
9f66331b2cecee3171cf8b9d33fec9932a165893

SHA256
05dde0fb84b16f700d2ee79326fc7e63e08e8cf318dddcfaa211b3a2d945760e

SHA512
68c9e19ea57966983e753f8d06435a421810b7226aca23b490bd033390759b8dcc2b9412ecadd46b8be6c02277b396c6051129bd19ed5d5386f31b2865baf10c

Download Submit
memory/612-319-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/612-318-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2672-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2672-4-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2672-293-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2896-775-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2896-317-0x00000000054D0000-0x0000000005527000-memory.dmp

Filesize
348KB

Download
memory/2896-20-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2896-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2896-1030-0x00000000054D0000-0x0000000005527000-memory.dmp

Filesize
348KB

Download
memory/2896-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2896-19-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2896-294-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download