cybergate | 05dde0fb84b16f700d2ee79326fc7e63e08e8cf318dddcfaa211b3a2d945760e

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Size

344KB
MD5

4da6797e5adcfb2a3f183c7b49cabde3
SHA1

9f66331b2cecee3171cf8b9d33fec9932a165893
SHA256

05dde0fb84b16f700d2ee79326fc7e63e08e8cf318dddcfaa211b3a2d945760e
SHA512

68c9e19ea57966983e753f8d06435a421810b7226aca23b490bd033390759b8dcc2b9412ecadd46b8be6c02277b396c6051129bd19ed5d5386f31b2865baf10c
SSDEEP

6144:KmcD66Ru5JGmrpQsK3FD2u270jupCJsCxCHIZOr:/cD66192zkPaCx

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

noliife.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2I4JXT18-EI7N-WQSE-2DU8-C7QDQVXRX4PM}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2I4JXT18-EI7N-WQSE-2DU8-C7QDQVXRX4PM}	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	server.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4120-0-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4120-3-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4120-7-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3416-10-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4120-65-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3416-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4120-71-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-90.dat	upx
behavioral2/memory/2712-92-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3416-1179-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	2712	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3416	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
Token: SeDebugPrivilege	3416	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86
PID 4120 wrote to memory of 2996	4120	4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4da6797e5adcfb2a3f183c7b49cabde3_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- - C:\Windows\SysWOW64\install\server.exe
    "C:\Windows\system32\install\server.exe"
    3⤵
    - Executes dropped EXE
    PID:2712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 572
      4⤵
      Program crash
      PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2712 -ip 2712
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
bc953605d52d27cb768ce3078fedbba2

SHA1
3908cfa0428079fe7fda2ada4522053e1e12c34b

SHA256
c4fe03cec37473ec97b76e44fc1980d94e5bac2c5e3bb86c544262a7f18f4208

SHA512
552334a5180bcfce7c7e9341dd58d75ef92e86fb0bfe1ab6697b8b0d72b3081af9bbbefa29421ea19d30a3db220f5a3434ddbca28dd27096afe14abeaef2dd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
583b551dd1aefd0c4979ed09ca6c1dfc

SHA1
6a79b773ae4e55eff48e786c192b904c1c390ad9

SHA256
0c42f2fb015832e400496635cf8899981911ab8746b474785f0b7baac101be3b

SHA512
8f6ca36b9d1721e1f4fd0e003678c2065d2941a086cc5fe8a9d90db0e4db3943389d0e2fc735d6dc2770c4b68ab563f9caee095ea37f90318b4ca85525420c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7495d86dc9e9c4b604f5f557d4a893e2

SHA1
c8d4053266f83d2c7af99c79aad3070bb16eaa0f

SHA256
2a58688b47d9747d38f7ba5a7cf73b12dc47629caa5ae35061b5c2a48c79fc19

SHA512
0ffbfc69a4eef05c70ddde9e815c0af46287caf218990feae58ab8e66e34b4220b81d9f8a8dd1f59e21395ce07d233bbfe733739ec909a58ceba3525162639be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71e7353e7537553efe4005082836ade6

SHA1
484c65432b4bd70ef79c67d7d838df865759c000

SHA256
cb4d47d76370905fb9fa675b447502b5b8900020a13022355f48f0b3bce71607

SHA512
a5f58fcd017e57c85f814d58adf5ce497bb54679cb1aee492a92bbd6dbe8470c819909e7f52def7cbfd4812253acf8c8fdd0a73b71ace258e02057782c7747b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4d5ecd897a2cd38d87a08cf5bfdba5df

SHA1
6d16fc6e009247bcc17fe56bc6efcd078a1fb165

SHA256
fec0049f8d0b610f6bcfe8e9e9e9b1bb13f78fce525995e511b4681022fca474

SHA512
4785fd0c43a46920537a3f39c76f401a7f0b8f9746839e01cfcc254ba8b34951f985f5ff5ed5c1bde9ec345b28ff91d503e50133e31728467cb1c4233f20c90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fad70dd439b97002d5e782611ed132ac

SHA1
014cced58f715e3720145e072399747dc918eea6

SHA256
a486944fe576e0e775a8a4aa4dc709d49a21fab9aa7dfa14429bd2e39ab1f65e

SHA512
9e6e7cbe3a3ef226574aab9d9ffb9327d4c65bafd14a537d395945ab04447a9e6d5cbf65135fe2fde5a2c90959eacaf07e5e8b08a32f79ecfad54ff481efb01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4473bab7e500b010a791a6cb369fc119

SHA1
8a3909ecb7f344876384c070cf5457ad7a5c3471

SHA256
4880d38543c7e7a767d12b717d0c79e0f70ee7f5883eb2c487b2ca93a47ab3a7

SHA512
0b9aa415b8d798d33a052430f129cc664bc8189aad4fd8fbdd100fe55f9e0e9ba8178e58e61b1c131580deb3e3caaeddb0bb8709b8825dbbc0198f3949fbfcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bbb0557949c9c378cb1d85fa02f1f26c

SHA1
ebbed9c8df73e9e4d84fee0367bb099ed5e4095f

SHA256
d917efdb1c496a0a3494a322103d76f56d2fb3d74160c7d5d4638d97c96ca84d

SHA512
b7fb82a55ba15d6c0bee2dce3a1b5ee97db1da72cf20d500adc490ad8ecd9bc596bd4ffa5b199ffe4d4689e03e215b63749b8a9401012df5dfdcfb2ff6294380

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3b23a084387e5357d866f99fe46890d8

SHA1
c8c0eb38ca926f7ca759231cbb3d4ec27353e2c8

SHA256
5f6eb5320db489a340b3bec5ad7031ef975fb1914c64798ffa9b33a8e0023f73

SHA512
ea3a7c178abdf5f5088557edadd4541d2f6c4e8224af4dbb4cf1bd891d044752c5c70b415a45f5fe6ffe1b3c7f619dc2260b02def5d53c6ffaaf94cc58abb317

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
046c1803d6e79b64fe8761b147995e30

SHA1
ce821818e158049979be45570ccd708ab1773806

SHA256
943503fc393316e6a64f003752c3ce3c21ca1f8a91d87272fe271e6991cb4877

SHA512
10c7b203f31719a16c9f8dce0b9a85ec1fa78a07ef5f33939993591603d88f919506d097b9b33426fc0d253632ec7030f9f56219e8a05cb1cfd30912c0395a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f71e897f75c5c068ede4711fa36bc037

SHA1
2383e7f6b0eaab2c764d35303cb250849d966347

SHA256
3d522677552a2801a73479fcc5ef260badde0394665a426d2593ecff88c217b1

SHA512
7ea69659c1ac494d2152734269480e108e54c98ae3f62ec87e4b981fbf09ee855ffc2abdf66c4e9149269e86607f75b89b3e87e9f14d58fc6841d15bb1ebc365

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
494912bb634a559f9263a937376e30d8

SHA1
3898cd8ee24570c2d1ae6353a1bca7a6cd734392

SHA256
da3825d8ed8071afd43e5688148cb8576322f78a87a4f0d5ca5b2d1f561bf547

SHA512
feb6cbc285f8e84b35b8c870605ca4b40e269176ab84874eb4c745975dbbd3c96b1ba53875d33fa3e67c55029faa1d2c4a55b56d4ddd249736e95cc5b174d60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dae4b950ab29e24f5379382fb504439c

SHA1
cc799da561e8f904d6a62f1081e52890a79b92bc

SHA256
9edee3e139db390b11132e83d849ca45d3a09c141d1185dd12a8dd439bb0fa35

SHA512
69804fa4fe6f9de89b29ff4c443e6f185765452ec03baec38fd5618d0495a3d3f3754ed243fca8d50f3c274efae767579cb6006a3cf9a51a8ec5232af46d2ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4fa874a0f654974c18ff0007bb1ff37c

SHA1
67b04c6889a927d76f3eaf93e4cf314407d1899c

SHA256
67d4dd5b3b1730df652f3989ede18aa8aeb8aa82fac7eebf32e9d32b7c61c022

SHA512
1cb3999440aa48dd7d552cd80f29c88a2d44cdee2e98c32ad82064fd4b2fc5e9bb46a9cf67e37feee4adbf3ce01bed692ca4d822286555de394fb6d93047e837

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1cef060a194f8c0d865604e9dc243328

SHA1
f010e2b9988e33916f968e4ee61079635d4c9887

SHA256
550472a3732284bdd7cb54d122e22ab4e83cec2a43b8642ac8526569e2a67ca9

SHA512
0498fb43e7ecaab037b9ab095f7818280dfeaec7c5193e5b7f147ab18b6a6d70fd0a383188a70d13802214d1e307d19fc5b2aee062f2a12d6f4595d369006fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3bdd0b8cb6115df11c6377796d337e21

SHA1
6bd9a98de6ce50f27ef825946b8c2c3fbb20be71

SHA256
cde7c71599252ccfa051dd92361d8404a7434130e2c0dd7dbcc4904c9e7b2aa1

SHA512
81cf78ddde41edf01ddb9a3c6feb55ecdb824d9434a227340539fb73b5edc7f2c749917decf17956b95150923b6622ff8739f4ba29949c9ec412df0716de5143

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
188ece01a8ea9697c7fb56c4aafc22de

SHA1
26bb2eb11ae49b1bec80b51a031748d9113f1296

SHA256
6b37867a087ad8d5de1477295b538163323e1f314b95273f9c992a42356948cc

SHA512
a2165e25b2a4f14dc3871837dd641cbf2f294ed38d76827a54c53d4e4c5590f00407ba67ec444b1c092d13c73d1c9afeb0ed3c4905f33ab1c762b49d6bb46e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f9bb1984eb4a9d2d24945c00e27a1949

SHA1
15aaad7ad0293b0480cd99858a26d6a15bac0acf

SHA256
51ac831ff0246bd5ea2c9894dc2752c55bff382abba9ec6de6152a61d5c7aa65

SHA512
6357fd6bfe606d1102bb1f4b0b227d9795809b602c24aaeeb1e32e68902812ee1eec3faccf204653c6a81cdee84417570708cf51b860b501c51e5d5b459ab1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
49b1cb650c4d1e14e268e9c628b75c41

SHA1
62e747be6432ab0a76533b9d5c12c1fe354074c7

SHA256
14db697bb840460ccebd85be84d5233ef209ce805bff1e0672f0c4b58704636b

SHA512
df52eec74e58597ef752bc4b2a854cc6d4806b93d4573089e19a8275f7c23d99391fce2bbbd2e916cc1a867f56a9d9ae890cddcde8a241d4c0aaaf20102bb498

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
75c96a042fb7038e9f317f1474d5c901

SHA1
2addb97d87c0584acc700eee84742e7f20577e1d

SHA256
a6435a27ca2efe33872f70323983b9c1d8465f65f7a6e313e97515408e4cb1c4

SHA512
ba4dfe7859aa069e318bd0629d47c279de0ea7bfd6ef4498162f73d764472daf573495ecce3937dbd149b297d114a3a8f67941adb0ba1ee2cd2af7f34830847e

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
344KB

MD5
4da6797e5adcfb2a3f183c7b49cabde3

SHA1
9f66331b2cecee3171cf8b9d33fec9932a165893

SHA256
05dde0fb84b16f700d2ee79326fc7e63e08e8cf318dddcfaa211b3a2d945760e

SHA512
68c9e19ea57966983e753f8d06435a421810b7226aca23b490bd033390759b8dcc2b9412ecadd46b8be6c02277b396c6051129bd19ed5d5386f31b2865baf10c

Download Submit
memory/2712-92-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3416-10-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3416-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3416-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3416-1179-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3416-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4120-65-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4120-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4120-3-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4120-7-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4120-71-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download