cybergate | 9fee1c16424d1e935774840dbadc5c674deec263704f31709f9d75710e17b474

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
Size

998KB
MD5

4e350b017b9508e698be2f56d74a78ee
SHA1

fe9a434e4e754a8da95afbb055255e238501b447
SHA256

9fee1c16424d1e935774840dbadc5c674deec263704f31709f9d75710e17b474
SHA512

e38d1e27a26b21349a826d66697e653b8c32f6f6f04258def304e2ca294f47b9685ddaef32da4c1c32eab2a2f6ea71d3afbfb22e14238202d1b516c9fe109cbc
SSDEEP

24576:MafIiy4NwdLTtCYVwTsIrxR35HVwxDekFi:Tffy4NwptCYeTsIrxRtVii

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

yotshi-xd.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
msnmsg
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	servvver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe"	servvver.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	servvver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msnmsg\\server.exe"	servvver.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{557YN2SX-X280-0L71-WE7S-H7S8PLNQ5T4F}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557YN2SX-X280-0L71-WE7S-H7S8PLNQ5T4F}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{557YN2SX-X280-0L71-WE7S-H7S8PLNQ5T4F}	servvver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557YN2SX-X280-0L71-WE7S-H7S8PLNQ5T4F}\StubPath = "C:\\Windows\\system32\\msnmsg\\server.exe Restart"	servvver.exe

Executes dropped EXE 5 IoCs

pid	Process
2260	servvver.exe
1852	servvver.exe
852	servvver.exe
2452	server.exe
7108	server.exe

Loads dropped DLL 7 IoCs

pid	Process
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
2260	servvver.exe
1852	servvver.exe
852	servvver.exe
852	servvver.exe
2452	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msnmsg\\server.exe"	servvver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msnmsg\\server.exe"	servvver.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2844-0-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msnmsg\server.exe	servvver.exe
File opened for modification	C:\Windows\SysWOW64\msnmsg\server.exe	servvver.exe
File opened for modification	C:\Windows\SysWOW64\msnmsg\	servvver.exe
File opened for modification	C:\Windows\SysWOW64\msnmsg\server.exe	server.exe
File created	C:\Windows\SysWOW64\msnmsg\server.exe	servvver.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 1852	2260	servvver.exe	29
PID 2452 set thread context of 7108	2452	server.exe	34

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1852-20-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1852-23-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1852-25-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1852-26-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1852-27-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1852-30-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1852-328-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/976-560-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1852-895-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/852-1242-0x0000000006080000-0x000000000608A000-memory.dmp	upx
behavioral1/memory/7108-2585-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/976-3529-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/7108-3537-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servvver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servvver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servvver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe
852	servvver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
852	servvver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	servvver.exe
Token: SeDebugPrivilege	852	servvver.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
1852	servvver.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2260	servvver.exe
2452	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2260	2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2260	2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2260	2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2260	2844	4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe	28
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 2260 wrote to memory of 1852	2260	servvver.exe	29
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20
PID 1852 wrote to memory of 1116	1852	servvver.exe	20

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1708
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:5484
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:7024
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:6968
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:2444
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:684
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:872
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:6980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:292
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1080
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1088
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1412
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:540
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4e350b017b9508e698be2f56d74a78ee_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\servvver.exe
    C:\Users\Admin\AppData\Local\Temp/servvver.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\servvver.exe
      C:\Users\Admin\AppData\Local\Temp\servvver.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1988
    - - C:\Users\Admin\AppData\Local\Temp\servvver.exe
        
        "C:\Users\Admin\AppData\Local\Temp\servvver.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
      - C:\Windows\SysWOW64\msnmsg\server.exe
        
        "C:\Windows\system32\msnmsg\server.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\msnmsg\server.exe
        
        C:\Windows\SysWOW64\msnmsg\server.exe
        7⤵
        Executes dropped EXE
        
        PID:7108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
d4bbea54344baf0954e6f071b93e0bd8

SHA1
53206b3890fcd0a83da7b3bc569bb9ca1d708ede

SHA256
9aa61f3eb7f8f535633615d547b1ff579312ec0c8e3ee52f01f4e3d4e4b69cc4

SHA512
0b7fff5b48a16032be80c6ddf0677c4bd7bfb328f050fdea4ba30a636990c612267ec5095bab717868699ab1766b3ff9b56511444cfa539684a70e89e1243571

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1c84e15ea96d2beaf5330769ee01219f

SHA1
a76f913afef55561d40490a39f90f17965b56a38

SHA256
da42b437eb28b14b6a8ef021f841b01b15a9fb94d729ec8a71dad11c5c0801dc

SHA512
bf417c3ac17da087ab91d57d1bbd3983288627c9bb49f5c41f093d992fae8c29e33d63d775e8b9f9e6bae8435219f67793150fbec3c8c19cf9992bb1c93b05a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fc996743dbf4c5dbba1816c855269674

SHA1
a0461b02682262717d335d0320746845fc054cc5

SHA256
9616ab74714a0929eca8a6e355389ba4bb91611d4b73507ca93964e8e3fde84a

SHA512
0e1a629838c80ac38bda445dd06cb50dadbf8d45e8892038a1cddbafc4db5200b3f243e2dae4163d78d4d5afdde0d9cf5f0b347ffbc9e113acfc15a5a3522bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b98613718d9aaa9032113d3de67a8c8

SHA1
eb55c0025132888c42e311931ef824423311983d

SHA256
c085f6d733b7c7c49c92953608fc24ddab06f44f2a96e07ec0db983bb3b1607e

SHA512
e7c631ea49e8b5ec6c3b37553051d1d0c1399398ded5199e83b9790427bb7981023c612a40b48f3bc4c64567fb4e0c4977b92be77cc56f7740dbcd03d1d035c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c71c8e31c464167a9e8c2411c295315

SHA1
2d9e3e6c235abc9418613b1af789c0bb050cfe60

SHA256
7dc16b6bd45ecbdf667b7b27ed04584835193207579a5f3fcb5fbe2a4464cef7

SHA512
a0de18704b6d89c2858be9af76db8b399e21bfec5d6b5c3608c7ada0c60ea63bbc9ca53d646e78fd177f71c7edfbf45348361b8ca68a7ae6fa7f35095caa31bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f64eeec4fe613b59bcaf3ae2d4d2bf00

SHA1
6760d3d8d7cfec7b92de10a3dc908196ae4c6b5b

SHA256
780d4dfeb867f1909fd6215c4e35d13acef448aa7de4812c5cc0064f3918828e

SHA512
0f7404de8a25d2401357fdc602d64c872f5cf21056064c1dc45b9fabde6248449a772f237de905a7977d669f4364f17fe1bde9c84aed111bd77eeaf13d22579a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e1119537e7283ed03d35e697440df2bf

SHA1
67e218deb814e68572299eae781056b3c995a71a

SHA256
4d45dbbb2d3ae0f3ba11b2367db374b09a4e66479b5707be603cf8b6a1ba4bdd

SHA512
2481ffbcedaf4421238a94752b7a05722e38a9ee9b5d2da409698f0755d4590d6890de6463abb8c6de97a60fbfe803294f7df657f5a1a8ec4bf992826149daf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
efd7b40f1a4a0e44bd5e37e352e790ff

SHA1
7b94fb1d0f8a2de47bba47a6f99917c2ae7efab4

SHA256
c733d945b732dca5cfa34f9f32251878e6de434cf7135966df52910487f566d7

SHA512
1ed737c0585912edd223312a220051543bde2fedc542d688c65e53fda5e4f3f0ea48cdfce01ab885011e9030e05f25a40e7c732d443d43bcfdc8f4bf5ec6aed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8034640b7fc72d399df34e871fba1427

SHA1
339440e986254a1ae210bac1c36a7cc7f84eb0e3

SHA256
6ebb36967b12bceae216e2559af15d2b947c3177272584cc8e6771c38e1df253

SHA512
7f701bc934d64451cd0e7f48f5c242bd31a00f454f191e79e436fba5519913dd5191415f349c909e7677d9c8a5049a4ea12e28e20e31b639a606c9ce7077ed7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2940ee4385c4320a516fe349ca6ddd76

SHA1
ed9bdaa96cf18069b036ec101ba7cf77ac01e64d

SHA256
7342e00d0f321972d270dd6af4598328715a5710b616a5fe3e7e40d089d5d42a

SHA512
c03d586a5a6b72b59920057dd034576db2f7708190f57cb4b062d43f25b1c8fc74a04fa15f526c6411c3fda65e70dd7cde3a6b2f5b72eb43c332f3ce435f8a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8c95804c9c8a1096cda641bc25b55e04

SHA1
b72141570056e35315e994745d460bf0eb5f83b5

SHA256
90632ee3d4e03ae690442cf24855d2745c32fbef2e32410bc372b801fb1d93aa

SHA512
6d4d792acef5141d085c81cf17a8a6cd0946f4cc90f171be976e920eb684da0fd4737d7f5fbe7650f3994e2fb248b3ff20046db659b5ac38e70deec99b1ebfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d56e4d4b8b992be78fd26e94192d6d7f

SHA1
7811f6d3fbbf9d7b87711bbe38babab301fcda5d

SHA256
cdd2213426d44f75f6cf5208a483614ad0319f40acb9affff77a6b30082ca386

SHA512
a474f487eb3d977cefa699b992a216513898ad43c03ccb271f57833b212931d648dc1d495ac90b8b3cc448cbe9a44a5bf3e3d0475ae2238a5e3fb51b366615a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
90baa750e667ada7a313e6d6141d6331

SHA1
97cd190e4aef888ad5feebc818f335e6cf89351a

SHA256
65ec801f12ca1938934385b0ab7bb270fab81ca11744121e0a6f4ec09616d827

SHA512
658139a92cf21321f77923830f32f649db05920f276d254dfbb47be00cdc814b2176fc9a5f30b29e96973751149a8e90097bbc94c3fc283ee467d7c515efdaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a7955205a97b54d4ba3c34d8c887d3b

SHA1
90573c23f45526305a9b611d7c7d0438941182bb

SHA256
436aa450c28762be67db3bbc60f5ecaf3b215a8f141665bac9c1a8f06de37e41

SHA512
270189212892ccd9d9685a188390f8b9b8f527d47726a20148533f5fd57d7e982abbf0b1b98f89f6283b06621520dcf0a84ca430fe34ed68a3efe8fed2cb35d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3593b8d544891a8bf96c508c5c1bc001

SHA1
0ad5b4a63c768594d050f3517833a6b3b7614f67

SHA256
51a0f8587f371de6be7adf55ddd7213d3e13a6a1ac6886ea574da004d7df325d

SHA512
9c72749bbc04250f62e0e570844f94447abb4035f3fbddac8bcbe493a1453ac638d7bfcd3c562c0b83ff0b5c28c4e7badf296c53b4fbba8d766016b1098811bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6c93a19978ab7cea5bc6a23243c7a831

SHA1
4532ec54df22c1518849166d06d5960f53510377

SHA256
a2e5f74d0ab349f03a8fa4d2dcd7d9f7c1439ca3fa26022e130e0c0bc5c1d524

SHA512
36112b4d24150c6a837b1df7883fa5a72eeae4a7460690417bc194eb4db61d310cc12a4d0894630c050457637e0f4c5f424c68ac8f05c48809c5df70278383f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1c38246c3d49f379d8dfb8d334064e57

SHA1
dd1365b8cdc1377e0712cec065cdc2a53f0efa87

SHA256
560af2d9dc3d2f8250187155fcc63354406c00bcdc381716818ec4b30cb71aed

SHA512
41003209a3b0993107ddd8aa38f5cc0c7a04c2844d96e82633ab145dd4734a38540779b16035d900937c739dabf8aa9f71543b7cc6b98b73b151ee2fe7aeb11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
684091f4ef5c9f44c2623d01f4c9281d

SHA1
9e9b3c6ae631c3a27a1b204996906c5788145f2e

SHA256
f132b4a48d8b02e3edba32bc011a551a14b477d90519a5d8a24b6f72ece831ee

SHA512
b11d9b9c3d25aa98d24a4b96a37d667877f6bc663b554a776d3ba6567eb481e14062faaad2add3ef82a027ae5ca56fa2401f6a8049c31ad6386d5fbb859160aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ec9ccc5f3a23e0a67d3aa9d947ac1c9f

SHA1
2394635e09cc4af00f5f1c3547ea2c150e5470d3

SHA256
325fa13511ca2d3903d935afae2be6964417e0fc4cfe03eb3a8a9cdc627c2cce

SHA512
814883f59e54b14ddcda634b19545d2feb4273efe7f622eb7bc009141d889092aeff1cd5c4a2633ce4e781d2d0755cdc08aa85db221a9c4c96c10ca6476ec825

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c414aaaf408be2fc586fab1fd1d96aec

SHA1
da60ba99a5960a55aab3dc7ee1f2425e126e08f1

SHA256
5b5ea2cc84c142b22c14fd9654588acd4cd41067477023be7678e8e1ae2369e2

SHA512
89841531534fa9952ea8e086faf1e227ac8c3036208beb5c866df08f5af1ef3138f611e29ff706010aa60e89b08e2d80e5d5669de400c37321f103c6772143ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bd93c274223be40cab9d1188ccb84f31

SHA1
06757a8060462c181c3eddbaf052f6b7ce34b28c

SHA256
f74d2ca2fe3c0492fadb2aaa5281126a306955c8fe19e17c0e6679e4b6254397

SHA512
f0e75362eaf425c8ab62f088b80150659e21ffbbb2662b5ba7a802cac7292960aa5c6aff19a23312cdf815961bb084d16baa55c6d509f5348a2145be6ac6cdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
11f24f5e2c0fc7e57b241ac7372267bb

SHA1
d5ad3c90bb22e9abdc82af840f82f5d40ab1c74a

SHA256
4be61dd2dec43f93502f630f4f434774d19ea58269c5f0cb91129ef10ab90bd7

SHA512
47a345e62ab486fa984f2ac6bfad8de2a70ddf662651879bf28f1bb71fc9b9ad655b830df91cbe00f98756f8efc7a72a89623d6d0627b20829bd3f481cb982f0

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\Users\Admin\AppData\Local\Temp\servvver.exe

Filesize
316KB

MD5
d8b25e81005f3f45522e3c92e405fe5f

SHA1
bc57c181a07c6d2c0d57ba14b0224b18d22a5ddf

SHA256
361ef7c6c1fb9ae836817b4dfc06d9ff30b8a47293520e2ba2793c93c0656656

SHA512
df8eeaaec2103a602cb5fcb0f64f7cc0f6cb7ea541c5a0dca8bdcf91dd50eb943b906c0b351b317fd7e221b058d2e0a39587c0b4a11957f3cc3c0bce990b072d

Download Submit
memory/852-1242-0x0000000006080000-0x000000000608A000-memory.dmp

Filesize
40KB

Download
memory/976-274-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/976-560-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/976-3529-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/976-276-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1116-31-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1852-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-23-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-895-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-586-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1852-20-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-328-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1852-30-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2260-24-0x0000000000400000-0x0000000000409001-memory.dmp

Filesize
36KB

Download
memory/2260-19-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2260-14-0x0000000000400000-0x0000000000409001-memory.dmp

Filesize
36KB

Download
memory/2452-2579-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/2452-1243-0x0000000000400000-0x0000000000409001-memory.dmp

Filesize
36KB

Download
memory/2452-2582-0x0000000000400000-0x0000000000409001-memory.dmp

Filesize
36KB

Download
memory/2844-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/7108-3537-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/7108-2585-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download