cybergate | 21468d01f2395d2d049867680f03503804933a6d95c239179749ef05e91e132e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Size

886KB
MD5

12ae8d8a6e804e0f7861e2ce8efe2d83
SHA1

e5c2f9b52e5781e1cc92c9c04338be3137f098a0
SHA256

21468d01f2395d2d049867680f03503804933a6d95c239179749ef05e91e132e
SHA512

99fe525fdc0cc24cb3206ba0aeecfbbbe6df15e5dfcf747c9640146ddc6400bedb29a19ddc7bf1756122ca512df090d7861c10203ce308dc0930e799810016d2
SSDEEP

24576:5DF9CCTxjwXcgMTrVwnlI2MrJ6BQZOklP:R/CCTxjUMTpwnRM16BUOs

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

bebbux.zapto.org:81

bebbux.zapto.org:82

Mutex

UAGDADA

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Driver
install_file
drivers.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Driver\\drivers.exe"	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Driver\\drivers.exe"	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TXNP0J8A-UH34-8BX5-SNOK-4KPSISBCWFB3}	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TXNP0J8A-UH34-8BX5-SNOK-4KPSISBCWFB3}\StubPath = "C:\\Windows\\system32\\Driver\\drivers.exe Restart"	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TXNP0J8A-UH34-8BX5-SNOK-4KPSISBCWFB3}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TXNP0J8A-UH34-8BX5-SNOK-4KPSISBCWFB3}\StubPath = "C:\\Windows\\system32\\Driver\\drivers.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

drivers.exe

pid process

4432 drivers.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid	process
4432	drivers.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4468-3-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3592-67-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4468-63-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3592-68-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4028-138-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3592-767-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4028-1447-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Driver\\drivers.exe"	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Driver\\drivers.exe"	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Driver\drivers.exe	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Driver\	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Driver\drivers.exe	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Driver\drivers.exe	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2672 4432 WerFault.exe drivers.exe
Modifies registry class 1 IoCs

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid process

4468 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
4468 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid process

4028 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 4028 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Token: SeDebugPrivilege 4028 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid process

4468 12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid	pid_target	process	target process
2672	4432	WerFault.exe	drivers.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid	process
4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid	process
4028	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4028	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
Token: SeDebugPrivilege	4028	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

pid	process
4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe

description	pid	process	target process
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE
PID 4468 wrote to memory of 3552	4468	12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe"
2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12ae8d8a6e804e0f7861e2ce8efe2d83_JaffaCakes118.exe"
3⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\Driver\drivers.exe
"C:\Windows\system32\Driver\drivers.exe"
4⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 564
5⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4432 -ip 4432
1⤵
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
780KB

MD5
0b914113c883481d6b478354cbb6a674

SHA1
912977ae12a0aa4a0d0264626b39812a8227cf81

SHA256
dc35fbc54768eee044a6b260427246c2a676783c30975ea7f38d43b5b756997e

SHA512
1b518947c6866a575addf8827482c75052cdb77b0b1a4db45a7d3e0c2f2ba155cc9028b8439700fddb61dc0d78d3b6f6890bc17dcc139f786c62334da75ecd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
aff64bd6d7daa210c0db9a32b5c560d3

SHA1
ed83b7ddd6b9135e673f6fcaafd4f2e6ec16dd68

SHA256
86d5458fad3ecb57815a2b97022afdb8553d03cd1d74d63c45b7b1e6b7b5ec59

SHA512
d8b5a49ec6630bc3bce0d3f8d4aa81c7c3ba5b3880f43ee5ae294b4a1413c19b107fea00b48bf2c87cc88ecedfe112dd17054d5b5432a8dc8e9763555c3e9eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
20c019ab971914c8782614970c54fbe7

SHA1
2dacb418e62cf4dce4fbf7decf1c9b0bd69c6dd0

SHA256
e850e1455bc60dfb9f38c95bdaac264485ae7998d60bf7826228f1d7ee45f05b

SHA512
c2999fff64c8b1ac1406317abf0b6d71ac923ffc252f999df8a1cd2b47ab9a5b09bd93520f00e3fc0749022d1969f816bce2c82735342a2d91af0349a0e56481

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1cbcef7908f8f35d5cc13fb1237f01e7

SHA1
ee0e1ac59a57ea4fdad3357a987b9c7935fc69e1

SHA256
3345a5ae5528fef9f2fcb7e7a0b5bf60c8c1a0f5c48823cc0d80d7241f802556

SHA512
d453fefe4d82abb2bc6ea86907763ef77314dbbc5b429df8b6b7f62ea65528baa0c358f7a1ba9204ad2e9e4ed91f1ee577af5a9ad0b40b7c60898edf40b49e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9e9dc6eaffc362112026c648138bcaa1

SHA1
fa3f42b2b2473b9180d5b519b7cc2ceeafa9ad7b

SHA256
f94b0887fc3b8061770c5898a1478e514b9f47ff8d2ee95aadc8cc8e1e524b98

SHA512
eaad19b2d7b39929a8f12ec73f0c1ada594fd89f700596d325af797fc95f3884d5075bce2855aecab29e29d011fb71ba5df799e0dad7ee23e4af8994b5faaa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9011be482d23dbee913e802613df98d7

SHA1
3e8e22190e6b3c1c3ac7678a113ebe820d3e1683

SHA256
2fb55b396c6132467e426b793dceefcfe8fe36dc3a2d17477ed7f148653ed053

SHA512
e1c7872aa5d3e708489af32ae1761c9ca616e86b30924b62ec8f16c037d73881e89aa0b8ae31caf0e88083c6c33a996a9617bd6ca4e0ddaf189686ea4ae36f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
62224276bc3faa75d5c424e3d49bf994

SHA1
6c9c75026b3f8d8de5c62dcbe3aa2e1d900c1021

SHA256
3f1498bd0ad893a0e0316506d2312323c0cc6b743e28382b7f7ef9fe874ccea6

SHA512
047c07e0f708b78bf2fcc2fe719b754f7893b2f3c2572b4456700aca9377e31318ae9a3a1182537451f8c6634fe19d8530f57d4ba330856a710de8abf42b5516

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
cc167d6e1cfa0ebbf035fce2c43f73d5

SHA1
febb4757946e5022082952db3e0c5bfcd41fddbe

SHA256
7830ccd2b75e6122402adf555fb679789d508ce5b7af88057c28628feaa51b26

SHA512
1a184e99e35c8c51f98576c1dc3a8a980d8a0cc9f8f1eee97185b2cbefd45e7a091d59207a2510a7a601f05acac0dd667a15fbf92a5b8e7a6f369d5f23bfbf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
ff7bd79fad73056efb2da2797d0333c2

SHA1
442389271b0669b12c2a98c0574a1c09ee6c4a17

SHA256
92e7f0261e2cc011e5ea7617edb15f341213059aa8e4b80046bf0061509c1e2b

SHA512
4a3aea438e9f28cde2687eb1946a92dc74900cc9556c9ce9b31b4885b3407d701a30c2f54dd73a0dbf2564bdcbea2e0c1be38a988ea495f35dd16bb9916c7173

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
512dffa0407f3ea759bd2a3f1cde3426

SHA1
9114516d02423f7b336f00e063a2e861c5312b20

SHA256
f56e4ddef5ce9d90f1ec7e289c5dc4289519da4ba8fb73c6072c17d7fa8a6513

SHA512
efdf0428da96aece18b8a0200a1af231dea7f71ab26ac3970a35f094c6f2ab58200477f9cfe594ebc71b2e7c921f9e1df03770a493cac904a7d73a57e505bd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
189fd9e024f25f1904dbd6deedf60ad1

SHA1
df506083ee128593ec33da238bd18d18a0e7355f

SHA256
f00d1c16d78820a2952ded4b6f2b58f50d472c451cfe4a36e086f7941ac2d343

SHA512
c1f85290ced548696833d96cf9e80ccdf8451de628c28dc4b1a4af04ab455c8150bbabd5bc8135da17ed7650ec9008e246f9fc0f0e9b565542b7adb182e6b6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b03998a5ecad98f0296b729d61ec2ad9

SHA1
d46fd3aef19efe76cc9bd0408dd10b44bbca9553

SHA256
26d8a9bdc35e08d98b9f3a8c4a5c73ee428627d423ece3e55e572ff690da51f6

SHA512
110fbe61f99d93ce0c2d44aad89ba0f1e222f146e0be0d73b827dc3a148bbf27d2d0ec6f17aad23a414af9b5e9695343915a12dd780a3041de2bdb1d2dce2192

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
a51634407bcc274bbaaaf36ac49c4b73

SHA1
f644161f674a653a21f9c4c53248be8e62b5319c

SHA256
b9152b6a92ef748c7bdb9f2798ca66f8dae3bd6b83aab57cb296a65d501507cd

SHA512
37fcfcb2bd391481fc50e154ba5b5706ca537e0ffd3702f59f05de878ac001c706e9355c14ffc420154e16578b2c49d60feaf8ebca63f08d30d4f960d5fa0bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
fb9e12afaa8c4e6428477c5224ae5439

SHA1
94e071e9c53f716be4d2dfeb301ed6b4f497e387

SHA256
00ea7b47e3191557d4f5e2610cb2a204f0712076fa27ff654e6a3fcaabc762ee

SHA512
29a8b7792de1c01fe43da569d3fcac6b4193b5114b7aecf40718a0fedf154ffc82f8eda2002551d5bef9f70ccb01e042becd412810cf844adc0a1bb3ffdbc4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
2c7abbeb6bdf052238ff54e17cfd58ec

SHA1
18654dbdb6b8009dbd5acbc387aba82d467a2bf5

SHA256
f9c41f2c28e838d90fc8b341c94f3ae767981d1c1cb80c798a74f492fc9e4e7c

SHA512
618cdbb4663e10989951120bc1db990062dd2140d83b7d0353795390653129fef5df8a962b5ac9574d8105f7525e43ea74185f4eb6232babf5eebd45d2c942e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
91ae45ef71332a6e70ccf253ef647af4

SHA1
dffd6e7a1994d1167d22779665c2d5697d3f6636

SHA256
5adcfe51c5d7e2ce9ed2aa1b96ab416f350f1d6232f4a87ebb5f7a9db582eaea

SHA512
4efc70a2334c3ac6fb03216ba286eccf8bf1ae59f619375a337d7768e1317ac79355c05d7ef25bd9900bb394396a54a53a63b09eb67c9487f231967a7d900d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d1936eb5f29ed821aae4050402fac15c

SHA1
89be374242939064e597cfadb0005181d6525250

SHA256
a5f0472b1db7877172e318e98024220c3938533b5d6584b9e4896e5c52bca96b

SHA512
bf948a6eb94cc4bb4e04d9dc1d2c89bce80a5d3e99bc28cd36c84f0bfc5474ce3ca9aff861f31f3ff2802f20c68c3844a92e4dec3f207ebb2c1b32ff361f0887

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0cd04f75fe585bfb968b4b02be646a82

SHA1
2a9f30507f47218a086f2abb9ac8708040e09b6e

SHA256
547e6990dfd84f26beb876893bbbf1496266d1efa75c20415227b62d6a452b85

SHA512
773adf4f591e1ee04ee9a5f6d5516a78219c65b89a7babf16f9e7d07191ccb87fc434857b9cc8160f031b49ec6d6d3d1853be636a7830e8907e57e914e364e91

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\Driver\drivers.exe
Filesize
886KB

MD5
12ae8d8a6e804e0f7861e2ce8efe2d83

SHA1
e5c2f9b52e5781e1cc92c9c04338be3137f098a0

SHA256
21468d01f2395d2d049867680f03503804933a6d95c239179749ef05e91e132e

SHA512
99fe525fdc0cc24cb3206ba0aeecfbbbe6df15e5dfcf747c9640146ddc6400bedb29a19ddc7bf1756122ca512df090d7861c10203ce308dc0930e799810016d2

Download Submit
memory/3592-8-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3592-7-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/3592-66-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/3592-767-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3592-67-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3592-68-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4028-1447-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4028-138-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4468-3-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4468-63-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download