cybergate | 0ae8c685e2f0db7f253adcc5a6b3cf223bfcf6cf6692a8b490673cfaf1f2d329

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Size

573KB
MD5

1e6eb43129335b1255965d6c63aa70d0
SHA1

7788c5ad78fe9355dceda05a4bb85f001a851700
SHA256

0ae8c685e2f0db7f253adcc5a6b3cf223bfcf6cf6692a8b490673cfaf1f2d329
SHA512

eaadf73b10112d7f454a363e4dfc3149ae1bfb7e0913507164fec535173f10be01664ed2453c36392f227ade1b9f67937c1919b6a562881bc85da0dfd29abae1
SSDEEP

12288:JI94NO/QF7wEbm3U6IkzBpApCNGFGslP4caL11CY10Tysy/u:Ju+OgcMI1VG4slPef6TNy/u

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2.3

Botnet

vítima

hack001010.no-ip.org:80

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windl32
install_file
windl32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windl32\\windl32.exe"	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windl32\\windl32.exe"	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\windl32\\windl32.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\windl32\\windl32.exe Restart"	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4516-49-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4516-51-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4516-55-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4516-53-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4516-59-0x0000000024010000-0x000000002404E000-memory.dmp	upx
behavioral2/memory/4516-107-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/1716-111-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/4516-119-0x00000000240D0000-0x000000002410E000-memory.dmp	upx
behavioral2/memory/4516-116-0x0000000024090000-0x00000000240CE000-memory.dmp	upx
behavioral2/memory/4516-171-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windl32\\windl32.exe"	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windl32\\windl32.exe"	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description pid process target process

PID 4608 set thread context of 4516 4608 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	pid	process	target process
PID 4608 set thread context of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\windl32\windl32.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
File opened for modification	C:\Windows\windl32\windl32.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
File opened for modification	C:\Windows\windl32\windl32.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
File opened for modification	C:\Windows\windl32\	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

NTFS ADS 3 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	ioc	process
File created	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFPBJTV974LT0KPPBYKX9759W0MXFSVF7JB4VP4GF	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
File created	C:\ProgramData\DYA_HTCJEFDRMOGNODLWK\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFPBJTV974LT0KPPBYKX9759W0MXFSVF7JB4VP4GF	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFPBJTV974LT0KPPBYKX9759W0MXFSVF7JB4VP4GF	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid process

4516 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
4516 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid process

2232 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2232 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Token: SeDebugPrivilege 2232 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid process

4516 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid process

4608 1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid	process
4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid	process
2232	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2232	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
Token: SeDebugPrivilege	2232	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid	process
4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

pid	process
4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe

description	pid	process	target process
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4608 wrote to memory of 4516	4608	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE
PID 4516 wrote to memory of 3508	4516	1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe"
3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e6eb43129335b1255965d6c63aa70d0_JaffaCakes118.exe"
4⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DYA_HTCJEFDRMOGNODLWK\1.0.0\Data\app.dat
Filesize
971B

MD5
b7052e7af271fe7b4fd700c16c3cf492

SHA1
8b8aa664c47027ff01d840cec453841b8a816ff3

SHA256
9210236547007e43175f493a63434dca79d48a316be91bfea039fb4f045eda1e

SHA512
a82db93a6bdb62ffc1fc95b84586b8c6a6ac28737cb63e5c423af5b6dc7d05a9b93fbbe5e6615bbcb28711fa98c0383eb1ccb3cc5285f9da4d225d8c6a1ff24e

Download Submit
C:\ProgramData\DYA_HTCJEFDRMOGNODLWK\1.0.0\Data\updates.dat
Filesize
971B

MD5
37ead804af922fe7a3c3f2a20b6c0ca4

SHA1
aca5345dac14c90e58e67d0ace6ab2e992904802

SHA256
cfd43197bf544543146ca868ba0add21e75b92b359e170354b0ad5bb7ad6f48d

SHA512
2b2ff1f43249afaba400b4aa8605e9c14aafe661eabf6a2b4216a0a229fd2f9a6e53526ed526b29d4f2eeff64c5020df5d44ff86c00787d1661e238d792de66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuU.uUu
Filesize
8B

MD5
6464f418811aa61073fd20829356f73b

SHA1
9fb62308fc0ff6a3f4c4dd4bbd426b5626725051

SHA256
7eadfa2943bcec488ae41f7d5767b859b2ba06db55278a8f148a400f6431c414

SHA512
f904fb4bdb234a80621e0c4b5b5027163de98f56738f6e88822bdd29f898219f38157d764e80a44e7f0d3b4b60b752bca70a865d946150fa7c25b43b6c5af438

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
141KB

MD5
eb79586271fd728d44ff4485a452e616

SHA1
904df75592881b113f52b3cec44498f261e64ce4

SHA256
3471fb55390c0be2e28439b4b81529ee0ad7c7c338df10857e7fc41b46897642

SHA512
5e1ee68692a7091a45c4e506ffeb9a682b59e3c9444b8947f9a743b1f632b38e1ef9597c6b63a2f48feb6af968277f6409e5c56b119bfc627c3d03fe91c5429a

Download Submit
C:\Users\Admin\AppData\Roaming\DYA_HTCJEFDRMOGNODLWK\1.0.0\Data\dya.dat
Filesize
971B

MD5
8d52dfd6ae8af489cff035019f916773

SHA1
54eb23df9e112ecfdc7cf7c1c9bafa38edbd7314

SHA256
d854f0706b47de286c8f6708f4950ded17605e9ce0f8be3ff51f48bb77a09a02

SHA512
022fc03b1e85f06f20f61f055cae05c5ddbffb5163791c76bc5a7a6e63735fc1002b237a1b695c8a83308a5e2773f74a6af01145beb914832c6452349cdafbf8

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
C:\Windows\windl32\windl32.exe
Filesize
573KB

MD5
1e6eb43129335b1255965d6c63aa70d0

SHA1
7788c5ad78fe9355dceda05a4bb85f001a851700

SHA256
0ae8c685e2f0db7f253adcc5a6b3cf223bfcf6cf6692a8b490673cfaf1f2d329

SHA512
eaadf73b10112d7f454a363e4dfc3149ae1bfb7e0913507164fec535173f10be01664ed2453c36392f227ade1b9f67937c1919b6a562881bc85da0dfd29abae1

Download Submit
memory/1716-112-0x00000000000C0000-0x00000000004F3000-memory.dmp

Filesize
4.2MB

Download
memory/1716-111-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/1716-110-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/1716-64-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1716-63-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4516-49-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-59-0x0000000024010000-0x000000002404E000-memory.dmp

Filesize
248KB

Download
memory/4516-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-51-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-119-0x00000000240D0000-0x000000002410E000-memory.dmp

Filesize
248KB

Download
memory/4516-107-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/4516-116-0x0000000024090000-0x00000000240CE000-memory.dmp

Filesize
248KB

Download
memory/4608-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4608-52-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4608-54-0x000000000040E000-0x00000000004AB000-memory.dmp

Filesize
628KB

Download
memory/4608-48-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4608-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4608-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4608-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4608-1-0x000000000040E000-0x00000000004AB000-memory.dmp

Filesize
628KB

Download