cybergate | e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
Size

968KB
MD5

2e7daeea485a58aa6a5fa6730a4e1f62
SHA1

e21d499b44a53359a8a3c11233ff09bc7a9bf8fc
SHA256

e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c
SHA512

9f9f81b54140512e28b612dc94e77a99b760be5e32622aa08879cbf92c85dc3af291569d749d6f625b5eff8b945c9520ff3f827a0384af671516dfefa36ef1be
SSDEEP

24576:u81EdVcVF3d1nuzbfLpAs56ku4WQNNCYaArS8IcI6ooIj2N:uZ63uzbf9Adv0FT9ooK2N

Score

10^/10

cybergate marlom persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

marlom

venox.no-ip.org:82

venox.no-ip.org:2416

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
raltek
install_file
pluguin.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
31741043
regkey_hkcu
padrão/
regkey_hklm
windows

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\raltek\\pluguin.exe"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\raltek\\pluguin.exe"	1.exe

Executes dropped EXE 9 IoCs

pid	Process
2172	start.exe
4748	Rar.exe
4744	1.exe
4332	2.exe
1924	lsssass.exe
3756	1.exe
3704	lost Door Pro.Exe
1460	lsssass.exe
3376	pluguin.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCD5N4-2M3G-2U71-CB1Y-GRM1L5A2QQ13}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCD5N4-2M3G-2U71-CB1Y-GRM1L5A2QQ13}\StubPath = "C:\\Windows\\system32\\raltek\\pluguin.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCD5N4-2M3G-2U71-CB1Y-GRM1L5A2QQ13}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38CCD5N4-2M3G-2U71-CB1Y-GRM1L5A2QQ13}\StubPath = "C:\\Windows\\system32\\raltek\\pluguin.exe Restart"	1.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001e2c6-133.dat	upx
behavioral2/files/0x000300000001e2c6-134.dat	upx
behavioral2/files/0x0006000000022e11-142.dat	upx
behavioral2/files/0x0006000000022e14-143.dat	upx
behavioral2/files/0x0006000000022e15-144.dat	upx
behavioral2/memory/2172-146-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x0006000000022e11-147.dat	upx
behavioral2/files/0x0006000000022e14-149.dat	upx
behavioral2/memory/2172-150-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x000b000000022e0d-154.dat	upx
behavioral2/files/0x000b000000022e0d-155.dat	upx
behavioral2/memory/4332-158-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4744-159-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1924-160-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4744-162-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4744-167-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2580-170-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x0006000000022e17-172.dat	upx
behavioral2/memory/2580-173-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4744-175-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/files/0x0006000000022e11-180.dat	upx
behavioral2/memory/4744-181-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3756-184-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4744-185-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/files/0x0007000000022e18-187.dat	upx
behavioral2/files/0x0007000000022e18-188.dat	upx
behavioral2/memory/3704-191-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3756-192-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3756-193-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/files/0x0006000000022e1f-195.dat	upx
behavioral2/files/0x0006000000022e1f-196.dat	upx
behavioral2/memory/3704-199-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0006000000022e17-201.dat	upx
behavioral2/memory/3376-202-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1460-203-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1924-204-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\windows\CurrentVersion\Run	lsssass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsssass = "C:\\Users\\Admin\\AppData\\Roaming\\svchost\\lsssass.exe"	lsssass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Windows\\system32\\raltek\\pluguin.exe"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\padrão/ = "C:\\Windows\\system32\\raltek\\pluguin.exe"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\windows\CurrentVersion\Run	lsssass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsssass = "C:\\Users\\Admin\\AppData\\Roaming\\Dir\\lsssass.exe"	lsssass.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\__tmp_rar_sfx_access_check_240549328	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
File opened for modification	\??\c:\windows\SysWOW64\start.exe	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
File created	\??\c:\windows\SysWOW64\Rar.exe	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
File created	\??\c:\windows\SysWOW64\joinernormal.rar	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
File opened for modification	C:\Windows\SysWOW64\raltek\pluguin.exe	1.exe
File created	\??\c:\windows\SysWOW64\joinernormal\joinernormal.rar	cmd.exe
File created	C:\Windows\SysWOW64\raltek\pluguin.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\raltek\	1.exe
File created	\??\c:\windows\SysWOW64\start.exe	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
File opened for modification	\??\c:\windows\SysWOW64\Rar.exe	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
File created	\??\c:\Windows\SysWOW64\joinernormal\b2.Exe	Rar.exe
File created	\??\c:\Windows\SysWOW64\joinernormal\zx.exe	Rar.exe
File opened for modification	\??\c:\Windows\SysWOW64\joinernormal\zx.exe	Rar.exe
File opened for modification	C:\Windows\SysWOW64\raltek\pluguin.exe	1.exe
File opened for modification	\??\c:\windows\SysWOW64\joinernormal.rar	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
File opened for modification	\??\c:\windows\SysWOW64\joinernormal\joinernormal.rar	cmd.exe
File created	\??\c:\Windows\SysWOW64\joinernormal\aa11.exe	Rar.exe
File opened for modification	\??\c:\Windows\SysWOW64\joinernormal\aa11.exe	Rar.exe
File opened for modification	\??\c:\Windows\SysWOW64\joinernormal\b2.Exe	Rar.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\lost Door Pro.Exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2392	3376	WerFault.exe	93

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4332	2.exe
4332	2.exe
1924	lsssass.exe
1924	lsssass.exe
3704	lost Door Pro.Exe
3704	lost Door Pro.Exe
1460	lsssass.exe
1460	lsssass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3756	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	1.exe
Token: SeDebugPrivilege	3756	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4744	1.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4332	2.exe
4332	2.exe
1924	lsssass.exe
1924	lsssass.exe
3704	lost Door Pro.Exe
3704	lost Door Pro.Exe
1460	lsssass.exe
1460	lsssass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 2172	5004	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe	81
PID 5004 wrote to memory of 2172	5004	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe	81
PID 5004 wrote to memory of 2172	5004	e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe	81
PID 2172 wrote to memory of 4740	2172	start.exe	83
PID 2172 wrote to memory of 4740	2172	start.exe	83
PID 2172 wrote to memory of 4740	2172	start.exe	83
PID 4740 wrote to memory of 4748	4740	cmd.exe	84
PID 4740 wrote to memory of 4748	4740	cmd.exe	84
PID 4740 wrote to memory of 4748	4740	cmd.exe	84
PID 4740 wrote to memory of 4744	4740	cmd.exe	85
PID 4740 wrote to memory of 4744	4740	cmd.exe	85
PID 4740 wrote to memory of 4744	4740	cmd.exe	85
PID 4740 wrote to memory of 4332	4740	cmd.exe	86
PID 4740 wrote to memory of 4332	4740	cmd.exe	86
PID 4740 wrote to memory of 4332	4740	cmd.exe	86
PID 4332 wrote to memory of 1924	4332	2.exe	87
PID 4332 wrote to memory of 1924	4332	2.exe	87
PID 4332 wrote to memory of 1924	4332	2.exe	87
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39
PID 4744 wrote to memory of 512	4744	1.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:512
- C:\Users\Admin\AppData\Local\Temp\e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe
  "C:\Users\Admin\AppData\Local\Temp\e62047fa245be1fa1811267dfbbf69fc97d890137817b9ba92bf91bd6fbb481c.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\windows\SysWOW64\start.exe
    "C:\windows\system32\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\814A.tmp\start.bat""
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\Rar.exe
        
        rar x -hptrojan joinernormal.rar
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
    - - \??\c:\Windows\SysWOW64\joinernormal\1.exe
        
        1.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Modifies Installed Components in the registry
        
        PID:2580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:400
      - \??\c:\Windows\SysWOW64\joinernormal\1.exe
        
        "c:\Windows\SysWOW64\joinernormal\1.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\lost Door Pro.Exe
        
        "C:\Windows\lost Door Pro.Exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\Dir\lsssass.exe
        
        C:\Users\Admin\AppData\Roaming\Dir\lsssass.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Windows\SysWOW64\raltek\pluguin.exe
        
        "C:\Windows\system32\raltek\pluguin.exe"
        7⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 564
        8⤵
        Program crash
        
        PID:2392
    - - \??\c:\Windows\SysWOW64\joinernormal\2.exe
        
        2.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Users\Admin\AppData\Roaming\svchost\lsssass.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\lsssass.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3376 -ip 3376
1⤵
PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\814A.tmp\start.bat

Filesize
547B

MD5
e3a7082e48220fbe5484a461fa945a2f

SHA1
affcdea72fcd6b17322b5ab7e31c2f9011051415

SHA256
2543a689a80c598763747d959d754e65a511a7c87e34266fb8b57086a3034498

SHA512
848f9e986bb4ef2fb47d7bbe6b9bcf2ca6c0a904d4c130bd3d23b654a966248a8ac707ec4d7f1d5e56ce7d25fa1f0ca7478bf991f3f1a9069eca398f55467bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
300KB

MD5
c71affa4e2f875876c551449f436ecba

SHA1
6800db10c2e252159811a86959ef4b3a440ec7ed

SHA256
c4668a0a7a29739c5cefe86ba18decf38e62665af1969ece9a293619297759c5

SHA512
04adbe20dbbdb5c9412d4f4e323f513304c7b32adaed31005b578342b5ffc35a401442e3e5ac990d0f1d4015f479038bce8d114b83cd8edb5c20458265811577

Download Submit
C:\Users\Admin\AppData\Roaming\Dir\lsssass.exe

Filesize
70KB

MD5
2085ad1adfc8cd43df03b2e560821b24

SHA1
10f53861b94c112d5b7b3e375b158efb62a00667

SHA256
03a27b5b88644d9dbc7d9422066ba582f058c92f71a13b1b404e46ca5fd0cce8

SHA512
534d626b2f8d85036e94752f1e63524157a34a0e3ac831d25af54270c3e8a58cd31304ee6842f9aecca30fc655dc12335cf4dc8e8ca2c60e8e165129d231b07d

Download Submit
C:\Users\Admin\AppData\Roaming\Dir\lsssass.exe

Filesize
70KB

MD5
2085ad1adfc8cd43df03b2e560821b24

SHA1
10f53861b94c112d5b7b3e375b158efb62a00667

SHA256
03a27b5b88644d9dbc7d9422066ba582f058c92f71a13b1b404e46ca5fd0cce8

SHA512
534d626b2f8d85036e94752f1e63524157a34a0e3ac831d25af54270c3e8a58cd31304ee6842f9aecca30fc655dc12335cf4dc8e8ca2c60e8e165129d231b07d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\lsssass.exe

Filesize
70KB

MD5
7c2027f10b4e8c3638657e3bac8ac88a

SHA1
e0724b226dcbf3d6f5c08be5ee642cb9853eb1f3

SHA256
41caf84884bfc3f48dfe4863ba53d7d01f9f1744ae356f6bd21e8882b760f6e2

SHA512
1ecec801287e6dbacaabad834b6489997596ef4cd3b80f5d8528c140da3b5124d6e06bb563c44dec6e65854a4018ad896435aaa1ba4c991a9f29ded14f37f71b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\lsssass.exe

Filesize
70KB

MD5
7c2027f10b4e8c3638657e3bac8ac88a

SHA1
e0724b226dcbf3d6f5c08be5ee642cb9853eb1f3

SHA256
41caf84884bfc3f48dfe4863ba53d7d01f9f1744ae356f6bd21e8882b760f6e2

SHA512
1ecec801287e6dbacaabad834b6489997596ef4cd3b80f5d8528c140da3b5124d6e06bb563c44dec6e65854a4018ad896435aaa1ba4c991a9f29ded14f37f71b

Download Submit
C:\Windows\SysWOW64\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\Windows\SysWOW64\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\Windows\SysWOW64\joinernormal\1.exe

Filesize
345KB

MD5
38ef9c21520dd61c60ceccbbb898081a

SHA1
87cff24ad8123ee56b72ba1ef14495bc4e36ca4a

SHA256
797da6c75a82f29e044d017f26e92fca938a2ff504cb303525efdf5db7f77214

SHA512
977055c463dcd6a3e350e17fc103b80a1b034dae4855d0356b6cce7c8b73ddf63cd7cf3e6ee850b482cffe1b3f8a0037d32195e8afa2fe1c8f7a2b06155ed591

Download Submit
C:\Windows\SysWOW64\joinernormal\1.exe

Filesize
345KB

MD5
38ef9c21520dd61c60ceccbbb898081a

SHA1
87cff24ad8123ee56b72ba1ef14495bc4e36ca4a

SHA256
797da6c75a82f29e044d017f26e92fca938a2ff504cb303525efdf5db7f77214

SHA512
977055c463dcd6a3e350e17fc103b80a1b034dae4855d0356b6cce7c8b73ddf63cd7cf3e6ee850b482cffe1b3f8a0037d32195e8afa2fe1c8f7a2b06155ed591

Download Submit
C:\Windows\SysWOW64\joinernormal\2.exe

Filesize
70KB

MD5
7c2027f10b4e8c3638657e3bac8ac88a

SHA1
e0724b226dcbf3d6f5c08be5ee642cb9853eb1f3

SHA256
41caf84884bfc3f48dfe4863ba53d7d01f9f1744ae356f6bd21e8882b760f6e2

SHA512
1ecec801287e6dbacaabad834b6489997596ef4cd3b80f5d8528c140da3b5124d6e06bb563c44dec6e65854a4018ad896435aaa1ba4c991a9f29ded14f37f71b

Download Submit
C:\Windows\SysWOW64\raltek\pluguin.exe

Filesize
345KB

MD5
38ef9c21520dd61c60ceccbbb898081a

SHA1
87cff24ad8123ee56b72ba1ef14495bc4e36ca4a

SHA256
797da6c75a82f29e044d017f26e92fca938a2ff504cb303525efdf5db7f77214

SHA512
977055c463dcd6a3e350e17fc103b80a1b034dae4855d0356b6cce7c8b73ddf63cd7cf3e6ee850b482cffe1b3f8a0037d32195e8afa2fe1c8f7a2b06155ed591

Download Submit
C:\Windows\SysWOW64\raltek\pluguin.exe

Filesize
345KB

MD5
38ef9c21520dd61c60ceccbbb898081a

SHA1
87cff24ad8123ee56b72ba1ef14495bc4e36ca4a

SHA256
797da6c75a82f29e044d017f26e92fca938a2ff504cb303525efdf5db7f77214

SHA512
977055c463dcd6a3e350e17fc103b80a1b034dae4855d0356b6cce7c8b73ddf63cd7cf3e6ee850b482cffe1b3f8a0037d32195e8afa2fe1c8f7a2b06155ed591

Download Submit
C:\Windows\SysWOW64\start.exe

Filesize
22KB

MD5
547b4abcc4e08ce05e9e1a5b6d921df5

SHA1
81dc5698a3f8dcb7ebe45bb05dc13dcd54b7a317

SHA256
240642613dc8f346620d9aee6c3dbfd5d0159c15d7d9ecc151e7214fe8d370e9

SHA512
6ed2d6849f97e11b6846d963bed1baac035873dc37180913170118ded7bd438827b29d39a4bfdf0d31a10cdc338ccd6852c6c7fd2d97a69a5d24c57e74462d2c

Download Submit
C:\Windows\lost Door Pro.Exe

Filesize
70KB

MD5
2085ad1adfc8cd43df03b2e560821b24

SHA1
10f53861b94c112d5b7b3e375b158efb62a00667

SHA256
03a27b5b88644d9dbc7d9422066ba582f058c92f71a13b1b404e46ca5fd0cce8

SHA512
534d626b2f8d85036e94752f1e63524157a34a0e3ac831d25af54270c3e8a58cd31304ee6842f9aecca30fc655dc12335cf4dc8e8ca2c60e8e165129d231b07d

Download Submit
C:\Windows\lost Door Pro.Exe

Filesize
70KB

MD5
2085ad1adfc8cd43df03b2e560821b24

SHA1
10f53861b94c112d5b7b3e375b158efb62a00667

SHA256
03a27b5b88644d9dbc7d9422066ba582f058c92f71a13b1b404e46ca5fd0cce8

SHA512
534d626b2f8d85036e94752f1e63524157a34a0e3ac831d25af54270c3e8a58cd31304ee6842f9aecca30fc655dc12335cf4dc8e8ca2c60e8e165129d231b07d

Download Submit
C:\windows\SysWOW64\start.exe

Filesize
22KB

MD5
547b4abcc4e08ce05e9e1a5b6d921df5

SHA1
81dc5698a3f8dcb7ebe45bb05dc13dcd54b7a317

SHA256
240642613dc8f346620d9aee6c3dbfd5d0159c15d7d9ecc151e7214fe8d370e9

SHA512
6ed2d6849f97e11b6846d963bed1baac035873dc37180913170118ded7bd438827b29d39a4bfdf0d31a10cdc338ccd6852c6c7fd2d97a69a5d24c57e74462d2c

Download Submit
\??\c:\Windows\SysWOW64\joinernormal.rar

Filesize
668KB

MD5
63af2c4a6650f83500d566663fac854d

SHA1
39c900bf0d76995b8913f8c53e8be5fd3bfbff72

SHA256
e1c8ffb36fa5d91347bda08cb07652b1a3e2f68f6d13154db82c9e25f82ce832

SHA512
47dfc1f4cf3c17c27d524d21560e35d2266a54ee08e1dc9438386b2ed19f346f182b275cd8015d81cd53d329dae05c0e07dd3656b33597afe5a3f4159dc6a6ca

Download Submit
\??\c:\Windows\SysWOW64\joinernormal\aa11.exe

Filesize
345KB

MD5
38ef9c21520dd61c60ceccbbb898081a

SHA1
87cff24ad8123ee56b72ba1ef14495bc4e36ca4a

SHA256
797da6c75a82f29e044d017f26e92fca938a2ff504cb303525efdf5db7f77214

SHA512
977055c463dcd6a3e350e17fc103b80a1b034dae4855d0356b6cce7c8b73ddf63cd7cf3e6ee850b482cffe1b3f8a0037d32195e8afa2fe1c8f7a2b06155ed591

Download Submit
\??\c:\Windows\SysWOW64\joinernormal\b2.Exe

Filesize
70KB

MD5
7c2027f10b4e8c3638657e3bac8ac88a

SHA1
e0724b226dcbf3d6f5c08be5ee642cb9853eb1f3

SHA256
41caf84884bfc3f48dfe4863ba53d7d01f9f1744ae356f6bd21e8882b760f6e2

SHA512
1ecec801287e6dbacaabad834b6489997596ef4cd3b80f5d8528c140da3b5124d6e06bb563c44dec6e65854a4018ad896435aaa1ba4c991a9f29ded14f37f71b

Download Submit
\??\c:\Windows\SysWOW64\joinernormal\joinernormal.rar

Filesize
668KB

MD5
63af2c4a6650f83500d566663fac854d

SHA1
39c900bf0d76995b8913f8c53e8be5fd3bfbff72

SHA256
e1c8ffb36fa5d91347bda08cb07652b1a3e2f68f6d13154db82c9e25f82ce832

SHA512
47dfc1f4cf3c17c27d524d21560e35d2266a54ee08e1dc9438386b2ed19f346f182b275cd8015d81cd53d329dae05c0e07dd3656b33597afe5a3f4159dc6a6ca

Download Submit
\??\c:\Windows\SysWOW64\joinernormal\zx.exe

Filesize
276KB

MD5
6eb55a4ba28c8b3b125808d5d31fb9e8

SHA1
7646b66640daa821777b547c9b3c3816de923ed8

SHA256
b1d014a6d12ee8f7695fd0eacc71bd1b91d367f5dea64400e892f2cb4c810e7b

SHA512
3e09568c4dc39e82cf9e1a1761685eb8eb2eff5d38fb5ee0ee3e81c0620fb6984d0d86382677c8d02e97bc87c927f1285be9e1cda05332ccea3744b9c775fda1

Download Submit
memory/1460-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-204-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-146-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2172-150-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-173-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2580-170-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3376-202-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3704-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3704-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3756-192-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3756-184-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3756-193-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4332-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4744-159-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4744-185-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4744-181-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4744-162-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4744-175-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4744-167-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download