cybergate | e2432c2557d60f4b2d04839d7165fd557958922c71c5c2592c3b0d9d731e53ed

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Size

727KB
MD5

e6099ca8db4183a6c693eceeabd41dbf
SHA1

6b8d11ab13960b8f2f28be65678a3f8551edfde8
SHA256

e2432c2557d60f4b2d04839d7165fd557958922c71c5c2592c3b0d9d731e53ed
SHA512

98f162291b0d0fc262c79dbb2dd02ddc266f0d33b126909afced0d568575865d3eed4b2d87f30fc3568b5bdcd181514f885c65b363271372247c7c39a9e8a38c
SSDEEP

12288:JVJAdZyNtEYEEKD1viyHRyFqINl7WgC30wobExboUwV8ayWErVYjG8Y0wWAy03IH:rJAQ9AD1v7xyFqIT7WgChogx0UwV86Eg

Score

10^/10

cybergate victima bootkit persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victima

blouregar.no-ip.org:2000

Mutex

jujuju...

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
win32
install_file
ocs.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\win32\\ocs.exe"	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\win32\\ocs.exe"	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}\StubPath = "C:\\Windows\\win32\\ocs.exe Restart"	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}\StubPath = "C:\\Windows\\win32\\ocs.exe"	explorer.exe

Executes dropped EXE 1 IoCs

Processes:

ocs.exe

pid process

1756 ocs.exe
Loads dropped DLL 2 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

pid process

2160 e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
2160 e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

pid	process
1756	ocs.exe

pid	process
2160	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
2160	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/572-571-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2160-870-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/572-908-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2160-1329-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\win32\\ocs.exe"	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\win32\\ocs.exe"	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exeocs.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	ocs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

description	pid	process	target process
PID 1208 set thread context of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

Processes:

ocs.exee6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exee6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\win32\ocs.exe	ocs.exe
File created	C:\Windows\win32\ocs.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
File opened for modification	C:\Windows\win32\ocs.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
File opened for modification	C:\Windows\win32\ocs.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
File opened for modification	C:\Windows\win32\	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exeocs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	ocs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	ocs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	ocs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

pid process

1172 e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

pid process

2160 e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

pid	process
1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

pid	process
2160	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2160	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
Token: SeDebugPrivilege	2160	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exeDllHost.exe

pid process

1172 e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
608 DllHost.exe

pid	process
1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
608	DllHost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exee6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exeocs.exe

pid	process
1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
2160	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
1756	ocs.exe
1756	ocs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exee6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe

description	pid	process	target process
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1208 wrote to memory of 1172	1208	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE
PID 1172 wrote to memory of 1408	1172	e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6099ca8db4183a6c693eceeabd41dbf_JaffaCakes118.exe"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Windows\win32\ocs.exe
"C:\Windows\win32\ocs.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
480KB

MD5
a69a14c69aebf1d80c3c6a2a18849706

SHA1
b4246b3296a0b29f7bfa258be208ba1575c83818

SHA256
312790da67b5739352e003c1270de011de68c1d50a634e5a68328f83836f9b81

SHA512
cedccbe2a2d0df61eff455a94fbb7f0a693bd87693190614cab7efa79f13b6677c7b04eef7465e0a4224629a049ff01385be2dbb622ac6965075fc26e944e9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3159ea2bba4bbf741197fbe476e235a8

SHA1
82ddeebaf458877ab4e10bf14b37f33cad8481e8

SHA256
f13cf798f2ebc921eb4a7dee0627c3c30aab2034e46948151a8780a1d5edd16c

SHA512
a0d4ffdd6fdefd214866c68019ed9d38d487aea44ae400414de3fe74e593254dd51f1c14a4af9d9e883f7afb846bd4ec974ad6505ea1657b57924faca32451a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
74828b9d7227e46a0a80de57af40cace

SHA1
08cc7b09179daa260ce9af0280f8c6ec9d0c2111

SHA256
6e729c084a7628751cf6f90fe996c743399a77bf7a03cb0a8f4e0d8bc1b33019

SHA512
f09d9f04406c6f55f526ee616b6752c7074f7fd8b0b8a0f6a0d363899c72d8b58a4e44cf30ac9e175ebfaf2af0cd7e4c9127510219cd58abb6d7fdb5073e656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
39a1a308976b6a4e2af9e65f541f186f

SHA1
7a8179724f9e08b52af65b613126eb8a632f0e75

SHA256
b530c1e8c82d7f454ec6640de92fce4daf10f01db08943b038ba7862742bb8ad

SHA512
ef7053168f3016b9b1b507a9380f9836f5afcf84bf5da6e422eac87cb5d2077945ac44298b73a3625871fa0e7d5002facdff8f44fd25e538b37be6e79cb5a927

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
02e9411f94fa7c6509f918722f8eb619

SHA1
753c8eb2cf20628050e88d066f91388f5bdc6d3f

SHA256
5e53720592efef96a4b8c66766f57a17036375973c12efe81896088ebf3eb84b

SHA512
14d04b9647c39ee12b00304030f751384454479506529360bb393133801d0bd779006e32967d92a638d3f01dbda515ff8e7f2daee01907833fde124f6097287b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1a9d8dab4233fa0bc8c6fa04ff71a3ef

SHA1
92f676d4335377ab2b5e82c37be81d0f6f7c9d19

SHA256
bea596d2015140a38f6f2a914e0e28ba37be05e7b128555368ba4b6ae336089f

SHA512
4b5d362660d6c7085b85cdbcd97ec2ae3e7cb38f1f0589a1a63df2c5a66882b3369289b0d0c783f73e8462e9c095114b3e0914772c8ec6bfb422292af524fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
744e3f9c55d7c8c344590a3b5a4804ff

SHA1
a397bf2907686283fdd271f2394f7622366a283f

SHA256
91617d8f9e4624a563405808b8f394aec9ce4ab9302fc3cea04b5bbdf697513d

SHA512
3ec3bf691bd5df440c83fb795c8eea3721de3c016cbd0fcc58d87d6c299881b783284d7271ceeb9d04515423239fe83cc03dcf46ca744203565e8cbc452823ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9f0968080d42cb1f48164ea4f98d000e

SHA1
7f748d9bd14d76f57c218863bc41fa841db01fe6

SHA256
b81d8dca28333c1fab79a93650c621c2c3766e8506b276c439f229487c07cd3d

SHA512
017823a4aebdac66a2d03ec0b388905d3e576fd7a7985f1b1cbccfa6fbd4ab92220fe6e62a1adc339ab3c0874e557216f762007ef2613fc07fd324c553af2afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b0172f1edb08d1bfd38334193340dc60

SHA1
203ed48ad5970d79fe41d032ae8a8a15f92cbd81

SHA256
ca504010bc9625474cf3b70af6f228346e45d16675abd21c782f71257a3ca613

SHA512
3bbb27b721576d0a91e477c41f68d61cf6d3bad80b3ef16db9ff62f5ea2a6d642e4cafd2086b11049c514a723b3a5fa60111d131dd15e1d0959d4c49fd2b696e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
061548352ad3179560adc50aac0d8b6f

SHA1
ca699d82380134606f4cb4f03408caff39d910c8

SHA256
8896dfa29f8a01e7a678cf68ac66374d8044d57ad3f81573ea5eb783a0653069

SHA512
820a446a250a4d5027bb62dbb55db1333d0db7f880c5930b0038f29310339812636ff8cedf322a0c2fa34170855300ea3e02c1a9cf2de6e08ffe196e52faeea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
7cb48ae1d2ee8a62b9031ee322413599

SHA1
5b9007d29f48f76ae87a206bfa12c752add36bdd

SHA256
43372adbaae2cf084216233617cd52a8b28d349316b7c3adb16ff717768d5820

SHA512
25c7eef9af0c8814526698f26c3ff80ccf4480119c3a035b6c605a846cd5e33ef0604f6e4644f032070bfe37a19a0e03bc46c0a30a26b5bb19ca27b646288164

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
450b32dbd5785b14822ea43ae91278ce

SHA1
900fcbc032fd17dda3ce59baf096e212956e8938

SHA256
709dd8a1c92aafe2ef60e87ef15801b9e1a94ab64203d1c277c04543bfdbcb5f

SHA512
8bfac56ec0afdff9f284069ab4b2eea6a973046906f021cf905d0c659636b36e1a48ab5f3437e2fcaeb573775bcaea99aa831f232185da8432d5f3717c4cb320

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d316a3178b18dd5d9082838f032d207f

SHA1
7562652b6b6fa92cebbcca20d30782655dc2e000

SHA256
d5bc1b734df1f512def63a2801bdd227940afa4da349a31f16b5c889bacd8635

SHA512
3a1b69e2070510f4495579cb02d2cfa035e9000681211b2b195bc546325d6d6f0d6cdbf43ce0ddfcf0ec8291b1a6332add004649284b2ca950cd49befb8bf163

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c008577151a069d567b7ecad9c4316e5

SHA1
054d11612ed631f26c4fa0f3d2e4726ddbd4efae

SHA256
ca4550441ff1fa5d0fae20929bf7fbf6a6b26ffad929b0c63dd4e85f2ae825a0

SHA512
13b947271ea63bfb8acf6489126beb912af469e55c6a02dbea24f9d3005bb6336f340702f77e2643419ab0aca1708c41453d69d2a64850191c2162746d91a72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
bf2526624ed76558188f4548dd91e8d5

SHA1
1cac661339eea5a0b815ae2cbe7180e7eab371ca

SHA256
907c7bc0239f699abfe5d16e9bc357ce4a5a30a03986b966a97c2b6dae4eaa8a

SHA512
1adfdec41c5146655be7391cc4fc48c52f9187bceed3d8a658dda4dcb6d364ae55638c56ca5188dbfdbce69bccd5945a7d327d58669cb6e1a676a6449f922e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
77a7f6f1ca59e53897559b228faf9ef4

SHA1
132bb5a457e73e61c0b84b35bc51c41ab33385f4

SHA256
c4224b3234d3786d7482ed82e039ff535588a04cbeb9ae59f7c794fedb274dd4

SHA512
2746f3423052049637968686376d6ed790a03268e6adc45dcff80a562437e00e076a67e8b6e96cd841d04be6ae9b0e5d9c997291a49e90ed86df64dd70e547cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e93c5c66348b19c18f269baec9da6560

SHA1
b0f75c70f461596096b5d4fa0f4202fa9692ff87

SHA256
363c21c4dccaa7d2027f9fa58512b3ac21db385e16fe7807875e96b648ffe5dd

SHA512
1e38138a3da24365a50b9f1112c3941c684d158f2f131fc7305697e3568abd0ecee2643d358bbaddd6457fcbf839fda2f51b46deacd5cc5ef81bcf656f6a018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9a80dc1182a246f27105452fa0b0cad3

SHA1
dc5babe38879a0967375160028d918edab48bc1d

SHA256
3fe33f7f044b4e17f3172542f2822051fa93eb784f1d550b8428fdf684aa52fd

SHA512
844304f0b764aa82fc063cae555f467d344860cd79bd45abcc3377f75717ac7a7c2971dd0b4b8c13f90132f005c3d0bf2bbe6b7e80de803c8ff3937c114cbddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d5fe7f14b1a9e5b511493a0a31e50aa8

SHA1
bc1df5fd1ef54524074d76ab8aa9f1fd3865fadd

SHA256
3786953ae7390d86e252c1fcbb3c887fb873f7852c783ae91f8513f3c3efae55

SHA512
3d43b7faaca9db4e8e08245a1a18744a742d06563b37925cdb2b6bb9e1efcfc44b02499c06e5671d425e2b258247ee8c52a11f8dcd8dc8256596958a7d4c7e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
97d9931c520cfb83dfcf3bbe2aec1b4e

SHA1
ffefe7278b7cdd112fb203e758656b9717bbb18a

SHA256
f7434840425041247c692e7792f9ffec3932b28032ec51c6b31fb653481c8910

SHA512
67e3bdd40703b37d67cbcd92edc2b39ec96be42758151ce7b5523044ca91738dc8e16b71c4ab0d76ed37e8b46e1e5cb54cec03a960ff4abbdbf897c22879caaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
7e759ada2363377cb6f155ff55e5e13d

SHA1
01adc0ad4c9cc9b291d86c1e35141ba4e57fad76

SHA256
f8b038a1df5a13baa632ff8cb491e988c5368cc07a1c3a3a24f2e1375f5e69a4

SHA512
8e280a59128812b6c7db13ceb70128d759b85a7da9fa87e75410c04caf19126ea6d1d08490cc1b20970eb78e7028f662b62f926d21e3df8a917266fdc88b96d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
8ccad011002b7371137c4edfb9ebde7c

SHA1
81c0fcfeb5c19f5371a6e97831773910f91260af

SHA256
db0a096d48ea0be7ed96565faee4ca7937c4d08ecfd9fc2a55d3b685cbc27f0d

SHA512
6b6d734dff90d445c68dd7b4e022daf752f026dde80a1123e0a94870960132c6990b7357d9f12f26938876e0bb4acad638f71737da06e86289b920446ede24e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
32a5bebfda281319941606ddc8afeabd

SHA1
a128dc85ab7c1844569ecca5bd3d14d649171a54

SHA256
7f30851b79b7f610f2055cffcf557754641d9ef238d9c63774615b6c3c2e7ccf

SHA512
bb2aef3164d5634154c7ada2ac1b2c21ad9d54c3440ac5cfd97e61340ce9e45423bd133d02f15befb29510896259e11f0cac11afcefb28c8a2be4aa144525275

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1c9181d82fd94c398faafadcd3490826

SHA1
a842f63f07322445b61c69d30210e30b9014c869

SHA256
270e7668eb46931e1adb78129cad14af27398bc4adf887b58155f7ffb6178649

SHA512
92c5e49059872599e6434f8878e7cd3343db24425541f5951f0ee86a0c10855656677ff9ba22d3d5188e755c1bbbe9fcdd5360aae82c1837689c1bd489354f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5f80d79d222ca17aed12bb2df3dd7fa1

SHA1
f8d97ae8137d37437c7c51396c91857b49719a37

SHA256
043d19a225475899fcf8cf5dd0fd7aafe6b6b5d7d818a9064d010e093b954be7

SHA512
1ff5ad3c175e7627d0cd70729a8a0fc0284a88be0d838ca11b0da4e9a984e643ca8ebe55b089341a59242f677ed5bdf1040f21dcc30067e4743f68bcbff1cecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
438fe234e85427d8de7c5da02baa5b3e

SHA1
cf1640c887cc1ac0d3433f109c21a71424b4580f

SHA256
f75c4bc92d611e35809204c61a1053c1bf2ba7ad5aa4f3ee0f885b65d94f184d

SHA512
a2c4df4ecf3590de13537ce40575fef338e8b71326c7d4515ee3d616a70abb36d546559b5941eaac8e64b5211bd700372c1c28787ed273067cd57c829783dc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0439f629559164d81651a3f5a9a130ec

SHA1
48a8579f64fd5e6353a5f0d1751177b772f91e10

SHA256
60148bcc3ba4f98f828f4d5f6d93a620d1137e5415e10e2ef5d7f5a724d09d2a

SHA512
9bcc79f65586d8294dc4e983fe54409f537db3ed2c6c4cd908ae60ec488112017a6f7a038a6505afbe4ac7ecb24111a8aae4ecd6c19cab1492edd4a2f7c2524c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
981ff1b99abd9936c0d84093d5eb72c4

SHA1
402dd92455ce29ac1b23fdb1a29a2c8a5915a4ed

SHA256
55dee12c4dc46e65d02ec0d456a0eed1fd1bccf6ba87382ba308c155cda6ca24

SHA512
3b48e0b9f7262f71c081693c6f5e6c3796e5f486353af7d9579e1a49a30455282d2dd2cb76253507e6504af3c29c66a2db4e84abfa9511eb945afa24170fb0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
74248d2d6164cb4ad2b876ac109bea9e

SHA1
1e6ef192bb7805e197763c77711ac2e757685391

SHA256
d0c00daf2b031ac686d5dd08f8fc398b9b9809ddbfeab3fe91d74ccf8fb6da30

SHA512
a33c295822033121279c5b93f89403e329870ec9db4b01b6d1155224a5713ceb19220f3a054e2e071ad6d2ccfed32168163a249227c1e5d8a54cac6d4f511cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d593fa9cc8d2528ab45861f6d0a5f3db

SHA1
19bdb856c0530e640bdd2dc9a93444167ad080d9

SHA256
fb8f7bb84fbb3a1e8dade0ff2e10ae09813e6f7de4e92109452c9d410d9bec93

SHA512
74c05f95a853d177fbf1c78d7e46f9ea02d9df187d1d808520911c70c959bac21b210d155ee22992eaae8d77c8d200791694aa32af94a13186da3539bdc64bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
189b4e30565fb37c8ade3c65c9445db8

SHA1
b5431ed6ad4cf60623f139165c86eec5d7d6222f

SHA256
441185cd04f44a4198a38bad94673fdf53e3c3341534a6ec6f8b036027ecd5a7

SHA512
52688fa324536972787a3298c3c63cbfc57d4ad9cee15072f9d0b674a5d4a5c030cf0cce5fd5e77ca78c8f6d77c89e1db6adbfd52e8ac8011444c5a56397cc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
93f0eaa7a836082a28e518f90c27b3e3

SHA1
e4828adfc024b487683fa2bde4b567a3a699a99c

SHA256
79e1ca4e525feae9a164fd19151c7cd6de51b4343e6b2545507e4453b2c33733

SHA512
7d49cddad64fb0bcd84d43af1ad5e49019bdc0ea2690d649348fa26898c38233966e6ce2458a0f2338aa328f69e5b48e48d9ff4782029d230ac513c95c2f8988

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
bf8ef5bab61e91070c7a2f37b3c5f39c

SHA1
ad632851c9a60e0c40fa03a3c6087414da92e5ef

SHA256
cc63f253999c5da8bb949b09e951f107194d0b14dabd5c24ba6efc579223f0fa

SHA512
a827237c9d1464b208dfe72cb398b36df1d3329fea90ed04ef672a18f920e0ed1666d92298b99008322de1e2985abd7920374d62c768a347ac0b2012515ab363

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0a220bffe44496fde7a2f69b83c1f13b

SHA1
8d8f8547e2df6bffd8ead931ebe19c1c71ae653e

SHA256
f713c449199c7c4f14d5727b23f4590077c2891412fd2ac021131ed9912993e8

SHA512
79ca139cf93450b653cfd006a2bd5753a3947d8487a8079af5257b207712d3fc9b409ac8463d2a7c89e429f3592d12ef32b6b6cd3bb9a01a84e962915d3ae980

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f6da38aed961177ba1f389e6fb4361ab

SHA1
ca0c1514a1dc730fd71ce67035501f13fc23a575

SHA256
0599dacb40f526353f8c6fcf23abaf9e30dca14b130f60982cc4d7b4ec9af20a

SHA512
a7e049a5bf4d801e96a4f66b6704abc031f27be0c1d2b7ec6a81c724ecf1d3f4d59cc7868175a17a3e40eb94ab33dab9521c2a97785734952512ce67263c379c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b6adb55115f53774509e5fcecf6a7f8b

SHA1
f1796279101cc1b8b9dc3ed3f0be8a4ff9392ab5

SHA256
56981802e93ab29bd1068f35b0ee5db0ca76a24d06c7e86eee95ecee6166ec17

SHA512
6f6552eaa4d0640af8a3030c4b4016ff66ca74ce762f21bd40c40b17448361051de1ccafbc9e2c4fab7470318024ef340858998c04f855c45177045bf1941532

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1118e246ac70068c64a94a07771b2ddc

SHA1
0896a33971818a8d94408a789b870beeaff8f833

SHA256
4a42db58f8cedec91626b8d025eb7680cda5f014456c9f8738beac69407324f7

SHA512
9d629144d20a4018ed373dfd997ae1ffa7abda03e20f251ed5e4dcb37c93e37f5c2cf920a208b63562545d6ca99d638b80a46d32a3937dba9cbd2ae75671e43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
236c98810ed1e1f2430615890b999c57

SHA1
c3f02313bf8af8a099ceb0d915240a4215eda86b

SHA256
ba815b548bc65a83f36d5960bd16c81c805cc69e58fdc0fcf6726f712f1ddc9b

SHA512
3f19ddb00fe28d0fcad310461e75ca2cbe4512c893c474f905da319112a26bb6b3abadcda7b6c8859e3dab202661fee022c6720cfb5e872e60481d2ba5217596

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d19097952e8205c5d0209d2dcbc7952c

SHA1
8d1be993c6fdf2b3555d3bdce63bf525a305a172

SHA256
9270136e2ca8b14ab8f0e91efdc07fd9f80e4bf69b1151cf92e5e03f26dfb42b

SHA512
169c3b5b342cc7e73262decc5dba4cd45ea51dc9fef5cec587261c6028b631637af9393d4d2462a9d5b6361e3dd3c65cf0de54f9a0a1e93580a0d62f37b6ccc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f431c83fc9607e89201cd8e5b37baabf

SHA1
2ac51db8692bce38eb31194a2b5aeafa3a50ac99

SHA256
f26b97b14197502b15da4774ce6622a3c64f3d8fe72547fbfc9a6c3a903b305c

SHA512
d21f3061137e03730b270b7afabd346d2c7bbc4ce1414e9ab08049be85b6d03e104519acf899637d3f57a5d252c923d0e20a11ec80c3779c756eba16667f30ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5c26d10046e316a0f8d3ec2b16f8c7f1

SHA1
beb48fda66ee4430824945038ca7568e7863dd2b

SHA256
1509bbd04c3ae0da7336175a26ac85a7ade30411301606ce0d495bb68b7ac257

SHA512
db718346c5e8364ad55d1ff3faa0236b878c037dcf466f771e736297238eea2c74959bfc6cdc614c42d7a14538cefbf786f415729464d5d08950fbc5889c0d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
756b9a6d696b6f4832006119e5539d67

SHA1
662db6d40217fbcc87a060e2aae6a0b6977fdf7b

SHA256
53754fd2fe80f3fca258d0d7d47332606d4cf58cbc9a41907f77322b620faf16

SHA512
071006fb95193effd97bc9db54387fe381a9b5caf5e735dad96f6548ada01c0f539b4b5580f0cca9a6275982e9260808c780fab0e2cad8acf36b51b5c16c070d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1c888cb374d6d34aae29cf3faf5b0411

SHA1
c5107801633de7f67d372eccc5d72d576a2b275e

SHA256
45400b37d7d4583aecdd8fa08557bff187d6a9ba967821b221959af58aab9332

SHA512
38296747b084688b48c92580672dc4f99ab97a89b375d36b51a2aff317a31b49fc61aff483b1abb18670dea48b5ef24351ac37955575d02a75600d4aa3ec4d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
35d825a47d116f294c4d3de18b82e192

SHA1
ee5c3cd8cb4d32ad8dc75c143894b8390d9010c2

SHA256
ea0723945507c98b31fe3a5ed03d38b7bf054fa6a959f8085d4ea002c89ca873

SHA512
c98c04419e2d01359c0e3bc8abc8f2ab91eff8eb0b5501815cb7dd8a7867f669922731850c0229017ab49bae1bcf5504831ba182f48a5b94201f68ca10d48ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
45211e68b6089447c432dab88a97420b

SHA1
4c5c43f76a2fa92d77c86db062a574f4a72a2d20

SHA256
9f9e7ef750dc7fdca6da3f92d6600a0bd57858cc5f9b701186bf9824943b05f4

SHA512
faa7f9bc75b10b541643a7ecd22ba1595a452dd652bf4b5b7a1cfb684d1d1cdb050c90dcd3398c0767d5ebd1488a089fd1179764d96229483e648746f4dd060a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
74e68a61217431e27f5e8c411f47b1aa

SHA1
1a991a32ba9c12af084477498ea292fd26b695de

SHA256
150c013387e9982cf77fd8e58f8fc963e9601356844697acd3aa0896c215b94f

SHA512
e23cd73730e0c737580958dfb7c5431a8793d788de16d7ffd3378784322d2e389c71e200ecb2b4e3c8b20cd292c8b6cc46ab50253abc9ed6a1a1274801aceecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
115dc1c34b3721bb779e80689509779d

SHA1
c2da6f492b3d9282e0479df064588e6f1628dbab

SHA256
b06f29d28798b0cfb5012cb4369fbfa24231eb16ca3e8098eb3592eb7e6baa21

SHA512
21913b31f90535f6b8336517fa9fe57d3cc6be7bf04346b6a24443465d13b4f114f54dfc9aeaf977eb0c939886896daf0e45a3ac0acbe33b6567b0d6f5006b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
76a6af73d9580c15d15efb2436ba5182

SHA1
a500969f28992e444de8cb048d5dbe1269516192

SHA256
60e9467fab08466ffcc9048e81cb2b2ee37fedf63cca26f9e03d517ec9736ef9

SHA512
119bf945e5367bf5e604f9ebc1b1c370ca337699ce348ab0972d8963b0885849add8fc564b25a5f074fe2ee7e5bfe996eb053df4c9e4be1fc2a9cf47ed0d5e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
8b61f873902659dd1680b6419127585e

SHA1
7a4206508ee415bd81abc1643a78e6461321558f

SHA256
1568a26fdda4c270e6ee72f821bcf2e5960bf470e1305e5ac34c319ec334ea36

SHA512
312557e8cf839cea2cbf75582211f3b64c5f044055cc279b4e23bd057e94a8e5b0619846ebb81c31c2f99501492f4a0b41e34d8b8437a215c2a2b7665cf4ae0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\naruto_vs_sasuke.jpg
Filesize
250KB

MD5
27fd0737fe361c33feb687c735c81569

SHA1
8bc8894cff05a5d4e893eebbd029810acb515d32

SHA256
861b1d8b062892c500658efef5c12add7bbf7894c4e46621e0926fdfddd15279

SHA512
a1945235aa16dcc0a6261363581cdd3627494874373d28c7ce4957b661d5837312d31dc275cb6fae5062f29a75c5fac9fea6c7177a40064a5b42c5c8aa2f8a96

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\win32\ocs.exe
Filesize
727KB

MD5
e6099ca8db4183a6c693eceeabd41dbf

SHA1
6b8d11ab13960b8f2f28be65678a3f8551edfde8

SHA256
e2432c2557d60f4b2d04839d7165fd557958922c71c5c2592c3b0d9d731e53ed

SHA512
98f162291b0d0fc262c79dbb2dd02ddc266f0d33b126909afced0d568575865d3eed4b2d87f30fc3568b5bdcd181514f885c65b363271372247c7c39a9e8a38c

Download Submit
memory/572-571-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/572-274-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/572-908-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/572-294-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/608-897-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/608-1450-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1172-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1172-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1172-21-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1172-871-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1172-25-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1172-590-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1208-3-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download
memory/1208-6-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/1208-0-0x0000000000400000-0x0000000000481029-memory.dmp

Filesize
516KB

Download
memory/1208-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1208-23-0x0000000000400000-0x0000000000481029-memory.dmp

Filesize
516KB

Download
memory/1208-13-0x0000000000400000-0x0000000000481029-memory.dmp

Filesize
516KB

Download
memory/1208-10-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1208-12-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1208-1-0x0000000000400000-0x0000000000481029-memory.dmp

Filesize
516KB

Download
memory/1208-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1208-7-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1208-11-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1208-5-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1408-29-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1756-909-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/1756-902-0x0000000000400000-0x0000000000481029-memory.dmp

Filesize
516KB

Download
memory/1756-905-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1756-906-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/1756-907-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1756-1452-0x0000000000400000-0x0000000000481029-memory.dmp

Filesize
516KB

Download
memory/2160-870-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2160-1329-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download