cybergate | 01ae192871088907aebf2bbf9c83143926945f5f032f45c3d78513732ce5bc7e

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Size

1.1MB
MD5

76a97a2b7e772539875f4e14a9c10b15
SHA1

334db4c26d9a12b878322a5370a75341e0b1d0aa
SHA256

01ae192871088907aebf2bbf9c83143926945f5f032f45c3d78513732ce5bc7e
SHA512

a0cb7f12277ae31ab365f94d478d3bf103abdd4f16a4011fe7b963748991badb7c1197ac7ef7f78749b762b03b77b2274f8fc5569373aa74b375a18f5469f465
SSDEEP

24576:++QOgtSy00VD04W0zqBsAeHGTAkdsgqyRgl7pgwjZaa:++QltSLggfJkiqySllgmZaa

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

charles939.no-ip.org:81

charles939.no-ip.org:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
cuntlol
ftp_port
21
ftp_server
hsftp.no-ip.org
ftp_username
ADS
injected_process
explorer.exe
install_dir
install
install_file
lssa.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\lssa.exe"	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\lssa.exe"	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\install\\lssa.exe Restart"	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2820	lssa.exe
2844	blackra1n.exe
2732	lssa.exe

Loads dropped DLL 5 IoCs

pid	Process
888	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
888	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
888	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
888	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
2820	lssa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\lssa.exe"	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\lssa.exe"	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 2820 set thread context of 2732	2820	lssa.exe	35

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1148-28-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1148-24-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/files/0x0008000000016d0c-366.dat	upx
behavioral1/memory/2844-379-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2844-420-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\install\lssa.exe	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
File opened for modification	C:\Windows\install\lssa.exe	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
File opened for modification	C:\Windows\install\lssa.exe	lssa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lssa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blackra1n.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
888	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
Token: SeDebugPrivilege	888	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
2820	lssa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1148	1984	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	30
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1568	1148	76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\76a97a2b7e772539875f4e14a9c10b15_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\blackra1n.exe
      "C:\Users\Admin\AppData\Local\Temp\blackra1n.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2844
  - - C:\Windows\install\lssa.exe
      "C:\Windows\install\lssa.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2820
    - - C:\Windows\install\lssa.exe
        
        5⤵
        Executes dropped EXE
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
824KB

MD5
39096f3dad6784065b0b1564f73e7886

SHA1
1ec678166d36dbb5d040499b17f02a05e71f4cbd

SHA256
41bf78a9b76daba0ff4020a00b439c984ea858dc13367bc60b828957d3f87726

SHA512
ae5ca38747db3e9c8a0a98a115590d5652b801928d9f3d1eb94c3e7ead859e32ef05917f5920079cae6aecff1ac6a5b1b6bdfe36ae3c0b3bf36c45814ac4a412

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86fe63f118468b8daf5568316a63f171

SHA1
c984d1e34bfb789d75bd36d88ad8c360b9dd0fc8

SHA256
2674b350833f81a0db2c2a4215aa9fac0ef1343fe114bac0cb650e1e26b7d556

SHA512
647fcf7c85b75de3993cb1664d4db3a149afcc3fab6f83a5a5f0b525501b08df976725de6851fcee57a9fd491ccb9b7cefbe07bdbf9e36715c3f9eafa71d1b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bfa53600b6c22f08d7c1141e3de8dc88

SHA1
824f978aa4eee5f2537329ba7c97d41b0c61c308

SHA256
455472735c263e88c11c14a27f0c6c55ca024f97b57faf41e52a12d6429251ec

SHA512
b7e02e8f1bda3c0459cfb7b7ad76ff3a40089319af41a2e5cb1815464288a6fc5ac12936d0a70ca722e10cacf545c765788d4534be36cc5c42c704ac498d73aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ec98c4a8974723d13a3b2beb6d0f1f9

SHA1
48bbff7fbd109bec872c7d49e981c51e319c6ef3

SHA256
72b520f0566289b494543e228dbe607a7282742b1ce37759c94bc6470824ad50

SHA512
3346e35c730b3bc31a28de8d23c58ca4cdc77010f85ab1600905a611307896587f305a9be8d293de8764f888ff69784c57faffaa8416b55b2f4accbcc950f229

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d3b02ce4710527145d50572af7475d8e

SHA1
1723732d4d991c9796dba234a8f3f70938adc652

SHA256
dc2b4cdedd42a2f01a54715547b1eaddecd264d901bd9b0fe0811dc484130b23

SHA512
e9c2cb2977a7dbc76f71229d0d869f842bf7f7c6fef48a5d36b8c743517563f502af1c12a8282f00c47b609534a9a3259e7160280f5d3fd2be35ff9322c06f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6b2b69582c6f3b330914096f71bf0ba6

SHA1
fbc9e7605fb935ffcf7c4da7efa940e1bf7135cd

SHA256
9e376ae5a9a0810498c0edc23b0a39c57201d522ac2e6c5687e276868b836be8

SHA512
810483a36885b9a568cd1c63952416ed036ce821819bb753e7d3231713aebbd0c3e74578175252e85a8f70f5eac91e623fea0309d88ffda82a63a98d2178ea57

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1e42d94d37c7c369c7d14fc7a31a2735

SHA1
920e60d472d01ebcd3ef5bc636cde19eacd1a558

SHA256
6e4ae3768583eb9010accb59af5eb88c51daf0502c51369dfe57589df71d3266

SHA512
b656857119b68c57f21d96e6d6dd790e94bb541e93d121b09e1e1fef72bf68219379e831771c426bd5b963b70862097fe8111554990746a939c1e9a1da114075

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5212962b94d8171c0805a33981b65bd0

SHA1
2964e980973903bd2fb53e77a24e897c4651ac20

SHA256
6d0f5f50e1731ca03482fc3a3e19cddbdfd13183b1c49103d39e62b2d47dc4f8

SHA512
b2f1a10a2479345c36f608baf4f7eb7f8465ce25839c6e30979f5a40e070bf4b25e87a2c34aee4375b0441a3bff688e2df837f7f9b3e4a16b2f4f74d374a4286

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13559c3c07de39df7ae26224edab99ba

SHA1
57868a0b4cf8620d46dbe8ef9726148c0226789c

SHA256
b31106ce8e089831a3db98b36f5554e101e4952fc1e6174ea729a422e721116a

SHA512
ae256f5d0730f29a82338a698b0d3a4fb509d31c4ca304e82ed1454935cdd3ea46bdac15790db68ad3518d2b888b4506cdd5a5881a339a2a11ca8db4384db79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c9ea68e96df42e0e8a889524bffb9396

SHA1
9d1c32c4dd52387a21eb3d95ead2bbd16a32451e

SHA256
b5178cc11fbe01d94f89c5837b2cfe0ccf5e04d608e3e530322d6ff8837fa2cb

SHA512
96225fb92aa5c017114f9c4ad2ceb0482ecc78f5d4928e0718d655908c606cb37ffb1eede675ebe3d77ae2848dfbce1fd7a2203470a33daf45b3816bbb02fb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b17b013d324b099738ca1699655bd7b

SHA1
a03becb3db8f470a89f32b14c13ab0fe6210d193

SHA256
9893a76a5e5c1fa5a1967edd0c333e8d2244522099f6f11be25736ba18883cb2

SHA512
dea00086bb3b0aa831b685f28e6d02cf283779144eb146b33609ab223b53e45425d6210c8895edce2d241cacf9d3bd901dd583df56629986972ee0a339549085

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0b32c8c841950864ceffeb40a035de05

SHA1
aacffc3366721bdc4ae5d3024e8a4b112894e494

SHA256
dfa626a7781e09329059c403c7545999ed0a87dab49d3b14fd67d7f3988a8d1d

SHA512
f4fed9530b58512ae775e7d180e39b05820218c37512e386f4e2a1ba92e5fe7ac07024757e0f963695ecaf2ba8c0895d33290f8ca2a59a361370cb4fcf2e6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
449295735513a0e1bf40faae92178ffb

SHA1
77de78f6b7f841b44c11517c97dfe6938653eb80

SHA256
98a5c11f3141f0aa0332ca73aaeda2bfaf928f2e51d6e5cdba5aaff7504b5f2e

SHA512
1dc34f4f9dbbbf1f22754cee4d72cc556349ee8fe6ee1dbd36683e944ee3ac488bb79fe4c84318a75464f9ded0007e45d8211a983db3c25028ac7e15800b3b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
03c0ec2f58f95e5ef4827e3733c528a1

SHA1
9ff8a50cd8ccc3c34e13d67ed5998912be4cd1a4

SHA256
a5107a0612f20c9e875ebeca489681abef021fb0f0e5596551266b55209c2f67

SHA512
65cde7ae7152d3037808fe72676786ded24e5b67fba6098f9f069609f2524a3d831248800b7ec21775a12b6bd9174a036f5210fabd4c724f76a3206060070147

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a2a13dcf9dc2c2cb8e43b71c690d9325

SHA1
f699b78229915428269991a1e4c205e36b51c89b

SHA256
0143b82c911cf3f6e6b013a12ed84cbfe5983e52d2133c032f90a597d12e409f

SHA512
e0594f8cb09be94afd02af64a3218d6c1a81f98bc97245bfaf2cf101fd44568373c47b1936412dca1489b1c06b6a6643c66bf2921f87b60eab220f14546bace8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a9aa32ccb452a7fd4ce1df5d7350f574

SHA1
f09efc87cf152824d1b3a417527630dbf852eaa5

SHA256
ce2ba5329624f329ef0ecdcb2b641d11f3301e4504d470c63808c41a8d4977e7

SHA512
3419070fab1f65b8727fedab17d4fadb684266149037665f024fa158eb5f3e005dc99af0e9777f244abd96cd2b1432510f26dfcbe724e88bebcc0108ae5f4d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ea6c378c9d199c3c2f24b44428f455c

SHA1
82152162defeb1406be25d3a57f6b65ee057155f

SHA256
c58cc1a71b22ddb05c13b0ba2d5bb4d6650cca19f74acd5c02ff9a1b244ff457

SHA512
1d8dba333a98a2412056307b7d00e24e4742d21e4e6be4df5f49cf74264f916d4e8b4e74f2ff442629cc791346c647c5ec05489dfbff13d8b8f06133aa3f46d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ebba176b22891bdbf67a66f4549f689

SHA1
ec822d256ebd708f3522d51ca28528aa3a093d51

SHA256
c2867ce2f614816d60fabaff00a11f0caf844e0a4e8c5d71e462655609aa9e82

SHA512
ec297610694757b5f8451070091d0c7aa82d2755aae4949edf9a43d79d887a43da6a3e75cec051dbb9c341f9514d592564515cff7b38dfdb396c532070518bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fa700442436b3bb9517b84743f6452f6

SHA1
388b03ea7c72dbc5d7d600f618260c3fed8a07a1

SHA256
89d24b94e6669a84a170b9841f63c85940f6d47aac26c0b1ceebc0dc2038f2ba

SHA512
5a775a9bde7bf89ee507e8a4cc74ec0500ebc7154872f52bbcfd83376f40b77f6df955d05dc82ca8468c7434d5b67e4f69e771289de96b3617785edd4fcd6d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
29efef07d4bb88be3250b5481d5d8541

SHA1
25b7ba22a01b53662a93844a4e3508fa6e0d3482

SHA256
602494b35e75ffa9805b63c1330d6571dbd0cc962ab2e5362c69dd5fc6df24db

SHA512
caa3068e85c721bea2a86abd6ad9bb268eb9a07b429d18432b444eed1a8a5a171baf76cd20ee45693c106e4e1dcde848fe8925f3770cc43fec4cc2535700f6fc

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\install\lssa.exe

Filesize
1.1MB

MD5
76a97a2b7e772539875f4e14a9c10b15

SHA1
334db4c26d9a12b878322a5370a75341e0b1d0aa

SHA256
01ae192871088907aebf2bbf9c83143926945f5f032f45c3d78513732ce5bc7e

SHA512
a0cb7f12277ae31ab365f94d478d3bf103abdd4f16a4011fe7b963748991badb7c1197ac7ef7f78749b762b03b77b2274f8fc5569373aa74b375a18f5469f465

Download Submit
\Users\Admin\AppData\Local\Temp\blackra1n.exe

Filesize
594KB

MD5
7ad0a6a31f0dc6360d7080b0c7ba1717

SHA1
f7f86ae4a900653fcf8b7cf6ff91c330e1707438

SHA256
21aea2862672861950f5f8917a0c0a52a63650e9cdc95a9993bf3747f0809578

SHA512
d96b5cd4798ad67f5209e3cc9fe518c6b07e285a6f01b116f2f203ddff52373e39dbb47e1995f4e3d209d75b912a0aca75390f83008bf2fccfe074090c2c69ab

Download Submit
memory/888-41-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/888-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/888-376-0x0000000005FA0000-0x000000000608E000-memory.dmp

Filesize
952KB

Download
memory/888-403-0x0000000005810000-0x00000000058FE000-memory.dmp

Filesize
952KB

Download
memory/888-404-0x0000000005FA0000-0x000000000608E000-memory.dmp

Filesize
952KB

Download
memory/888-369-0x0000000005810000-0x00000000058FE000-memory.dmp

Filesize
952KB

Download
memory/888-32-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/888-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1148-6-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1148-28-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1148-339-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-10-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-18-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-21-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-2-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-20-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-4-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-12-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-8-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-14-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1148-24-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1148-19-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2844-379-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2844-420-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download