Analysis

  • max time kernel
    99s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-06-2024 22:36

General

  • Target

    707A6FA9D0DFC998063525E6697402B1.exe

  • Size

    262KB

  • MD5

    707a6fa9d0dfc998063525e6697402b1

  • SHA1

    e5a930dab328f46a1f7f9b25115b08a8666616e4

  • SHA256

    c9bc1fdfd47f19c1af3631334c0687809cb0d4f5307af3037823212539d81c20

  • SHA512

    80d682e357f08fd02abfc255000cc4ba0d7b8ca705a850f78822c61fa4c7a702984ca2f8e73500dab33964a43bba7098b16e1a3ad7bb9375f34b698377b878f1

  • SSDEEP

    3072:kJ3DOOITimBCpBigzNm1VD4Uh4iYatRlgpa/hz58O0Bz65/M6If+3Js+3JFkKeTn:WDdb7Tz0T4ihtz8WzYxBt25

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

Chiclete Tic Tac

C2

lanternaportable.ddns.net:7159

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    Plugin.dll.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123456789

  • regkey_hkcu

    Win32

  • regkey_hklm

    Win32

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/6bPeUTd1

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\707A6FA9D0DFC998063525E6697402B1.exe
      "C:\Users\Admin\AppData\Local\Temp\707A6FA9D0DFC998063525E6697402B1.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe'"
        3⤵
        • Creates scheduled task(s)
        PID:2744
      • C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
        "C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3052
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe"
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:868
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            5⤵
            PID:2872
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe"
            5⤵
            PID:1360
            • C:\Windows\SysWOW64\Microsoft\Plugin.dll.exe
              "C:\Windows\system32\Microsoft\Plugin.dll.exe"
              6⤵
              PID:5800
            • C:\Windows\SysWOW64\cscript.exe
              "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
              6⤵
              PID:7116
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dlls.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dlls.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:2596
          • C:\Users\Admin\AppData\Local\Temp\Plugin\Plugin.dlls.exe
            "C:\Users\Admin\AppData\Local\Temp\Plugin\Plugin.dlls.exe"
            5⤵
            PID:348
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
              PID:1184

Network

MITRE ATT&CK Enterprise v15

Downloads
