cybergate | c9bc1fdfd47f19c1af3631334c0687809cb0d4f5307af3037823212539d81c20

Analysis

max time kernel
99s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

707A6FA9D0DFC998063525E6697402B1.exe
Size

262KB
MD5

707a6fa9d0dfc998063525e6697402b1
SHA1

e5a930dab328f46a1f7f9b25115b08a8666616e4
SHA256

c9bc1fdfd47f19c1af3631334c0687809cb0d4f5307af3037823212539d81c20
SHA512

80d682e357f08fd02abfc255000cc4ba0d7b8ca705a850f78822c61fa4c7a702984ca2f8e73500dab33964a43bba7098b16e1a3ad7bb9375f34b698377b878f1
SSDEEP

3072:kJ3DOOITimBCpBigzNm1VD4Uh4iYatRlgpa/hz58O0Bz65/M6If+3Js+3JFkKeTn:WDdb7Tz0T4ihtz8WzYxBt25

Score

10^/10

cybergate limerat chiclete tic tac rat stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

Chiclete Tic Tac

lanternaportable.ddns.net:7159

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
Plugin.dll.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456789
regkey_hkcu
Win32
regkey_hklm
Win32

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/6bPeUTd1
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

707A6FA9D0DFC998063525E6697402B1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	707A6FA9D0DFC998063525E6697402B1.exe

Drops startup file 3 IoCs

Processes:

Plugin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dlls.exe	Plugin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.exe	Plugin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe	Plugin.exe

Executes dropped EXE 1 IoCs

Processes:

Plugin.exe

pid process

2108 Plugin.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1556-45-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1556-105-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3432-109-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

22 pastebin.com
23 pastebin.com
24 0.tcp.sa.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4852 1880 WerFault.exe Plugin.dll.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3004 schtasks.exe

flow	ioc
22	pastebin.com
23	pastebin.com
24	0.tcp.sa.ngrok.io

pid	pid_target	process	target process
4852	1880	WerFault.exe	Plugin.dll.exe

pid	process
3004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Plugin.exe

pid	process
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe
2108	Plugin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

707A6FA9D0DFC998063525E6697402B1.exePlugin.exe

description	pid	process
Token: SeDebugPrivilege	2092	707A6FA9D0DFC998063525E6697402B1.exe
Token: SeDebugPrivilege	2108	Plugin.exe
Token: SeDebugPrivilege	2108	Plugin.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

707A6FA9D0DFC998063525E6697402B1.exe

description	pid	process	target process
PID 2092 wrote to memory of 3004	2092	707A6FA9D0DFC998063525E6697402B1.exe	schtasks.exe
PID 2092 wrote to memory of 3004	2092	707A6FA9D0DFC998063525E6697402B1.exe	schtasks.exe
PID 2092 wrote to memory of 3004	2092	707A6FA9D0DFC998063525E6697402B1.exe	schtasks.exe
PID 2092 wrote to memory of 2108	2092	707A6FA9D0DFC998063525E6697402B1.exe	Plugin.exe
PID 2092 wrote to memory of 2108	2092	707A6FA9D0DFC998063525E6697402B1.exe	Plugin.exe
PID 2092 wrote to memory of 2108	2092	707A6FA9D0DFC998063525E6697402B1.exe	Plugin.exe

C:\Users\Admin\AppData\Local\Temp\707A6FA9D0DFC998063525E6697402B1.exe
"C:\Users\Admin\AppData\Local\Temp\707A6FA9D0DFC998063525E6697402B1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
  "C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.exe"
    3⤵
    PID:4364
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe"
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:3432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe"
      4⤵
      PID:4896
    - - C:\Windows\SysWOW64\Microsoft\Plugin.dll.exe
        
        "C:\Windows\system32\Microsoft\Plugin.dll.exe"
        5⤵
        
        PID:1880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 572
        6⤵
        Program crash
        
        PID:4852
    - - C:\Windows\SysWOW64\cscript.exe
        
        "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
        5⤵
        
        PID:3556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dlls.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dlls.exe"
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\Plugin\Plugin.dlls.exe
      "C:\Users\Admin\AppData\Local\Temp\Plugin\Plugin.dlls.exe"
      4⤵
      PID:4392
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5040
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1880 -ip 1880
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe

Filesize
262KB

MD5
707a6fa9d0dfc998063525e6697402b1

SHA1
e5a930dab328f46a1f7f9b25115b08a8666616e4

SHA256
c9bc1fdfd47f19c1af3631334c0687809cb0d4f5307af3037823212539d81c20

SHA512
80d682e357f08fd02abfc255000cc4ba0d7b8ca705a850f78822c61fa4c7a702984ca2f8e73500dab33964a43bba7098b16e1a3ad7bb9375f34b698377b878f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
739a5f5ecfbb5ff8887dc2fbdac2da59

SHA1
871ff11eb227f1194e297429927a9f9da6d30ff1

SHA256
44db3126f736a3c493c17c491136883a53e0ad0df75ab80f6db5b36d744d2028

SHA512
b37c155ef54555c314df7b8ebae41210737417a1d405d2fc939350261bae808d5b738807f9d3133431a1f34e59b111c6ec349389e407582ddf6ef6fd387c9975

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4362114b94247c0f0fccf65ca092df53

SHA1
c625023364617489890eea58b89c19ed61accf64

SHA256
6d47795c31095a6078d377245d0785c178f249663749fc503c310ab7e2ab864c

SHA512
eea65b3541a87c92198054300af999e1273f3fd63508b4c9747a800a06a7693ce605cfb218aa52e8c7fbef4d9ec3a753f1dd0a5b206c043ada5b2afb9ac6eabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f57f0bbe1851376d6d49e7386c84defc

SHA1
aeae7c66e1ec4e2ed9e53d208d375f3de257ab9b

SHA256
0dba525582137c88fd03923ec687dadc2f7b72290a3d767c3d9bbbd394c4d6f6

SHA512
f2d48b1f51fdac00091739d18b8d74b4bda53fbaba707dbda8bd0e0973fa3d06b33594cd2e2a998470eca0c03ff8933c0054880d761fb2d1647c420f4e427134

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
65b9d1d1970f2443e39e5a2ff7dd97fa

SHA1
5dcb7198f43080b505adefdbc80a318a97162491

SHA256
a40b600910860997af144a0e3c2c2579e45b052c2dda8b6087feae32370c8770

SHA512
baa39e6337d848ce481fcf7ea62a5a6704c78c103bf5dbc7ea6d9b84d8f5780c22a4bd7400ac4e3e547a53d0e92470da4b2ee50b4bb84aa1c62b070401704004

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
92a9f16c4882ead9aaebfa9f9daaf854

SHA1
b77f743ed29396b57d3dd74571899a7088772edd

SHA256
7687b189f0220730937a9bf8577b5f2b9f4470be85b224ff55edd79c68466bde

SHA512
51593cc7f7a0d531d19ce9273c123dfa40528ea5058724183d11ce0468adcbff3efc8c3142128973d1a04ce5b2353def237d71be20055a1d10f5e375c94f9e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3cc81d0c437d236dd921a0d21c476fa7

SHA1
3b944e7d391fc336144957871b501b6c14469d60

SHA256
e2936bf0159b04bd99a3061ed3f3705c22facc220e168be7ec6958bebeda520a

SHA512
7fc42fc1634ed2f828f7690382b6efb892f593110a44cb73cb1541b9b1194db17023068fad09dc93b0761c12ba8e88bbf82c17fa8a89f34930acc9adfafca2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b123e90a955570ef947a7e874533ca4d

SHA1
774e539cadb35e9cb159aa854810e1f75f0227c2

SHA256
d13c63979c747847899f31e8f0a7ed571c20e6c8f31e9eb8017104bcf8654f51

SHA512
e15f8d292f817bcec3bfc6a9bbbed1e37e72340a429c27891ea2afdffbd0bfacaa68711d98b35c4889b3bb0a7effea28f809458a924eb146b7eb135da80ec2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dffba2a091ad53cb95a435aa3fbff1c2

SHA1
dc45efae8db52e5814c91e943e47907105a8f465

SHA256
44eb34df0baaa2c8128f6889fa7a65bdfdc83169bb316bd62a23add19a85ede8

SHA512
5ec258db84a9e41aa035b83107db6640a9e41fef43c0cec7472de672786da003bc2f2fdcb6ccf57210cfdaaa11c2c35f48d3be5ae6d41d0936f27859dbdc4c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ae05f2a046d82250f2dae2617784ea24

SHA1
cf411cd7f2e96a62c76ec7e68492dc98234dd3d7

SHA256
19ff1c9d0787edd5a5bb121770ede2eae9a9b8472b6d656fe8fa4790475a5fad

SHA512
39ad5f7cfacda0f55b9293d36f371f71453f45742002d3bc8c878457c0062fce3b8e639c80818fc6366417b9bceb6b7b73bac063e61b27fdf59532e612b9b8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a5d167cc18323fd3935a8aab758bffd5

SHA1
50682ce5699b2d88c3100b09814c3e0625342654

SHA256
5abcdb3015fc5645dac76ce2855a21c49ea45f4d2e318fbf61e0edcf870bd696

SHA512
ee70998ed8d58bf664b2c94355342651fbea0523feb8b4768f6252916bb919c344d5e73e318eaa611ba91f0703ff8a14c1593b93caa7614d30ef40203c7191b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
78b3ff3e6f0fdf012b6fb7429f58bb9a

SHA1
038f5c103c69fb06c60bf37b885d76b4b0a5e73e

SHA256
ef767c8cf78e64a75b7872a70c17adda9733e20124659d71d9d0ccaabf31dc49

SHA512
5926af8cb8a290e91a1dcb96c08f9d865ca2d100bc4593ce228734ceb35eb21e2157faa2ff298915a5444f20f39ccac549644eaa8aaebf17577534a40e1751bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
84fe197df6879e6c0d9c6ca58e3118f1

SHA1
96a89fa8e98486ff153dae0b2dc27cf2f9df2ad6

SHA256
c35d4de129056311a78d8f863eb65b5daa4433c15ab1447d5f15105d18e6d68d

SHA512
441caf062bf1bb35f0e8c6c972fc4daaa349c6f298ce880e4387e6d780416f64120259ca1e6f8011e17607b64df0e2673991405e18d2d4900e2aa926c15a045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8bf597021cab87c8eb123a6f0b934639

SHA1
dd5b838221d127686de7739badeb28eeca1332b1

SHA256
17ca03a5da42ce208447d8499d3ee12780136bc8eb5cab5fbd3326a4ae376ade

SHA512
2427bd4917860aadfa55e308a3c803191f2738e6bd43d6843c73d4d58f6c4cc3efb5f458696b6ae51a789b7f92d5288935e5fc4a72671406c55166004ac08319

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f1fba878a7b8bdb32cf2424eddb7269c

SHA1
15f18e23d41118687f85d4ec1f3a5c7a1bae2e06

SHA256
00a542eb6ffb34f078b04bec30ad4cabf3301afe43139e70d10ffb592e3de656

SHA512
5bc38f9f6f9a4102e343475cf73e524e98203a2d28af7edcd396f8efffb248d5042b2ae87227787c12a30c5347d3549442e063a8da904b14f5292bf1b4d39897

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2e79f1bbdb7109d16f440e0c704ca1c0

SHA1
bd49746cfce073d561856c7ad204b849b746061b

SHA256
4fb038a1b53162f171732fef21c9db65f265c130e297ded7ca51fd133a8fbae8

SHA512
fe444b5593193c3f07166371150bd4f52384d819d9fea74d8bc520d62d182d0bc8a0dd690199e257ca1442d2f5fb1a77422a8c95b1d15ca3c99dffe4133e748d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
48de595268b2f8c1a7922f6286aef4c0

SHA1
2cc3ad3fd13da95a7c815f1bec913533d690c93b

SHA256
0ff7af9855c00ce85edb2d9c545031e1ef2023f0c8c70e9bfbc4c5d48119be21

SHA512
6ee03335f28f5cdc2d6f2e6c41a142bdc590cb0b265ef1428d5b024197ac664ba21d895abdb2187116fb341e70ff6b928c79e29c95e6129aa4351f8aa811703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cbe080ca598e64871b1d7fefd3e958f9

SHA1
8e5445d0bb2bb234e5cd4234a8505bbf6b108225

SHA256
8daec75eba115bbefdc7f99eb98517ee5501c97360ecfdb894bae42a7a469287

SHA512
673f55c3177f49604c55b790327be38e90cf69f99650309993f29c2fa4a9d8959e53875378ee009c857be110c0b409107a9901bef23e2f2aa7f5f07647621710

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a4da777168dca54553829126f400d3c

SHA1
f14cd13449712f81f48008bf006ea6589bf12b2b

SHA256
01a6f378c23275329910a9ae0bbe48c32bd4b7f8d37f3489ea16666e943ecd4f

SHA512
e9c43125572327948a1b1af44907e33aee58b96d704b9ced349b858a70e97439d63e53f45101a0ad1650b808d658a59d299d6b278f2e6018cab1ff6f53837a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c21365701bbeb0138386b063f46037e4

SHA1
1966279021e82d708e89b8170393fedf274bd920

SHA256
5cc9fb36b45abb2bb0e959da4cd31cf0a4fd69aa260fae7a3e21863a9aed5b03

SHA512
baa5bfe78b6659a0373ffb6cd15edfd3e4a74e34690b22e48763f648e8ca8b5a0ecb3da09b70c405b1ac42ba0819120e5db64636be0e27a9d5741828cab07183

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b32dccf41c22cb2eae23aeca5efcf9ec

SHA1
052134d6450275b6012a5adde6c4e6a5960e7882

SHA256
e3d3081901301016c11397851a92bc93033c9d82363e26c1a4edfe68278c4eab

SHA512
ae19b0db2229a31aaa77cb47b0ba3449f45651344ee2c574f85b564e2050d258554aeaf529881d62bbc1d225a20c124f39e7f2ac9993780aee04a69005013bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
afa2228d16b167a3ef21f8ca129f7a21

SHA1
c370ac483786fb74d7211ff65b4705c08e77ff6c

SHA256
ab9de56b5d213a2efe89cce3b7a3db9d1d7b324464c0d09aeb03066f8a61c00e

SHA512
3c76ab83c0ee7d4be0f295c26a8b5c65ff9b5b977130cb85370a7fd7a41610f16ff7ac02c2637f755655a940333c86c65c33f9e39b826046f7f77c15ef2869d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
60757db4c923aeea654b09f6759e7061

SHA1
98da39d091d227825c6815f1f453df7e4772bae6

SHA256
f998415184ec87aa530c428d3d3da09550f553d494262d7cf1f36bd784a3fb2b

SHA512
f93ee0a16e39ace994a5b9474d201269847ee21f7724004decd373cf27ce5f68b7df9ce8d4b33824a4f529ec833af94647a9f7fd84ed86e200f7074cf09dcb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2db08b1552d971ad8fbb33d71b86029

SHA1
5905ad3cedea30ded325f7111433f38783920a3c

SHA256
887a976a123f8c51d7b92a8feb2e74f09918ad81cbd58434bc4d7170a23d3695

SHA512
b41d78a78591d65afd752c8b3af404e7b59573a49f8bc797670e6382938873ea9437de1c096ad49aa6644b2798091ca86822c90af9f213715a085636b11a300b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3b0345362348b9e21dcae3521bddbc8

SHA1
5f4b60039b8df0c541b6845c53c94b7743743b69

SHA256
253c9cee22a64901492bd0e30e6a2a670d5b650d6952f1ef805d6d33ec4c4288

SHA512
b0048b2f34f25ac91bcae3fdc5bbae7a986f2700cafeabece1276551c2ce312b909459b6af5f684ab6ffffcb5fd83d0782f9a9a5a683a6b7e0ce164e3d55a0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ecc835273d85460023cc3373df337ed8

SHA1
0934e1a1de99be0ca283561a901b9213b7ff67b3

SHA256
ae4ee19a5fe1a668699b4d96af21249f4dd7c851088c3986c71436093db896d7

SHA512
15ce29a7325de7a428516af081dd820af919c3ef65c59551b483b4a7d531a1a4587bbd9d2874d8cb03c9a16b76baea0ae1a2042df8215718d5acc45a898248a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6fcde8c8807e918a1fc7583d234f97a

SHA1
d7dfd3e6c29b0660ca5dc606c28ba31d5cd29c60

SHA256
f38c72b4031d3f5f97d614598fef148c5652481459a29f9786b6086ceb5bc3d0

SHA512
11f67c7cb6dbcf383d3472fdd00dfe77316498fcac2580abcd7c7898282df04f171ea3396767863a15529109f05bc677e1f5fd35b342cab9bd19b97e61825169

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
46ef455a0150a6e403cea88c4bf50d4f

SHA1
12ab47faa001c3ee93953a0a51f09d8dddc65159

SHA256
793d0ca6315bf3ec002544fb2b085024c4d6cf8a29c697cbe266e40c19818167

SHA512
605c31469776f28ecc420c50a368257c40c5aefc97867e189e0df797f6c0a4d87b6cc915ddb01e6134c07d328185ce85e3679f34e604f333fba45d1573c092f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
41a3b03227455bfa59577e1e204ac11f

SHA1
3ed7cc1ee31cf2e2a97262ff1b3a98589a1fb0cb

SHA256
d182452d226064c60eaa832cf175f2dac69cb834153537e20e3d8153c8e0c9d3

SHA512
5c4779727766aa885cc59f54ae8f6f63303085ce7ba9058a38442472f5121332d9e5835d50cedb49c628c1a167bd19602428593f6bcbad7d2ede17c2802bf657

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13cc1eb151dc3d2a2c0be1d01e600470

SHA1
c029b9a1dc3d6287364128385bad6998fd1b0765

SHA256
5cb2d15ef39c1ffef445c8ad9a572d89360875c6bbc1478da56f71747155e117

SHA512
95341a5fe779b54e7c20c682747d87398c6e8a052f77d398d620acb37836e71bfe36a725410e32e2f75f242535be9966fa39c7a04b44f48bcffecc5ae40b56f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e28d87998fe5bddc660010911174141a

SHA1
cc54c93d4fbf61f13f5f47edbac9efa1b76e413b

SHA256
b2dc4f2f0daa548d3206899ba9e35fa35a1b9cc6e562af779258a87a08dfe061

SHA512
718f210a19983af1de1b060d85e15e23198c5f1bb5975cdd21c7f3785937d29b7512ba05eba816fe3dcbe99a2f6403869abc6b98443d1df546abeab371c918a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4725e3cfce98fe465d34d3ac44311a49

SHA1
17f495383b5e5fabf3eeda42a49c1066276b2420

SHA256
424b341ce5a5191be8365765bb64b415209c3081c88cc315ff5105080300e2b0

SHA512
07c52a0fd5eadf419f2634e59110f277d5ccf1332e0bfed9e15f2327e397ddf3a5d4e5fb3e0a3fe548e74f85438264248d14bf8e1a68d6f44303825eea3272a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb32c8c4bcf4195d71c615e2c43f5fa7

SHA1
f0aea0c72e884e80acdc72c717080edffd1b6579

SHA256
0ecb5f7a77e157fea28bd539ad9caaf432e4370cca32540817dfb62221f0aef8

SHA512
c2523fb0d32d985d1a83417ea305671ee9d3fd9830f5f85cf82bdffeebf824518c5672ef32e03ca5177eedfd63f992d3afd6f039352867acefec924196735e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ff8e915f08cc2c5cc627d6f5c53543b

SHA1
9ed1a7101e190cb4230784aa48f116c77586f7b3

SHA256
9f0755ba159503976dcbfbc55765e0ba04a149dea758cacc4801c0389178cdbb

SHA512
9a364f1a38949758cd2a016c7dc4ffbc87173754679457625ccf12c8314fc1eba1518cefd9d00da29f9ec75dafee84cdfa848ddf5c7978b4b8d3276e67449539

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6402e68da38024e56a1564c84ecb96bc

SHA1
8b5e76b9acf5708011f051c547c695b3b3860f99

SHA256
5ebad751eb45d1938c1fb8827b2358f31a5e979dbe29485efe46198c445173fd

SHA512
bbca3ddbd6ef65f0458a64ed1a5393ba478c4bf295982f3d9e4e586aaf0df32127bc26da5900de806e88d62fc82eb9d7f9ddc48866d8bbf12a15f94311c7edf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7dc1db7a4a559a3cabc9994aa7094397

SHA1
39aaea33f558259f3e370e5f869971822ae4ef54

SHA256
4b83c3908b55c9680be4288102742f1ad9c95f890588a7977f9116ba957d5dc8

SHA512
0903166859ff9922f31e602749c317ef966b727de628a87a5e396c36edca1c7bc894aa403ceaa3e7c6669c06a4b29e8c478521dcfc8b7dc25087d1c04d144b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3832820fce403d11be5dd853510fc240

SHA1
669eeaf8da52601ce05458e68d900e844aac4525

SHA256
9c19dfbc15371d00c47f95e744a37a341ef4da7cb05baa4797a07af1614919a4

SHA512
b13061b1220ed0dbde5c5c70add7ef999383ac66fe9b7d0433e292e2dfbb589151a1abee7bb44f5fa80d1d8ac6fb5ee9d767381bdd131bef4bee64ee278dce0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5426b5ee46ef5d94c147492af817f669

SHA1
fb3320c1fb297dbc63bc4a22982e144a20100216

SHA256
50b31ef352a6a3423186f63cab8b59204285d40649e9a9a9613a329ed78a2ea4

SHA512
eabdfca0eb21baede2cd9a827d8b6ad23d9a0724432814c9841c40414de7c92d77420b3320da2c38192807d62674b7e48b918f64ef13478b8c00fff254c60ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e746d6dce1bfc85b1cd1a2f4a70d0df

SHA1
5304b62435224e5f3566eb75ec3f2e48839999a1

SHA256
0ba501979fa5de063362100fe15a703f54b767b8697406f9e873e2799c911e9b

SHA512
7ea59e9e0d1ed4dc6d5b0c0d9e247ce67209c463b2ca8eff9d5471dfb644275d636522f77364116755e15c5d66e2466b3e5f53d2b21f5dc979368e817ac6089b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4222fdc6b0b04488e36923f790b35108

SHA1
d547529e2b696b09712cbf8e8e06f20e844585e1

SHA256
2b86343657e698e00035b44922b5f4d1284193af074aaec0f82d0c6b4d1ca261

SHA512
e4427b8884948b06e77e14e52ffc46394d3c77150ce52847250e85036af3e012d195efebbd7d2b198abcc90ffb9280bcbb7737ce6e809314eb6d770a20196c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.vbs

Filesize
841B

MD5
615964e5ab63a70f0e205a476c48e356

SHA1
292620321db69d57ba23fa98d2a89484ddcf83d0

SHA256
38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

SHA512
69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe

Filesize
499KB

MD5
fe483ae19cd2573ee35797f199b1c81e

SHA1
1d2c850d269bea071596193ce676621189038de4

SHA256
742a3a33861432de375b25385619c1d0844b688460f565190906e39ced5880db

SHA512
46da348d542bbc8982b787daad5ccd9b1593cd7493585d6463cc263df5578824e6b27ab17ff7b2f0818916c46edb878e57caa6df9f45a5b3ce6678d9d9934b68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dlls.exe

Filesize
756KB

MD5
e825fa3224d4c353399fbbc8d6b70832

SHA1
e1f11b7f2bb805e57268210dcdf6e2a06dd6bfe4

SHA256
2e8614eb2aaf064c6a07e3074027fdca1f050552366f3fda867d9c0a5eb5f1d1

SHA512
763f8ddc38e824d26c8773fbf0245eed32bec8fc9e1041ced2d73651de4cf314713ab68c228cb7c2b7ea317076140f9c73184d4a29d19b10b6ee07ad274ca533

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1556-45-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1556-105-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2092-4-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/2092-15-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2092-1-0x00000000006B0000-0x00000000006F8000-memory.dmp

Filesize
288KB

Download
memory/2092-2-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/2092-3-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2092-0-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/2092-5-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/2108-21-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2108-16-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2108-18-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2108-17-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2108-19-0x0000000006EB0000-0x0000000006F42000-memory.dmp

Filesize
584KB

Download
memory/2108-20-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2108-22-0x0000000006E60000-0x0000000006E7E000-memory.dmp

Filesize
120KB

Download
memory/2108-23-0x0000000006DF0000-0x0000000006DFE000-memory.dmp

Filesize
56KB

Download
memory/2108-24-0x0000000007600000-0x0000000007B2C000-memory.dmp

Filesize
5.2MB

Download
memory/3432-109-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3432-50-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3432-49-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3432-108-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download