cybergate | 16201e427085c22f33f0263fb0bf38620e9b7c20ccb502aa2a60a69597ef49eb

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe
Size

2.4MB
MD5

e86ad40904b8d251d9ddef1d1a54a26b
SHA1

354fc288ada35c1bda4ea9f6b4e6243d88d82cb5
SHA256

16201e427085c22f33f0263fb0bf38620e9b7c20ccb502aa2a60a69597ef49eb
SHA512

cfebf4652de998a6b190b8e9473b2116ae5548bdcb101c61c38fca628852b0f0d747fee87ce7fe2110de620d7d152c8b387310cd024a00da73d3ea95edbf061d
SSDEEP

49152:CfzMiizP4eW7O13XIUOcQ4Gi3zsyWbVd6wbSnf+9OdfnQ4Moe:GWzQe6fUHGiDsyWbVdR2n29OZQQe

Score

10^/10

cybergate ratas discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

RaTAS

spy2281.no-ip.org:17604

Mutex

Microsoft

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
WDR
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
cache
regkey_hkcu
CALC_Sysrem
regkey_hklm
SYSTEM.DLL

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\APP_DATA = "C:\\Windows\\system32\\WDR\\svchost.exe"	update.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\APP_DATA = "C:\\Windows\\system32\\WDR\\svchost.exe"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	update.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10M2CW8-0510-72H7-QE28-KLJ0GC1DGFsL2}	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10M2CW8-0510-72H7-QE28-KLJ0GC1DGFsL2}\StubPath = "C:\\Windows\\system32\\WDR\\svchost.exe Restart"	update.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10M2CW8-0510-72H7-QE28-KLJ0GC1DGFsL2}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H10M2CW8-0510-72H7-QE28-KLJ0GC1DGFsL2}\StubPath = "C:\\Windows\\system32\\WDR\\svchost.exe"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
1516	update.exe
2856	update.exe
2996	SpyNet.exe
1304	update.exe
5432	svchost.exe
5476	svchost.exe

Loads dropped DLL 23 IoCs

pid	Process
392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe
1516	update.exe
1516	update.exe
1516	update.exe
1516	update.exe
2856	update.exe
2856	update.exe
2856	update.exe
392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe
392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe
2856	update.exe
1304	update.exe
1304	update.exe
1304	update.exe
1304	update.exe
1304	update.exe
5432	svchost.exe
5432	svchost.exe
5432	svchost.exe
5432	svchost.exe
5476	svchost.exe
5476	svchost.exe
5476	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SYSTEM.DLL = "C:\\Windows\\system32\\WDR\\svchost.exe"	update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\CALC_Sysrem = "C:\\Windows\\system32\\WDR\\svchost.exe"	update.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WDR\svchost.exe	update.exe
File opened for modification	C:\Windows\SysWOW64\WDR\svchost.exe	update.exe
File opened for modification	C:\Windows\SysWOW64\WDR\svchost.exe	update.exe
File opened for modification	C:\Windows\SysWOW64\WDR\	update.exe
File opened for modification	C:\Windows\SysWOW64\WDR\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 2856	1516	update.exe	30
PID 5432 set thread context of 5476	5432	svchost.exe	35

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001000000001756e-72.dat	upx
behavioral1/memory/2996-77-0x0000000000400000-0x0000000000957000-memory.dmp	upx
behavioral1/memory/2856-81-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2996-2125-0x0000000000400000-0x0000000000957000-memory.dmp	upx
behavioral1/memory/1304-3110-0x0000000000020000-0x0000000000033000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SpyNet.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2856	update.exe
2856	update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1304	update.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	update.exe
Token: SeDebugPrivilege	1304	update.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe
2856	update.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe
2996	SpyNet.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1516	update.exe
1516	update.exe
1516	update.exe
5432	svchost.exe
5432	svchost.exe
5432	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1516	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	29
PID 392 wrote to memory of 1516	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	29
PID 392 wrote to memory of 1516	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	29
PID 392 wrote to memory of 1516	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	29
PID 392 wrote to memory of 1516	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	29
PID 392 wrote to memory of 1516	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	29
PID 392 wrote to memory of 1516	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	29
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 1516 wrote to memory of 2856	1516	update.exe	30
PID 392 wrote to memory of 2996	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	31
PID 392 wrote to memory of 2996	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	31
PID 392 wrote to memory of 2996	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	31
PID 392 wrote to memory of 2996	392	e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe	31
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20
PID 2856 wrote to memory of 1360	2856	update.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e86ad40904b8d251d9ddef1d1a54a26b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2372
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
      - C:\Windows\SysWOW64\WDR\svchost.exe
        
        "C:\Windows\system32\WDR\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5432
        
        C:\Windows\SysWOW64\WDR\svchost.exe
        
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5476
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpyNet.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpyNet.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2996
  - - C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IP.txt

Filesize
119KB

MD5
4e47528c7f2dfd38aea11aeddb024c11

SHA1
9e0734c9d92adfb4a0f4878eac19f1844fdab8be

SHA256
25503d2d8d0f9204183778e1111e6fede3730552cb7ffc6d0a7cc1baa25495b8

SHA512
3669a59756d8b3aff9da8f98a857e135904d84a4d828ce358566198ec34772eef12552a1a28be1702a00b83136e0ad9c139ea1bb8b84683bb42bccd47bb322db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Language\Default.ini

Filesize
14KB

MD5
ee9826fd3883b9756896baed5d076cc6

SHA1
d1c829cabcb967410e03489723d9e51b9549d6f6

SHA256
e06ff3e2b4cf78d6147d00dbfd00066751d1d6680b3dd672e861574741a894d9

SHA512
404cfe3632fc3614a0e686504a2edcdf984aab20afc8fc4c7785d76bd52bf466078e756838c2ce5350439ad128756e55e1c3b12f3badd70fba8e74d171a05538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Settings\Settings.ini

Filesize
1KB

MD5
448a49c2d7253c927e820056e9e7ea8b

SHA1
c7171c7b597beea4bb584319ddac80eadee5d3be

SHA256
afcc1b53d0e2ef177754d4f6ae9ab391e7115e39fc73caaabcb3cd585c2e4c7c

SHA512
54dc9c1eba0154aa648ec317c51642fd88d7dcd50b4e5f1eea5c67e1c7db91a7e8cb97d0b538e4a280d91a65fea8baa888734960fbf636b7067ac407840a5224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpyNet.exe

Filesize
2.0MB

MD5
98de7bcad1ba2caf74007bd97bc2b505

SHA1
8a79d06159a339313b810f23835b8417429dd356

SHA256
e4b3b3e72bd3bf4052a3136cb811ea54923bc2d7807709992e0345743d49ced8

SHA512
ef57cc4f0ad4bf1f54baaf7213bf868c418eebfb0eee3c32ff376b67d5d5337c35a94a1418951d82aae371820ce37eade7cf0a74ce54a4198e18327bd232a35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
1f2ce9fa3bde1b8f422c1340a75b03d2

SHA1
b97f5c6114cc7524e5fd87e828d360d11b6784e2

SHA256
eead11e2e07b2b573ffa6ab96dfc6d52a435f75f2ae6f8f16456bde10a1f08e1

SHA512
c865f1d88b4a6d64079a145c63cf836dbb10249720f2df9312b774254edfd8267185fd442e6e8a72aa502fc30425c8c0749c830a1a61e08b675de20eaa857afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6971eea7e75b079e10e73d4738c159a

SHA1
1acd884e994decc605063dd724285801e93f74e7

SHA256
7eca657c5f3c296e735640d0cf1ae3a4c90d73d5cbba49d686ca72118acd4541

SHA512
eaee14c5bbecde12c84121b013c1116ab692e70de4f2d4970b8099c783d1c31392b327ac60142124b654352bc5e800eec7012a1edbab0034d14cfba3a81c330d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ddb5a63e20593c0831ff12a0b908ffe9

SHA1
ac4b61a5ae74a0919a5f0838d66213cf034569d9

SHA256
efcb4208d50a98afbef8c5d082c2cf2fbccd9292860c4e707b7d0937a7d3e098

SHA512
fd96defc1ebc48e481c2af8071ebd48b5d62237c610d58508db73afa851101758506fa91edfcf1cd3e382411028c852bb3824fc3a726031f7223bf693c304aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cbd9fc48751019e2b7137f01768c3bba

SHA1
2680a48c6bdacc8d0d2f9859ae7a689c0d626106

SHA256
e98b9fc7aa79d0e5a001014f6f76d4015ba281e6a9af0cfcb3c98f877f526541

SHA512
ce492e3b3745389ed74adb7a2073aaea7edfa0db17581ea06f4a550489f494599dc413cd3694bfb2cad74bcff5ee5a96e0a2dfc3b2a74825c8c35ef0dc660bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f49323a217bbbae8dcb857f1300424c4

SHA1
b008a005d57ca544ca839b450c386d456b25dd73

SHA256
1f79c7b76b8352c0863877cee6096e2b52ff34b4b7554f616d576bc77d5e4023

SHA512
5eccec655664a97e558496f541970922fd22fcfd39d5c86cc6bc19421725cddfbb6ee720ab1c5945ea511790fe320ade25d5f7ea16392a4c224d724a15ea8bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e2dd123eaad59cdd31bcaf3631e4cf6c

SHA1
f979341fe56441fb61a2810c699ef3302c0042b9

SHA256
9907bf3bec1d9dd60c0032fcac6f2441cf6e4c192f92aec0eb9bf9eff860d41e

SHA512
6c76f8dbd73f95909d6006465582b8565b8b8ca61e65a673234b23b936c22d2ea175f06ab330af6285508d3023f1532eccbc59428448fb80dce949fb244e7f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
90af7ec42dd0240ef9ef0d02a3886144

SHA1
daa7b7d1b00b0e697d26bc8c778200bc8d109761

SHA256
c64db50f2ea2c8c0da4ec303cfcdabf28e164c659219cdea4822b676cf250895

SHA512
f0224ff00a363bf0680eca79b7aac332b07ee50d71da70064d8266e7fd53d3cb1ab7ea558ddbcf8caf7f7427c05495a347e1258b9e33a20a8ddb14eebb3a59e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
114d703183d1fe5de2465bfc35b48eed

SHA1
63752e2d2a4a7e39f1d0edc0fe3421dd741f2a67

SHA256
017a8cfeb9cdee87f6309e6922c38170acdbb5a4af0703df8792a10abd785030

SHA512
1c06d591602713a22e147466ae8c4a4771521deb765c47418e5e1585e668a3a5db66beba3fa8c514b5cd0a2d4ec17df327d2873dd81b3f78c24d85be5b9fcb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d4364c535b231ccac027b8be60c92f8c

SHA1
7831fbc25bde732018d7c0759ee9f1894e1eba3e

SHA256
5ffa98dd1767fbe21c4bbebcc8e0b5f3d8fb8b2037aa06ac051b02a599e4c70f

SHA512
a32556d5207c53306862c80af3bc2bb0741e9d18b1959ed7fe66ea4402869019ac41925b10090738c61c61e98aacbf16bf1663272e7b4e3f65dc465ef442f6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
129a3e917168a640863caacfde88d5ee

SHA1
15ef12c60797bf76add9516549097fa4a55edd22

SHA256
25104d170dbdc450a0812798ecba76807b2355aa5d778eedaab75ca0efdac76e

SHA512
d1f2c5183ddb13c86a9cc9d5c97c0f25bc230898323b4b270368503935e4b4d7b6146b71ba1fd55bae0af4733d16ed4eb7b19981c2f43943c698e63989fe1b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cafbea9095a73dd9c4919ab74ed379a3

SHA1
79fa09743eb080370225d0de4d749599b732dd94

SHA256
ba59b24c51f23e5b990a61b59e23da121bf948fbd8d73f32b286951624dd77b6

SHA512
e973c206b1a48b8d019752788bd19e300107e6639dffeaa47aacf21d06e4dfeb714acc4cea4fbf6d0d035dfcf5b58d7420f5d4d4349a63cc5a775db6b24d44e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bbadf066cfdaabd59a4dcca3a49846ec

SHA1
c5aacdf82c0f13f9a36013d9cbc204d3dd852bbf

SHA256
3b583d31d46015970c15981b8d55bf7017e000eb267cc01920f1f9f22f97f687

SHA512
ceb0c2dc30f4b83fd7454f43c87b33c2c6b67f85e7d62ffa6f1c7d7d95d33226ce585759a63214a2a55a502e3bfd59e134e0ee497a645b7360b25cf0f3296c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7137ce803df1a7c4024fadda01fa3e8e

SHA1
bb2b5486684865ecf3a443fe75ac77a1a844a615

SHA256
c2a2c9e473d56792a5850df79b0a515d9118add99b60619ce49401dd418a94eb

SHA512
55d0801af44c35ca71832ea1628eb7a39db2f12c486c3e8633be12c2772d0213624b18a8192455dfbf0ea21391703eff8e36459312f12dd102f796e763085d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3975246b5c6a7cc9c7de096c55eb0e15

SHA1
25f1d8e196ed4fd2c2cbfc12df4e60ff206d3195

SHA256
b74f0cc0a5d33bf50a0e4e30f98b46e588b57049e1a226a447de987c46b443eb

SHA512
64c9367c6165c6f91509f43981539438e1a7d42b17d2a18fa7aeab36533c707be4e0005ce98791631d7d133ad62d21157b39d1eeaccf0232b68e7a6c6b7d90df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f65298ef8906d3d8ef66d552b8f56ca2

SHA1
9445632e781e0773c4ab785f672d26fde5224aa9

SHA256
4880455547921168812a501bb3cb9412254952804beb7a9f7d7663dd44b36c17

SHA512
41dacaff92940bd9a598325ed71d208418d8bcb631d6bce12675c18c7113ab524e9efe2dbf2974317f0f8c28dd23ab34d4e48f9c7577f9c15b3f4772787bb9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5d95dc2934d7a375c5b978510370f5f7

SHA1
e0048ac038f554a4b4421b3a1ccb7e1d34842be2

SHA256
d0d18587e6bdf12f4904047beb5e17fb24d3625e3ad455f56c4a1a1f9f564809

SHA512
f96e74fa51e7cadc5811f6558ef0b7b4dadb6a40d9d75d67603b73abdb44e7a2496058c122feb55bd6644b12f188926e1a3794d375ee2a947b9df6164999128d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3be5bc1ddd08959ff1caa9c713da3d7b

SHA1
324cd95d2dd0354835962c85bc08150269cf35b7

SHA256
90aef5175ee8820802e6f8508d0e66aabe0e813a641847054dc9e553e75aae3c

SHA512
d19167b526ddea334674a0a6a97adfe69804c77e97a123e96174b01409902cacfefb30590c9f7c5f70203eeeba03ef92a1494d966aec47e21aa1d8fe8488ab93

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dafd2af6d24183b6e8402cc3243820ef

SHA1
ddb9da45d82d815a4b80f486edc70bd7370d4f39

SHA256
23ba7acedf501cf6b18204487607131c6a10705f3ea73daafd752dbb143ea27e

SHA512
898152382c8ecad3f7190ff1f71bb82a5a91914ccb6d4007b5729c15dd058cd7907b7462dae12769c1d5fd585924e0c3fcec2024f25dd5506ae01f1fd41b7228

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cdfd5fa726cd14c0f2529f34830050dd

SHA1
6492ecc88c0f5a43b231dc361af33c06f3ac313c

SHA256
72577707d1f171b8ae329dda387361e530d7861d3d72503f40c711e817613c8f

SHA512
1f046adbd90b445c2f94778c3cac51669de739136f1442a6f2f38b19a6e612af9008c8bcd88a604444e3955ae98b8d2a21d01318d16e4ba30666c9c4a1b739a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5b993ae80685c1b41f2ba31e1501477d

SHA1
5dd97191636a75eea6f011375d039f15c4c85af2

SHA256
1fbc8675592c46ac7f2636596006871c84af01b84cc87af2f716de49d1bc5341

SHA512
d18e7fc501ec79f061f8ff5f44c63597f7ab6d1efbf080fa92b764641fcd968754360770675cf3c959e0c6f8d18121c2571ff288ac363aa5bdbb28574dbf88b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.txt

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.vbs

Filesize
841B

MD5
615964e5ab63a70f0e205a476c48e356

SHA1
292620321db69d57ba23fa98d2a89484ddcf83d0

SHA256
38a2c0e90a7c86eb5355710dd205f22f84dbba59e688cd3da6394af8c924a102

SHA512
69886825baf2075f8e6cdc50b0b34f92d5d06d42db4586396fb3db806fef79986ba5754c7b1251b007cde4f943efe9e3d27800dd7e15f8084fd7e7e6046c3ccc

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\update.exe

Filesize
364KB

MD5
9f83c3e14573faac037963bb7932fab7

SHA1
c17853ac6f3c1423d6d471944f3ecc04813fe997

SHA256
f42a6bbaabb0a7a78a72aecea9f06707b41b4b45b33720e07abed3d07b2a964d

SHA512
cf5e4c3fa6d72fb5399460f4c7e5330c4c80b175f97503b935bb7bf89c73a6674c9a3e8e8b32a383c0655a3516a064071b7454a95b96c3b619f78a497365ee38

Download Submit
memory/392-76-0x0000000002660000-0x0000000002BB7000-memory.dmp

Filesize
5.3MB

Download
memory/392-75-0x0000000002660000-0x0000000002BB7000-memory.dmp

Filesize
5.3MB

Download
memory/392-3103-0x0000000000160000-0x0000000000173000-memory.dmp

Filesize
76KB

Download
memory/392-7-0x0000000000160000-0x0000000000173000-memory.dmp

Filesize
76KB

Download
memory/1304-701-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1304-702-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1304-3119-0x00000000058A0000-0x00000000058B3000-memory.dmp

Filesize
76KB

Download
memory/1304-3118-0x00000000058A0000-0x00000000058B3000-memory.dmp

Filesize
76KB

Download
memory/1304-3110-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1304-3111-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1304-2101-0x00000000058A0000-0x00000000058B3000-memory.dmp

Filesize
76KB

Download
memory/1304-2078-0x00000000058A0000-0x00000000058B3000-memory.dmp

Filesize
76KB

Download
memory/1304-700-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1360-82-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/1516-15-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1516-13-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1516-37-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1516-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2856-53-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-65-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2856-27-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-25-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-43-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-699-0x0000000000280000-0x0000000000293000-memory.dmp

Filesize
76KB

Download
memory/2856-47-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-51-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-30-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-81-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2856-1587-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-64-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2856-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-66-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2856-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2856-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-35-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-45-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-29-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2996-77-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download
memory/2996-2125-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download
memory/5432-2102-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5432-2103-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/5432-2104-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/5432-2105-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/5432-2108-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download
memory/5432-2111-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download