cybergate | 50fd28cac0f84db49d0d6d3502f77a4ac9de3e8dfa4de23d94125b58384613b8

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe
Size

427KB
MD5

fd29aa28ea03f9b81d11fd4a9a9a16c5
SHA1

b2801b63eb99e7c41e5629e1d9a0fd4f37a136ab
SHA256

50fd28cac0f84db49d0d6d3502f77a4ac9de3e8dfa4de23d94125b58384613b8
SHA512

43cd00dc92a7a6dccb325ef36ec06d1b8af016978133280de8620f9871727497cbd52192e91f138153beb66487157c08d4f520e03de5aedf9bf2084f3749dec4
SSDEEP

6144:WSncRlyMeGs9Gl7Ke3wRyE5pOKMbZBzg3/34Y42H83CHLnm9bM9Za6Zq76shovC3:74wMeLGlKIcy8pCPgvP42cd6ZXmlLT9

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

bmabot.no-ip.biz:100

Mutex

04G605WG328X81

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BRADYCRYPTED.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	BRADYCRYPTED.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	BRADYCRYPTED.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	BRADYCRYPTED.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5S04JQO4-VW14-L586-8KHP-101T633F6DC4}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5S04JQO4-VW14-L586-8KHP-101T633F6DC4}	BRADYCRYPTED.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5S04JQO4-VW14-L586-8KHP-101T633F6DC4}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	BRADYCRYPTED.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5S04JQO4-VW14-L586-8KHP-101T633F6DC4}	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2104	BRADYCRYPTED.EXE
2012	BRADYCRYPTED.EXE
1552	BRADYCRYPTED.EXE
2484	Svchost.exe
792	Svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1236	fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe
1236	fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe
2104	BRADYCRYPTED.EXE
2012	BRADYCRYPTED.EXE
1552	BRADYCRYPTED.EXE
1552	BRADYCRYPTED.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	BRADYCRYPTED.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	BRADYCRYPTED.EXE

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	BRADYCRYPTED.EXE
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	BRADYCRYPTED.EXE
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	BRADYCRYPTED.EXE
File opened for modification	C:\Windows\SysWOW64\WinDir\	BRADYCRYPTED.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 2012	2104	BRADYCRYPTED.EXE	31
PID 2484 set thread context of 792	2484	Svchost.exe	37

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/944-586-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2012-611-0x0000000000460000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1552-943-0x0000000006130000-0x000000000618A000-memory.dmp	upx
behavioral1/memory/944-967-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRADYCRYPTED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRADYCRYPTED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRADYCRYPTED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2012	BRADYCRYPTED.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1552	BRADYCRYPTED.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	944	explorer.exe
Token: SeRestorePrivilege	944	explorer.exe
Token: SeBackupPrivilege	1552	BRADYCRYPTED.EXE
Token: SeRestorePrivilege	1552	BRADYCRYPTED.EXE
Token: SeDebugPrivilege	1552	BRADYCRYPTED.EXE
Token: SeDebugPrivilege	1552	BRADYCRYPTED.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	BRADYCRYPTED.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2104	BRADYCRYPTED.EXE
2484	Svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2104	1236	fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe	30
PID 1236 wrote to memory of 2104	1236	fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe	30
PID 1236 wrote to memory of 2104	1236	fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe	30
PID 1236 wrote to memory of 2104	1236	fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2104 wrote to memory of 2012	2104	BRADYCRYPTED.EXE	31
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21
PID 2012 wrote to memory of 1204	2012	BRADYCRYPTED.EXE	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd29aa28ea03f9b81d11fd4a9a9a16c5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\BRADYCRYPTED.EXE
    "C:\Users\Admin\AppData\Local\Temp\BRADYCRYPTED.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\BRADYCRYPTED.EXE
      C:\Users\Admin\AppData\Local\Temp\BRADYCRYPTED.EXE
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\BRADYCRYPTED.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BRADYCRYPTED.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
      - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\system32\WinDir\Svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        C:\Windows\SysWOW64\WinDir\Svchost.exe
        7⤵
        Executes dropped EXE
        
        PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
a01b55169b8bd1e841253a34af979309

SHA1
4d425eed909ede173a9c30df204f22e74c08e8af

SHA256
f6e1fd08d9a00f490e815eb41feb4c973ba753a4af1172a9350951faa9543599

SHA512
f699b2b5c0cf561c42658dfbf6956dd4818927094e192c46f462a426e76fa06a93503580adad2da989b874f52d199040c3c27ffd074a64c67565139ae053a61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e4a2b42671132b48f071a943a37a7ec

SHA1
39aa4295c5b321734de2d422b7cf1a305b46e772

SHA256
d992700ed5697fc140685124b192b7cc818b7196fe63d43c5f8cc0a62d1e0264

SHA512
2c1ed6ca1badf172478d23711ab74891ccaf1530ac4b0591eb2c19faa2f72f10394bb47c06ebb7ce01f2a4742b736b1b844c7f7b08d72cf06f1aec54deb81542

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
17fcc7fdf1b25dbabb0b3c9219d39ec0

SHA1
5741cca34b0852e35b2abc1aae0425f50d2e345d

SHA256
cdd3a9a6cb7212a99e404390d713480fc08e80f355d6fed6ef70910b6fcab1cb

SHA512
e03950c55d267a4fbd346877528ecd2e75646436a5d8ca9b445a70c2d146d9e651bb7699e0e81d874b7ef0e0abd2075890c1755a6f5f1c9c5d786f2460860ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e938d2a32c99d64d4ecfbce9e49a8974

SHA1
b2d76da6b2a8023d3c36905f8aff99f0e3646475

SHA256
30f60336d1046a859b507a705152f70054e9e38e0ccdbd04761701b7c3962834

SHA512
3a33a8f37189774badee8f42118bf90a5783879cae85e32d1dfcf3c74b176140326ad9bba7d069480580e3414c682deeebfa155657da913f424b5e900661826a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6319dd7ddfcf78c9f4ec5b6643b0a801

SHA1
52d7527150943d5f6f0dbc43963e006ba3064c4a

SHA256
ee3132ec3216b36898e417b88970dc09fb5a0663698d82ad74b56656ccf93f25

SHA512
d4988f5f2043395eb4d6142555180469466bcf08f053087aff77ad48ece7c6aefff282f485d0483d902cc6d0b61ab227a27df454ce565e8fc68115720e0e748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cfe6870fcc3acf6db7537527cce18b82

SHA1
ef735cae08b2cc9e939b0db7e3eeffeac4b3404e

SHA256
9a7b8ba181c4799fc6a2d621d81d956c9edca94b1ffe4c350d4956ecfabbde05

SHA512
a63bd1c855b7fafec17de8dee792f338091d19c3380b4adb02cd70426588cfc74d997fb4eb1ff5a8add5155bcdce30fb3b3030045579ff8e19c19e59c0a0ef70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a3ac822ab046d76e02bdaef82371d843

SHA1
dd3108d4d3c021a364b7597a0a62364f6310d958

SHA256
40fd9671a561dfde8a47b7a2122e2e20fab7fbdddb89f655f8d0cc7ba424e4c9

SHA512
d381fe61fd07c4ce8f0f32b654521aeaec768eaa660d715499fccb742c8ef53164430c70af20a489ba7cd9c921f7b68d5fe5645bf3fc5b03cfa4b35e39efa551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8c39c97e9d91ad9391ecae07b6f9edd1

SHA1
0413d71eb6ab35d15671349e6ff1a59aff93778b

SHA256
4fdaa1c6846cd3cf4a9cf689709b21f5474011f8dc2b86e42e81a980dbcac8f8

SHA512
e536883ea4e606afb9b04b451cd435cc1e2b7ce986f63ee49c785803b1f5e330eba8e399878deda949b7c55649d27efa5fa6cc8f9248015db9347fea4988261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2c68f0015b87699c6fc27bfd33114e7c

SHA1
794fd633c4f2a76304f1a93e85866ede5301ff93

SHA256
dfec7191f57b565b85d9be71c64ca8d46f32f3d6eff506ea59da9637029e1191

SHA512
30a276c354c21b13d8dd614b57d8a8ba503a0e6f79278d7081296192ef0e33dac52e2b906da93521eb48eadd843121a472e7a0e102a6f2501cd26d719fb0deb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a524bbcfe2176f017ff62d0a9fbe08ad

SHA1
0d926050bb0dcee8ff1ea45fe09900725792f5f1

SHA256
729af25765ca829779646bdab1ab841589594f6c73268a5fbfd0cc250e1009b8

SHA512
ccade3071ab71c5f4f0d131725dcda472631061a4c4dd60a755df1c5c1af9c9045865679014cb0066226a72e610e12db140e47d643040c334a3495fa6f43dbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b8ce9f1d02c5c740a949091a3b5c33c4

SHA1
92174e1306232574db73fe356181cba53ccbaf80

SHA256
6da6a21991a3a703b17b1ef1c93cae212c3fb7cf8d32c6ceb63020d2891e4f0a

SHA512
02d75395f201f9f4946949487c44aef3c39cbb1c050fef36c3668f888422cffa6ecf7c3fb75c82c702384fee5873d8c5c779ee3c3ae00e9d7515056ed9c46de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6a5f6c1c8dab1118049b9c4823844458

SHA1
f5cfaf49c7234bbeba8671d7257992414d690f9c

SHA256
ee7faea6f9a30360c8f496fa7aedf5eef19a836a27464bd0bc380d346117213d

SHA512
4e44efa5896971c02fc3f91f3cc2e73f72499a48f1dacecfacfd102313c51291e413e7e39c7b59e63570c9f67d9948a33ad42c07d86a6a12274376811d35a230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
75f6f0ee4cdbe5019bdf98739de35432

SHA1
7b2b19bbab5e0ea07a90916793a6c8669507fa0b

SHA256
11e7ea26f93895b8f6925ad87f2f955bcf6e081debe732d172e4d7dabb4a0fd0

SHA512
cd200ac0a8bcef69231d1e84956ff2b781eb15c68b68b2ccacad1d6903f2fc836435fca89fb5365b03515bfe1294d575e57ee0a169d16c6a29d62c7d8e28b757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8c0118ff054bfd9081bf42c83f2137eb

SHA1
996837e4a3d079acdbc88cae5a7a49a7f53afcdd

SHA256
3968118781db9e4f86d81588dddaa45d56981b88b7b7dfe121a6c85e1c71657e

SHA512
3b9f1c1effb23e5c529d926cc64891a40bdaee522baca5c76e385f52327c6c3fdb3a767f1084f7ac082da4b4c6c35de6e80cc16ae5b0a1f2740c9e353845c2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4d44b974ce9b3e389ae4a69f2bf37d6a

SHA1
35ebf500efbd851f113d555ddb969f27ae2e4786

SHA256
5e3bf63a93baf3e7914ac5feea40bb2010399860408631e3cd7c6b5f68f298db

SHA512
2738a2032c528fd0193bc180d8a56349c402794eed597fe8631154c3012a1fd6ee1f41bd4e7548fd02a1d1d346c9b61b8e8c5e3be1b8b2354940d21e60b4829c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f370ed745eebd99173bd3dd651273a92

SHA1
a49340aaf06451ba20db3cca758c08ec746bdfb2

SHA256
4f301667f94e32090ebff7d9319f7c70e1fc46f642baeeb3a56e8b1562ba2189

SHA512
be8d73ebc18ce2c81156447240c735100d5663bf47e4c6d135b6ff72c7c91ac390f328505ef5c8d1736105d289e278020ff32729f17f0f2d1b6be146438f04b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6379d76e775dc61e29590335785b4340

SHA1
690ddb04c4e7f394ecea1c03bfa431690541c081

SHA256
3df17da482bed104a00a8d1dfe95c22d55f42f04e3fb3e7be4dd0e56b22c19ee

SHA512
1a8cbb9c3778ab2a153333046186b5a16d20c492402192566dd444859ac163bcd7d58495b209e641a00443d417ed5ad3cbe28a63b81231bd2b9d1b092b26200c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
07247d77e088bd9f77d86783e5f08889

SHA1
816b5562ffe901e0fbc0f092b7cdd5c467942f8b

SHA256
72041391da524bed6727ca3b99f38c10a923a81e1e1f813207348b0fddf8183b

SHA512
0dda7d3b62fdfd29d8816f5b96eba5b96f48d39f9e99aae0e8c09d779454512a43e9e32c7edc2dd35d9b4c37b7cf2f1b143fea0107f635059fd870dec66db538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e0d22cde262c2c0f60eb12b9f2a0bf2e

SHA1
88f04d71fe6272c7181de8553e3c79ff0cc4fbf1

SHA256
5a07a57c26d0bf4b7d5885400f5d40527bd8027a4e2dd43e31a05a1f88933cb8

SHA512
1b73eb9c9620b2631e31c4ee7c79549651301bb3725befbe77a1b6ccffea598b200868c32e4a78d7ecb5de99cfef4d07d0a1e4b989706faca710523c8285caa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
afb17f2f39c254193082c315e05e6ce0

SHA1
3aa83662833f648d54e4b3b553f721a63a897d36

SHA256
13be56e0aac3cd9d0864df8a5fbcc2bc3db522ad21c0e5cf605001823f20ce72

SHA512
db64e080b73776ec9c82c62cfd1c6e22ee1167f5f2cf9e1a32b17b2b66ad868f329de342eb31f42c2a00f649d1c6790aca52b2def53a7f3452dc7ed0039265f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9be7243dbd6cdd10ef8163233f4323c4

SHA1
83a39e6798f9bb5ca036ce4d34cf949dd036ce01

SHA256
10f9cc635eb93291aa06100de1fab6383439e45d7ec62361b1ec70a2fce4747f

SHA512
325f00f86e9b92f3e19ea345ccfde7e1421a0a1b9ae1d791ad930001e7ead415011b1f4685df6ad395cc9b867566b67805dc688563a354fbd7b3d4d6e8069a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d9aaa300ee5e3407e7d81d91aa789edd

SHA1
aa369aa5840cb00c476991a624d20d2f6cd80240

SHA256
a311e3520c1558b617a890a986ad20cfd13dacf61d974039bdeddbd6ae6dd3f7

SHA512
5009ba592873cb39ac0fbb5da16a10222c20a62d899197912982cb8bf2a5b68596d6412a0a082c0daa0a0d4028156bda09009fd06144ba7f5cacd16b8d633c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8d2f572a3b0f74d396e2a1afea5beae5

SHA1
a143ab20fddf3cde1af4e0700d5cb23c93af3c15

SHA256
658b36c7834d9897d71f238829d8988f194ac04ba2718185eff99faae31864d1

SHA512
201314eb71191b80f94944ac6b1096f7c78c5400efc0a7f474824b63388b3715179ff2507b07bf761378bab2c5f6b12e18227349d2a5acabc191a18a658909c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
68274e8fdfb1c650797ffc6bc46b6234

SHA1
d924a70531563ae482fc7196661592d8f739a270

SHA256
c037b3082e9797ebf446d3152f0e5ff81376ca97cb30134b956f94d305e679a9

SHA512
e0687c9c949fa3b2c8dc7e2a4cbb134803835add7715a2ba16fbad355f1d3ab597befac98eefa253f00d07e77ece0a3117de30837268333c198260d160fd0673

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2b97bb1b1d827526e450678eb0a822d8

SHA1
41e092ada7a39e6250af9a073695ec4d65f914da

SHA256
c8c1722697de291c771ed62a4ba555c0e37d28fdb5894b632af51979edf00e28

SHA512
eab9b4918fc769c95d522fc8ea5145cb636d576fe26000b3e46ac400fd7485eee73c09527d696ffe5832976106b37b6e6dd1d49dbc0e9798132973553fa37dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58a50eefd29d08c8d0521fae7e395653

SHA1
2afe6538eb429a97c25088afe00b418e30d485c9

SHA256
5f037556728286a88f0dc43fb503b576707a6845571cdee24208ba01220c8bfe

SHA512
f61da75749b47ede99316f665cf7a6477e4291c8ca2fd48a27b11dccfc716fbc6be9fd8a0f2b268b491fb0e8fbfff021788a7f37d9e8c950e689ed52082132bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8e622497e3ad3e6148ac5de6c2dbd1e1

SHA1
96e035d6a4f32ca1ff53b36a3046a57a27257bf7

SHA256
9adabc13ba5f3ae3dba3cfc3ecc9cdc9fc9b4ed8c5dd205617f49ebd69bc006c

SHA512
cd2e681b5fd3cccd171364899a05ff07975d4c42812cb267aa8d9bf063660775a0f7f74466fbcbc5e82a2f51ca58a43dee2ba448fd57573d0d5dd6db85f6a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8f304723219a77ba8f7a2b93ff7b2237

SHA1
7cdc5fa7067e9f9998365eecade224ee295322f2

SHA256
62d8f97d1041faf0d3535e75cdcde5230d573ecec30cb7058a76dbf33229980a

SHA512
69651e9c35a4c5bd0acd75c106e9f569a6aab37dec9f98980c195e57db0987292f198ebe685c815022a7dba7a9b66ef3d6e47cd8f20553cc4de6bc49eca06002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7c0165f71dbde1003a9774c530be98f2

SHA1
c4915835f88e1157557fc0b792ef579bbd96d7b7

SHA256
efedc853c22d1dae3319977221ccd7d1bc5a118fd2c0bf5bda0dbd2f976df1ed

SHA512
f04cd8788ea327acc084133b5c43c7e4b9d9ff53f24b1dc56eba4c7c43b5a77c87457d50d6459c73beb5e13f2eaf689db8d881798e8132a7635adcb1891dce72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4992ba3f4a42724c20c9468a03c47f28

SHA1
b5d0f2625ec47b61331e0d93cb64a7cfe60351cd

SHA256
72935c17f8d1f330ce4bbb77de7543d2854bcffa98468686e508e8ba45cf4b7c

SHA512
33d902a5e87831cc54da1f991c5f3085ff9a282e8f9c05732b9a07ce73bd92d22374bcfff2b822fe84179d9c0180fc60a81c9179abd101ee36137fe5f0866d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
09044d3de3dc222a434d8eba40f97730

SHA1
0d8c7fc398447fbeac9632e33f3d194e88a2a6cf

SHA256
e589ffa1e6ea4bb991bc67144408d8bd7933e05c7eff00ceb30ee13254d6f986

SHA512
11c0db2455ab6065e0d5b5b1d4ab18cc8e1615a1739d33ce54072be6b372c3d8a263f0a55b94c0f6f19efe718e3fadeefc6592945d57b0f2a2702cebf5dbb23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
851e44cf5090db85b172cc4a7471796f

SHA1
9aea2cba9a14fe7e44222bc4c63aee26e170345b

SHA256
900817f7e038dcc44f491dfdc5121bef7e94af5d141631b63fdb839c5f2596c0

SHA512
d4143bf01452883c565df2b204c348d81e2416079bf6dd1b38a5714c2e69990b9a4adf2991ab8dad210a4fa495f7f27b0ca943671a31328e2fa183d34fcc88cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bd5afe2e4cd8c5c15d1aa50b513ca718

SHA1
184859568a448b1719bffd40417ec037d85fa3fa

SHA256
6de34d1e6504216854350ddb546eea7fd426f6162e1bc209653a8114791efe67

SHA512
87e28e16f9b73800e0a05e95039b6b113b0937bc3e754e80b357b0991923c4d9c02fb92ab4eef70c46760ecd99fb8e37f5d3984ecd9d71441f90cc38c1e15217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5e3c7e143b5dae966ce52b5e3f737011

SHA1
2ee48f6aaf123c22031535a4516cc928e59221c7

SHA256
8300b92875b4572ad5aaa5700b8588f94c34177bbad335e0a684d74cb06426ed

SHA512
60c9fa2d5f778f2d68da78a9b01483d2f37c96fafd203b11835954f9aac0509326174400cc28a2fb4e6fdd8bed332327f1caf09fdc08f7eee6560cb38497c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a787a86d51d28cefab4adf5349557a45

SHA1
591a747dbd3b9744f59db18b957663cf4a701a42

SHA256
412bdf134619dd089be8eb3a7367bb0910a81a440afce8d2203c7c33d3c13d3d

SHA512
1f25904d29639253fed477b5dfa2083bc1dc2426217ba71c99c1b8405ffed4a98a821baade8ddf05c9f5e3f561007a0798f25ad07e63d788c1c1f746fefce1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
267c5df4fdff8b0deadafa26831eff34

SHA1
3b98a8ca7177714e61292506d036e865aac96d72

SHA256
b8d3672eaab86d74b5be5e3956603f588d0a365930a942547f6e30bac9c222b9

SHA512
6042850d6a9aec9cfcc7facf77b39612948b770759c53b1b742e05055d66fc55e8ba44c58dd5aead5d9168b6ec7aa015c182dc1d8a50aff525b33191e3c7c380

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
78d208c6f5081a50b23e116eb4f41c11

SHA1
c671129607e3ae7f0e5ce59c12ad7bdad13d17bc

SHA256
76ce047400883d8f82489881489e53466c84bb721515137340d93fbac9b0eb8d

SHA512
5560861ced48fcc09e57fed12cd3e35aa6afadd6c8362cce533b201cad2c67b4a8d3b72654bf167dad20fe866d7d5da73f63e1b2b08c6575d6f995652d0414a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
373f5ef1c45cc2340b0f6d041e05ca6a

SHA1
5ee39510b43a3945a5ae5972e217426d1ce54fbd

SHA256
56bdae45b228e6828db592b5be37427fff5b59a25d08513fe41bc6619068230f

SHA512
93629b23afd2e91096176e7a0ac82b1b8aabb786340cad6de5b9327bac15c190be677b18063b0312be6c982d18428b37201f8cd9cd01b80ded84d2e331696ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9e15a7eb1d9eff2bdf21974836176698

SHA1
246f98efd8196972f35642176cdafbcb83989385

SHA256
9286eb51b2141fa4bf02fbab621ccaf7afd670dafde65266ed0a4d146c354825

SHA512
75583322149885aaeb6a39f88e73360edecad005e9ba3afb41096dd21475d275042da62a7a0b93b2107e036a731050a88e94d8f95b482efd06ab42251b2cd35b

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\Users\Admin\AppData\Local\Temp\BRADYCRYPTED.EXE

Filesize
349KB

MD5
40f3d14b5aadb76797163eee7d7ee689

SHA1
741dd1883eb284ad398b9b71700963d6f77f0a71

SHA256
680985e2b6c0e3a482e1c3f5843d9bb20d974b04e1a21ecc654ab373c7284a75

SHA512
4eaf0e786e044e43fc84745536c6f7a56b54e040c011facda5b3e29362a1dcf8ee6f2e3f2802a59088a27205a24903d47315b0be8b82322dae2f5ab025ebe875

Download Submit
memory/944-285-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/944-287-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/944-586-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/944-967-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1204-42-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1236-2907-0x0000000001E50000-0x0000000001EAA000-memory.dmp

Filesize
360KB

Download
memory/1236-8-0x0000000001E50000-0x0000000001EAA000-memory.dmp

Filesize
360KB

Download
memory/1236-9-0x0000000001E50000-0x0000000001EAA000-memory.dmp

Filesize
360KB

Download
memory/1552-943-0x0000000006130000-0x000000000618A000-memory.dmp

Filesize
360KB

Download
memory/1552-2916-0x0000000006130000-0x000000000618A000-memory.dmp

Filesize
360KB

Download
memory/1552-2912-0x0000000006130000-0x000000000618A000-memory.dmp

Filesize
360KB

Download
memory/1552-942-0x0000000006130000-0x000000000618A000-memory.dmp

Filesize
360KB

Download
memory/2012-30-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-21-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2012-38-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-37-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-35-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-25-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-23-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-611-0x0000000000460000-0x00000000004BA000-memory.dmp

Filesize
360KB

Download
memory/2012-353-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-921-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-16-0x0000000002570000-0x00000000025CA000-memory.dmp

Filesize
360KB

Download
memory/2104-11-0x0000000000400000-0x0000000000459200-memory.dmp

Filesize
356KB

Download
memory/2104-36-0x0000000000400000-0x0000000000459200-memory.dmp

Filesize
356KB

Download
memory/2484-947-0x0000000000400000-0x0000000000459200-memory.dmp

Filesize
356KB

Download
memory/2484-964-0x0000000000400000-0x0000000000459200-memory.dmp

Filesize
356KB

Download