cybergate | 6de9de8bfba8fc64c50b6abc9f80fbdca06f8190ce4a406a0ef4e2d88ffdf008

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Size

656KB
MD5

f53effe3da071a623c0c17ef0dfce980
SHA1

c864047bc14e78995a5f00216c4eb502b12197b8
SHA256

6de9de8bfba8fc64c50b6abc9f80fbdca06f8190ce4a406a0ef4e2d88ffdf008
SHA512

332633ce3eb0f82c4acddcae5d4576819f90a61ea9684690957ddb5a967781a5676b1fb3ff1bb1dfc62c60cc5d143fa5ec383b662311e5810cf9ddaf4674b995
SSDEEP

12288:OQ/GEWcV1ywW8TGL3syhHaS//0zdhGh4AG+2ANB1xNUZiRi4ccu3BS:VGJcEP8yhHvWhG+AG+2aKecm

Score

10^/10

cybergate server aspackv2 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

safura.no-ip.biz:50

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{866QVDC0-GTT1-8PB1-4X00-4NOT727AMK57}	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{866QVDC0-GTT1-8PB1-4X00-4NOT727AMK57}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart"	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{866QVDC0-GTT1-8PB1-4X00-4NOT727AMK57}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{866QVDC0-GTT1-8PB1-4X00-4NOT727AMK57}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000400000001686d-96.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4872	server.exe
1848	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spynet\server.exe	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 4872 set thread context of 1848	4872	server.exe	96

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4808-27-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4808-31-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2712-94-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2712-204-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2320	1848	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
Token: SeDebugPrivilege	2336	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
2336	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
4872	server.exe
4872	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 2816 wrote to memory of 4808	2816	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	91
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56
PID 4808 wrote to memory of 3412	4808	f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2712
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f53effe3da071a623c0c17ef0dfce980_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2336
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4872
      - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\SysWOW64\spynet\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 564
        7⤵
        Program crash
        
        PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1848 -ip 1848
1⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
9b201f81e94646120882c9127ad3c07d

SHA1
6b79cb432a59e04d604f9fd0279e377557393371

SHA256
56a403516c26b06c3bdb6489c3f7887c27aa110ff03adf509316a793f5fd0fb7

SHA512
ea510fc67e1608cebbdbb4cf3566790bc18a41bbd9d2b905debc85e765752a8cf21b2923c0eecf5ca33c5c4452503c57e6e356e4a8b8033a790e572abdff8e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4508453612b7c552c78030276c056478

SHA1
f8b1c8359353e3a8ed1b05ac046300d096e824ba

SHA256
b372384cbb32eed79e857e4f8d680ef10ac8819465a47305e965454bc4ee3602

SHA512
fdf3abebf06f2d7377ca1d3797175b11a2c474eec5189d72218d9304eae6ee2eef94aedf68b01e4a3329d5e6844acca9dbfee5a942634855d701890662240291

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
98d60f4e8bc9fe0afe06f31f04d1cb87

SHA1
2a30df272d7caf0aa5aeb388f25b478c598fb256

SHA256
8069441b2a8b2a71873f5db474309944eb4f56d8612906b25f3327dc9d8643be

SHA512
21e4aee9646ae309adeb890767956b8bcadbeedd1b97f06504b24f1f6fe02692963caa974d16f617af396977fb706471c9766886d0acba88fa4e15d91f832192

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
320c344a8d120db9eaffe7d26b13d3b0

SHA1
d48223460ea102607798cc735da2ee0b64b01b7c

SHA256
732c9a41564757e9b1de591963e711f74cec96e85432800abdb643e48d7884bc

SHA512
2c19756496943d12e9605ba29d078517acd443727f951dd0bd495f275d6cc59081d18de0f104a10d734defbc59c6f5f484a674bb7d3d86beb9f52423f8184562

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b51f8ccba4e08853ad27966053d20551

SHA1
42c389c9bd5251499befe05db1d226d4b7885ff7

SHA256
ec0bb7a35cb1baade621e97a69d74b22951f83f8008cdc5e0a50612aee593843

SHA512
a581a40603f2da8f4ad4552092fc3f9c8ae2cf7721ac67c9597581c4eee0fd9ef5352cbffff6389fb7c0c24d0d534a3a41038b3d39d47b1b611c270eaee7d2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d8010b13000896c4d83f5459a2e969f

SHA1
8e7140b6c55042fc1da1befd4c9bb5e5d8250b07

SHA256
14ad26e08e69a57f5014a683a51ae3d895d718b16e00dbf0115af92a6be44bce

SHA512
5a6c87bc72206ac16d17098f5014fbffdbc7a87c553e141a92560ca3fa51887ba0df2b98ab9cfbad24a7147cfae31596c69b0762744b7b3c5c32e658ea2bd587

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c00b94da907d352e022bc3edcb1105d9

SHA1
f96f7f0506cd6b75f904584d2566a44c7ba60b43

SHA256
1d6fe603a8f04185141bc321b103b81ca76b3e2f9aebee9a1dc1a49686312132

SHA512
25fa9f9d7fbd2353642275f7007107b2baba943d75bab81870b5e3fae67b9714ea68aa3d16c009638b54946446374c9e5a1fb6f1ff4d9f39ab783bc88baaac55

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
195b73a031d76567ea88095e8e30f0b2

SHA1
0229f27cc2d1e3d0a84fbab5da8648a7354a8439

SHA256
2c8b8030aa93d6730480d5669b121edddf38dd8fa12ca321f183f251c30c21a8

SHA512
f34c2a2fd537707e237751ada15d455c2a01cabb8ac35c0d5096756a28be4431c0d5566c301b694c6f0a550909d1dcb4cd5dd90b921d1f3a6524174991f8f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e41533f6c71f2fbd7446658bb11e22e

SHA1
39b65ba6ecde94af6281eb146ee1b234aab27030

SHA256
bb328a326d0dee24f2ee33ef855cabb6ff610ba3ff71c20fbd73900788800094

SHA512
5f537bd1f3fb62108815353dbab5cf689c982336895696645cf994746a1d2767583a933a88d08fc7e8e415be18da1bf62923afed22a5c480adab8ad9152bc5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a86f34274b594d3510a8654cd7aed71

SHA1
965caf29de0a8790cac5f5263595b77e499bf8a4

SHA256
a045418be8f218aca82a892c955d9e5477109cc775f9f4143f8ed12e0e8272cf

SHA512
c7ad424977f3b35405742963c3366b24c9f407f944598e9a5001ddd9f1bd58cfd93c6a9c1e193b1edcb19e4a823785bb663447351c5f3abe19a31c8f6f701cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e673e3ff2e3e08d59d2f3dbb93ab3e49

SHA1
ae09c40eca7bbba7515b76302c47bfc4a2595c87

SHA256
f5f2467735614c29c8a0ad059e5139828605ffde0a5d6ba53c70e7f3cb31808a

SHA512
12868d459649c68397586e985d138e31a5ae6ac39b820c50875e4fe6fdc6a95229f99a4bd1e66fc0d04710c25fe3ff111e0b917ee03e972c97fbf648ecd714ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7bd9beb8cacc5733a8869369639c13ed

SHA1
660f66a5266c2bb83a0318cd967d61efbbf0c993

SHA256
12346ce90a1de168bee620e69ece5a64951bba342400f4de7262d77b1a6f399d

SHA512
3c592d773de421fe90c2300716462852bbd66750ed98353bb24887c5deb2f5bc619e4be74c6a2267f32fdb4dcc31de419c048f7fbb9d247485e3c238e8a5a094

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e392b813d5c7fd334e96001ed9edccab

SHA1
69673ec6ad72c43d0956274ae579cddcc0276f9a

SHA256
864eedaf72c336fa44b3cb218197999e5f99f50b0e30be8fee2f00e2a59df9cc

SHA512
43db9d5271d71f24bfd9ea43b7c0f663693db227e496861cd464c50f7dd9104cebc3737371abf4d0eb74813c7020c3e49cb0fe685432e0085412b82b7f824c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8255f96b9845a542f65896c79482820e

SHA1
26e005c2e3c5b5d996df961e468149fdec83b583

SHA256
bb2a552dce4196288010bc06307c97c72165556194f9ad9bbbe05d9fdceb6f39

SHA512
3171d7028d5abb2a761fd7c838fc4edd89c2169b2b527b30956607ccb33c9f3220702d7ae79107e0a1431a818776c31de48c73959c4dd6beecfc1113f56526b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6adc3b449e12d3e931fb6174bc18c639

SHA1
13c57b69669abbce314148ff8ea40914709f2b01

SHA256
0f1f2315cc591c01a1b86f6f10f7ebd48cd5104d0847a0642c2033825ee8595d

SHA512
027f00ecb19c2fc37d013ff85b85b766a75a6d9633456c94db60e992021e413cf305815feccf7ef1d828cdb4d0d6bff6c2fedd6780f76f95f8d2b3cf9c8bd6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c3dcdf0956b47c64c412990a55d37827

SHA1
1ee69762b6d7f1e05c948d5254b9bd0d545d8226

SHA256
71812cf97fd08403d385a3003c60aeb38117c884ff144f9995eca625448acd28

SHA512
00ea4459de1ba510ab65d63b972a81bc58bf578b9781ea0ec0bc3b894da60e1a28e7539b7181ead257a40e865e4c83714966090134663f8ce9b8f00b0036da20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7ed73234001d3a9c2eabe238711ca354

SHA1
84fb0af91aada6043f98e253a742ae2a367a034e

SHA256
e2df326671273a67f89b649e01f05daeddbb2f012b23cd2dfcbd90fb0b163cd5

SHA512
e35309be1f25242edc5cc043b5cf32912df54241792a6701e1c99e40d5149a31f368d3048c29429bf19b4a8c307b85e0d9bcc89f363cc833e27c40ccbd261018

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a8d0f87b7b95328b500cdde467550f0

SHA1
2f3d67a6b6eafdccca2578de1aceb096ee126dbd

SHA256
072e2152dcaf93cf3e7b92eace46b5ce9fe0fff71f5320277f80960b5e867ad7

SHA512
5e0cd59942d021dd3565543059d57ba1b072d3dc40d2cb53ebd0d09db45ddec616e11347150a6d0834fc5b92103296722ea730125c45a98a5c2c98ee1f527001

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19973dd21cc4e1fe22464d5fc12dcca2

SHA1
7a5af6c9dcb4133c0828cb72a33ad522d9612371

SHA256
75059b2795f9727868b61ec91908c9fdd92484b7f9cd823448b74673b50535c1

SHA512
152a5fff26de0663c4ac718f1560d54d7da619e49938084fda3a3a2f3cca4b10d5c2de038b2bbf3457e57ca154c27c9258a5596160cf950c801246dfb3faa18a

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
656KB

MD5
f53effe3da071a623c0c17ef0dfce980

SHA1
c864047bc14e78995a5f00216c4eb502b12197b8

SHA256
6de9de8bfba8fc64c50b6abc9f80fbdca06f8190ce4a406a0ef4e2d88ffdf008

SHA512
332633ce3eb0f82c4acddcae5d4576819f90a61ea9684690957ddb5a967781a5676b1fb3ff1bb1dfc62c60cc5d143fa5ec383b662311e5810cf9ddaf4674b995

Download Submit
memory/2336-205-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2712-94-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2712-33-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2712-32-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2712-204-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2816-17-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-12-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-4-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-5-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-1-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-2-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-8-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-6-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-7-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-13-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-9-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-11-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-0-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-22-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2816-23-0x0000000000510000-0x000000000052D000-memory.dmp

Filesize
116KB

Download
memory/2816-10-0x0000000000510000-0x000000000052D000-memory.dmp

Filesize
116KB

Download
memory/4808-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4808-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4808-20-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4808-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4808-31-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4808-46-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4808-165-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4808-27-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4872-201-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download