cybergate | 0a331526de95dd7c3edd3fa23fd22ce23c41c2057ee1c6ab5046cc7a9ba9dc73

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Size

408KB
MD5

447b0cba41a368a69450e602e50fdd2e
SHA1

c178034409d86657eafd1d31572bb0df30c8a173
SHA256

0a331526de95dd7c3edd3fa23fd22ce23c41c2057ee1c6ab5046cc7a9ba9dc73
SHA512

c6b5ce89a65772ba23a3ce247718ae811d4fade3bf97650b6f00b8cc72426faea3d91f235b7b78eb1d9eefb7a49311e0b2ee4e4fdd73a8ee2ba066328d8b5245
SSDEEP

6144:4Az42HRijcXcYo9kz9psQid4WPWU3vztutRihpaU20plQFl:zhgTQJbidpPWU3hBxdPQFl

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

yotshi.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{313413JB-84RR-348U-BA6H-RKU0GU42063I}	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{313413JB-84RR-348U-BA6H-RKU0GU42063I}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart"	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{313413JB-84RR-348U-BA6H-RKU0GU42063I}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{313413JB-84RR-348U-BA6H-RKU0GU42063I}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid	Process
4416	server.exe
2904	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exeserver.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	server.exe
File created	C:\Windows\SysWOW64\spynet\server.exe	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exeserver.exe

description	pid	Process	procid_target
PID 680 set thread context of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 4416 set thread context of 2904	4416	server.exe	94

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4540-5-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4540-7-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4540-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4540-8-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4540-13-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4540-150-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1224-151-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/2904-178-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1224-182-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
928	2904	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exeexplorer.exe447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exeserver.exeserver.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

pid	Process
1224	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1224	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
Token: SeDebugPrivilege	1224	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

pid	Process
4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exeserver.exe

pid	Process
680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
4416	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe

description	pid	Process	procid_target
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 680 wrote to memory of 4540	680	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	86
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56
PID 4540 wrote to memory of 3392	4540	447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:3412
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\447b0cba41a368a69450e602e50fdd2e_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1224
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4416
      - C:\Windows\SysWOW64\spynet\server.exe
        
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 568
        7⤵
        Program crash
        
        PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2904 -ip 2904
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
18838cf7174b504110aa43ccda6a12b1

SHA1
a6e15a7196713618d9b8f9994d63325447c01e3e

SHA256
ac6a2f3b184570998aa32eb69d1fe46341bfdc79a6419f42dc13020fd8c2dea1

SHA512
01831a8d0c05b6570a5eb56d9db79b83e76f00f0ed1a68c29634c59867ff02e52b2ab412992ef75cbdd2aca709378e22fdf71958633e11e3f121a9b6eb436f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ed35234c0040e9de24b1c5b9c150cd9

SHA1
b2772782fc258fa4b0c646bd2b62466ff1adee85

SHA256
2bb6e0f89ee205a39a6bbae5d358234c8c3f9d00937a0f4101b0651d705da75e

SHA512
fe800addf568c23337e6278b6be6ebf500ad40c7aa01512a2998510229fbec701ae38010c6eb87f873b0fe9fa1cbfc7b927768f62c5950f286923d1b90be1eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d5a6546f472ed4e8da5133a279b8a4e7

SHA1
bdc2ab57211685699cc36aa277d3b7baafc4e664

SHA256
58fdb22f2d408ace153b544390e4e8e47d0b1f1f2a2430358ad575575f30221e

SHA512
974892b3c8e3d1084d87b3b71553291bfbd813aef318e48ddeb52d2c241a1d905ef9dd55777fc8fe1cb751829cc6b63684b9a4217a7ce43e15ff4a83922705b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
198ae54798352c590704b9e185fe75d4

SHA1
e45b37fcddf316068b8a433a3d9503c4549ba96f

SHA256
fba3c5e1ae1c3b3def07ca14ca114129f5ae09c77c6cd4330f4ec32acba69db8

SHA512
dacef5558b403f85f3a5e19abf317f555affaafa263e46003b9002257a61a6e97b46c439aa42018fca7d54d3304f201b7a26b1f41c8d91b7af5dbb7944f4fe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6eda1f984f95ded0d92ad6a8103a1970

SHA1
26f1a11010525926ab9607210d36407665d9a72a

SHA256
89ab6c08a9d2fdfbbb9abf5ffde52a40de1f97808e32f502409312b5706cf6f6

SHA512
958853e79aebcfc91cd18b33585ff5b6e783154db212b82401905e266dc4365a8f1c23f65fe634bab322b1d5cf567627422eed1960eb308c999e43bdc4cc4126

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e3dce86948f02d96d3ecd0273159c98a

SHA1
a39e3e3412b9cacca2fca36af80b19bc34de95e5

SHA256
9246ba5311b7f48c8488de0440ac960474c2038d4ba92e9dd6d16330692c6e24

SHA512
36ce5662442dbbbd72f5f11303506df12e9c5c9aab74d97bb10237212722f959a5ea8f8adea56800fb59c99470f205eeb1010724c4ae34d0201992c28e7a5d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f34d4a254bca195a7df1049b8041d3cd

SHA1
d14e2190851c9c338634e393c9ce1e9b11e7f252

SHA256
2ef522d01640b5eed8b8bbf18968cdd2653ef84f75499e5e1b5e3e652c7e775f

SHA512
32100b7ce41604d0f64fbfa7fa7531f204f83a95ec4b79be373370eca5c0c4d78ee3fbfedfa5469faf253be90c43389cf481744f0315a13e50e9fee97caca81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3cdf9bf09075a228527e62925c7a1e8b

SHA1
b52fb0a670eef47376c6f6613a0bcd7abd9e7ce7

SHA256
7b4131892ca4bb2c99e8648d7a6859ec486eeb3e0c7edfffff360053b694f9fc

SHA512
d6515bf4c10f322a5e6f49249814e6eb088c7906061b6ca89c7b9fa431b14718e1ea0e088168262fbbf426db9d5951a5907f824384c4c504f74d712b7ffa173d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
557489c51a98de87f7d72a3539dac271

SHA1
217e9935d551ee5cc24f7dd124a649e0dd355141

SHA256
6c12509149d7d9d4a6456fcbbe21d32da387c41528a8bd1f627f57c17dd30769

SHA512
08e90ee24fb73fbe5d115ce2455e6bf7cd00943cabe9453344c56453f4e97310e4fdbdce7a6e096cc0045f5f25d17cb2214185329ad29d0ab35d1529a934683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
06e1432f6055370525128758ebc4bbf7

SHA1
f2bec384d24cd6f59b00e5b1e62233cfd8ff05ef

SHA256
42ec343e17b06b7c94d71d5fade8142ead7409360884cd9922c58e1ae414ccf6

SHA512
d3c3ce0135cc3bfd63908de390a3a6f2e73d582453ea306c0da3f846480cf3023f84910b858a8b658f2f1cadc38bff47dc2fe8523903917887a68b3230b5963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dd85fa31630540fdbe87bc8b0e56d248

SHA1
70ede47c72ca7b29fca1c5594b15127b1a721118

SHA256
0f3ff707f219d5313e120487f83217599509da34f385db4fedbdb15317283cd2

SHA512
c0a8fa973a70583518ed66f24fdc9ed931c7e6514da637b1d7f1241e9643e1543c7f380ce4de907d8832012aae51ec7d407cf4fc2f3ef621aa45b82ad299aa45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
abdda0aa48fb08738fcd4e082b5519d7

SHA1
33aca1295a5f49951c8d32136c5d7b7e12dc167d

SHA256
b0d71eecba409e9abb412d4b698a1a88e6d0494db41a3f40f1a3024510b2a966

SHA512
b90deee82d042ee05256207eea36abfcb34596facdbfb9757abd7cf3a38cd215f29c6c94a995aeefa97043f1b88a5b84ec2d2906b007bc5b03394f14a5bdf591

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e519f416a9217f12dbee07f6efa5fc32

SHA1
6cb14e5f1c85aea8de95e526a13242ee3da99d64

SHA256
b38079564262ee12c567a106876e898027076b46db07a7daf0ecc4dfefc87cf5

SHA512
cea9f3fb0bf65d3e0fb86b5805194e4e1ce0cd754c277c826916eb5db3d79c06b9186739ac8e9ec187c34841a428afcaf2bab83a8d058608bacebcbe310a564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
af6ce326a99bf9478ba961b98833e14a

SHA1
bd28943f8d21553e10424cbe052f319be318b1a0

SHA256
dcb418800231a49bfc6663a2a770d3732bd8ab2b0b4e80f8bcfae7689a806ffb

SHA512
0da293f3b1b42e1592969b980748a449728aa71f10756858247edfcc2b7575b500eaa7eeaa8e2930a844d6e4a0fc447a3360d2465f2813bbbc438661feec98f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ddbf48ebcdcc98e874ef338bd06d4b7

SHA1
1ac510638b6782cf0006d96d90449cde3571ecda

SHA256
13d2aa057619182289037946d7b023f2186c084bbd7f02c6e2e25ed8a245e6ff

SHA512
ede36303f7ef8c0d5b6206875c53e47d20e9e3b9bae8911f065765611223f0ade5a77d0a87c9721b1966730dda20b82aa3a00ad596037829b73492f24297d37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a26080d099b2cb984cda1a535db2fbd0

SHA1
9d88071d2225c14c311c2039f927623a37665bf3

SHA256
6d938ebd0bd9e6818202c552bbf196e1052d43111ee3d41f98ab4892cd4d5a54

SHA512
4afffdb7d5397c51472f34f0a4cd1dbf5e1cc773f2e8a14708888dfdccf0e49b58e0b2d3860f40ff7dcd6e75573bf19d045bc48f29a1b8fb96b183bc802fbc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d65a5202fb148e6bc2a4491beb59c19d

SHA1
5c2da6eb74e9bb59a01722afcbd36af55d166e4f

SHA256
9c328d5bfee32568de1ba313e8b306ffda18528180e64b98eb0a91ee149d05d5

SHA512
83306cd876e2734df853f89c9f5ccc4a1d4a18fed160ed30905b0eeae07608584de28b38681cd1a130ce4cbc9d0cd5c4d9dd9b2e88e9fa86b9c219d09350b661

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ac4d5f8545bd9607847c3e62192575dd

SHA1
ac78510c483e17216a205dc9e33acc591c7b94e3

SHA256
7bb30254788f4926fd689aee14d577f54022b195b9b7eef40643ed51a961b20c

SHA512
4a14159d043c880f74bbbad388272f0866f2ab9c51f461946bb430eb18aebbf1e327ee7e7f22521f70cf5c1596bcfee03bc64692e1eb89c4f73e74c0268ba674

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
574b852377c6d75c78677f949c37e33c

SHA1
1bc3d9b16f23a0efbbfb94a6311325b4a0f8c6ae

SHA256
6913f293a6d06e6d5cb7dc1ce30f4ce4d5b711c2abd216cbbb0f5e743f51c461

SHA512
6ab452d3881fd9f7381ff90dda529c117af990f310056cd3201b822036075b49c5769dd56a631a886b3035522fb6efbd8c95c01e5200d64343f7462600596f54

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
408KB

MD5
447b0cba41a368a69450e602e50fdd2e

SHA1
c178034409d86657eafd1d31572bb0df30c8a173

SHA256
0a331526de95dd7c3edd3fa23fd22ce23c41c2057ee1c6ab5046cc7a9ba9dc73

SHA512
c6b5ce89a65772ba23a3ce247718ae811d4fade3bf97650b6f00b8cc72426faea3d91f235b7b78eb1d9eefb7a49311e0b2ee4e4fdd73a8ee2ba066328d8b5245

Download Submit
memory/680-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/680-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1224-182-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1224-151-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2904-178-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3412-48-0x0000000000190000-0x00000000005C3000-memory.dmp

Filesize
4.2MB

Download
memory/3412-18-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3412-17-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4540-150-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4540-13-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4540-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4540-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4540-7-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4540-5-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download