cybergate | 1383e4aa30feb4f63b22963e9da74472f58030ae9d7ea1e6d96d60b34f2039f3

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
Size

531KB
MD5

161265a5a403c2e8b995133f72e4451c
SHA1

155887abf79a88f7c14060fb1b8164828e96f046
SHA256

1383e4aa30feb4f63b22963e9da74472f58030ae9d7ea1e6d96d60b34f2039f3
SHA512

94aae102e3bb1a8634e0dcef3d4f9382ef7170eb2d6baca115a89162976f8e50fe27998e28a6467edbc1cec37fe58ee7fbde65bbc30467ed1ea4071923a61c5d
SSDEEP

12288:K2yKELYNt3nq/sg10fSk+Qbp9/dL7cdt074q6y:JSLYvcR10fSsbrdGt07F

Score

10^/10

cybergate server discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

achrefarshavin.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Tzoom [00005*5] Tzmt.dll Not Found !
message_box_title
Application Error !
password
abcd1234
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Executes dropped EXE 2 IoCs

pid	Process
872	server.exe
3048	server.exe

Loads dropped DLL 8 IoCs

pid	Process
2804	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
872	server.exe
872	server.exe
872	server.exe
872	server.exe
3048	server.exe
3048	server.exe
3048	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 872 set thread context of 3048	872	server.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
Token: SeDebugPrivilege	2804	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
872	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 2828 wrote to memory of 1288	2828	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	28
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21
PID 1288 wrote to memory of 1204	1288	JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:480
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_161265a5a403c2e8b995133f72e4451c.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2804
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:872
      - C:\Windows\SysWOW64\spynet\server.exe
        
        C:\Windows\SysWOW64\spynet\server.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
be9133c64544d377087afff6b34998e7

SHA1
adfe4efa50d9274d3d1e027a31d0a7bd0146382f

SHA256
6735d692a2bc60187ede7ac8bcf56fed9ef8a0d5b9056df33f44dbcbe4d8bdf0

SHA512
a5494265a2fa5175221c37c1c289602465af3f271894e1196750bcd3a5d3056f126a960f94e921a31c8f3ac9077f6166c6fd456898d22efbdb02bb01d853f1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ad65c7e7aacf6c2d9db14c5fedc6890

SHA1
2921288034f9c74b64c791b66c84c539edd93355

SHA256
6fbadd6ed149280182fe0d4938b4cb2f97bebb346efbc5d427216d4ee9a3b28e

SHA512
74284134f19d5fd2891f2a2f47da53ba2419537293c092450dd81e3fe1f94f9b5a3a03c5018b23f0654e7b0fbd4d9e490559e93b6ea8169189f8b2900fa96d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8202caee7950b2553fa6e3c2af7668ab

SHA1
067f5acddf45097322a9292ca15c7f0c5913e32f

SHA256
a5aea414450f1630ceca18910ebe345ba443b94aac5ea499e58aa143d95c14f9

SHA512
3434fb21839576f5d7190c0eae66de2023505d113245bdfa55680afe5e2f695d044fd9bee8b34bf9b8cc03b2a87a94224aace2b00fc3b5c24f469053becf1536

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b1a266f85c70d3b47f9e08d2eb503863

SHA1
786d32b73d8e58a982494f1e55be98d740204632

SHA256
dca7e444e8ac77964621fe9bf8ba6eef4fa86b7aa6d3b363d078842a14d7687c

SHA512
4acfcf13243f48f07f4375a399e3fe50fbc26f9f5dfee1d95405cff5116c73bf7c95dfb19689f7592d589193d62808f38699a4af157b066e5e63b3cbda88a834

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
74436ce6e32fee3f4565cbd03fecc912

SHA1
8de10ef35764bec2c2d30d7ed183d59c0413dac0

SHA256
17e5f12642b13702c1d49e7394baefb1f54c5212b4b8800452425d7bc5a6bfa0

SHA512
8cf7c2013bf354f84498a00f67e176d114bdd90f6ef52655e5bd8c2a22df98dd0b2042579c5c26a9cd8b3def85c86ab8f187b41a5521d7abb65c50e7fd65f240

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb048df429631c7d0cd4a5a0eb799389

SHA1
b11cc7883bd8497a1d35cf286642eb528331c1b4

SHA256
0961475d9f908d39029ab808f115a3931b4f6dc0aee7b6ca121bbc44149fbab9

SHA512
da5c29fdf2caa19c4fed13f38deeb93a103a673697546aa5cba42c8f8df30f25e0d60bc4e4544151bd73344abec4f5c61d3e533884980bbb5ba1f17583b07fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2432215ec5c44b71a51452e4810c0693

SHA1
45be6c228919ce183eb9b5c262a8a4509dee5b18

SHA256
7c3c47d82a0e04b851e24bd2d5f49f05f5448219f0f4091d7b6df92d677f1938

SHA512
8b3d62be38d07e5c0b508435804bac1cae1d8e4feb1b7491be97d2ca9211edc7d6cb72a7cb7da11f24bbdccdc22542b1e4de8e00b87a042812b7106c19e97a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
62250cd8d09f2f50e2b853523e80f060

SHA1
b00563a9a62760baad8e3155fcb786921d78591a

SHA256
e574f17c706a7e40f0b9d8bad2275cdef91968c52feff261af649e90ac597a48

SHA512
9de92878e173d8db82e9b460f4a928fc7bd3a611bb55e7f6619aea20daaa2dfad25df25302850efbf160fab8c85b8fbe99af55ef6e41dc71640a46aa05fd72f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0cd4bede04ff2e06b929cb94aed37148

SHA1
fcb1ed9f6d0c52fec7e297b0282e8da7f326e48c

SHA256
f7b109c023416836be10f5cb09810ff029aaa985936b04e303153ee949871fda

SHA512
0d82ce517680e8335563cf45530faa42b4c4261880b6dd78f34a40a29966ce457ac6a276f74ad68d0d22ea8533908437af6bf8d4e1abb41fae777eb3e19d2838

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4ea13cd126f69552851c6338862aa8de

SHA1
e636e89589d5f0c156e5e639ed10c773764a48a3

SHA256
244440cc4f9c1fc3678e95974a2d44795f51007f7b5bef5009bf81829980559a

SHA512
b957ea81cc15a2590db4f30fd5ce5038cac99ae924cafaf749c148c2113838e8c2fbc18e910571dcb9c3575e5761192301ba940aa3f51c42d07cc842dae04689

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c56c9583d68169ee77689d570197e9ed

SHA1
7a5b7df4ba40ea1e64efc2dc6053b23db3eb8a03

SHA256
e656f148101be7412a6f6945bd1bab76b61667f19fa69d5440507ace9ddbe682

SHA512
dbe2fb9a463183ca04bc487cc7c1327e20ce6387de94e4179bd9860e1f01d9b6206e6b01bf11e99219dd032e074778a579ee7f32769be0e8d73cea653ac4db09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3ba38891644d58e8eb72c2c0a833626

SHA1
fba585adb311bb3010a3ac0ba699825ad5619548

SHA256
dd88d2d1b3430d291e3d59b1d7863c1c3946a983100cbc472b75464207b2701e

SHA512
76229b75e9fdccb2cdbd178e18e88dafcdbf962e115ab1c02d7bedc53f230e0744e8883d1bc5b22a4c1ab0000a7abdf8f5f938133570e768b78c11724707a613

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e1adf49a391c6143980a0b4d2df89595

SHA1
0b8d9f860801999cc51e9b4ef4099da3dbcda45d

SHA256
dc39a85ea0664c19290da1e8876c3e7d2db5802fb788fc4ee898e8b3d8434c88

SHA512
dd80634708d9ae1f32dff33d1260b4ffa114f2816d719666cfe9aa757f816284c40503e4aa8a1296ae0165eaf2e257d5d935f8a73c61e66d9d558a34de56d239

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9dfa7831569440e289ef21296e7e0e27

SHA1
a812b3774b8c4f93746f1c3b94ffd6fa255fbb12

SHA256
ba23bca05108c9c3d0cd9e9766031035fecaa319ff5abf7bab7621bcbee27741

SHA512
fc39f373ece813dc8a2ddf729f39ac5bafb34a973a5a1ced3958d5929fda2009a1726fd1c75117bd59946fde30f366509c6329a731775317076bcb61d971f551

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
997ec6828e1ae8e71c172b902f6a902a

SHA1
f97f7c2b88df0bc59d8e7cc62413d00020e17ba9

SHA256
ddc37695b45285e66f995c0337bfde4c4569c1888b538f8e844dc6c3b4f0b20b

SHA512
13b286be8650db9fec479eb23eb6b27a32f95092504c388b792f31f3ccf6738d9b9b6183400fce114b77a6dbdc23b882d91f96a81f674f8813c17a1f6bf213be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4a9888b2e1c9c7c6d3963ee3fca7521

SHA1
14f23795cb05e508f50ed08eb111b15048e23421

SHA256
d732cb96ebd234424d82c251bdb1dd7e66d3db938f2892566d41bb15be27ca78

SHA512
803830dd8c7e3e1700e0a761035efd3e512a9b2ade769031d0ea0d8faf377cab8d0dfe4c4b323faaaec1ef3b47e68e97002e0edd7d62ceff8c9f25a4d81d0501

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
680e4be24b6a98d7be3bf5affab09363

SHA1
fbda6ea9de0c0f7c4d4c4667b2fbbfbb8d013d04

SHA256
51fbdbc1a83da97a2b81306a9bf3081e4283aed5ce27a39368b24e4d634813b8

SHA512
d63a7c8f25af588c784d34379c371fba33c11ff231e2d845eace8cb01d5b10043ade9c85fce65856b3a43cfff515562260bd323dba676993f4363a2735e68429

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b8c1a99043a91bd062f6cadbf3b91816

SHA1
422c9b75f32ffcc3db4d92ecdfb8daab185a9bda

SHA256
7fde303fb706df8c1515ceeded4f67adc424d33cdabb6ceb6119517613e6fe50

SHA512
b26f1750cd67bec5b0636bed3472e839a08ab8ea55a47b78c52ce6dccb6b29674419614e2c87bdba18aae653197ff14c315881a304d9adf8d183b63e4e77f10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
38794ab7c31956d99ed0368ad8a3e5d3

SHA1
940ff5a153ea42921accf03e286267f5cbf6893d

SHA256
82105160038360b080f0ed6f1db5d447d42099eb84f80141070186bd4c2ef9b4

SHA512
103b7809410d0852f2059a220f5b61352799c25810a1f0b635b6d17c860f5deff1d45081382f747c46433d224b5546f5e19cc2d7bee266d1f266f9dd4bc23ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b85fd46444f6cd230ec89ed3d4e9496c

SHA1
4e7249e522c95f0645c10cc1cd22c93bea989df0

SHA256
3c9e458f5b8b814e67f91b556a5161c0b5eee0cfed09822d7529027eb80819d0

SHA512
941fdf3edbb69e631cff7ad9f0bfcdd2d5eb3c1ce6efe241bc13f99956dfb5812e028490546844de573bb588f51a75a2d969fd294b95c6a5683a01f1fdc3766e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
54d33f30d37b7476eeb62dc0aafa62ff

SHA1
ca0f916070693942b55eb9f1d20bdae4ad558549

SHA256
7909b1b78f359bb0925225cfd8f5cee5fa9368e6fe2d190ddec922785842204b

SHA512
fc165e6e35a5393ae0aa6536f6c513431506958902e925ea8d4d59314493f4a8c7c3d631cd99e7e55090beccf2a8d5011fa68de209cd142f14f0a8ca815bbecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ad53e8d0a275091326b7b0a766d10fc0

SHA1
cb7d58c2409d5c89aec3b8ea7f60fc4edf227e21

SHA256
40029f0bb71b2be2aaf72b1dd579c09e00ad9be2f5ebff5a8c98a85cffc6abd0

SHA512
11ed2e0552411594010e8c9365397b090fe6e3ed3a5d4f4e9006bfcacbe1fa45e9fc5534c5e287feeb34459814000e607d7b7705765367b3efd8c641c6e5a7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d23293ccb584b9a84e76a210903ac33c

SHA1
a48a8768b02479ea716c3cd6691258f6250959c2

SHA256
dbdfcb18b8a81d552955d8150ba65b853ff79a95c61ed68067e2a811bc36d794

SHA512
0a52bf9f5981bac987f3bb7dbad7a91ce62e2a43a223d7f104476641eb4d08bc890d2ce367dc3f1d1f092756fa7e598aab165c3563869e685495c80d87d2c9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c4b806dcdc323861a527b310a4d04e8

SHA1
aa99fbead6591cccdad1309b2a01f9ce32ff9e03

SHA256
8424dacd3745923989f4240c8aed84b8fd6a456b4860a2b92f8cb4c579e5302b

SHA512
7be29600c353663d89bfb9cd4d90a24134c8f439ec12f626a97bbc904d56929e84b9cee3a7084fa4f781ba0deffae4dfa0b51c54fcb72d0da171683b52bec488

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fae7e9832404a1dce6a41430da5c17b5

SHA1
fd358741be10d9925b65ed9a1791dfaf889fc72a

SHA256
ea7f805aa981eaaccf0678460a9f8a28ab2063a9e557f999cfed5540e08e29b9

SHA512
60fb0033da157826be8a84dad9071cb10422466c510203ab60b6e594f228d318494699ac389872829d4f626589ee4c077c062457f5fd9c11cfe02df5c50484c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f13e02b12bfc78bf3dd46f38b0601399

SHA1
760dd08ae751265ac2ed425d7ec74bf9ea08a898

SHA256
7e1a23a6851753483637b90006ec35d7400623098311c52e3967715db617cc29

SHA512
fc2e4a68509987103f6ea37171df834dd3f6a6747b5ff297b24d628d99565b0a1d0c4e64942a878f47e176000c24516a45e1900ac17853ea02b0f12dd49482bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eba279ff0d7011d40a2fe449b3dd102b

SHA1
637d8797513e5a7ee3220ac21fbcae00fef18236

SHA256
e4f06f1936df4e76050813a4fda31c3be6ffc1b0440a8750185c5d544189755f

SHA512
7da6a5b9b20d7021b44f729485fb717c6e61e006d670a05b28e9971a6a7e899d818cf1535b1f2986399b77ac7cf47a99659f8329251f2467d2a37de41a7b4a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b96227c7962b9b47aa7404f885281a61

SHA1
18573bd767c4179017ab9bfe7f5c10f416cdcc01

SHA256
7fa58b31f2948b6deb10c2e9c508d2569394abea1a6f632efc220547538fc928

SHA512
84af98194430568ded44300eab5573bd7309798f15e98c24c98de594106700d3aec808b1db34a53ad9cf2bfc17e264c97102a357f8530f6cc6740e25f4ea9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19b9f0f4364e90bfbf2048e5077bfe8a

SHA1
88d4cb95fe6d4b73d7e4a40857dc962f90573433

SHA256
4507670986753f86f89b69366fe7c51b6b3dd63d780663c945348a164ff3fc51

SHA512
e19117ed6a1ffd5dc70f57254a42dc2bdc9ba13b035cbd21d40839ee23ca6a938df6fc535a86dffddf91375feb0f59153212eb69bee78e2c6a069075a7d4ac36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ae98dec270fd753195c5072506866f70

SHA1
8e0f875f0cd9db5b333bc7f234a4015a536a1ae0

SHA256
076e13551d17f9a832b96335c7d73aa8a72f3c495e28212c573ca0cfa0d4d95e

SHA512
464e8c14b67edc65552d247b870dc9cf327ae58e089f6761a6e6bbfdc262a6ca8d1ffe8fd4b88603ea661e60f54a4b5a1df9752a1b73ba9ad11c5ead2767eeae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f17f47810029af11dfcd1a37c80809e6

SHA1
d7f1692f54e628064a1d13b442d26f420ba3685c

SHA256
ce023ac4707c21e24c92b1f2f6a3d0bbc61d7d0815d6ba58d459806820e06e89

SHA512
20ba39274e89e2bd748ebf19b6e3a7b30f10bde659cc69b4eeb1919bd508cdf75b2f412e9af3a7c0d140cbfd01f27ed9160801dbecee4ea9e2f3839fc4112833

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
680f5af987e9d822ce3a4dfe53ebdeb2

SHA1
61696641129c8ca9870d797f3d58a3bcaae1e2f8

SHA256
6a9da0bff36fded8d389f6a57614b8f47f0e6b00aa14557183cbd06486e75bb2

SHA512
017b138ad357d6a8766fc6792ad5ff78bc40cdc152f394d114ae0f34b35f33b4c7b5f4b536f1a6d9448dbe0d3eac801d9a7c8ce725c58dbf86c3397230b0aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
692285b7f13cf36e87a3f6bfe0103107

SHA1
873129229980a7f4a8177e3306dc6dc65862966d

SHA256
52e8a4df21f49786f93c94b560781703939760054601bb36162dc12f391976a1

SHA512
ef1245ab9b95adf839c4ea9e09d7c50fe89f8a1ec083f9f4c6571fb9c9fdd911a76a7ca5d4fa4b946585432107889ae115c55282e42d08c41d86b2b8bbf54d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b8b85d735505cd873418972e9f7070c2

SHA1
b5c1e2788aae0a0643d6d9bd178524cc2609dea4

SHA256
1cb91fab29551b48a3ba159be93651117115c0e15ac02a64d21fb6062fae4ce9

SHA512
1f7c01336f3be07ccb17e6d939a77f65161a5a3556db9f3748467729243c6d73282ddfe00ab0f341c89d4bac2557da6d45f14257050c8053ca3e4739c5138801

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5053a04065f2524befe2aab832cbff04

SHA1
5c68370c534b0352796630fb878a3728909fa879

SHA256
94d45fa58a6398d8921097616cd6851411ba9f595af73519a5f2ce954a52e6f9

SHA512
e634cca684e7a28150a4087298d82c69a8f09d93f2b60b14f24a35835af1d7d3d90c8d599bdf97478e3a44dbc1010253a64f82fd93077f946bd36c2a1df9f495

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b3bae5eb3abb134595dc4e1e9511e410

SHA1
effebd0d24bac242204c9d09238b7c7c35af3a1f

SHA256
d5a339dd93912fefc61e414ee89e01f5a75bf40156203d0cd66af6aef7b0f88a

SHA512
bcd38a93cddb242b7b8512b9b226a91ad64662a908c55d56490cb0bf40ba7455e2e65a300494085bc91da938eb4bbd2a58b42d775788c5afd7318cb5bc0baf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2d35fc98580e9e49906c3dffb44215e0

SHA1
1187757a29a6336d0daa7350f02007d20f22923a

SHA256
bfa4a0311037a6d49fd1b3623f825d665886c5186b676f2c3ecb889cc132b8f4

SHA512
bdd2f97a7eef9a425d6d6c729ff5f89c0b5fd058d76ac58a37c7f6f4f6f5e35208245bd920be3611d0217691d35e2089529953c0e83bec65a054b385bfb34f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ecce78c3970191e8097e02196f6c4819

SHA1
c7e53e6d205b16afcae43d8fbf192b847a3e1f9a

SHA256
f941c648979f68adb0b2ca3b15c70e0196cfebed94a27b2079835acd26ac5e0c

SHA512
043833180892f613fbfd0f23630a2de4fccb909d03b6b50274851dd4f771ea278df780f8cb9586545ad7555bdf2b4d8507a2002301f8c1ab9a0c2d2dafc1e18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
171e5e08ee23333da29b2f106b5b58b0

SHA1
47129ce05c48dd969f3165e797ed68c78ac21c58

SHA256
cfd4c37eba5eb2425d88c39b935a21991f3cdc21d8ce3ac691a038ec540be8a3

SHA512
5ae94086510f31e182abd5f0e6a7de1390680d349fccead1334a65c1b130914b61b6f01f8da3fc9f554ddb37dbec6db42df2cd4ef649fa469c9afdcfa1d5ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3d5c44f3da6e3b1100b1805366c5a33

SHA1
2edfc35cb4fe686bef09dd4596a53fd43c546410

SHA256
4f15eeac79ae85795ee81760bc74da462058a9f8d16e55f7dea01a7eac4ebf8d

SHA512
7bc7f3a0638d9a56f8d4aa6a45b83e91cac7971b8f5d8a9143c77c8e334bdeb50b2dddb34d2dfd51730d3e478071bf0b1269c15ce163593699a3b911b76d9c00

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
531KB

MD5
161265a5a403c2e8b995133f72e4451c

SHA1
155887abf79a88f7c14060fb1b8164828e96f046

SHA256
1383e4aa30feb4f63b22963e9da74472f58030ae9d7ea1e6d96d60b34f2039f3

SHA512
94aae102e3bb1a8634e0dcef3d4f9382ef7170eb2d6baca115a89162976f8e50fe27998e28a6467edbc1cec37fe58ee7fbde65bbc30467ed1ea4071923a61c5d

Download Submit
memory/872-960-0x0000000000E40000-0x000000000101C000-memory.dmp

Filesize
1.9MB

Download
memory/872-961-0x0000000000E40000-0x000000000101C000-memory.dmp

Filesize
1.9MB

Download
memory/872-982-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/872-962-0x0000000000E40000-0x000000000101C000-memory.dmp

Filesize
1.9MB

Download
memory/1204-40-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1288-930-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-5-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-15-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-17-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-26-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-28-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-33-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download
memory/1288-34-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-36-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download
memory/1288-20-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-13-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-11-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-30-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1288-621-0x00000000026F0000-0x00000000028CC000-memory.dmp

Filesize
1.9MB

Download
memory/1288-35-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download
memory/2804-3874-0x0000000000ED0000-0x00000000010AC000-memory.dmp

Filesize
1.9MB

Download
memory/2804-937-0x0000000000ED0000-0x00000000010AC000-memory.dmp

Filesize
1.9MB

Download
memory/2804-3877-0x0000000006170000-0x000000000634C000-memory.dmp

Filesize
1.9MB

Download
memory/2804-939-0x0000000000ED0000-0x00000000010AC000-memory.dmp

Filesize
1.9MB

Download
memory/2804-3876-0x0000000000ED0000-0x00000000010AC000-memory.dmp

Filesize
1.9MB

Download
memory/2804-932-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2804-3875-0x0000000000ED0000-0x00000000010AC000-memory.dmp

Filesize
1.9MB

Download
memory/2804-933-0x0000000000ED0000-0x00000000010AC000-memory.dmp

Filesize
1.9MB

Download
memory/2828-22-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2828-7-0x0000000003CC0000-0x0000000003E9C000-memory.dmp

Filesize
1.9MB

Download
memory/2828-4-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download
memory/2828-2-0x0000000000B70000-0x0000000000D4C000-memory.dmp

Filesize
1.9MB

Download
memory/2828-0-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/3048-983-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download
memory/3048-984-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download
memory/3048-985-0x0000000000C50000-0x0000000000E2C000-memory.dmp

Filesize
1.9MB

Download