cybergate | 7bc7dbb2d42e923716e2b9de8c8b445964042cc757e012a4882fb002d6627f6b

Analysis

max time kernel
22s
max time network
128s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe
Size

387KB
MD5

fa2f5b6df76d495ccaf044381c30159b
SHA1

7fd2137b801222520d34ddd9ae44a5f9d03a9c25
SHA256

7bc7dbb2d42e923716e2b9de8c8b445964042cc757e012a4882fb002d6627f6b
SHA512

e872752dd08a53a5a82ca609598fc538dad8a73c19b255401e4b76d4cebe554cd13c46c0890d0df6422d28b46e21ea09ff4e2c79d0e05c9cc712b91d346d3bbd
SSDEEP

6144:r2Enp0lvHYVBsDKsx1td4pLHmdLyahteP74CXavlFy54pmdshr0++:6EpmYVBsDKslqLsLXiP74Cqvy4pRr0h

Score

10^/10

cybergate wolf persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

wolf

alonewolf-45132.portmap.host:59129

Mutex

PAYÝTAHT-ÝSTANBUL

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.EXEfa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXEexplorer.exesvchost.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\svchost.EXE"	svchost.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\svchost.EXE"	svchost.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.EXE

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.EXEfa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXEsvchost.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}	svchost.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}\StubPath = "C:\\Windows\\SysWOW64\\install\\svchost.EXE Restart"	svchost.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}	svchost.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21V5SAK2-0OUG-H225-VP80-54Q7737A3IWS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe Restart"	svchost.EXE

Executes dropped EXE 11 IoCs

Processes:

svchost.exesvchost.EXEsvchost.exesvchost.exesvchost.EXEsvchost.EXEsvchost.exesvchost.EXEsvchost.EXEsvchost.EXEsvchost.exe

pid	process
1556	svchost.exe
2064	svchost.EXE
2480	svchost.exe
2564	svchost.exe
2112	svchost.EXE
2340	svchost.EXE
608	svchost.exe
2884	svchost.EXE
896	svchost.EXE
2368	svchost.EXE
1736	svchost.exe

Loads dropped DLL 10 IoCs

Processes:

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXEexplorer.exesvchost.EXE

pid	process
2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
1176	explorer.exe
1176	explorer.exe
2064	svchost.EXE
2064	svchost.EXE
1176	explorer.exe
1176	explorer.exe
1176	explorer.exe
1176	explorer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1176-550-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1176-718-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/896-1816-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2536-3048-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2468-3113-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXEsvchost.EXEexplorer.exesvchost.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\install\\svchost.EXE"	svchost.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\install\\svchost.EXE"	svchost.EXE

Drops file in System32 directory 11 IoCs

Processes:

svchost.EXEsvchost.EXEsvchost.exefa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXEsvchost.exesvchost.EXEsvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	svchost.EXE
File created	C:\Windows\SysWOW64\install\svchost.exe	svchost.EXE
File opened for modification	C:\Windows\SysWOW64\install\svchost.EXE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
File created	C:\Windows\SysWOW64\install\svchost.exe	svchost.EXE
File opened for modification	C:\Windows\SysWOW64\install\svchost.EXE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	svchost.EXE
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	svchost.EXE
File opened for modification	C:\Windows\SysWOW64\install\svchost.EXE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.EXE	svchost.exe
File created	C:\Windows\SysWOW64\install\svchost.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE

Suspicious use of SetThreadContext 5 IoCs

Processes:

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1148 set thread context of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1556 set thread context of 2064	1556	svchost.exe	svchost.EXE
PID 2480 set thread context of 2112	2480	svchost.exe	svchost.EXE
PID 2564 set thread context of 2340	2564	svchost.exe	svchost.EXE
PID 608 set thread context of 2368	608	svchost.exe	svchost.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2500 2468 WerFault.exe svchost.EXE
3068 2536 WerFault.exe svchost.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXEsvchost.EXEsvchost.EXEsvchost.EXE

pid process

2308 fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
2064 svchost.EXE
2112 svchost.EXE
2340 svchost.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXEsvchost.EXE

pid process

2308 fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
2308 fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
2064 svchost.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

1148 fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe
1556 svchost.exe
2480 svchost.exe
2564 svchost.exe
608 svchost.exe
1736 svchost.exe

pid	pid_target	process	target process
2500	2468	WerFault.exe	svchost.EXE
3068	2536	WerFault.exe	svchost.EXE

pid	process
1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe
1556	svchost.exe
2480	svchost.exe
2564	svchost.exe
608	svchost.exe
1736	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exefa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE

description	pid	process	target process
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 1148 wrote to memory of 2308	1148	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE
PID 2308 wrote to memory of 1308	2308	fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE
"C:\Users\Admin\AppData\Local\Temp\fa2f5b6df76d495ccaf044381c30159b_JaffaCakes118.EXE"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
PID:1176

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
7⤵
- Executes dropped EXE
PID:2884

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:608

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
- Executes dropped EXE
PID:2368

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
7⤵
PID:3012

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:2092

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
7⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 468
8⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
PID:112

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:1328

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
7⤵
PID:2668

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
PID:3028

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:2132

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
7⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 468
8⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
PID:304

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:840

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
7⤵
PID:1840

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
PID:2696

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:1772

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
PID:1532

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:1824

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
PID:1900

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:2632

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
PID:2472

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
6⤵
PID:3020

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
5⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2064

C:\Users\Admin\AppData\Roaming\install\svchost.exe
"C:\Users\Admin\AppData\Roaming\install\svchost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Users\Admin\AppData\Roaming\install\svchost.EXE
"C:\Users\Admin\AppData\Roaming\install\svchost.EXE"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Users\Admin\AppData\Roaming\install\svchost.EXE
"C:\Users\Admin\AppData\Roaming\install\svchost.EXE"
8⤵
- Executes dropped EXE
PID:896

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
9⤵
PID:344

C:\Windows\SysWOW64\install\svchost.EXE
"C:\Windows\SysWOW64\install\svchost.EXE"
10⤵
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
ccd7752587efacc2cf7e97eaf8e8a6b5

SHA1
e53c168d3a17da197220e34f9d785a25608fac54

SHA256
215a85920763afa6681739696af69132096d0a51b9108cf4f9d5764a3e04c281

SHA512
1a90de1cd769cb2f3ad77a2ced514b8b21c60cd5a55debbacf32e6ee45d9a6ef564121f4b3cb9b97e4aa1605da36077f576bd70e45df8ebeb405040b980e7c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
5fd62dca5ea207c0283de21c04762a82

SHA1
290cf10835cfb6e86309e4a952af03eb36e87886

SHA256
3d33c0faa41b74ce3cbb7453017933427cce7e3ec4602314a1b41efd41152223

SHA512
1c5ff156f80a4d70f5cef81fc29ef67bc06a10cb2801c3d544c21ec3686eb58f8c44e32236909f26aad16555bb88f162cc695990f91f7e755b489caf7cdd1495

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
d3337b5bed8436e8b070e681ff7f8c1c

SHA1
2d4fd2be38125430ed89f46ac95fc9a6bb2492a5

SHA256
cbcacd63a4f2631bb37b29f29eca8bec47a313ce9c531217b88316c013853ea7

SHA512
9fc642cf7acb7440708046b79c5ac4ef419480618b289ee11dbb45835ecc3b5fb7807715f30a119688ab220ec2e6101a2db3e05e78d3147eaf3491ac9e646c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
de9c3c39c16b4a47b32e04f49b7229fd

SHA1
c1d61c3e01e1bd2ba360d8db2f308713ff3c2470

SHA256
9f535b0e76e539ac0cd5ce28c22223eeee0a5b8e99198ad5d2d39f4fbf8ee43f

SHA512
17088bc3cd361f13bc70d164420287fc6a47c5df53fc3e361307fc3f0d52db278ee8c0f10ac79a845307abaf13fb1e9340ba848a1b3e0a754fe8f7262445b3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3e2f97128a32addd0bfe2375778a3688

SHA1
c9dd467bc61a2857b5685911678fb9492a33183d

SHA256
dc1b351ddc6ff1d3668a1c8edb749987040f35ca0e5def0ef7b1040f468452d4

SHA512
1f608d4116fa54b179d81818cd082ea90b457e7d5c6c87e16292f888dea792cfc3b761715f93f183eb8af36c6d0173e5e924070628e78f4eb9014af37666f229

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6e21994e727d87cef4518c35ecbb343b

SHA1
0a9d21706897afb3247163a8fb58692c1228ea52

SHA256
cd48a682cd713808b24897d3f051fe6fb57a129202e7a8de5300829068ed479f

SHA512
4340490a2b3435ca571f4ce68a13e4efd1ab644b94eabaf66dc10bbe942df0a0801441bd964e5a50f350c1d77ff9b598b56745cff346aafe1d950a5d670f05ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
42bedfbf06285dd82455967fe414fff1

SHA1
814585c632885e0ae8d6501b7551620c8b585136

SHA256
2e6be6c091ed6caf490964af0c6bfa2d16cb53e45537094b482d01b32e8d9715

SHA512
b3cd6d9ae5a6b953a62dec5ccc4eb6aa38c17cb834579aca250aa2a4088406a8fa36c0d67846027d9ad6debd7167cd519616da8a2c18ac046ae510296926334a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
11959f6ea048a1fe5b616f7f7436b0df

SHA1
fc0b52cd96e0b98c9403acdc8cc1c2ceb7d79ea1

SHA256
21092a3bc8ff9859211b039f5092e6046b6536fe8b46c66d072bfc2f1ad21aca

SHA512
85d4cb066bb3683c842d3e475639bd1b0212c0bd9cd635d89e39cc43078ea5fff3a29aeb8365afdefa72108d358f0d9c4a28713efb83d7b753a3bff973591e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b085e0fb6daea4c2cd449e5e6cec3f66

SHA1
9a39e340ee288f7e1bc297c8617bc47d24e009a8

SHA256
04a39cb864a8ef207a66cbfde414296755eb8bec9279028b472d7f068b0b7041

SHA512
71194f142d0bfe6612aa948d5090dc8e63bb7b59e19dfc973dd35d346128900820838ab84a83b69d20885a31317cffeea19c574166ddf25e6b8ec9d985520892

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
516fe4d3f953eccbe93fb817da10f17e

SHA1
d088ca7e93d8dcbb6538556cbc19a20275ea845b

SHA256
52be8d834c098b4334af3c5ba52a4a094bdacc6be88fe717231214cb84339774

SHA512
fd04d0dbda3adaca6023178e30577e5a61a3cc4ddefbc74b912a1ab97a58cc07f17df68c055b03d26fb365867fd1981d97ddfdf53bc5bddf5f2f79d98872c4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3ebde48713d11397039b7c22f68d8a7e

SHA1
863b0a214f148551e92ec0c58752f94a78d9a051

SHA256
78c7c75b7f3b7a7c2dfc2c0409ac3f2bdb13a59f221b66f966e895bea1add517

SHA512
a95e44ee285ca63863ce28a50c6a9d269d511daf9f65ddc04f87353b52c0aa5d3f7f799c9b406662b784300a6f4dba7162bdece48e6f8e7d42a883ed7d2d13c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
8b0572f90146e4752a82454baee44afb

SHA1
add829c593bc375e2a9dc27fb5b55fc3a3727e12

SHA256
642f2c9501e95a80613d37eb3e4ed012a065a5f3e18122d48ff46b7212d327b0

SHA512
6f19381cf72b140915cf5af2f6d3503941c8169c4e4adb2f688f24cb52e19d0629f4b162a80967846a9139a76e05082aab5052f1f8e77074016bd15a4951f00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3920a1949047248b76f8d7540cd319a0

SHA1
aa70fb465ff9c67c1e89c2300b6da3b76e32b85e

SHA256
3baff3b5a4f340912ce1c4c361a0aefdca0a4339119939301402f9f9a3629a1d

SHA512
a216c4657d94a0e91b7572f3266b8567a063b454318c8bd045cc5f6c8d7e5814dcd2885622bfb0ac75f1eaaf972d4f0102770b199009159a58db324723c42425

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
8ed4161005400ed7ed8a4f8b5344b9f1

SHA1
0bf1068321ac2ab98b8620c88d780f6b0fb02630

SHA256
2f578dec08c0ac1c649a115ad376ded201f97461dc823efedad87c115bfb1950

SHA512
376ff946a9693c71291631ad4fd53a19242d71443bb54c39d38fad947ce0d840b8b6be5fc1ea2d4b62561a3fa22b462f263775b9075919bb76d533a9f0a432f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
2c80d79ab1be29fb350f4514b52879a3

SHA1
805348c77e74afb5754d3ce3715ab7277466bca6

SHA256
84a814fb07b16f4ff83a542caa685206478908d8edb3d8f6f844c6f17fdac131

SHA512
336188591cfe5424f12a07c4d3f431b57263274ce877ab3e4ac51886781ddd3c58a400844dba165fde7d97eed58836fe830b6bbaf4ce7040390b69f606d946e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9f8257033d9787bc43b5a620681088d9

SHA1
b1be3e755a5af07cc9fcfc15f6428cb7fa094c2f

SHA256
20d1e235e21fc31f6991b3c7ce03d59742e5f4d369e2305c80704814eb68f791

SHA512
ba57e4facd9399ef25518fe45475a0c052a2d1511e31a2fdc52f846d6398ce7446f488190acb92c4344588ed5b4371d44c8040d0cad99bd56b4ccdc1df2edf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
15d71a331e902808c5f8db57433c4f0b

SHA1
cd74a83abae834dda061de4005dcb1d89f4e16a2

SHA256
22a963ae18b9b881ad2a2253f08acd91805d261a687838802e2e2a88f23093c6

SHA512
0849320d4208836020432371017e99041a132d5925c5caad0de82ec261f464620997f1de4184ad3754380574ebbf89ab24299bf06a1d43ff8a5c6c734fbf9246

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
813dc15d21560b40ecd75f64ff410411

SHA1
2cdfb0f466e49c0d8ddd666992cc1401f860ba4f

SHA256
9b03487bf5c821f1f57d8044ba812902983250a58772546e2c1cb43341f224d2

SHA512
c14f2712c5fcd1b1b405ab02db46241318e86267c546da4a321e9ca09d84f4f2bff9186e27dbf2a1eddbed11356f033f9f7457ba077982e03c3c218aaa24d88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
145c592306a3b32f407093287d59cfea

SHA1
3d95ecbda925786ea54fc82f1606d7389a6430f4

SHA256
c49744f3cd1bf964cf264037e6c5673602b06b742310c85e078a17b94db546c4

SHA512
20ca8509660bf844f47a426526cae25d3bd4b3f95c42f6681fa31cce7a00382eb2b9f27f6854728c3622e65463a916cd38bfd4d9ac24392694ba2645fbbcfda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5a75b185006054d28b5d30a12f99a2c5

SHA1
593ce3ecdc789f89222af46c8732fcba27edbc91

SHA256
91da15860209e746325fa413196d978d6fd65d3fc8b5e002872aa65245b0b180

SHA512
4057756777e386e74490058cad0d304a330f368650f36a983c364a6a718b85b2bf206becd4996351b21ebc82a7195bc1646e27eba99778cb0c062f88a6c85afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
ee994aeca1ef7d1533bfe21f35812795

SHA1
fe0e88b85debf95c5979d2bf9e0e87ca81d2921e

SHA256
f52ae25959245fe8b38c7c4c59517deb051ce5b92bc61b28ecd9d887de36140a

SHA512
7e1f16fca94760a4d5785bc1155bcc74b5f81eb4050209805d0341acd1d7d6d6728b279e1a2e103017c8b39e0efae203e43eb5226e19f581006e793356464575

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d06cf0cb18c1d1cacf367f3286f122b7

SHA1
2284eb1b34a6e21700fb9cecc41130de47546e50

SHA256
bf0fb93b88d2b3586b41dba1c3e51bf86cba3e3e0e17b4d666bc20f805cc0988

SHA512
2d04b7b5a6cdbceccc8f3cec1a8d1bf5a1d35790503384f5f1ebda2506fca3a1fa576d35218a8bc0a7bc6ae52abefc681d2e6bc9e9e20fdf207bfd5c8107fe9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3eddd4f35c2b568e2d35ff12ac2320d2

SHA1
4d8074e8eaaa5f2fa87099f7fc6893d350a8a52d

SHA256
47b98ef4286cdcb460de845a7c493d62c98163e4a6e94dbaf5ba950a950e9428

SHA512
49945cf63157122bcd7cb480620e4d45e26b2386fac195462353af2d77b96beb0f8f78fcc63e6e81ef14b650849021541c9aeb1e202291fc0669d23d4b71c703

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b6ae1b23e39ce272171e73024a37b943

SHA1
6836640c21c94e7fdd9bf2df37b7b07350a0dcfd

SHA256
8f3c8c43626190143bc364fe1999cbfb607f8a78b7ae5a2e7e000e24ad581524

SHA512
8f25d413accc6c0a8c385e2cd9805bbffd887221238bb8bb8cb4d95448100257e50e349ed9e70cc5f5908b5fc7373900d6def59056fe1f610462d5da02e62ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
fa06b26d8b2b0fdbaac71b9e10a757f1

SHA1
d824b244663add3912867b17bd72c28841bfc88c

SHA256
bcfd5a9323435db7996f4d74fa4e39ce69557cf37decbccec1bc2859d48f03ff

SHA512
b8291ab9ffc33b7f049f229344a47a09342cca2a5fdf79cf3de8d40e56221efd70e0d012cafe1c5af0ae8000d36858e1e3951cb4a5ecf5c3119fc27cd8459523

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0a09dc79b69f0e7a5b6ba88a4647cd39

SHA1
ff7eb0689980da1a45fa7809690a06d0ef070601

SHA256
8e0f805473d7e152c3ce2a74ffb77464dd7e34b55c488da4cf5e0384a552e16f

SHA512
b06060e6e6e033aa9a2e9df98bf0dd18758964871e1fbfcf303add6175ae5a813d2639a3811704b59db62be2348367c8b4c7abdbff1559dc61108eec5e595b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
3a994a8bc08cdc5646d821994520c98d

SHA1
8775b39194540067eafbf150ca16a4ab6c670a1e

SHA256
0ec6f8141a12bd54c872327e35b61e763573c8e6ba97be7e539d6ebb2926c52c

SHA512
a6ce2597d1e3a2579016768cacebda06e16b897de3ada162b13c0a34f93d491e1b8feb084a4f367d481de476fcacaa8c3d228016cc49ef874f8864bbc699adca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d93aeb8ec3a8f209438a56e7fe762b21

SHA1
5f57954ab05dab516fc18d962fa8efca71a96fcf

SHA256
4c04dee586698634c946ec130c7974d7b2d1986fe368369a1f7d0d13cac0aa5d

SHA512
f35d769acc8752d71704ef56a8a082eb2d2537ebd1bfe1807934bb4a98aaf57e6d8d15eeb62c31de8b09c583a625eb3e17756644a205e49f3b61728bfa16a9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
8f966a06ee1087f589c265f6948d5741

SHA1
68fa39fa612c786cbca628e97fd9afb8b824f7d3

SHA256
24f11b1ad8ca7827cbd46e02a6173c8bee9f323337c8f40e58cf1865dd13eb41

SHA512
e2b790a48ac3d67649c05a261b9029441b3d08514d2e9609eaffe66acc04b731fab17f76613a1ffb163d9304d3e8c8fff4ebbe9fcf8a252f43516553e1a61ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6c2a9007f774f81a44df8e453b7032ff

SHA1
22df12080594a909d86b249de16fae2b9847ef5d

SHA256
e7881f3a8263d11d1b4640b5edb392ad719239806da4455ece506e31f6fa24db

SHA512
ef55df266e649359859ff10c9f39e343b66a078fa21c29cebb78e9a6c4ebbd7d531542588c01a81f901dd13e36b2e07aa7c6a09a87f38b51d65716cda4913c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
71befd642c6b5d6360849a4ecb343511

SHA1
ac3e494ffba341b9b25b43a2b78319f346b668f8

SHA256
af8aa9cd2670efaf8bee9d0cdb70bfad0c8013edcec67d4954f23751accdd2d0

SHA512
33eeb13077da954a2e8feb2d5c536c859654bcdfcf4bf11606f71fd7a8ee160b4d5718818d3d9bbda4c38328d50b01955c3a364ece2f2d6e086771961a73edb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
efaab2744b39a8474963b77cf6b757e8

SHA1
3147bc9ca08a0677dfad8bbf9b1b839ed76be9c5

SHA256
a7c6e6c8f193a67daa8f78317bb1bd858cffa7ecbeacce91b22ec477f00a809a

SHA512
430d654371bbb2c2548da4c5676728968c401a7e4c6ea4ea3366cc5af5fdbdc65a36f8488164a56e2b9a87324e9d6374d36661d7a8603bf1c057d9957ce4c54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
745af004441aa04aacde704cbc5b2fcb

SHA1
0ca9a080ea851e4a276d6659799c0be828c9b1d4

SHA256
9b340997223172c58d07dd9620c392d21bfe09c6fe4d975c6090097bb9342d42

SHA512
d15ab178cd3ab1f93efa99f642ad49677e5ad5e1bb39df9f9d1d2626180b20f3d7803cfa3b2fa4d4bbdd7c12e0b94042d5892b33a98f0e67fdc53c1232073308

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
4669b77755be2ed519317bb9dfa90040

SHA1
15c9e3d2fbd60e4685a20ade702d3d8ab554a711

SHA256
bbc4974dad011ff5eae0cab65b007cd4d9ba4be87896aff102ccc69dd098867e

SHA512
afc202568f95c41a954d69daa086300d83ae7eb2f871cddc8ae347b080e3861c128fabf4f85f0b724e607e2629e6e99637152a4bb1f4b86331c7544d3acacdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f2c5aed04d44e9001dfda06975939940

SHA1
3307196354fdeca3ac291efe74e4a12002cb7f99

SHA256
8122119c6e82dd2466d7faddb497f5e83b90102fbb9d808bb4d915fb71c3e574

SHA512
643ad663c22d32f55af69b3cde3f8813b02878a04c68e307bbe1331da8f53aee38a7f982d6ffd2ab641b2133434090baf45671b0370de455eef6bd87a1200187

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e9d808c7f6719e419e7e570ab681991a

SHA1
af8a69c900aed0e8fa948bb63eb1672ca5499512

SHA256
ddd13f65f986712827623e1f6e57890ff1d1994b744b4009afe4ea8535ecb537

SHA512
78bb122aaf6a6db1ae55c762a8d13231930cfc1f5c82d31e84acca4ee8fced3e36168e62d32acda0adebf71e9894e60c0279ac66f96d76df9671225ce1a2d0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5d15d9fefc553a7fe2caefb72fe8e5d3

SHA1
842e767bedd00dd232933871f2ecffcb0a28c13c

SHA256
52d6d8187d879932ee6866fc7cba4cd40ae17f517e09d9fca42a24af4084f8e6

SHA512
f981a306fad63dec0d2a1a9f0b35e5bd1cf43fa48d32dbf91b40c3f970bc1148d3f28415682211d1b60ef0815a5f354cb649692f399b97fd4bbad20cd37c6979

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
83fa24594503b958d266b3a83ad1d79f

SHA1
df2ef81ea9e20a16c0d62f98612cf18be3632646

SHA256
e2b0d582af28206558093ef4b844d22aa110a61ad9f47bfa6899d78ac7014d0f

SHA512
106072805923273530eceaf268c5aa10c7a3f09b7ba03585921db9002ea97e00d83d7d1b9f00f78130c4a10103e0f8ad46ce3253f4e12dee05c460200f8de969

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
ce495462022f0ed55ca93c66488d9007

SHA1
ddd4a02bae0d45a45445a02b237f71bb24791fca

SHA256
7932bd1b4ae8c1172209900b0805159985d298d1506c9ecbe6eb826e18cff53d

SHA512
56034df8a45f531cf1092dc94c9227ddbdfc4f18a6e928fa62c07f3bd5f08bd992788e40bfe7260625bbe0a2d39f6a201af84009e84c18140f768b847b70f087

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
aa3376cb62ccf62bfb49f389bd0dbd88

SHA1
0bf09248660ee936a8a7a575b4f89876576ac8e2

SHA256
0ba173f0e903cd83274ffd04ab0ce213c34deeb2a0f202f60287eb4121e4aaf7

SHA512
80f7afa2db591d9ff6db0060c3d77237513209be66e5edf106379d044e08d69c93e9f8870454d147cf8ac10955d37192ed12f3d4a9c654c0f21bdb4c93f0dab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
83def2f8f29d972419ebe053be017bdc

SHA1
7152f503816cce77285a511d7bfb4a1e6894d6b7

SHA256
7fb339ca1cfc8b0f3358bb065479360149b1850a3564150ba0c846a976482c03

SHA512
d06e96f6f392f539b49685429880fafced63a49af70e2daae88ece26cc3af98a6759248ec1e439cba77e86a88b267fea08afd304ca9a5e777e320db39c0b9daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
ae44d04e0d76a4b145465301382b7be2

SHA1
726f105c6afac70362949e5aa18bd28c9ab58fc7

SHA256
f99ee4a5c5359184a130971ff34d3f84618d35853fb4183ef09eca7d7f1367b6

SHA512
204ec51323ba4bbd9b3b39e2d3b5e9f2be2271a8b796d08af28c08796021480ce207db3a529f71776286d12d70ac5fdf7f64d32214c25bb22217d9545d946521

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
b568e7a7154745d6d5db01c8e1f6f5a7

SHA1
e8dacd376f3f130a2b919c1572111ba8f7e26ea3

SHA256
89343b5570b3316c55fede11371196c6a99cb5f253779878e9de4bd15aa4e53d

SHA512
4ebdf1660d854c9f91860026af04e637b869e491cc5b7ed52ee473d2399d0ab7b1b6066742bb149dc5cf4e84d8eb2bb9c256adcb3389e18a4c4c4f5fb80edbd1

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
387KB

MD5
fa2f5b6df76d495ccaf044381c30159b

SHA1
7fd2137b801222520d34ddd9ae44a5f9d03a9c25

SHA256
7bc7dbb2d42e923716e2b9de8c8b445964042cc757e012a4882fb002d6627f6b

SHA512
e872752dd08a53a5a82ca609598fc538dad8a73c19b255401e4b76d4cebe554cd13c46c0890d0df6422d28b46e21ea09ff4e2c79d0e05c9cc712b91d346d3bbd

Download Submit
memory/840-1772-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/840-1593-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/896-1816-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1176-272-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1176-271-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1176-550-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1176-718-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1308-25-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1328-1652-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1328-1325-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1772-1991-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1772-1797-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1824-2127-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2064-613-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2064-587-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2092-933-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2092-1108-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2092-2595-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2112-650-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2112-749-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2132-1697-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2132-2783-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2132-1497-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2308-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-566-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-20-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2308-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2332-2573-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2340-656-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2340-759-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2340-1827-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2368-820-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2368-988-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2468-3113-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2536-3048-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2632-2049-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3020-2192-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download