Analysis

  • max time kernel
    8s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-07-2024 13:00

General

  • Target

    22734185ef6b7e63867812097af90491_JaffaCakes118.exe

  • Size

    781KB

  • MD5

    22734185ef6b7e63867812097af90491

  • SHA1

    0d951fc18d489a15099375e2953c44cd47fd11ba

  • SHA256

    889068df52de03555ce97cf810e7569358551ca89ff92ab6f96f53f7a82b8d47

  • SHA512

    e5bbf1deb040b20ed65cbb9ededaca57d13c355f177289647dfdaff18cf18aeccb002ad5c6ff428fa6644c60be3f0ca685076cc9ab8e084e5e41a7d3477de472

  • SSDEEP

    24576:Dsth3qgzXd4o8Yfpq1161DRutrS9eAM85V0981:D6NqSuo8ep4S1MKeAh5u981

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

maske.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem (Portuguese: "message text")

  • message_box_title

    título da mensagem (Portuguese: "message title")

  • password

    abcd1234

  • regkey_hkcu

    HKCU

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1112
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1212
          • C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Adds policy Run key to start application
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2052
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              3⤵
                PID:1032
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                3⤵
                  PID:1744
                • C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe
                  "C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1816
                  • C:\Windows\SysWOW64\spynet\server.exe
                    "C:\Windows\system32\spynet\server.exe"
                    4⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Executes dropped EXE
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • System policy modification
                    PID:2940
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:1760
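
Worked example (added here; it is not part of the sandbox report and not code from either malware family): Python detection logic that hunts the execution chain shown in the process tree above in EDR-style telemetry. The event records are constructed to mirror the report's process tree, dropped files (see Downloads below: the dropped server.exe carries the submitted sample's exact hashes) and both extracted C2 lists. The field names (pid, ppid, image, path, md5, host, port), the benign-parent allowlist and the filler hashes are assumptions, not data from the report.

```python
"""Hunt the CyberGate/Sality chain from the report in EDR-style telemetry.

Added example, not code from the sandbox report or from either malware family.
The event lists are CONSTRUCTED to mirror the report's process tree, dropped
files and C2 list; the field names (pid, ppid, image, path, md5, host, port),
the benign-parent allowlist and the filler hashes are assumptions.
"""
import re

# IOCs copied from the report.
SAMPLE_MD5 = "22734185ef6b7e63867812097af90491"
C2_HOSTS = {
    "maske.no-ip.biz",            # CyberGate, port 81 (dynamic DNS name)
    "89.119.67.154",              # Sality
    "kukutrustnet777.info", "kukutrustnet888.info", "kukutrustnet987.info",
    "www.klkjwre9fqwieluoi.info", "kukutrustnet777888.info",
}
# install_dir "spynet" + install_file "server.exe"; a 32-bit process writing
# under system32 is redirected to SysWOW64, so accept either directory.
INSTALL_PATH_RE = re.compile(r"\\(system32|syswow64)\\spynet\\server\.exe$", re.I)
MARKER_FILE_RE = re.compile(r"\\Temp\\XxX\.xXx$", re.I)
KEYLOG_FILE_RE = re.compile(r"\\AppData\\Roaming\\logs\.dat$", re.I)
# Processes that legitimately spawn explorer.exe / iexplore.exe (assumption).
BENIGN_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"

# Constructed telemetry modelled on the report's process tree (PIDs as listed there).
PROCESS_EVENTS = [
    {"pid": 1212, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE",                        "md5": "00" * 16},
    {"pid": 2052, "ppid": 1212, "image": SAMPLE,                                             "md5": SAMPLE_MD5},
    {"pid": 1032, "ppid": 2052, "image": r"C:\Windows\SysWOW64\explorer.exe",                "md5": "11" * 16},
    {"pid": 1744, "ppid": 2052, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "md5": "22" * 16},
    {"pid": 1816, "ppid": 2052, "image": SAMPLE,                                             "md5": SAMPLE_MD5},
    {"pid": 2940, "ppid": 1816, "image": r"C:\Windows\SysWOW64\spynet\server.exe",           "md5": SAMPLE_MD5},
]
FILE_EVENTS = [
    {"pid": 1816, "path": r"C:\Windows\SysWOW64\spynet\server.exe",       "md5": SAMPLE_MD5},
    {"pid": 2052, "path": r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx",   "md5": "33" * 16},
    {"pid": 2940, "path": r"C:\Users\Admin\AppData\Roaming\logs.dat",     "md5": "44" * 16},
    {"pid": 1212, "path": r"C:\Users\Admin\Documents\notes.txt",          "md5": "55" * 16},
]
NET_EVENTS = [
    {"pid": 2940, "host": "maske.no-ip.biz", "port": 81},
    {"pid": 2052, "host": "kukutrustnet777.info", "port": 80},
    {"pid": 1212, "host": "www.example.com", "port": 443},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_self_copy_install(process_events, file_events):
    """A file written to the CyberGate install path whose hash equals the
    writing process's own image hash: the RAT installing a copy of itself
    (the report shows server.exe with the submitted sample's exact hashes)."""
    by_pid = {e["pid"]: e for e in process_events}
    hits = []
    for f in file_events:
        writer = by_pid.get(f["pid"])
        if writer and INSTALL_PATH_RE.search(f["path"]) and f["md5"] == writer["md5"]:
            hits.append((f["pid"], f["path"]))
    return hits


def find_injection_targets(process_events):
    """explorer.exe / iexplore.exe started by something other than the shell
    or logon chain. The config's injected_process is explorer.exe and the
    report shows the dropper spawning a 32-bit explorer.exe and iexplore.exe."""
    by_pid = {e["pid"]: e for e in process_events}
    hits = []
    for e in process_events:
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(e["image"]) not in {"explorer.exe", "iexplore.exe"}:
            continue
        if _basename(parent["image"]) not in BENIGN_PARENTS:
            hits.append((e["pid"], _basename(e["image"]), parent["pid"]))
    return hits


def find_c2_contacts(net_events):
    """Connections to any C2 host from either family's extracted config."""
    return sorted({(e["pid"], e["host"].lower(), e["port"])
                   for e in net_events if e["host"].lower() in C2_HOSTS})


def find_rat_artifacts(file_events):
    """CyberGate's XxX.xXx marker files in %TEMP% and the keylogger's logs.dat."""
    return [(f["pid"], f["path"]) for f in file_events
            if MARKER_FILE_RE.search(f["path"]) or KEYLOG_FILE_RE.search(f["path"])]


def triage(process_events, file_events, net_events):
    return {
        "self_copy_install": find_self_copy_install(process_events, file_events),
        "injection_targets": find_injection_targets(process_events),
        "c2_contacts": find_c2_contacts(net_events),
        "rat_artifacts": find_rat_artifacts(file_events),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCESS_EVENTS, FILE_EVENTS, NET_EVENTS).items():
        print(f"{name}: {hits}")
```

The hash-equality rule is the one least likely to age: the C2 names are dynamic-DNS and throwaway domains, but a copy of the running image landing in system32\spynet\server.exe (SysWOW64 after WoW64 redirection) is the install behaviour the config describes regardless of which build of the RAT is used. Tune BENIGN_PARENTS to your environment before deploying the explorer.exe/iexplore.exe rule; on a real host explorer.exe is also started by userinit.exe at logon.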

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

                Filesize

                229KB

                MD5

                e9fbe7ec9d02221731ca2fc99026a0e2

                SHA1

                33a7a01b17ab72428c7ed4b5930fd313dd257eb6

                SHA256

                9df31f8949f24692c9226e3dc125897ab6087be7a24b673fee42bfb46281d4ef

                SHA512

                e0a28f3f0eb35f4fe4df306f5fd2a2318587c028ae3b9f7a48553be181fb888d0abba9d632418adba3714fe070749fa079d86852f6381a909199a18b8abb8397

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                8809db84c4430ab581ad35afcb151607

                SHA1

                60402156b4fe65a5f4c3be8a92994942aa24b932

                SHA256

                f1bf1cf506704dcb5890187a937afeaf9292556069e018c7c04d9e0053215157

                SHA512

                6cdd9561b06c230f4783c628d127c551085f1978afeaadcd58f82934c1847cc3699105327dbcdcaeb4c9cf61ae88f45b9a61aca6c3898a63eeddfbd2572da0ff

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                07c3bb63b743819f6d8c42c02ed0f5c5

                SHA1

                dbd5bb08dfba8c41718ef401f943693a072b90be

                SHA256

                b4c5fa8f6cd326e30928e27e2a8c274819844930f7bb2f66c2976755c552a18c

                SHA512

                ec70d169a53db544239dc56de7a88876745e373e6c66423b5e0262db61a0bb9c137953e006b5cb1e8bfbc19076e3d2956c4f54e6811e21f81d401348bff1bcd5

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                d9d50f8ac5e7e3f4ba70607951a49c42

                SHA1

                57d3cee4a8a8d0cf8d1ff35246a246d6da920a7d

                SHA256

                f49b127c2786d37c68d349572ea9e6a00bb41822cc7aa6b71733bb35df8b0912

                SHA512

                d0e69411fe0780db032a5dd11da3021088c5e81099c104b754202dfc4569f88fd5f6dfe09d7fc9255df3c01d292f1b75b8173cc6f0b143d4f85cbe48a17b1c11

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                ddc9ddccfd960a7adc56af82e14447c1

                SHA1

                f7d0c951f9a2807874891bc9f61b058a0175c588

                SHA256

                ed54e6e1ba246e6e69af8f213b0ecdd37124b7561c60bb99391703b340110e7c

                SHA512

                9c32e9d59dee5f247e5122f3e8a4c1930fc1f6ed38f5cb7c022525f9a642683431dcdf8c0da1017b069a4208d22ab1db023030a54894b98530362dbb4b54e546

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                5e7e97e93d5a2d449623c92d4ef18ec4

                SHA1

                95d89f6f8896196562c56644ac4c0adfad007a29

                SHA256

                ee8f2fa91a5522fbb50fa1f36b613939bc3f840644993d72d0f52516b0c8d345

                SHA512

                8e5075910df01f2e099b9aa4eaeb685d2c15feca9dcb916d0bcb9efb221daddde12efcda96df5bc505ffc921cfdb2ee1c4ed86b27ca7de9c567201fc5e2b3b91

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                fff90d773695d7bb78916199786451ef

                SHA1

                36d33a5d5073289057dbf5af3bb210c7c43f8dde

                SHA256

                cad8d895bd4be4a3c9285cc0af11fb96e4d0fef3ea5e9a20355f96fa9ec65a7f

                SHA512

                94f3caefe8e8abe4f88470aba65a2f80d07c0fbe3bb465d89066c30a341d1cfee79a963e20ec9ac6d6e492c7eb7c87ddbb9165ceb27e89c394a495b8f01e5b0f

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                4106be2a3bcb0625a2738ac34dc5fb6a

                SHA1

                d14819c2009cc2357a678d5d61289150e21c83c3

                SHA256

                2d8f1ce7bcea695f8c03e85f1ed52f7d8ecb7ba6ad535314f9129694f15467db

                SHA512

                f497a77d443d27250ed3387b281334ebb88e534bb035ac67c0fda666dcdee6484948afc59aed61c44dbff9832e84b46f4d22c7cce8e33b3399d141e3be16c77a

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                821d12b51832acfa3742c09be58889e8

                SHA1

                f3efafa9b047f814079112d3abc68242e48b98e3

                SHA256

                fc3f27f7c5e2d38f87c5557969397b8da752fd108856f907e164ede9aa78d31b

                SHA512

                b1da915d5f59233bbdfff2790e81f1664ee173219ed1dff72828ffc490b29f2cdfbb2ff97cd40c982fa6f59f173d91929536beba1df9855fb0b0be4418cf93ae

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                d60951f32eb6357bbd29a09c6528c31e

                SHA1

                d8352d55c74881a1183e73247e37d361fdb73b0c

                SHA256

                f44bec15a669ba3af5968dfd1b3fb0ba6c7e7c671a2f04d2f30d5a9edd3bb6c0

                SHA512

                0a6ad4a0416d9b484a0f0085eaef9df66eb9abb350a0ab6e24f6f16c769a3cd6cfce4eed10d3222682b77130272e5854a1c380be997441353bfdeb57d880432c

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                462b5366ff9f51d5a8f5580199cd4baa

                SHA1

                9f8d584b38b80d6ccb389557adbda2d00e88ce13

                SHA256

                6e690e38cc8596ff5713e0a2c62e427ef814973c73d0d32efb5993b421e36298

                SHA512

                817d9b6d5655ea4ff626f56c6818ce43cd86d8432b6f2cc04ac8f7fdce169d8dd187be54cbeef49c737d23182700e13688fe5af2806f0b288a2f0cce488e4123

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                440279dbb26df16d9b7d6f8888fddbe2

                SHA1

                ac951d0b36fac90c3573af1c4fcd3a509b3074c8

                SHA256

                15c4e8696a603fc4fcfbdf7bc1bd7531b1064f706ecd60e666b29c7258267f2a

                SHA512

                73be8d0543459455107db4ac00c08bfdf1403d265a7233e2d2ed7f56c443ffbb4b4063168985b2c12c5faebf2a5a53d986a34038fb7e94a7e6d87cac8abb1cbb

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                5316088391d840138fcf999a46e6edc7

                SHA1

                232a44aea627a39d7e14330e06f41dfc1d5eabdd

                SHA256

                b5cf13dace21aeafcea97066c91042f75168f5dbb3417694ad550582c3b8d1b7

                SHA512

                15bdf7cee37ef490f13e3b2a6685d2752f761414cd4bcdb0630a31cad2c826f6f35cf6fde18550e98f751e67bc935bea0f4439f0637a0de48bdbb877abd02592

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                c7815494aca5b6b5d8fc6b9182e52f9e

                SHA1

                554d74b7de9f637cc065a1728bc27fc28a763301

                SHA256

                808e6647327820c48cdcb2dda0c4be21011314d62b35616833d391f7b8039f96

                SHA512

                16712d1009b593d53bcbc3b6ec007a2b753ac509d820f216a4be35270d4826624f365b73d3832f3f768dd0752fbce8ed2ccbe5d2f2072591f3d2a11aa38f1d44

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                25e9b7b304727efb449be79d706fd48f

                SHA1

                6371fc1c6c830d3bb5e68fac9b1b312b72a5bf26

                SHA256

                7b73c000072e4d05e2d74fec94489e155ab21f82443e62dfc44c377ddb9c9810

                SHA512

                1cfa20ed006c33106321d7beff56e4a4d22bd13336afe4a12f03577876152fe5c7d504c22e2e6869125ae4381b2079041fe886a7b876b6bc77c42bf3a2e87c41

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                cf7ab68f1e3e3495b96590dfa33f51ae

                SHA1

                db0285d2bd254bcc35ccfe0070be29cc8df83a60

                SHA256

                7aa59dead148a3ad07137afa9d416f0ae232a8bf6f23fda160cc57a312062061

                SHA512

                9aa236fa2faa09011333e4e9c08c1e958c4c9cbfa4e6467b8e90f926a4b6cceef93d49e46ae024e882eaa7560410d1c5d357e8b7e71e24268b2de29ab1364f4d

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                f3dab819696b1f1568b76859fb1e74e2

                SHA1

                01d578a10a9c4df9e87f28a1310b7dd6e1e45a35

                SHA256

                cc9f8eeeefa4e3ac543cad9393985ec9aed8a1a15f59162f0501123e1a944f45

                SHA512

                2812a3a1daa8b1ce533f34d6efbe302e674778a8dfc681137f7d4a2355cceed168c56dc8120f8081ffc5fcffc8e27f99f8b8f66c0bbe2a39e9cca759e4c14025

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                409e6010fd596259e1cfb3b463b71dee

                SHA1

                46d2f4ade24b4b49b4c3505f88d31df26e3a6b32

                SHA256

                249ad2d1c3ba4ec0350dd2539a227192dcf19f6b1f9dfc397e1c4acfb71adac8

                SHA512

                2f4945691e4660912f4dc74464a519b25e73960e4ad61e69d250b01015803992f6d514931b051cb8adce6f9203c0d6093a54bf6a154ad70fbdbaf76174b41a2e

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                41c437053102b7a4a3859113c224e018

                SHA1

                c0dbb236baeb2278c4e775cd7a9a9a4e9de4395e

                SHA256

                8cb7407fcb11e42d1ebe64f0cf3213b1652dc5c2ab35d7405c34622c3b559af1

                SHA512

                8c6f60a5ecbd44491154b4f2ec98aa56569fb78d120bf41ea6627adb86151304007dbe59f68b33d96bb5b6ff80af6493d3f95529c3e7c39a7d1ed3d84922ff75

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                97a1e6c2ad77afa7b1490ea26236c265

                SHA1

                3ed075c9908215802572728584ea739252772763

                SHA256

                bebeda0ca2f8b1e7cdc96274b7d361ceb02eec2b6ae2fb648efc7db4f243f31f

                SHA512

                cae609a616c2f5f363a74fae9594dafdee91fa778e54b85a663e2a5d8cdb2db3da8364a2873fe3376e9490ea6a3d31f4fc6c2951027b7c8f5bcc8d5e272baf06

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                25a039a9812e4d8b627c4f49147d0dbe

                SHA1

                0d4069fc3c868759a263dd721c97ddfc8a85b4fe

                SHA256

                97bb3e55626c2ab2ef1db10896e90343fc482a206acf4697c2092e754f7cfa54

                SHA512

                8cffc67b0c1893dad07d70ed6666efc3125166258829de00f649e17b4f494aafef8aa13ce339913d5ef10f4d1897ad0ddfb17769d89d17de6608035bffb8e7ab

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                a68e514b12a4e998692e3a0bf9bcd192

                SHA1

                5c0f8e3f152881f799f9af9856c7486747e3ec25

                SHA256

                4d97f0af946db8230493cc2f57e971c6e7b430815feeb729bd021be117afceb4

                SHA512

                47924d6e13b6ca9891bcf10f3d6790c3012ad83c8615e9996283b9cf3e6f8b0109a28ef77f514d797a8034878b09441f525a59d0264b7f67b69ec8e57d03a93a

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                787336ebee22abe42cd0de0a54e779cf

                SHA1

                b993694bc3c774f44fe1320e9bb7390521515700

                SHA256

                6baae3db93a0e8b6baf16c1fa8d923422082c1ad712fbabe62de401a31a99968

                SHA512

                a6c061870dfcc9335d13cb37b98038fbfbed3278d207857aad1daf35e2342e14084d0634b25dcfac802b61f3e2f6fe19fee5a9fd802093eb195a4784fa4f0a87

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                27c4391ef62de105c6ae442fd375ed88

                SHA1

                2f064e9e870ab91603094833586a2a70844e381c

                SHA256

                1251c0128a5e8212ecad8be8074c8a0e57c7f9aa512fa588cd49af55a9f74a92

                SHA512

                76e6266178d396e5e55aae7f78103945b2535c0c4a43952dff4186ffc9f41c19aa968983f95463a77c59fc3696cdf0a583d07cc1842a0a167601c0aeb498cb67

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                02d4c2fdd441651f5aa4eaea31be2792

                SHA1

                b463a31b0e2597172a8655d73587c91b7fad6a24

                SHA256

                0de6bc2ebd4dbdfde16f93b08fd4517fcfa8122e941ce107cd62df241557ac77

                SHA512

                323d5d632eee3022c78792e3631e5bc901f6ab52a20d7b4ae246d5ae3df495853fc0624559103dcfb8826eb94eb2364425b5bbcc499001617a2a1db75282c3b8

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                0d9cd10aa730e159cb6df2c4f89064f2

                SHA1

                5bf084f2078a59c041260d6da0989308ac2e6c47

                SHA256

                d37ee5d85a17fd1b72dae8187f29c199adfd6f47b456eed56b2d1638d7ac48aa

                SHA512

                58514a7904af015ab2442f7c8fc2d13895908264525548af9f40261e18e5808cca803f8ed2c68f9fa6c1c9c8841d91831e614e7edf2f419342585e347e68b437

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                b7475673bf7121279a1ec6d5fd077bce

                SHA1

                3392aa5aa5fc372716e5e1614b2ad1216a54126a

                SHA256

                989153dfdafa82bfae565f83b35a321fdc7cefa5d521cee5dd32b28abec7290f

                SHA512

                f040331cd72126ac91814c227d5b485f5de93e84cc6259e3937942d79f8aebf1556c00806875b2713808473a8cf6500ee2e5cbb15255c9ba8747ce1b49fa0a01

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                669e29c60dd5da3570ec5eb53660b143

                SHA1

                54a64604dbe8b218d60a70a8cacdd8530084317f

                SHA256

                65a8f11f1dfdaaf1889572991060eb897b754b9e6bfcd9863fbe8a45326a9dbe

                SHA512

                d9ec0bff267e3445435fd9bb8a2b91c2ba77b34e4e428e7b2fbb118105e0ae09fa9b0284cf125c16c31ef9fb13cc67a3da490c475040e06ed2a3791dd9dd8c7e

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                b3448010e591aaef2279f5ce3edbeeaf

                SHA1

                b762fd4688b3e8f0fac9a54bd4c6d53d7efa2cf7

                SHA256

                780e6d4c0374ae7b33d75455393ed668ffbede08e08b53d30047e7fdf905a64e

                SHA512

                985a1a586c77f9191c6c41e7907f0ac3ae807bcb5edc757e53dc397a33aee330e591da8008576b10c8ad6b374b9fa0e6ae8e58585b1af04bfb4b5ac0d741b4fb

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                f36b30cc958e10708300c1589cb96af7

                SHA1

                d13177a0d93ee182d5196af8d9bd72cff1fb4300

                SHA256

                8def2b2b5abda38bcf8987571a9e6ea60be765f77af821c5873f808d4032f33c

                SHA512

                a2140c9ffead4d56c37c161caa21d680b2ad4e1e3720666c8d28e8b005b3b1e13e2d33a031b8bd0e67fde6830da8b87b3376cee2e847620611cd1f10b4634ad1

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                d8dcb42f104ff4c541f300d1d9953a24

                SHA1

                c2a3df22765ccb6a04d3d2b108088ef4722eb5bd

                SHA256

                647ef443457893aaef94487215e3eb7c94969e4d0e8f93600e038cbb0513bbae

                SHA512

                7368729db0ae9bac8f61b1dd8892408d3cb0d059192800a5f60ebdfc9c8f17b0f531014ffce5c99ccc87993381fcf1135211ec7b40adaf3b946577f20f00df0e

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                dbe1f98468fb89f0f6e18a6a40f60e9b

                SHA1

                a40d7c6578fdd150e16aada79b2c5be320a205b2

                SHA256

                ae96a66463e0cae070f840e5c9fdeadf29c423ca47095741335306fd40061c4d

                SHA512

                a950ad414e40642f9ac7a8b212eec0f85aabbdfb7df242f73e82eb35e518c4bd6e1bfa1970b182322af81f04f21d8781b395b202cb85a782ea628534269fc1b9

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                96cbc12aa8c2f18387b5d473b1532626

                SHA1

                3507ffe9cb234d3d0972871a1e9a1043776b72e1

                SHA256

                ae2f9a8de5253760b4bf0c18c149248c289fe160b357c09dc0f017436286a8fa

                SHA512

                1adb12a3b5db65f3b2fabf629b417ad203fe0c68e02618f904d7f9f5b8d18b4cd6a7a19d981605c64d17b70fb4e8aa6f8540104b6db72fbd0a55e5a2b698a9cb

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                1d06469fd13dcad64f3a907603d5cce9

                SHA1

                b6031a0ca8b19e91848ee8769fefe7964261cc41

                SHA256

                11a50beb5b3e11042aecae944c4f944f4c70c9aec25137d01f9aa0248ad3776f

                SHA512

                0fcfb3a45d9d17271f48c6ee1dec36f5d9b511ee6115c9ed4baf2d3eb2d00e9d66739b12124e081a8ccaefad0727eed3053f33f7b39894caab12da96e4c48da3

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                6bd490ba4a98397690bcf43e59f8d943

                SHA1

                657baaaa676867ca5675032a7acc56816ba21c49

                SHA256

                827693d65da87f04f39128eddd398c24b92ae969aaefb8df4b1ab56a7a656cf1

                SHA512

                937f22ba20464b9dc38904436331d2c4116be3140fb55ef2afb89bcc7133ad94f6a2cb33f449fb9d38c8b14d754489606bbc553de2039d536580f56cf900510e

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                022c0faca3bd1daafc8d63d822a1356f

                SHA1

                1cf079ea8cc8d524ed962e51cec56ee8fec383be

                SHA256

                636bcfea421ac834ee06be51ef91cd18dc394143763130e72b4c42af2e39071f

                SHA512

                754bceda2d82da8fbb24f703d260a0db3bddc81800fa9ca62a07b72fbc2d2ee4eade67559ef16aa9307153d78a8e59e4a9e0f84bb24bdda97638f659270d378e

              • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

                Filesize

                8B

                MD5

                1c92a0cbef59bebddaa7127e9c7e486d

                SHA1

                89bb55b7ffd0880706d63153f0b6ea13202764e1

                SHA256

                22c8d1436141bafb794e712de9c6948983d5a0878a6d81b6dc37dfd1209aba92

                SHA512

                7750db0c5ce0368ba4b60911f2036977a4a28f17f8199c84f52fd8ac6f23a1d606e5207bfc8ad5ffac1398dd71edd0a255c6d6661569831969f25ba913f116ae

              • C:\Users\Admin\AppData\Roaming\logs.dat

                Filesize

                15B

                MD5

                e21bd9604efe8ee9b59dc7605b927a2a

                SHA1

                3240ecc5ee459214344a1baac5c2a74046491104

                SHA256

                51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

                SHA512

                42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

              • C:\Windows\SYSTEM.INI

                Filesize

                257B

                MD5

                d650d688ee7f166bc2fa5ebddfe04449

                SHA1

                f9a52bba916f81d4fea356d0d3c6683d595a86d8

                SHA256

                5db995ef2a7f67fb066c23a88d57655dca86e70f38a332429aef7305bf9f8941

                SHA512

                c4cedcb3880ab05f072d3930a1e8f94281f61c5a58dcc8e52c1e282e619597870a50f173422363892cd220c2444111f39e5fae1183c22b5249e1e6cbb93189f2

              • C:\Windows\SysWOW64\spynet\server.exe

                Filesize

                781KB

                MD5

                22734185ef6b7e63867812097af90491

                SHA1

                0d951fc18d489a15099375e2953c44cd47fd11ba

                SHA256

                889068df52de03555ce97cf810e7569358551ca89ff92ab6f96f53f7a82b8d47

                SHA512

                e5bbf1deb040b20ed65cbb9ededaca57d13c355f177289647dfdaff18cf18aeccb002ad5c6ff428fa6644c60be3f0ca685076cc9ab8e084e5e41a7d3477de472

              • memory/1032-556-0x0000000000130000-0x00000000003B1000-memory.dmp

                Filesize

                2.5MB

              • memory/1112-9-0x00000000001A0000-0x00000000001A2000-memory.dmp

                Filesize

                8KB

              • memory/1816-632-0x0000000000400000-0x000000000046A000-memory.dmp

                Filesize

                424KB

              • memory/1816-1786-0x0000000006AC0000-0x0000000006B2A000-memory.dmp

                Filesize

                424KB

              • memory/1816-959-0x0000000006AC0000-0x0000000006B2A000-memory.dmp

                Filesize

                424KB

              • memory/2052-27-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-6-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-4-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-0-0x0000000000400000-0x000000000046A000-memory.dmp

                Filesize

                424KB

              • memory/2052-19-0x00000000002D0000-0x00000000002D2000-memory.dmp

                Filesize

                8KB

              • memory/2052-8-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-3-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-31-0x0000000024010000-0x0000000024072000-memory.dmp

                Filesize

                392KB

              • memory/2052-26-0x00000000002D0000-0x00000000002D2000-memory.dmp

                Filesize

                8KB

              • memory/2052-28-0x00000000002D0000-0x00000000002D2000-memory.dmp

                Filesize

                8KB

              • memory/2052-25-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-631-0x00000000044C0000-0x000000000452A000-memory.dmp

                Filesize

                424KB

              • memory/2052-939-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-935-0x0000000000400000-0x000000000046A000-memory.dmp

                Filesize

                424KB

              • memory/2052-24-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-7-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-23-0x00000000002E0000-0x00000000002E1000-memory.dmp

                Filesize

                4KB

              • memory/2052-5-0x0000000001D90000-0x0000000002E1E000-memory.dmp

                Filesize

                16.6MB

              • memory/2052-20-0x00000000002E0000-0x00000000002E1000-memory.dmp

                Filesize

                4KB

              • memory/2940-1002-0x0000000000400000-0x000000000046A000-memory.dmp

                Filesize

                424KB

              • memory/2940-960-0x0000000000400000-0x000000000046A000-memory.dmp

                Filesize

                424KB