cybergate | 2476f7b7ef5ad3c5c55b8f367d63875d1e3a3f402a7315e8071b9f4dd3566891

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Size

284KB
MD5

848c9bf91f695c6af28cadaa862140e1
SHA1

369b43275f03407c3d01e50ef4d30555488aee8e
SHA256

2476f7b7ef5ad3c5c55b8f367d63875d1e3a3f402a7315e8071b9f4dd3566891
SHA512

9852d61c378b500d349843125cc32f9c66634b934e7700389868a5c126a9863ced8c3f4f8af630bfd2a3af4e1adbf9ab9015767e810f0bc37376a91300dd4eea
SSDEEP

6144:3k4qm4VgWSUQq0SHSVOBZ9SydFhekft7WNzDGvgreQ:U9wZbq0Sy0gWFxNWN2vgreQ

Score

10^/10

cybergate öííé discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

127.0.0.1:288

127.6.5.1:81

127.0.0.1:71

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
5
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.server.com
ftp_username
ftp_user
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
download file
message_box_title
4shared
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{FH6DHM67-6JM1-64A7-TC2E-C74I8NNR4G4M}	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FH6DHM67-6JM1-64A7-TC2E-C74I8NNR4G4M}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart"	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{FH6DHM67-6JM1-64A7-TC2E-C74I8NNR4G4M}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FH6DHM67-6JM1-64A7-TC2E-C74I8NNR4G4M}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4412	windows.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/896-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/896-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/896-64-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/5076-68-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/5076-69-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x000b000000023438-71.dat	upx
behavioral2/memory/896-139-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4412-564-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/5076-1487-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/884-1717-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\microsoft\windows.exe	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2452	4412	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
2452	WerFault.exe
2452	WerFault.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Token: SeDebugPrivilege	884	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
Token: SeRestorePrivilege	2452	WerFault.exe
Token: SeBackupPrivilege	2452	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56
PID 896 wrote to memory of 3472	896	848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:800
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:812
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2968
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3776
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3864
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3924
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4016
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4112
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4244
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4580
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2752
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1744
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:376
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4968
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:5032
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1968
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:3280
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4812
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1288
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3748
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:644
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3012
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1852
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1884
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2484
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:4980
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1508
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:1736
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1200
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1568
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1764

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2608

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3380

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:5076
- - C:\Users\Admin\AppData\Local\Temp\848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\848c9bf91f695c6af28cadaa862140e1_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:884
  - - C:\windows\SysWOW64\microsoft\windows.exe
      "C:\windows\system32\microsoft\windows.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 576
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4756

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4412 -ip 4412
  2⤵
  PID:3040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:212

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
f564138c1424fd83743046bd51fb8d65

SHA1
9452ba54b8df0aafd7f3608e5d8985649bdbeee7

SHA256
6bc1d36b0a4942f8504976d2924406c2ac2145b1f295cc9c807629cafa872d76

SHA512
4a5229813c04e4bfabe6754008e6180253cd679cf68320df11fbee6b5eae5ddbb3cd8f91f5e4d741b40297b39037c3d3d0e64ea2ee958205cf42797b876ab89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9f1849b31f78030ddb9c735813aec2a4

SHA1
f611fe7cf6621d0cd7d9075471542c9500d33e19

SHA256
5fc0e4e5b0c2b8487698348f93579f5a44db0a1ecfae138938f94dfdc5f4f107

SHA512
6df3f2a5dd1730690d5c9dc93d3c95620ef38f527f0e24fbb8560693fa2ace2c3e5876be9acd4c3c811368234f88a8f7647594e15a8a464ada7ae39a0c0bd213

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d012d019b15e4706c8de241712d3464f

SHA1
a14ca6e19092f2f50e98fd1757b30d07b77398f2

SHA256
4652fb34faadfa2c39005fb303bbf7aa8896bf74ef961674cf93485b31806fe0

SHA512
f062816860223aae08561a3e30adec6bd912a21eb8d4ce4d1fe9785bef589dd30bcaccd27cefdce44a7136aa268c3f45242b14c0c5bd98286a9e72ca6275bc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
85aa47bf0cbb4235295b5ba7dfb1dfb2

SHA1
c6a04f5c41da517c397ce39431cd532bce7bff39

SHA256
3fe07787bc77d666ce1b33ed79a91a695ab68e0d955438aac65b267eba3c3786

SHA512
44ad60d0671d9da89d5b955d68eab24ae19d576a6c80026d80b3ca5d93be5289cff15c8b065da260757bb89736519b4a6d4225a4863b8bbb1a1d582684d64791

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
93998c47f33ebe9217d4b056e0e9b074

SHA1
7218c26b5a93d37d516594f515b6ea791fd4e582

SHA256
24d2e071fcedeb60fa309749343d19c552a76bff5a251ff555e7e8f74ce3997d

SHA512
e0ec001bca36ee32b30916b724a6dc4d5f67f52407a8965f8b126c727a723f13441173239ee4c52155aeec9b1dab1c74e99ab0ad7cd02a0ff07f3720683fad70

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f799c35aa047ab42c011ced959d93832

SHA1
2bab7c6b2169eeacf17e977586c99af2b5374145

SHA256
accec71efd2be1b700e239dae56ddd5109628eeba6a09dd54a394a679d622f1a

SHA512
90fe82128862e2d11c36b54281e4c810e46ab250d125a9c30de2d994d851c725eee7f30ed4d5a039d9eeea5238956ee850bde2683c24f5ccc3a7174b33468c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4ec430c523c836469ea491aa8903d285

SHA1
9ffd43da822f44fcc957c693ee1bbf5393d05596

SHA256
17f924c0d0aeeb3b84a6eca5d59a50360c5fbf02dcbe179bc1f2edb06fd3936b

SHA512
d37c71b82e5d673b45870f5b733fe4d61c97194961e04800cf30aa221ffa4333a6abc376fe867d311afa9271c47f95091300e0d84c58709b674e9eb99388c2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db0bd89ca9ea39e0e4e13592efe269d7

SHA1
a05fa29605bbd719f7d99c305d366d9072b6e122

SHA256
c03229ed78c860c94059dbe14d6d8db9638fdc5dcaf64384effac9c87871fce8

SHA512
6f200746114dd0496ad523dd14a8b30806a941b8cb6b87657c69d68c71586762a998c56a256eb02f2a8954fb1cee5a22ac49407c1861304e308903946c64755a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5250dfe8e9b12a3f453b781899d5c12e

SHA1
8e77c5fa78a06cec53825803987a8af5e7df88d8

SHA256
3f0efb0e231e4af84a1a692e0226bd16cc24b497ffbacd7315439ab5f7cfa429

SHA512
7a8d4c0e89495562d953579a35718f0d92d8a1a160482367510e4acfef39f246cf8cfc1bdf6d9db799e9004448d23da2d0a1adbc325aa1a17be0657b5ef19554

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dfbdfd193551db697499ac776ddc89b4

SHA1
fbb55c69618fb2ed6106037988c918136f025197

SHA256
9dfc5c66f2f3202e42e9f02536c51c7283f3d1c99ed274ffbae867cd48220e98

SHA512
4c2ded5fe9560ba7be82435d851f0384571bcc812ab7408661cd061dc06ce0957f8f2546eac87a2d5158893f7651a4aac3171a2497c86a573672ecde291f6678

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7c0a8d69487ccb3f1821a78f67b4e8d

SHA1
733625e85250cafefe2b173b5baed13394b4b555

SHA256
6459598e7f180289aa604b610e5259297086e71a49b5049f0c00f2b98f634496

SHA512
2de02b4114141b243f7a82ffd38e7f868d0a531ebf456f16bf221eaf9665873edb33f0005c185949bfa9bd8d48b80cc3fc39c98ae65da350facf483ade8e3ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fb5cbbba5bbf94885a44432c2a779d15

SHA1
75faa0d840235173b4c3f86036ca952b259b8a18

SHA256
c2e746f41f254c259dd0731d9f3eacfde379c13c11fa29e101d099d57a8e99c2

SHA512
35d79b2bda88bcf22f5a27589ea7ac1412ea37e672cb6914f1c30acb7127271dec192b9f5af98d265d3b2cf55c39aa473c09c59b5151e5f2647539de0284a2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c8002ddc5e7b7340520bf6fe4aa6d25b

SHA1
55d9e4c58da61f85d68a0a952da6d914cefae619

SHA256
cc1854f33884aa3c1e47c9263b06fd56d5398dbabd18fcd0fbaca3732b26f5ae

SHA512
f1e49d89b39582afb55a67079e81d8ae6bb61f2db5b55f2d212c7607198214632ccdeaf99568aa7c84e53683cf4c88809881f40b5f8c5a39cee36bea5aaa70e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c1d164f5670e433487ccc722a17f9100

SHA1
4f7bb4b29ab62fccf9cea372659d9f6caa8b64ce

SHA256
46de5ae4e0856d7bdb56b1beb7944855ede65da6eb69cc3168098237954c8f97

SHA512
9a67e0286897135f36a93c8de5b4cb239fdce8f97227bceda81df5d59c855b272f76deb465b5d66d544221756d2ffef1e8191a5ca6566eb2a07c5e38d5a4b6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b72e2ee1c232d0e1d9bc5a7aeb6a42d7

SHA1
bc59e5b6dce51552361339969f7d322a75b34539

SHA256
08f859133cd3c6ecb4e35e0639ebb98024c6c06dd7cd42cc2ba19f2398561b81

SHA512
8c2c6080c09543440fb950a45542dad9e707a1c36417ca7279cefb12289ab55ecba420efd7a6a37a8606eedfd991d17946e5a8743d7f2427f4259c937e7bdd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ff9c10b73c539ab98e826cf3797698d8

SHA1
716a905abf68f296fab101788f3f033a563699f2

SHA256
ceb8976f2104f26def33867aba5b1e12e4d163f3f19fbff6527b0186bab114b8

SHA512
e0d7e32e480546049fc6ace5e62572ae0f5fa6819abd616e9317c1346bffee9d8567fa0e9f205e9901dd5a57a01df90eedad5082bd514e2e43941928fd5e9f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2d48658ca223a43b3cec62db49697229

SHA1
2be33d19bce18b25d6e65157d13645916313eaf2

SHA256
0c04e76a498f414ec0082b61b45a5dc00da554644863ef5c7586f4acbc6ea60f

SHA512
d4187c8612ad63ec10a87a03b78a37a8d7d99869522e537dd60212dde0f9234f2871680b7b190f17c9a70d10a98b9ea865970e9dfa3e7b75a798d73fa73a98dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
60f402c903bb561458726e054c5e73df

SHA1
19dc8cf1402fd7495b812ad088315a2b214b6e35

SHA256
44cd8a5bb18feb89c744bac42eeb303264075e304985c201541fd61dbcc6c37b

SHA512
7c3ee4a87c3b3d6b01cad3e470803972387fe6654d46fa0ca7c85accddb96f9d4189ec6335cab3f0d7276933e973901af6ded1024d6ad4f22a94a28596f6142f

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\windows\SysWOW64\microsoft\windows.exe

Filesize
284KB

MD5
848c9bf91f695c6af28cadaa862140e1

SHA1
369b43275f03407c3d01e50ef4d30555488aee8e

SHA256
2476f7b7ef5ad3c5c55b8f367d63875d1e3a3f402a7315e8071b9f4dd3566891

SHA512
9852d61c378b500d349843125cc32f9c66634b934e7700389868a5c126a9863ced8c3f4f8af630bfd2a3af4e1adbf9ab9015767e810f0bc37376a91300dd4eea

Download Submit
memory/884-1717-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/896-64-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/896-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/896-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/896-4-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4412-564-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5076-1487-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5076-9-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/5076-8-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/5076-68-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5076-67-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/5076-69-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download