cybergate | 26a0f4ad07e5dd08bf875058b74f68a8fffec03b22ec97ed3c259ee575f9fa75

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Size

1.2MB
MD5

7adca0ca09b92b86708eb4149485a009
SHA1

28385cc528e914e4ad52ffe0ace317a9d8c49806
SHA256

26a0f4ad07e5dd08bf875058b74f68a8fffec03b22ec97ed3c259ee575f9fa75
SHA512

c72aa82e2258a8103f1756c80e66f819ae82e53ecaa2dc3e9187b06792ef0a03d6f05d2e1104517e51b6cca263ef9e19dccc6b58d4b21069a18c0cac7b6271e0
SSDEEP

24576:hkOQbaniGtz65a+CZLTvOjcaKmdqww7qYGBJXYQfObizclZQG9skD+ISmHdfRN:hkOQban+MnTqcaKmdTwIBtJObgIeG9s

Score

10^/10

cybergate öííé discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

111111111.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}\StubPath = "C:\\Windows\\system32\\windows.exe Restart"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}\StubPath = "C:\\Windows\\system32\\windows.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
3344	windows.exe
4260	windows.exe

Loads dropped DLL 2 IoCs

pid	Process
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
File created	C:\Windows\SysWOW64\windows.exe	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 3344 set thread context of 4260	3344	windows.exe	35

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2776-8-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2776-5-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2776-11-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2776-13-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2776-16-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2776-15-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2776-14-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2776-891-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/4260-3713-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/4260-3849-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
4260	windows.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Token: SeDebugPrivilege	836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Token: SeDebugPrivilege	836	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Token: SeDebugPrivilege	3344	windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2696 wrote to memory of 2776	2696	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	30
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21
PID 2776 wrote to memory of 1164	2776	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:588
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2004
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1512
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:3912
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2812
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1140
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:112
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:352
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1088
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1480
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2160
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:836
    - - C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
      - C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\SysWOW64\windows.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
ebebf3450c8ddacae17959b20cac931e

SHA1
cc09ef88d52105d7d65dba17755ef3dfcfd0df8e

SHA256
45c676f6e7559f15b7fb56d466f014eba5c7aab37d2ff73dc777ef63e58b4ad7

SHA512
1ccf2be2e90cfba5d3fa2d3789712210f6b946acf9dac73a782bde73b800f4e7ceb371738533aa2818dd4a92b3f847cbfed69af9562c8914d3e7fa15890dfa2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2250d35f19e20b2be66b2636bd0c27b4

SHA1
edeee1a9d28bc60e727edf70d5e55e1114edbd29

SHA256
4d2d25d3fa40df6d99615f7944712acece66870303f16b8b7fc970d17c47a8c0

SHA512
e82edf2c8dc86c20c10a930a74bed044d889ecf3bfc6256da4e3b5902b4179f7009c08310134d33af2487bfa0e746ff10dc7c0a5b4c3706df54f9eaaf0115c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
101912be44f4b48cbce1510c4abc06e2

SHA1
03d540394cf2e4cd37bc9256c0a2b1e1699f20b7

SHA256
d1cb3c5869f1a1e86aacde465a4cacf92656f120312312f666c031cff2e64b72

SHA512
080eb6f08bcabfc977d16d7dde23dc5cac93c75de9089250581fc0dfd4a264d2d626156b3bee4a934216d72652d8f4abb9357086827663770324b360834491cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2e066cfe3b0d2d1bac9595a4c8b003fd

SHA1
61a66bc1e2bc70058ea9bde2c542ef0390a8f548

SHA256
ea77e7c8875292647a43a24abd5d932e95552aacf3e7c2368ff089186c9563ff

SHA512
93240deccc99be0fc7ff4bcc0e565db1fcc017914a48e8b386d0f3d9c77df8d72b2ab1b6d82a51f923e05e7fb23eeacca88e6e32eb183c7cf29607b5065f6077

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
57af01ff9064e5171ad04a0758f3c11f

SHA1
6b711ac77db268b36fc85cff5e7d1b36951ba2a3

SHA256
9a11ae6351d6e859f74f0402fe7efdfd48f38b2fc905c60e55dd547e0a371bd6

SHA512
766640d950106833a0abd9ad9da6221ad81267ecfc28ade8eae00f7fa5ed49bfca4019f4bc1a07aa2e84afe2ef603a6b05c31edfb10da3868ed5d29b6018e443

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b4f39b85a0674b011f66a22bfcc1146b

SHA1
adbc116e3db6c4423ad00eb49b7983cdd16e0b36

SHA256
7b1366c89f9f8fb31fd3152b6641bf5e0cbd671ca0b86fa5b79d10746609d1ce

SHA512
97b25c41a8f27dc373b45fdd7b7d34eb974f57d95e598789f163066bdb66b3c2617a2da354acc9964fa152918c3e1cb1e1eea7b0b28fc566ea367b86bcafb9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d0e2c43be15dff8c4f317089883bf3c0

SHA1
44ed07532cce51735e1482839f18498016ac6f6b

SHA256
d00dc4b75e8bed5eb79135e972b3a2e15d06f1a4a86b5c593d9feebab79fa796

SHA512
01f49131132196f0c2c42e56b1e1f180bf9a5b380e9561a3953d5e0d508b1a146b0825de063ff0cc42b109189be6d0a23ea46a357628c9f026751c3fc23d12c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
74c6da2699b207581fc4ef808b3c9de0

SHA1
99d1a9af4e51e9ef4371513a242f94909ff5a06e

SHA256
94c1f01c844bc30350c00dc9f2e037a8e69693f878ec062e75e6d57582496d20

SHA512
ef7369dbde5c77027bfc86e57cc9325c2d80e253bdf8ca363a87c507ece4dc01a9f5ac16fd78a6987b74e10bc8abd00a3a6c2924f96ee968027364126f2be806

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a85b3c01bb802e7fa91da3f2a45058d9

SHA1
85d4dfccab678280fde741a394ecea73eda5968f

SHA256
7e7e537d73f6189397a60716ca871d7a2f3499eacb92c6d4d11cfa1604414d16

SHA512
392b877d28c487bfc1864daeec1e5e3f1889d3a631635889e8c6a2ba6647f6affa290b8aec6e778951ca0bcad70202b95490ea6fa3b74df413b2f61ebce44e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
761c26b306ecbbcb0586f74aa6f8481a

SHA1
fa6e296f4ad5043228befebabcf48cc8f6469bb5

SHA256
8091c8861d81179e0519d24d61338c14b84e2639ed98b6daf190969adee9305b

SHA512
93fdbca59b4a39ee72899ae17d010b157a4c95b2ce6287a163bfb66d183717481979e6508140072ae6564bac60e2f5a808b44ae771ec2fd7a6173ee8448eb6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
38afe0dd7266ef42ada800f593b40eb9

SHA1
cde40e40b479a8e474a77839edac45d599aa6375

SHA256
df82b52aac57e9f603d26bdf61711826a20141e6a4364eef0308d0637b428362

SHA512
4ff1466df001869c7e60f6973e79cc988ae2f2317070e3f44abc85fe1a674ace55fab03e2c87e3cce7ecc74901ef2ba0e4518c3f1b52aed82112b471ad609e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a87688138900d50d57c729718a5e309e

SHA1
1a854b1a3e8b7bc53e23a1df4b0fdb2ef5c1836b

SHA256
a9817f4dc83cfdb3ca08679d269accd8aea4501db032487028597dffcd30d1c0

SHA512
7fd8f7e2dbba88b4b40a7fb139ccb8c3ca775af8734dea9e1769a34d0e1fcdd268c82346c33ecd8ec455fa68b45d3a1e962040627b1fc1af9f3e98cb65159f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
59c5c75a9e1fa7d46bec2c12399d35ee

SHA1
16b16281f21e8bb08f07b6a62dea6c388ece150f

SHA256
cd324d6a16ef2286854be61bc38248cc90b4e9698b99bacbb8cf1f67fc8c5dce

SHA512
e7a26bbd84f3017444dae4b1e98561edf619bc374e683b19880bbf92f6e2ebe5e14cc4428d9a6540c775ee4f3ae89c2e577aaae3d6efd8855623ce1a07ff329c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e8f448e8fe6a7f921d11cc77cba6da8

SHA1
9c6670b8f7c4363afb81c19c494864135ae70f7c

SHA256
e5a6290db2e0b147b1473208df913f49e18c6034b7cbfad93e6c842cb83dec10

SHA512
b63a7fd1f19b8d458fffc1b982510e8344d19476b4005e11b1c06eb809ccbecf5ea543305b51c2fd1a86fb84cd9f6ed64a7e818a400c29e04a847a8abff71b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5bf6eff2f879f06e73692eec543a07b9

SHA1
c2795e771cf7b19fb845e0fd14d5698c96fb0781

SHA256
a28781e016284ce3b670a022ddeab239bb7dd42fcf1ed5760021b5251467af11

SHA512
5f28bc470ac14c8c17c5abd5dbb4ddb42ba70eda949095787ee6d36c2ca363ddae7d7a13ca69ef9477946b53d8dc4da2e457825ae8c22b7cb4bb001598e28b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6b12f46513d41b13c57c9cb1f58f917

SHA1
6aac69cd989b5535397ca241463445acf2119f4e

SHA256
eb2f354c9fc1ca558cea6aaf21dbb9d6d605c85b93408c96b9351ad03ca8410c

SHA512
5d39fab28fc5aa665e085d7b7ff3f1c80a718b98fda6dbff5cefc7cf3198f8a97d9e397e2089be27fa1af3240ae8234aa398d8430ad33f6513260553fef816cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
543d5606b501f67e6e9d19a0b62d9af8

SHA1
a6d3f72f437107fcc850888f639a4e06acdd4c9f

SHA256
21f25139cbc856bf05a739c235b12035b80ca704bd4c1de60d68a10192b94f11

SHA512
979db1856719f45858d0cf3a421126c9f106d0b3a71156aaaefc6f8748d4c039c0f4d895f2cb6ff2675e86a002d4576318c9e5822bfd85d320af2541864a370c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef7bc1517989ab305ea3cfeed958fe7b

SHA1
9149844ad764e24561181f554593ba99d78c5923

SHA256
c5171238fe6e4a825a006885dbafc1231d77342e4f4430aba480fae3d05e1d82

SHA512
d4604cbda80d57ed1f1deb7b74d0a46affd8f743d705394dbbb93e72322121586be9bed1a210c6c58865fb106f37c0cf0226755407a1e6423cfb6d058ef491ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
43e4b79c5a088c3ffa0d9f2abd6814fd

SHA1
c7e5f867fa1ec06570d43b7f7ee8618737c3e9a0

SHA256
7eae8d33ac9a5fc4f05a66793963b8350969fd3d2b09566e817a3de7a266a436

SHA512
00e648085c6004f946c4a24b41d9405f99b174f26629614531967117a88a9a7f729874b30b4431f9d641a29959f1e18b5354bb038dba2c031647a87a0e0972a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
873f9830d15e90205ea374cb0005c575

SHA1
44bc11c1eef3a6c331dbf229e1d88c029da82e0c

SHA256
5182bd3792b4801f1f523d371975d6040771f1d11c9d410ad296b462a7cbcba8

SHA512
dc8ba2ef3d0430bfce2543979f243d7c4b52d34a0eb2fa0b417e2d06b29889b22d1193c1bc9d9dffbed272010a570a57f5d85b87e127cf67ae1d77ffd1d4e10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
56c12b26594a4f74cf89d247e6b1128d

SHA1
b76c4c5edfb2c38be93ca9bb590151beaa1f4a91

SHA256
ee21134167d5c2f77f6de5db97c503054c71223708d35c3cb62646e77386317e

SHA512
beb16753cd7d29cba65a5f06421299c080f422acc7d21964488d60a8233ca0071d65a46ba79d29ffb55bf61431971ea1583881433de6a968d9e7b3934887072e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db1286d083083323ae7d6ce8def90fac

SHA1
aa54d5c49da95b7187e51d58dbd0e1410da23310

SHA256
419108034ea8bb54eacfb0fc7b9629b2b385350f5cd3c9dcaa15292a7dafb531

SHA512
f640ffb9e36e2de1f060846cac1616920fa5a6bf74b6086e897221a4de3493e8a33a12204c74c99285b594535f4c9be81f98eb04cc976ff6949aa6e0873015af

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
166e08df54366ba28a168752ffa473f6

SHA1
d06fb14544bcb1c18365c3379387e2c89cf4eb4c

SHA256
cc638af04b2830ef2f20a5b64a3c4bea61b984af2f19d9c81a0bd4df87d8a2b4

SHA512
d80f546cd446f805794fe787c86044bc3e18b16f097e007fd058a4cc56f57d847a9f2910dd65cca9b8c49c6ca255760176f637626360bb8ce985a49ae4fe142f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
832da22e21ea9ec9cabdc41a1c29e12c

SHA1
f10be03145dd1d1fb364cbe9857ff0c3cbcd3b94

SHA256
238910639947b39208a7312aafd16abbd6013599b02413fd3cc2a8be1ec05b2c

SHA512
69c9f9049e42518433fc773e1d37434a88dbd33325f9dd56a2725a89eecd3727a7c4e46440ba10ef7f63f9b8530bcbf8058230cd065e53948d75ae008735aa59

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea8160f51a2152ad71c7a426309db088

SHA1
e80a19cb4bcba86a6532419fbac2be374dc8f9ad

SHA256
f2697b0c5495eb8709b24df391eefa9f6d51dcd891d62d4607683afefa00d8fd

SHA512
7a49ca796f137daa2c3aca437744f67f9becef06301aa9413ff6c0b53bcc0fd24d94317ebaca5ee153738b23a07561837a77c732fcdecd282443388b43089983

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
02cdcc115cb00d17ef259fa5f5cdcb7c

SHA1
e586490b23e1fde13347a4e94c40c81619e54d69

SHA256
6d2fa73cfc8f0b565fbe1e9bfa9ba937d5030c700ce4450f6b66727ddf807fe5

SHA512
77215284a9d1bf9de71e9831de2fa721578ffc61f770844c878b262ec3d1b806762ae7d0d293b0dbcb8f0e44cdb5a3c57a7c6b4d5d4fcbf43007120d4a500ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
58058d186f211cc299a40047db7df71b

SHA1
d1e2c60d2438bb15bfcdeffc3ad8cf1ca7e3ab99

SHA256
6f96e9e19ac572a6f6db389c862d17a64e53ac0005acee413cc66e107288e983

SHA512
634ef69a71117a2b1ecbd6528560654cc68589a4627a9b8e7e5ba2f58982db0fd910a51d281d6c16f3a7bb9125bd33457cb723d83d05a4c980830e583ff73844

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3409a81370e1e10e9d7322232a30cdf0

SHA1
511f64bf09c56d205b714493dfd40acd01e70b3a

SHA256
7a05fd4fd3a524cc5cb9f1eda4a675029eae6c68a3d2ae7f515d490338eabaec

SHA512
183270a4f544c1654df719abf24562aca8372d95b456ef6de9059448fe371a38547e03969562384d718756a4972829e57b201de88734892400cc9ad38694984e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ad19a2819a59d1d5c089a1898d7e4ad

SHA1
7b5c886d867fc1de4eb8bd10442446a7b5216614

SHA256
de71d91ecd8bd6ddbc5bdf3badd5542548a99d338e3b3977df3d47d4015ec951

SHA512
42de5910374d653fb38c513e3ca0ba3a295a6d9c79febfb04b7a4ea17b90bc500810a572ad1eb226b0a2e4a8a0d9112b9f3f428764d7c3e68b2e018ee38d2924

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ed21e438f1cebe55f7d8d395ae93344

SHA1
ef54714538653cbc53f93ef8ead590b2061c899d

SHA256
f004161b09eea1c04120815c69fb6fb1ccd6317fece54232fb141374290f4a58

SHA512
995f7e59a781cb22f3812524a246ff25d7702472c92c7619b2ea60c398dcea8e81c68953c2e294c01653ddb1255f12dfda19d9182c7b55488ce9189bfad11c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5bbc092a7f3b9845fdf4d7bd26524070

SHA1
084cbe765dcb5b8c25b9ce713e9297df698f4be0

SHA256
76cf2d6ee550e46f4ed102fbcbe9ab4e0a532df80e3ee5ef9e44ddb1453c6a55

SHA512
e37fc93a504381f8162b4aade5af695cd8dd9017791ee596f9a4f33a102282ab1c6ea5f811a8671abea384c2e6b75ab92bfa7e690f60adc657a1ccfe629e4fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f7f9b46592b16cddf848b01554d09ba4

SHA1
b244ee3c86183cc32a6ae1b04d77ba78f19f31bc

SHA256
166c8cc034e5f13da302072e15974341d29da9b5fc840bb22a2c4f48095cdae2

SHA512
a432f2da5892757fd5104ad411f44ea7d04968b6a82f565b0f0c057ad99e288b5b595ce5d3804a8e987a5c1617b8d5317415738d23b1f40c887948500c942343

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e96c7c21fcf1cf87e179f545ede35b98

SHA1
dd1425d490e07b01b986114dce92fd77964a6bd6

SHA256
15c909d109dce8bf7c0d528e483d6a9670a0e42e942140fb00cbfcece9961814

SHA512
318d3ba3634c03cf375a043987acb251ab83cd5d717a2a8068fd3354ad9fd24dc62ed5941cbdc642d9bf4360b500c14ee5a9025012e97f646aeacb98aa4eb343

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fb093b7be3f30079bb60774e307387bb

SHA1
f12dadec03fdcb9077cf54aa40d9327e62fa3280

SHA256
4d95f1685bf0373780bb1f3dc03f2e12515ebeda3af55c422e9903a2880cf9a8

SHA512
af92325a95b2bac7676d8ab220e8f109258c891d5e1579f8f51092f3da07cc8849db04939f256638231f7f37bc06bdfb403c297262357121722b305ae628580c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
560d1deedc9613add8771f3790a0bfa4

SHA1
09900037cc2eb0dbfa9b130ee065c33c563a3d21

SHA256
3c0383c5811381ed8b511eb62648c19319aa9d1d2f30e749d558e861b7905816

SHA512
1022c25462046017a5305b9ea1309960233901b13d1496bd43ed7ec707612deea79d76e1e2a7be69c5a4cf6dfb2e064a06c6a907ddc4f7d7d6997db6d66fd92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4af7f1dd40a7c93572882254b1d82d22

SHA1
07115ec9f13926d7212072528c1ef6807f4bf5b3

SHA256
8a1e27988986f5b45ff274e8782548674b91528cca339fc1b2d5506625b55d4c

SHA512
f26b9eaeb1befd37dcf910020529cb9c00bb07564b7f7e6d83f1bf74c7a8099c72ab75557a0fddd7045d3782a8459e70cc06bcd9ccb93236c2450f9cdcde6928

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
111e57c5a73c91fd9a4b30aca23e719f

SHA1
f1041050f3a08d9f96f592b5b1a5462e187d59d6

SHA256
15dfd67adc0efedbf62ed12433d781bd15d31e586e0836b85f40bad3353fdc47

SHA512
0914f1bc43a7926a1bf764a1afaaf2624ea1ce77ae9e11ed351796b232e684e6be45ad2e1ccbf7d7eb248594cd18061477781d221927944d0277bca4fe8af7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e91d497ac4a66836d71d6214bac887f8

SHA1
1a6940075e02475edc0198c1d25a58b7325c6b1f

SHA256
3ace788b576b1043c159a49b5e007f939109ccb8f664e5484c51e08d40b281cd

SHA512
c1cfa2ba4d47211b00f94f661d77b558a721604bb38d799e584370ec42a5aa5909149c73a790b85715b5d38e1654b64897f820147532e75e624fe799db638711

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\windows.exe

Filesize
1.2MB

MD5
7adca0ca09b92b86708eb4149485a009

SHA1
28385cc528e914e4ad52ffe0ace317a9d8c49806

SHA256
26a0f4ad07e5dd08bf875058b74f68a8fffec03b22ec97ed3c259ee575f9fa75

SHA512
c72aa82e2258a8103f1756c80e66f819ae82e53ecaa2dc3e9187b06792ef0a03d6f05d2e1104517e51b6cca263ef9e19dccc6b58d4b21069a18c0cac7b6271e0

Download Submit
memory/1164-21-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1424-557-0x0000000000190000-0x0000000000411000-memory.dmp

Filesize
2.5MB

Download
memory/1424-3841-0x0000000000190000-0x0000000000411000-memory.dmp

Filesize
2.5MB

Download
memory/2696-17-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-0-0x0000000074601000-0x0000000074602000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-2-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-5-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-8-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-3-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-15-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2776-891-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4260-3849-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4260-3713-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download