cybergate | 19ab4d81c19c298a1b357f3120dcde0b54b2ad1d322651cdcc0e152dedad29b8

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Size

792KB
MD5

04ca64e87e716190461fa9b3a48d1584
SHA1

ade167ae18bccff1afc1e3a89f8c851535d5a30b
SHA256

19ab4d81c19c298a1b357f3120dcde0b54b2ad1d322651cdcc0e152dedad29b8
SHA512

d0e7bda0996f9427779cb18ab831c54a142e5648981d58b138149de2385ec7f5a07cd41ea1b5ac2a5233a068c89c7add14bbd555264122f32940fc565c39df76
SSDEEP

24576:IlX+d7OQkpz2zGnOBzw9eONZnAUjA3VBl8d:IlXiOPzfOBzAeONZnBQk

Score

10^/10

cybergate êáûííííã discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÊáÛííííã

hackerooo.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
java.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\java.exe"	java.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\java.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\java.exe"	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\java.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\java.exe"	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	java.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5T558W1X-742F-IUAH-AKOC-CQWR14R5M1J8}\StubPath = "c:\\windows\\system32\\microsoft\\java.exe Restart"	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5T558W1X-742F-IUAH-AKOC-CQWR14R5M1J8}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5T558W1X-742F-IUAH-AKOC-CQWR14R5M1J8}\StubPath = "c:\\windows\\system32\\microsoft\\java.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5T558W1X-742F-IUAH-AKOC-CQWR14R5M1J8}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5T558W1X-742F-IUAH-AKOC-CQWR14R5M1J8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java.exe Restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5T558W1X-742F-IUAH-AKOC-CQWR14R5M1J8}	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe

Executes dropped EXE 3 IoCs

pid	Process
1812	java.exe
2500	java.exe
3452	java.exe

Loads dropped DLL 5 IoCs

pid	Process
1280	explorer.exe
1280	explorer.exe
1812	java.exe
2500	java.exe
2500	java.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\windows\\system32\\microsoft\\java.exe"	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\windows\\system32\\microsoft\\java.exe"	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\windows\\system32\\microsoft\\java.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\windows\\system32\\microsoft\\java.exe"	explorer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\microsoft\java.exe	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\java.exe	java.exe
File created	\??\c:\windows\SysWOW64\microsoft\java.exe	java.exe
File created	\??\c:\windows\SysWOW64\microsoft\java.exe	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-9-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
1812	java.exe
1812	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe
2500	java.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	java.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	java.exe
Token: SeDebugPrivilege	2500	java.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21
PID 3060 wrote to memory of 1192	3060	JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:856
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1612
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:3724
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:752
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:304
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1064
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1268
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:668
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1656
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04ca64e87e716190461fa9b3a48d1584.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1280
  - - C:\windows\SysWOW64\microsoft\java.exe
      "C:\windows\system32\microsoft\java.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1812
    - - C:\windows\SysWOW64\microsoft\java.exe
        
        "C:\windows\SysWOW64\microsoft\java.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Users\Admin\AppData\Roaming\java.exe
        
        "C:\Users\Admin\AppData\Roaming\java.exe"
        6⤵
        Executes dropped EXE
        
        PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
58d9c68e5a5ed0675be997234180a0ce

SHA1
fe3fac521854f663cc139bae94576a10749a7940

SHA256
4eaef4a5827fcbc35e3954560a427e217b3ae7c364a4bbbd587e7883caf6db99

SHA512
4c1959549eaf3c90f25ccbac2494938073e4dab58dce826571fb39ec63837c60e7ac8518bbea6c312f62d3daafb2ef6458e04fe68d3a3f7a88f3b40afe053516

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
29ff48af17ed561d7b13694ecfba08f8

SHA1
5ffd4ea690a10bfe562d6dfae4bdb6aef07d550e

SHA256
fa1f61a0d1828774300e55c39e717ad6cea2e37943fc4f95aea96ea026efb700

SHA512
3ea4eb07ee1df68f1642eb6234d8b5f78d88f027b897e8fbae55ab55e3a9d39d9cbe1ad799f8965360365b00915cda23cc72f3c6db38308af5c75c4237c47335

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a06da07d9b8f3a3677608c9561e26db

SHA1
c9a701fe293c75f2b94928ef9dff948bf472105c

SHA256
ab90148137401add5a9e2bd9cac6b8aaf2f8235e1d4452437463766efa963820

SHA512
474f38075b86418c338971a6b80e33a822eb43ecf5e9df281b6fc2db0c71a88da1ee72dd8b925a2546a902a4412a06656b8acb2de066b58bab4f9e3c5bf2da32

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d7d5936982f97d17f0eb22fce97faf1f

SHA1
d0964ec539aeb9a5b1d92a87bbe1f6e8c547445c

SHA256
a6dd773558cd3b1c003997e4995ac7399f6a27b137a800dab8240a906d0af5e8

SHA512
4b60b57b543d7c1a0fbd0de226bc2b141e8860df9c44fd63d21d32104b8089095e890d02225b9a2a453e8393a7ea44940d53341546842a7c9e495b581eadd878

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3ad21ab7ff1000ccb899fcedeadd0d2

SHA1
53fa72091700f8099f15c21025abf8a0fe5c558e

SHA256
f037c0111e6c57e9b621a6e30c0bd89362025549e12a91300484faf90dca2ba6

SHA512
f7f8cca25b07748ff397a851907a57b22916e517213c39f7c7d282d9cb6cee799d959e039ff3fb4a806e031c13c33c7cc73086989f4675244a0476bffcaea029

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86426e70727664d2fc0c17b19fc339b2

SHA1
caa46f11a1c4fc4787508db0a0a978b110885316

SHA256
1947f9e40de9bb96c825b9bc28a6d880c2a1c38f5ef876e0191750a902249db6

SHA512
57aebdc8f0760ab4b613f34d94e17a75f57403a07c9baaf80fb592c70ffdbe22b62371abe76f8c6f86c5d4f804e43a460de56dc21d562e9f334133bfe2683c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
53cecb635902d7f3ab42f37351633d26

SHA1
fdca11a7f8df0b7b474c2d7986096ce48483baac

SHA256
74734800028724e2e7aa0452ebef24fc1134681c6be02debce8bfca28ce0ca74

SHA512
a7c2ed8e926aaf6b360e5759358c2441f8264c8203a8b6b4c4e53aa3ac9d2ed1bb792a121c58559085b09bfb7bc3708232036ab6d8f5e47644392b93aef129cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
05c9b273cc72fb640b5dbf89ce2939c2

SHA1
a269f71d032d69ed103f8186952088b67ec8a2b0

SHA256
abb24fc360549f9098822fdff2e506ddbebf24ebae61bcadcfa7ffa496ac2cab

SHA512
2ee0ab34fc6bf936d7bb1a2761d291c432ca27e7064f60c266395ab20d7459999cd6f982b10218c8461841b635e60d4bff6167e16367e80bc6ae6d50e664f9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81e9fde044b9d214612f447d7fbf3f4d

SHA1
7cd7d635841f7a8a904ef879e67d2718be23ba8f

SHA256
bd2b6bb9c336e95867ffacf3ff9984a26861606e123d6ae324f4d820a7ab1fc3

SHA512
613358929487332aaa2a4bd4e47ac76d78b0110b4ce018163bdd14b860c46cabd9bbb8003f7c6fce4584f1c59b3456eb3602a027c20366b00fd17b4c3f7c981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6c9a24c09f86b755c1cd172463def9f5

SHA1
70c0f6b76270096b55983a51daeb51b6931bc071

SHA256
91357db2d9805175462f9f53b0d0f83ad581b775108c93f5658d1e188e975337

SHA512
a5f629d37681578d465b52f44f0c99afe28467c8d90ed95e0a7bce4752d4eeaef8c4126ad66237741b60416f7dee6c4be39fa0a9d271ddb44b65a9615b5c7569

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f5039bbb0c9842e7e5d4270694ec93d3

SHA1
78d16d08c4568baa5e57a5a159ab7451dee02a14

SHA256
3d01cc8df5e927a43a4ccd7fec96cd487cd7b6296df1b5467ae9e183d616bb38

SHA512
f5ca9143f4db678714b25cf329a493cbbf7b2b0729e21e3b415b7176fd45c4b1fc6448138a5587e2b5e3fb7a5b9d545678c1a02fc46c5431bbc730f579d23f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d2a088461cfb57de21a6d8cb341a373

SHA1
be0d4c3a0a108dad63b5ddb824dd8eeea010470b

SHA256
c0654d71a18f4f3a7fa1cda5deee257c029e8d09afe55da6de8c58f1a977d724

SHA512
c086dd0ba6d5048b76b7752fa3e3d3b9dd9bcfc21515e0b3954c3074d7a7bcfec16379a771db37348cd17b42260ee7d124e7ef81792c58ea75128efa5b3e6911

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9fa3d3d5da2ffc74db4056e99a1e301

SHA1
5b114afd90f44b8bb1b1dfd84422322fd4bc932d

SHA256
86343287059bcc07e108b750685dac3f57be6e0eafe22866209d90b235863bad

SHA512
90a304be46e9d5953792a02e0178ce4350d1dbb03d98e9d68827edb39d297aabe1c636c7d3b78c2478a67efcd9b500792fa156ef9896b0aa5b68b505659624af

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7c6c0755c5dc9b1193d53d96d4b7e2ca

SHA1
52a464d9b16f7ecdd35fc3bcac104cef84c03caf

SHA256
bb682dcd2cf8f4c2a446b3e83e1974e9950c1a2e262e61252b60014fc4df90bc

SHA512
e38f813c2f862f189bf87abbe35197453d80682e71250ece9ac37ef9e33c318cc6ddebf896943faceefbf71200c1732fda3104cfdb50bd5cd493e97a19f12ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
953d4a55583576fc65f3589741f73fd2

SHA1
d2d68d1f1850210eac0b9b851b78e2556f6994c7

SHA256
4c43c023e1a059a0e21fcea49f6c43fc108e17f521115345b754af3ed25fded2

SHA512
dc721e8118ba07f24e72649b1982f4898edd951fc8e96d5e76da696cad74557241c38d42581eed7794523cedd3171689ceff3258fc9052382ee88a5ead3f0954

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6ce0a5a0f51866041facf961fbaf7f3

SHA1
d89f4df332ba86ae0a6679768d4541dcbae1cfca

SHA256
57cc6105dfb82e94dcd21234ad47feddde66b72e57fc02c27939daf781dbcbed

SHA512
0eae780ddd3b61894bff29abddaceb33c46a6621eef39d2c584c32a5bf45435bd1ce3def1bb4cc93f6ea3d058f1b34bb70ee35b07cb625f0ef206d3270c11053

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb7eb55728de631444d9adab71e5d02f

SHA1
8671f3c14ce44b3ad113b2ddbc81d61668c09831

SHA256
4c743ec67f76a179e49784eb501399e833857a6814c7bab5250e897b7c4f3865

SHA512
034edafb2a2a212ac4796edb74c56632ff11b95561853e8138e59e08bd7147fb1097c2257663d7be12d2cb9cc5bde4cc708c36869513e7cf65466797ded0cb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
43dd30ede73c35f8fea16264e36e1f2b

SHA1
24a743b23109a6582f947f4c770c7d4044eeaaeb

SHA256
90f5791082610b07fb6779991ba5d23e99aa46abe3af7b70137f038c5f021fe6

SHA512
0036b168c10e30d3cf26c6a5db434030e60bb1126e811d96af8813296ff22e734f64c99aafb00140444afa5a2626bed235d2bb70b217befcab1893b99f8fb289

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
15cd02367fa3a18233eb2b730037b00f

SHA1
01ffb4129231e8cff3a53a07cb626cfee06a331e

SHA256
6a26ee1bd2f2dca500ed8167fa57ec9d4c502dbc7e97dc5413a564a6b7306daa

SHA512
6c11b8a4719a9bdb5cd804375d65c81f93ff7613d71d1a1c275ebac833cd34310525fb635bdd4056d1131d5db02dc7a18b443b653e75c2835d9fbfac3e712434

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5f8cf2d168fab27aa3414c8bb15abc1c

SHA1
0b71975e17bf25b8e60bf4e61f31ecf1bf407149

SHA256
807a98af7da510dba3bd5bddc4b7c3645c1bf8567593dfea99206fb65499ddc7

SHA512
001daa36f0f1beb4b3d10e938b360f2d7f7094514f034100e72eebf9966493f7d9935a575e8bd24106d76e30f579bd50b8b2e158c284689dc98b6ebd9d0bde67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e340fcebdb26cf15bc468eb83fb9b2e

SHA1
8efffb74416b7a7e8e7e91d5149abd35b3f58465

SHA256
62a57ce9cee07c760e7c148110e2ea81f1198b841dfc988532c8a73d5de96cac

SHA512
7ee8308a21c0825cbb8270a9e1bae67927e6e351645d027d18086bcc822f5ee2de5d8e5c025bd29a14ad4c952c3707439e240bfd6a51264b55846854ff055467

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
585e89890161bda3bb2f6f637d73bc23

SHA1
eee6aa8e0246f2902f7bce272e7577b037b641a3

SHA256
bb185108d94c54ee1107f3f46b9735ccd8999f2e1244ef741f64efb64bc73d3c

SHA512
4b378c0253ed8f7f9ab8a4da403df6aaa2359fb613dac3161a3cf9106a713093ce49777a99ec61e367bbfa60c70d6f24c158986840ff4b01de6ed4d86e18a00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ed1c9fc8e418efd0e2bd5a278c28fc6

SHA1
63278844c2d952f02f5ed40bcaf2f81948d74fb1

SHA256
23e733fca2b919cd8c521032d26ab0d380c2c85f54d70d9baf559872caffae20

SHA512
0a3e9e2507095bd586a26abefaac82e8968d4692f2729acfaa62ccb9c9673ca6480d8605eec534463c187c65f4f74a009970b87a2799cd879821d80e7871bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8cf8058c0c08fe8b0d3b8e78eb16e5a0

SHA1
e3e0ae31d5aeb6b249b30111250f18820b2a8a48

SHA256
b8c62d9cd5a8dee6d8bb5782f602630e6c5ae04de70c555135a4c3beb9fc2805

SHA512
56234624ffa0c4ae9ad6607548ba3fe73b94ad5fff70391a0943d542c0930769bc22ab08554b5a3209568a6af0b4715d1e9449350157214b9ceeffe0fd06777f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
09f97d76072a35bbf88fc2b59b902648

SHA1
58350f1e154fac7adc94819f53f3589853305a5b

SHA256
af02759ca11d6d2aaa99039daf43afd88f38a2dd6a4e3cb4b53d1d13063a8956

SHA512
d41a2273a3ffec553e85f30301cdfe351b42fa8144d9fc10ae719ae5e664831f2468a7af414664247ff841af573b0d789e0b1b08195637d413cfe80ac551a461

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
baada5f8226a51be437b2aea2b3987ea

SHA1
6b890b63a8a36986c6f5b8b3d27d6ce3f1d14d53

SHA256
1fbce38d5b6b3cf83591bcca174831a30f88398b7bc884a136792052b4d263fc

SHA512
46c3e06497262f7afe7b6e72998f689c513aec954f3dacdb2ce7f55ccc8fc369b3425251c7417da423b655854248269bc1e75a6c456b4265d0dcb058419bd4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4b27d4e889fb4d72d535eec18ecc65d

SHA1
f856a97220b8c7684ff7298abbb1ab4c7f7b35ba

SHA256
e10139ab3ad4b3b7cfc099fdfb568863092f286aa50d2a4ad414b31bf073975e

SHA512
727db1cf4f1c7daca05ea5170ea0e545afea001438001be35e669e651bc84611d2c64f1fc35413529ac72ba7923eaf049fd07ee9ef742b4f513f3323288459ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
759df4285925be23447a06e1a619fb49

SHA1
4fdf106006eb4ecfc7d87f0a41897aee59a20a0d

SHA256
461e3f0137d97e3e3864feabfc8818ac7711cc662ea1f5ecf73efee983bd3a40

SHA512
547db456641f91f40f0daa1d02a5e95d97129446d8ef88575d22aeb26637f2c8c6ad30693da3d197fe46f23bf8f767741fe94a4050adec2e89a9bac8bc4e0bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
498e7fb46ac73d195aed5e8ff2e4462e

SHA1
f06b7b1ff1df09531f3055ab6e0f27a1998ae6aa

SHA256
e4d603408399c61405c92721555b25167aa980d0f5332901d97d29ad00ec2ffe

SHA512
e1d629b95b60fcf9a9f5bf625ac252971e7f527aed8de136e793a1099855a7b0a90b3d7b8a131830c316654a708bfcf62847e9442d3b8b5e5b45965c8decd287

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a36e4b4482e6c2a412e60da91d6ecf8e

SHA1
c5fa19230ad6e6b4d8cd8689b6ac379151f947c1

SHA256
f06159e3ca2d833cff6303afa1c9957b034910307b2436b46569ddab88592347

SHA512
91ebd11e0b7ae3e88afd9873774efe2d22e06024794211575556a579595f51880ae0558c2d242b1499592ffecd8ac6b989d763fd207aa0dac410b4292d440987

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
83568fe667113d34260952d4d1c4f064

SHA1
ce2ef8f6d8ac3ec515472fe4425853c2d73113d8

SHA256
b40f026159611bef4f3791e8f7451f58c3e2fe326c875f31a7f8a5710e7e2ec6

SHA512
3a8ea8c0dc8aa23d68c2e39f5e9a7939a98ff0e963e6a622d8f7d2460d9c1a25a8b0d284e27a1e9632da7b872213cc418fc4e79b4398bc35c7a1f008ae79751b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
471e48298183daba96fd5161c7b16bd4

SHA1
9382fa0a69ff33d9aada0af73c8625015f6c4090

SHA256
d4584dcf6e2e378f898dee3cad5f1a212d6138a0221ecaa2c7d7bc766889f749

SHA512
15c8fa159465a01da5b58934e7fba74570168912e2d6cebadb5597eaeba173002ad7b9ffc1d7981ffe9f49be0adb00eb6da1b7537af199db60695a174fd3fd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dd74859e7c6d1774ed5c6a6c97f60cbd

SHA1
9bb2b21bc99b30e474034e5dbff5b9b42d77879b

SHA256
fc5deb8ba77a28f54314f74430deada8015cfe9faab4ffcb3f7125b34c306554

SHA512
069ba1c8abc127897248c3ecdb7ed825a76f59e1362bea8cd5be38bc31a966a2f944351ebdc63e0e5251061e2b25e5b8b2d69e557986c87067f33010c1b39f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a9e4e97b51de5dbdacf444c467f4064

SHA1
b78b2aafe374a026c19bcdd0466195b99a095422

SHA256
7a0664977a34ccf3494951f5b20b0b0fdd56925b65c760a4d4dd6d31be88a62e

SHA512
259f74ac723a2093f7d9c506126482314ea3952bedcc3c54944361ec380d6c8cad6a0ca7d06ce625ea132f1f451a3f51f1218a746b9c1e64459117ad0cdeba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
81b52518c2afae6d33c908eb8f3393db

SHA1
02a0943f192a6e8cf55a9a614fe08db980ce0aa5

SHA256
bf1dbbbf4fca5b8b55ae54ab308bb909e17c635612c7fa0483264f74c18d305e

SHA512
390fbe1423579c43d97ac06898fdfa8d0cea4c9079d26738630c9fc00b4ff41ae4118430e405c32345273805df1d80ebb735cf4adc3fdc82638ce34b6b368edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df550acc2cfe30ead1e88e171f77d240

SHA1
8b15174210fa902bce36c63433366a83feed17bc

SHA256
d4345c323bd4e41e4d717a7b92218e891ad62574a67c6f4f1cde9cb4dfdff306

SHA512
b6baf2803097a393f4be0f61ffe3b280082e51ba9851b865f0d36b5778fd8e4cf2a4c236647a37a6dd3229eeaaa3667037822c46b52ac557d58e378fa9d748aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
56199d62b4b861d337ebefc6468d5439

SHA1
25880e6dfe38e19538e9e4359db5a983225c7094

SHA256
899d0a91a788d0a4aea483ec9a257e773f70aa40fa135b14aa55c8dcddbfce82

SHA512
d458622d7b7190e0719b182084a4c5eab841ef49464c5ed5623dc733c89a8d861aa7eeb5b7b67e9ceb03011d7e96cca3d805c7068102ecbb5b5514ebb6ce0f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95ac4b996baff4508b6da5d14afa4ec5

SHA1
b1ca480bcd3093aab9ce4f0000f7b2dc45e59883

SHA256
075a1b438f04ddc15b9772d4c044a912f8f8d67d654e44f0d671941182628823

SHA512
7b75d282556dbdd11a843e4da3a26bf1103fc409a9d504ae1e22f5520e6bade3d0c038cf7f332aae874a1563a854d3bb02aa9009b42290222c3c1d116ad22c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4f33d9def82258e19fd9c96f3829048b

SHA1
ab176c643134617e85ab91e912478709863f235a

SHA256
407d935986bd659025382a314d1db54f2832a9ec64f78b34d19ecf7bfb0253b6

SHA512
cf686636f56b9a1a10b39f3030b96b4bc8911b3868f4b182eb62db91fe90fc6b01d28cc85789b5725b0585348a5390946cab9a34b99fd9ab3d9c4e5dc5340415

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\windows\SysWOW64\microsoft\java.exe

Filesize
674KB

MD5
de02c1fc012173f9de30377d6fcc6476

SHA1
e0b079d91f53359374e6256305e81e54fa2f2d84

SHA256
79292f27aebaeadb2df2fd8fb6a125ce6aa9f751ad7049cdd66d8af87f518cd9

SHA512
f7cc4ea6ff842967673955def3d95b7e9bcc848aea9739a79833ecdd04522f7774ba7d9679e836496a74ced841718d5b1775eb2939b428b5b2f0cd41581a0e0d

Download Submit
memory/1192-10-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3060-9-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3060-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3060-261-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-572-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/3060-573-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-6-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-3-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/3060-4-0x0000000077A80000-0x0000000077A81000-memory.dmp

Filesize
4KB

Download
memory/3060-5-0x00000000757A1000-0x00000000757A2000-memory.dmp

Filesize
4KB

Download
memory/3060-2-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download
memory/3060-1-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download