cybergate | 251f12028df54d184f3e24944a1a7834eb2d9d333f7ab5e3c61b9bbddf2b2a2b

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Size

2.8MB
MD5

8b2b3e734d448c4f765c9486e720ae80
SHA1

58d4b6aeff37e40dfe73cdbc4b06007e2e1f5bfb
SHA256

251f12028df54d184f3e24944a1a7834eb2d9d333f7ab5e3c61b9bbddf2b2a2b
SHA512

1e4d9e92077ea2c46488b2950cf954c33c65589592df7ea5cf9ac1e63351a589b94d447a38502fd5354eb3d8a87e9449ea63dc59b1720f3c6f328ec5b4d815df
SSDEEP

3072:iGFKquYf0tG2YR2PWwzhh3dODlc6ru6/P9C2qMRXv7Wbx6Mf1rbVLsIQb2Oz4n0i:iu3mG5G0lc5GS14VgCI5

Score

10^/10

cybergate vítima discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

sa3eka.no-ip.info:1130

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
azerty
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3V38KOJ-464W-113S-0NBQ-53Y3SUKI2TE0}	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3V38KOJ-464W-113S-0NBQ-53Y3SUKI2TE0}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart"	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3V38KOJ-464W-113S-0NBQ-53Y3SUKI2TE0}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3V38KOJ-464W-113S-0NBQ-53Y3SUKI2TE0}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
3324	server.exe
6644	server.exe

Loads dropped DLL 2 IoCs

pid	Process
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
File opened for modification	C:\Windows\SysWOW64\spynet\	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 3324 set thread context of 6644	3324	server.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
Token: SeDebugPrivilege	6164	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
3324	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 1052 wrote to memory of 2044	1052	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	31
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20
PID 2044 wrote to memory of 1156	2044	JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe	20

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1684
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:468
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:10344
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:21200
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:760
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1080
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:876
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2104
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:992
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:292
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1088
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1168
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1580
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2860
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2996
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:3216
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b2b3e734d448c4f765c9486e720ae80.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:6164
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3324
      - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\SysWOW64\spynet\server.exe"
        6⤵
        Executes dropped EXE
        
        PID:6644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
602KB

MD5
df19b99daec41dfb7d220371e407690e

SHA1
424ddc0f5d311f3e4fceaaa31f8cd61661665f4a

SHA256
e36bad782009a6a678ba73252d38b0769edf38599d2cc5e32415341563b8d679

SHA512
7f5d803fcc4a1948a9c2b483fee9deed39aada13f299a0782cddcf52e7e9a9f7c1bee6326c5f0ab8995dc4c890e953eb678843a3198e2743590728e0def0bbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e0e0717cf67bd25c07c76b318104f4cf

SHA1
952bbb707871987856d6a6c5e6b0c6f82549a031

SHA256
5f1243fc560e817ef91e67f21d3a457199fcece8dd867c2af398020bbd88adbd

SHA512
f977b22acd36136aa1630508f3b378ae9755258636307d4e57c7c9a6a8a3d9d551c5be1076a96de20fef629a499e388da5df79e6c4c8bdd04869aeaffceaee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d02f4068a7ab3eb30c525cd87a3cd15d

SHA1
d920ff5e154017f2d1032ebd6545b54a3d6c50e2

SHA256
07ac064b3ab0fe55323cfebb11b16c9f26457a632ab4e9cf4277e7b30e5a5b29

SHA512
177946f48dd0eecf1bfb4557cbcb334ff32fe076579086b49bda98ce745ed4345dfc62173cfc6d54a89844abd723c813a12b2e80d4b31bfaec013d41777a1fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3eb8451134da220986eacedf3c2df026

SHA1
847fd79561d542e1c7e45a3076a4bda4a8c5a603

SHA256
e54061b6a3b4b2d4e1ee8e028a0f91fb529aa1858fad7a09b1da19d6f9bdff91

SHA512
a7c61b6b1d43463297e04084b972e2f679b8998284ee31d34a4da3c8a6225961f6adf1f9310d65970acf6cbb327eddd5e6455ecc45acc863adebc0d86103c638

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d73a606eb295736f848acfa6903d5876

SHA1
4a6a7257c8b1858fd1ac81d4cc00f7ceac91cfaf

SHA256
4d92ab9b2ceb863c43224bc04a6209908ad29ee2891aacd975e6a2d3d20b2190

SHA512
d48f8d24b9e43967583ba3293b841bf2be417ffad38c0565d83fd068ce8ddb9c34fe60aefbf3f7a757cfbaccddddeb7c97e85d7ccd67337fd86120de1d03e87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
146095e2b86319848364729e3688500a

SHA1
54812b522b277056a761a602a1520938120b217e

SHA256
bd97dbd8d24b3b5dc08316c8a681b71bd77472c91698d4393edf373cde795d29

SHA512
7f061d82d48ca7378ddb3d049db69fb4d85af324e1a5ee30be454deac3121c6ed3f9d779b5d854489cd6d5ddfbb298de132a44c88c8789eb03ebf847e89cd7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7c6dbdfed4a4e89dd6ef36c2951b10e9

SHA1
3c8008f76972eb3b8407b2d8eaf47708f706be3d

SHA256
d2b46e1b018650e5457122459272a7ee27f5861c875cdb2f1e6578b40dce8eae

SHA512
dff4031a3c56839715c289f89b56c698e0f936d1892a3b97cdcb7828b0b13ba96631427ea3cf9f84f0aeca56f3c5ef5efc5416a10b9b6203a49d266e86885564

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9cbe5176311af52cb3cdd57c29a990c

SHA1
6367afc24ddc29afeedb8a68846cd34b89c87b78

SHA256
1f0532480170b207d936fda961e0070944d21c1a1a8f3f51d50fefae89ea0bca

SHA512
7cf433ab50af191b65425857749b58249dd43937233344be5c89216b5f7ef8db3ca32ae201a2b41d712fca56142e7ac9a60467c47863cf769149d8531278e223

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fd53a42223096c51a00fe7e6aa285c4

SHA1
956bbea6809e6f107506c5bb10190cb78cda6d27

SHA256
dd5eab89d5db53644de32cc0e344bb672f74f286894714005300171642c8d5c8

SHA512
8d717ea1b494db32f8d2374a27d82b6763414adb8dbf92bfc4886e5eec246d424225572e07f93e70bf9ad678be57633060872c8ba986d2a7d0e7c52206e9128b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a6e064608169338dcfc2352f887e6011

SHA1
a7b3ddd722d60d28c94adcbc77f179d84663613c

SHA256
bbd18cfbe5a5c2dfe1cb79581d9aed2392dad3ac1e5a750d02b5393aa394b585

SHA512
dec98ae452287f607c067d06c01e67909936a9b490e8ad74e06d222e8526aad740d693d870286b03d634c902d026e0eee33d22352badd945782bdbf3edf95a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f46b1367ead1f7eeda80e6a62ea8a97

SHA1
606dac124386f3405acbc9d5a7acd7d3ff927739

SHA256
7f80e5ad28a26ed1df59610071c942b21aa57f6f3210105a9ddb0c79cbe99e9c

SHA512
ebbb1259a986522d687b7dd410dc7a25496809cda39888882bb29d2459005f97049e61d2b63ff363dd15a5cd236ec16dfd1807c0046e7e9db96eb38c7a5e5b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6998906a199aa1545a5cebdff621bfcc

SHA1
0692ec8acecb88eedfd2ec47a54fe9432c7cd4b2

SHA256
3f9cccf0fc2b580987233f838f7435a6122b2be870cd83e253115f4cb452d766

SHA512
6d59dcc48bfb27e8a58c055e2a062600e2a747a18e57c79078ef8b0c8a3b5597dcd5ddc153757b95b37017a22ed9e7364236aafa65ad443244a70ca4525c1cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a74c5415b0b19df8d558e781cb5fd98a

SHA1
d34cf2354ad4904657fa0e9f5181708210716770

SHA256
e0a0ab6f7d34f23291d781690681a8dfb2696bb267fdc9176c146dfe4b7a0db5

SHA512
0cb07daba70a16a393dbef8491917e96817d968857e64ba3bb96e62e1d5cdf7ac0ec8dde8396c39311df15c2b887ff7b5e05721a2859a3513473c33855dd3c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ed6e9d5c9ae28c51b700bafc60a6d2fc

SHA1
f7fd9e1cba2f7f1a27a5688cec33667707d2a226

SHA256
23626fa5849bd4c403e9ea99b806cd5ff4d5dc4b0c9bb08a57a6a5bfec860b14

SHA512
d24551f2f268ad19c34b04f9549aa2ed9afcb0a806faa25203924e573e5410ba13456860f8b6c4263e27d7c5987fa24f10d5f2fe63f6772c9e816fcdcb8a4212

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
932a6a9ef5f00b148ee290bd3175baca

SHA1
d12473edf066cab8ef784ba216e138f7219541e1

SHA256
cfe763d52b4834cc1af1d01d1f4bbc270d1c6227881ff94691b6a1fbcec96b06

SHA512
56a8d75b1c4b93a7b53a22c1959efa6fc626b269510684d7ac31754cc2e328baedcdea4f4dc2bc147a6844554020927fb0baa13306af7ae7cad87c68ac5305b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
611dd49e087ca100d7dd2ab80c3ec536

SHA1
226e2454f46575f9d30de90a13f84ded4e875dfb

SHA256
b32fa54c76b8274c3fe97029fad65cc5483299613f11024227d989dbcff8dafd

SHA512
3dfa66a9fee1a526965ead7c4045defc5f610323ce3e4f5cf64093f123aacc9a60d2d26333ce742df3b9c72f260ef44044464859bce116eb03c64ccb69f3f262

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e70d0832025dc74925eb135ea5a8273b

SHA1
62f6ad3812d280c0582179bd8f674bd48b1c44b4

SHA256
b80749041b9d7dc7381d3e91ee486f2148cc416c2497f6d615b1f7ca2aa3d1a5

SHA512
1ad9f279c237b238ee368a5d9ee31136f4bf7b0bc87ab97846fd53f9226ac3e2f90a12d09aa5359886afd22f07c28617013e537b885331660733465fe6914c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
313562fd4644fce6e57c3822da614115

SHA1
b0a4a4bf5b3f79ab813351b1272725b7d8a3c5ff

SHA256
6388a3d09f6ed4063cfe98701056516e1a48beeaec146b9985df7373b1560ac6

SHA512
15a8322e5dbd2a51319e2b6711f6a0ea92570bbb9b88de544e1474f4be7cea86cd72cedc714e301e0cff04fb803566669ecb39404232468dcb26441045d7f7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce4d5dc9a5ba62325a428df076d595dc

SHA1
62a3dca6c5ea0be21a4e0f64bc6a9236f0c641e2

SHA256
b04021fb7ad20682cc1ed3166f9347ddba122aa30f6729b92784f61de5c82609

SHA512
7af9adec29b35c8dcdaaf9d249a9f5ce5ab9e0e0d1607d052199fd4ce651193a1899c6167ced01ae7884c4ee427c5a26098082ee04694f037b422b26f275b094

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
88ac325c4c16d1c3cc8ee188ed4515ee

SHA1
6a2ffad1216d0bb3cc9d6fec55f95372ebdc251e

SHA256
3fa9957b2d5f8caeba40c7ec584375dd772ab1b8e85a61ac3cee7c2e5e8ad5d2

SHA512
c462b0bbbb292c63e1086929c73673113dd8abab65e74facba582d1444a39a53be9a6ffa6ed83b47d2b8539fc93ed96021c8243b6cadb498795cc23741b41fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9d9a29afea2d942ffe5748b5f5865837

SHA1
608fca2566d1394ac496bcdee930578f52c24b22

SHA256
6a7068af4768835693c274616bc6bc6b06b56292e6aa98226cbbda037d3b18d6

SHA512
219a773990e83f3c53e215c79b79c66034089f881dab0f70ecaec1e9e1ad708bb2272f3ca256ca38eb872f50446cae200b0e220ca9d647651b8dfaab9abf18b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1045a30aac733c608ff4c211d20f2e5e

SHA1
ef7e34775dbee9a7d5fe5fcf800915be82b7a670

SHA256
5cfcbcaabf535a9549ba98f1669842127f3031bd0d6e83408fb003d2ea027c32

SHA512
45ec559515481fac0d3d18ddada23f74ed62a127e11b168512c9e067ba847682895ef3e724d221f2acf9c74d9df045e36fbc5373773519be67a5364b596a1b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
97a59532ccba5ac3afbf309678f991bc

SHA1
936ffc4489aec9fcafeb638f967f1e50a3958ab8

SHA256
6d7645a3d0d758ae1737e0c7b9b94d4c5cc687818ef55950f684865249852f12

SHA512
c40e8c2db3dba8e94f3b79c4f34c1bb86fbef7b90fc9eefe37448ed33d965dabe41171f929f46960fc32b2d0d6aef8d74c210e375aceeeccdde7f3ed8ccf1d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1559c58fca22b3b0787657e4f5949d6a

SHA1
b293387014838cc7509224baf76289dbb9d0993a

SHA256
27df229e2916e5df2c889f157e33f3d3fe51702af891ce832771079aeaef8a6f

SHA512
ba3c1202e91d2e2436c43966a04479c4c3285502cb037088661df1c6887fa3b8066211befa92d2c0ab04457fa9964b7a1664fbd15b9374989f6e7c359fac35e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef94db3389dc474672c2df8f6bf54b0e

SHA1
dd9e06e8458669b18ef20179f8aa447b93736178

SHA256
fa18598ff4ae1a8e332fdc280038a3848425e176cd90881d8a9ff9f721158984

SHA512
0ca691f66164320768e6e19ecf82dc22a1a7cedb0abccefe3755020ec6e82da4f90bcb1b3cb1ee1bf9d453eb1eb7c86c335eee86c31f7e2e7b20eba170e2aa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c80c6677beb5da4b8e485d0b5079d461

SHA1
bdb3f81e335aafc4180acb86e7363d86f092e011

SHA256
c19bb57adb9d47a0f82ca58bf1de3a1bc89c129addebb4cc40fdbceacf7db84a

SHA512
4aa1077bf0fc752837d184a61710b7c1bd116be12142dce1809aa0048c3c4455cd33aaa71204cd61b1080940d51693ae0d43d8394e2eeeafd153c4e1ffd3f7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ff26ca2162da48fdc114ecd486ec8db9

SHA1
363884574b362553e6a6c2ac112b82002805eeb4

SHA256
5448a36c54aaa3a3b0001fe97a35d77815686e0afddc6ea31f7b66ab5561acc1

SHA512
61282cceb3acde85093698340eb58526349d0d8d82a2a1ed202736937d4370f62e13890cf1a389819244e047f8b76a12e32f1498ff1d4a777660d59b3baaeffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7f57f5979703eaf38eaa90985a67599b

SHA1
c553cfdad7791322fd9e94d29958f42244463ca0

SHA256
2c8165124a0e84c2ecd073e560fd432d7557e78f82aaeb6019df010053340868

SHA512
a145442de931f398eb70b7bb848e507237eec7e5dfab86097b3fd8f78a3c975d280f2d577b7159457e3fdb89a8f9a59d78f89c48bc7ecffe2bf2ec28569e888b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4fe7a66d4014433300f07a92e56b44d

SHA1
f3e604b81e0b8c47c95e001680dfe005c6457bf2

SHA256
52b41d5e119526322a02e463f528bcb8b3256a7f12bfa85f734b9c472a06176e

SHA512
a76181731669f50ddb990921f95541767c4bd957ce2566db2d9633a540a7d89f0c95f5a6bffdcc3f2bfea88d1929685cb1257a34b55209afae9c66235808dc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
50e0acfb5e42a2b3086dd006a636b22b

SHA1
977756f86f39e44b90e1053de640f5546fee9614

SHA256
0c991a68afa05a0a3fbec018d3137fc1f2cca71738ca493d11a63626baf48253

SHA512
2bf61832911a0483c539ea37d0f8c3e872a033dc48d43795fe7e714a5c13629b836b21d1c4bfdc7403ff63f47feceb144f466163c72692884f684e22f2c2d87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4b72e133db13fb642f3894080b175015

SHA1
35234e088241c3426acc884e721e070f1283e835

SHA256
2207dadc51802a764ffb0b59b9eee58059e4992c7b4fb80a03531afb9cbdc3ab

SHA512
abf75933200f0eba6f80467bc38f2daf30eefeb783615953c7674ed09c50963bc97915403b620d86236a81d8d1221a6cc3c002960a2dbad2310bf676d9227737

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
524c36a36f61945b892ae0131b58bd9c

SHA1
04fc93dc46ddb8a5677edc9db778b21d8982632f

SHA256
2dee394f4c3dbfbeaeb2455c0536e6b5b761a789217aa569a1273287733fedb8

SHA512
73cb8c070241c4d490f361d8e946089b9fdde53050a1d6206bc67899e559acaea3fda70b3d39b98776427976ff79a76da5bbf75b14529a14eae8bdb0e1485796

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
00c030ff3c82797b4f6669820d10a10c

SHA1
280bd8a2f78fdc0b4f7c2fcd00bd951dc948686a

SHA256
cf363dea0d17834060bbdc7f5aa45fb8dcbe4cc8fbdd6e348132db4b26b89d42

SHA512
85ad2c2edcd2994a593cc908edc0631cb06a860cbbe2ce5573afff33b4ca9e579c752d657f4d53715b29e60ac7250bedeba3e1641b85997de4d673d5866fab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
647adf4af22727eee375d8c8220d11b9

SHA1
880374e8f53f32a1765e624588a6ba96102c05d3

SHA256
f18bd33bf62788aa0272cf3ba8335f059bd6cdf0809162cb1b7ca669cb645847

SHA512
89abe9b70ed13bfebad401d9e6e86dfc3432b824173ba8af7f3bc6cff330a263fafea2f406c9a363becae514020a91ce712831e4798155319aedaf47521cab8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
788c35fb76a9f1ca4381f40f8b099bd5

SHA1
9486fb00ab21b29c4a9b1e5c63e349d246e0e1e2

SHA256
086164069e91c6856ead87c8c132309a66a879144e49774b16c1db96297a1a37

SHA512
e921640cb414df41fe2a04977f560644af20b165f42d503aef2febe03bc70ee751851263285439d6b4c8b678a696811c25a9c627af24e25f1694f3a7e4e0eaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
61c1f4421088f85daf4e611c8c0cb99c

SHA1
48cf888df8748243e8a5ed6dc385d9b79e213d97

SHA256
afeeaf424240da66988eb40014594e39e59092d01f8874b5f0edbeed082db77d

SHA512
b2d3b3214026b4bc3103f107b0082121951fdfe93648aba8ed2fa17f13d7fae8cc913790fdd5c30abbcf441bac4020f85ea08516fca99d304424fe8df3a00bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2ecdde49831315700d14b00a4e095b3

SHA1
59d5bdfe146a26baa63574ecbf63cddb9010c66f

SHA256
01a4311934496cbe7d8e49d5e44564e1ab12eb5cde8ebd7b01fec86a0e793011

SHA512
b4c03831de8b7f22268ba6922e07a939300339396ac92b280ce230975ea38d5389808e46429a116a82babd99e52552186b87c09f493f2020e450ed997c7cd39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
568d6cd46665109e3a1c4d38d6ec5a5a

SHA1
937b3ae7d9965d4482f4fc9e4fa13ae84f99bcd1

SHA256
4623df0c254ee919f6cd43043767dad5cd3eae78761aff4d7dedee9d31a2161f

SHA512
eb8228db422595cedc8151cfceb9e70ce42410e55c433a18c418891133a9577e18e9b136a75c315fa76780cec829a60cfdf6a68adadd505298579f9912fae11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5fd0ee8e7dbf6f5b344c6378b8962c28

SHA1
fa8b28b3268158c62a12897af9216a5a0a13dd1e

SHA256
7933cd466c1fc17998f7bbd9b01843077a9bfbaeb71393405612c78e2e1478ee

SHA512
757c5d6316c04f33941608a48a4adcbcf2ee0bc83f81300c991dc8352503bd4e051436a15c5d99515f8beb9b7ac42c38dde9d1dececcfd1e4d718cee571c208f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b61545be155759f8150333ed15f1e932

SHA1
258c3279f74fe61861f0c167418ae841d4c68aed

SHA256
af24272c22c8f31082a448c0353c81ae156246f911106e8ea4fd0fe6c9a3268b

SHA512
b84b1f171d6c121f4a0c2febba2896690f8d9cfb12a9bedf1dde578dade4124dc31420ca8db601b376f2269555675d4eded622b5bf0b4a2718afa5b814178a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
280e1317a494292c6300673d2bd92b26

SHA1
a1279315df1fa026876c7ca2053c08e91a32c2d8

SHA256
e72fbbd134ca977b4c5a645ca9a5d0a60e9e9774cbde875518e3ee10eda0a452

SHA512
00c344101a3888dbdd60a23941d9dd680e814a2259d98a9264dae91c384c272f0ad14b86dd8d86bc086ef19acf12f0cac4b5e984420040c2e71e2bd2682d88fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4849f490328933ab0a366fbb70a56c7b

SHA1
3db406e357a84e5d3a9063f43a4e2ffed1d06a90

SHA256
045a8b070020ee29f4d0b1f76e02567e96b4efeff5e04ca6e83a96b8f736709b

SHA512
c11831186eb3ffb507560dfc7ced350e0f01861113a421178b5ab58db222b28bc54e7876a8210ccb45577a7a7de28d8a439e4462318481c7f9492371b2b47534

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
2.8MB

MD5
8b2b3e734d448c4f765c9486e720ae80

SHA1
58d4b6aeff37e40dfe73cdbc4b06007e2e1f5bfb

SHA256
251f12028df54d184f3e24944a1a7834eb2d9d333f7ab5e3c61b9bbddf2b2a2b

SHA512
1e4d9e92077ea2c46488b2950cf954c33c65589592df7ea5cf9ac1e63351a589b94d447a38502fd5354eb3d8a87e9449ea63dc59b1720f3c6f328ec5b4d815df

Download Submit
memory/1156-9-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/2044-2747-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2044-2-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2044-3-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2044-4-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2044-5-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2044-8-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2044-9386-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3216-2689-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3216-2691-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3216-6013-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/3216-20580-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/6164-20594-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/6164-9387-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download