cybergate | aa6bbe7eb29c6873250f2ad05b11e8ba96d93f237e45d07d60983b90552423e4

Analysis

max time kernel
150s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a567d6dc550a379786f539726496247c.exe
Size

344KB
MD5

a567d6dc550a379786f539726496247c
SHA1

d697724fc798a73ffa558f7872550514b9e3023c
SHA256

aa6bbe7eb29c6873250f2ad05b11e8ba96d93f237e45d07d60983b90552423e4
SHA512

886547002512b1156180eb2d68ae9697353ebef9bd0b60cdcae8917eee77e7c47235598edcfd0feeebabbded9705b615aea3a3fd6b17c6b4ce689504b7395c01
SSDEEP

6144:BFETaNH+FyvkT9wLIIvcy6t6RlsRf2B0VgsQoaUR6MIxLFogAn:BFkaNH+F6UWlQ6mgsQkDALFM

Score

10^/10

cybergate server discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

wwo.no-ip.info:81

173.189.70.92:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{03JPIUGW-6BBT-Q7FE-C8EF-476TT3SN547A}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03JPIUGW-6BBT-Q7FE-C8EF-476TT3SN547A}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{03JPIUGW-6BBT-Q7FE-C8EF-476TT3SN547A}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03JPIUGW-6BBT-Q7FE-C8EF-476TT3SN547A}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
4600	server.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	vbc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spynet\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\spynet\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2976-3-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2976-6-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2976-7-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2976-8-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2976-14-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/2976-16-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2976-31-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2152-79-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2976-150-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4208-151-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/2152-515-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4208-516-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a567d6dc550a379786f539726496247c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe
4208	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4208	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	vbc.exe
Token: SeDebugPrivilege	4208	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 1600 wrote to memory of 2976	1600	JaffaCakes118_a567d6dc550a379786f539726496247c.exe	83
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56
PID 2976 wrote to memory of 3492	2976	vbc.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:768
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3164
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3840
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3932
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3992
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4076
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4164
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2280
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:940
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4544
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4260
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4948
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4584
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:3724
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3028
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1800
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:2836
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2608
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1560
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1808

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2920

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3456

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a567d6dc550a379786f539726496247c.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a567d6dc550a379786f539726496247c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2152
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4208
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:8
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4600
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2668

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:932

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 5977e014e31fc2d4150f46c54dc7dc1a TcmEzVodjE6RZ9bL45Unkg.0.1.0.0.0
1⤵
PID:3628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2692

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
e2ac2c220fd6c8fa6d8ee62ad1d35c4b

SHA1
c799cb97873bf18b2628b41d94b7151d64038257

SHA256
72009943f65b200d6ab49ed92cc74497ec07487127f1f6b3f1032e40b874f1d8

SHA512
e4efe590546190ed0c5926439392521b7edb1978593f9acaed593fac8e61e9e789352329db169d1ab781b108f2108e78f5328ac5b5668fe5e76b97be90d13571

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
157123372192db156afc705352e71006

SHA1
2e47f37cfd96f40f0544ca544c4327536726e11e

SHA256
a2053c0bd99de928a1bb35d18e71212de7b9af0cf1dbcae03637534956ef6078

SHA512
1711d961ce6b6d97c8a3868a6d131b0fb621fe7b2cd08ed5fda1ce95dd9b55e8881f4ca5adeb307048683c7b751b27021fa593e1b63e04cf096f48e593bdfda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
60ae97b553e46865172eb1d624948c6a

SHA1
4d9e1f1f249eeb9e4b012ce3f5547afadd8015dc

SHA256
d2452d3942850a3bb32ac10f94fccc548dd4c71dba1b85e42554155824fb1575

SHA512
7d167de4d465a4d0bbc614ff9480350144be00f9af586a10ec4d026b5dbb196ec1617e9cb11591c10c821a86343796d32b1d8d5ddb7fc225496dd74746697a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
80063543a0dfa58a3c0473eda4950c4f

SHA1
277954f661eb44c276d3bdc66c3154980618531c

SHA256
84dcdcd87a63538bb1fc474a82da9ddecaa36fefceafe5ab089b1040d536b528

SHA512
01940db0801a58e1a338f7cc6887e0c4eded308926ca5063647da0ee1774cc46795050582d30b4063bac81ed01a7c563026997f6e3b6cb192d250779dd072a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aa6ff1ad0b65b7ab462f1646d28b0a0b

SHA1
0c46b1f707286f940a102cf222d7d6b7d46f0616

SHA256
d5ef1f53c551c3b9ee6386d723d748b012d54492044d7624e111500d734e2abc

SHA512
87c0f81fdbc9122941ca65e98b447769a5085d53c77fc6f2dac52afc6835387b81c343aa64413e1631f7a03ed2674c2175a765a58267b919ef2e9f870f2150e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9235ff947117d6b56ecd9c3800c2ea2e

SHA1
f62d13a58e34462543d13cdd9f81fa1d888555dc

SHA256
65a8334c827f00376c1a161983dd6adcd81f8e483cbcf7451eb1c9456b6fd97d

SHA512
9229e783ac7d1cc5c3914c0c3cf3d891a4040317ebd5d5d569d3947d06f59d5f1317d7c68c81d33033d5f091ee4078f4e37db7f9db725a293ef2954e4e171dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
034ba533d26594ffdb324a0d2350fc89

SHA1
4819e814932a7adebda3c74ab6a471b6c725290c

SHA256
74d5d66ec569e6a77003bf80af22a9d1f6e911eb88a4bc25cf347be1dcdd8215

SHA512
7a0a3a1757c89450f7a061ca432eb6c1b2faedbfef9a9df0edf43eb830188cd2268e2e8d0efa9b14460ca5a5081cbf874ff8bbf823139b640e507dfb2458b35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f1564876e3505ce02c090e9f74b4347

SHA1
1d9bfe006feb18e93f614d1ae9da6bdcb02fc181

SHA256
ed01aea0f18c6c6f8a9c98d883f62498e15bafe481f27286170a87e834d49879

SHA512
3c0faf475e87c4196204b523380f656a209df8afb2ebdcda17832e09eb03f7534591661ae0925ab20a5889cf680096f51aeeffdee62a6716e31f00802e7bc3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
41ec037f720a0b375e46f8ce271be5c5

SHA1
f71d036c577ae3964e3ceb7c3b30dee99403518d

SHA256
628067dee11506b020eaf0fb2f421938336fee5b991a6d5574f5cbfaa7c0e2f2

SHA512
86b83454631e67c680c18d77b51998c2de841fb5652552d66d779c2ffc8bdd3ce1bac109d4c5ac1b5d206c89eb90b4d772fb3389d27dd1356eb65d9a8bcb5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8ef64b1984cae7c6562d64288c468a26

SHA1
cc674363da731bd414926f105cda5d9d392e03a1

SHA256
9f0ebff484bc4c736788691f39692b51603f6827ff6ad08218afdb9a35b3b979

SHA512
670d0f8f56e6db398f91c5b2131d50a273d4ded13101add05c8abbab32e4603279c05c051c5740793a6a08c97ec3f9dfbd67a26acadbc97a8b48b0e32e159901

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
646191bd132ab9a6386e2781b15f8053

SHA1
2b0363cdf035d3eaaa415ff7894946d11941bf03

SHA256
99853ec47222164557727557ffe8ec32ca65fb08883b13d2a837b829d5023cea

SHA512
5bf55bb286215dc9964a9d76b0c29a1d45d53a449bd02a60255a6414fc16f9690ff2ebce307433dd3e56a97e3ef92a19c77fe26aaf955c4f8d608dbee231d1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7bf58b193b10b03fb6177b38cabf6f00

SHA1
f5bfc73bab84e473745eeb0954c3d0a5135f0505

SHA256
3b4c7d77f40d38a35965719ee9a4f51885c011e3a53275dc12337c4e1372f55e

SHA512
376e911eb7b2387bf2f633ab29e04fa3c304eba724af3652c4e4ec9cf24faeea70b7b2c219d0ba633d04bb8293921b1114656eb75f12fe5dc480f24652b46327

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
31f0c8ab682d8770ff985475b699005b

SHA1
fb2740a5fc3e3e24edd27c58bba8accdc6881510

SHA256
a9556e42542f6798880dbd6cb1ebef24b3f0ae6577006679663d5295d79831c8

SHA512
d34dd93226ce5ed4ec045e3dc87dbb793879f785f9c944c2be0bc85463ea42f090b0a3bdf4e4165f3a804f097c1d61cbfeb6fedc7406ef5b4ca4ea4806c4be9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4030f12773115c9561f7f66fa8fe9707

SHA1
41c0906b29b9d8d6a977c277485acc2de556c151

SHA256
d4aa101c1e9556ad8ba4d3d9813d72ca39e51809a7586d0567d46e5b8aacb9f9

SHA512
6baf23e805f2567abd7cedf232a1d28b1e757d85bb7a050d048de497fa1c564901d685599ebba3fc93adaa8789c51f1dd2fd71492c03de47971e009a32912fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
446b19cf5475be7e030210a5233d2571

SHA1
5713783a10a2b10a0f445bc1f068159c78d4f29a

SHA256
a4b26d651f435cd10547204ae5dd482b129fa3b3e1fc90824f88075f47ba4664

SHA512
4525a0019a1940d06ec791367d94921bf90d79b4c5fc262bac2aac33a99a9995755ed6c6ad22f93397e537384c99cf14f2659e8d98772efcdf6e1016d70bb427

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
028be43bdb068942b3a54f115fc87919

SHA1
789393991ab83717b2671d0acb2fee2167f1a2e6

SHA256
26d57d90dcf4318e33554b3804c99e93e659f58dfb8a1272742b0b7cb6b20c5b

SHA512
b30a693c3d06f910f0fd574e14ce1c9fe4782dc008f04885e1d79a186c34442f03bfae3ba4e7b1006ffe10ea8f827608fc9317d3e08d42c5a477268d91ded888

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dd3d822abbeca2dba3e689f73d3c6238

SHA1
a3202634b5269fc96d5a360f6a2e19e9351b556d

SHA256
61a8b25f3b0c78dbb105539de8cbe4f42660501e1c71c284a5d525aff64ef38c

SHA512
cdadf493d7325867b80353b174203616e654fe428c92d9b70208dbaecbbb829b849e900c599837bc153fec1a9d80f9b91fd212d020fb3cae173a5d0f0c25b5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4bc7d5406b16a5d399c92d0fa556d72b

SHA1
5d378a9ca3f110c84dcbd2effc789eeee1b26259

SHA256
2dbde18fa1afbd08a544d70844f2460ec4154a159d2f4c25f8182284f9769ea0

SHA512
49f7060145530c276dff86c06e4436a6280787322e92d30b8c9aa9095b0551c23b9c0cbb841e9740e7f776aa403d0889c92b1004213311000735049424542771

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a244d3605521f594f0e0c0c0ff764d1e

SHA1
51d2b0913424b74794d3193f192435cac5a87ba1

SHA256
5a9326ef177ea4a4fadbf30eb559b0e87dad835c31c2bbba30e3df326138a6ba

SHA512
bd8e74a6f5d162fac93c8fc7c3a76ae24c89f80112bca01de3c807a4f3de115d5c22933dd47d0b485c7afa0da190846aedac932b51f183c93a10cd9f6eecc87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dea0490b64f21b29b40fccea7491996a

SHA1
2f6ef3ce3562b05ffd4ac72a0ba149cb790e9e36

SHA256
3fd5c3acfdd1379a7c63ae095fb2dbac7fc4cf03131bba5db6f037330c83a0c8

SHA512
94adff6d2686e328c16ea8475ef04dcea08fcf3b16e950bc4f6f93e123adb9983c1813db189daf54ff66eaafb68a8ad7678ac1be7dfa5b81fc7bba95bed87488

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
084b3bbdbb6d4b3a5bcd61d84d1e2780

SHA1
e7a266f0337d68a596d4f284b145b8301b94b745

SHA256
1180a214f31c968c6b5e08557f8799047722c826e789757d6919eda9a7639244

SHA512
07816c869e50e8cc68f0ee881e475285099f04369a988a6bab82eeb1274aa38a63e4e89031121c90791bbfef0450f635517f6d25619f9a697701f1f3043b5c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
823def8d058abf2d531685d760927410

SHA1
8710866c20b7d9ff9cf9abef77de6da0a6a3fbc5

SHA256
d3e1ab887e6621daf3b1c806d47818d1e295e0ef53404defaf8185e92920fb5c

SHA512
0e3eea617117efddb9518b6c99f0a10821948aceb4b5a9a4be3a09ed61312e965af2dafab7a2e0129153706f4674ec05f9577bb873f8d0cc377f3e37db7d6b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8c40253e654512612db695f73478e87e

SHA1
6376b0b3be1ba3c33a8236c35422616be98a06fb

SHA256
ac64e41fe01dca1e5854da997c562a457c04b74934eacd581780dd8f405c336e

SHA512
0e3f30aa9e8370844f2930f36a4c85870b5a33ab262eed526626897d4cfe486eae0288427f33f748d84f0019b1380b9521a13052c60d4b38faf3c25afd5cd34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5a4942e705424d2b2031c8a3ce05ced4

SHA1
f7e5d0b47168917d160cae960c1c4992db277e74

SHA256
c7281385b50f06787036d97a6ee4ae569d5a015b911f6a9a00f9bde7199b385d

SHA512
f518132b154932e6cf3f8aac4b5b0811b1de027419a64419ece04da931e721a0fcd0300b9a97172d2e7c693cf252a6ad45f009b440d08d16f67cbdaa5bcd8abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a79a1256dd6c986a4c20ab45678fda0

SHA1
16e0a62aa5c8649e6998b7b26eb09b9201816691

SHA256
06bdd3ea99b9633b3082a053691f99a38fe851c0a982c511012b0f2f7c1e0cca

SHA512
f829facdbd43afe02efc22caf77923b0ea6e160f72ff9cad64fafff5016bac6979bb0e73a178145be0f2ad3e9c4ef41fe9d630eb5552d6684d1a94ef901d8cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a3bad7f364a7e659a6190654d0fefbd

SHA1
fea9a4c4a17643d68027337aa349bf78e7521d9d

SHA256
3f349b1c6bc3b0d86338abd6e43d9a2abc0afbe32f6bd797c6c2f036cee26744

SHA512
2060e824ef6862ca473a099af98532396899df2ee71ea88d30b454d1d88ce902ebfae39b39981dd1c185c56b02811a80ddca453164b00517dbf37fc5b088fbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6091dcff1d78a349fd932d24f6655a95

SHA1
03218b93d795fdb626379cc1342763ec6ba29c05

SHA256
074fa0d6c11bf76b85d772dbdd0010eb6280de318c59efc138968ac47705e8f7

SHA512
5ea52e6a5af5057835213347146e1ad9911d38577e9777a86df9856b6196ef0ce02df910d6001e3693aa6cfff23e02c4461f3a6b099c213a403c5fe6bb654462

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
44dc784c976b6a3f4bd3af87db05c66f

SHA1
cd08c482678a39840cddf850dd3749ecb16fa0e1

SHA256
9d8726b1efccaa70ca0b1cf9b98daaa5837cb09db89e70618ebcbabcd9996a2c

SHA512
e2ed00c49a7924350be69b7d6c383224180cc28d5695ade0db77c1581feb098722d396cc37f3791e4bcf1a2cfe0482297c48fbf5f7aa129a84797ce78e8108c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce005fab818fec5512b6f907d0484c50

SHA1
d5ab3a44788ced6968ca5abce43c99976039cb11

SHA256
72c164425b908eba8d3e085bc12f494286b598985221387b14d25d9a8903b606

SHA512
7433cc462b39bfea59ec9ebbc3bed41e08a57acb56a21825879012eebe8dcc065cd5fa6487a679d4b28f93d971bea803ee907e5fad0ef13c959a4440e07eb334

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c8b0f567a7026c66cfda5d202cd366e

SHA1
4f28c8dcbdc13413523d3de86fbcacd16e5e2d9f

SHA256
e48e0fc61b85d132fce68e4a83434a8bd6627b520c4d6814dd654849eb7fab17

SHA512
0594162560ac47405daf7927ed168945de668faebd0a24bf3c7acc7fdfca8702c3041a50c3a50e1863d1ec75a5b6dc627cee6694d173ca4549624c38511d3c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e96049f060a6c24e3126495618c10ea0

SHA1
9023ea10e080fff97638f9dc2e18592e3314a2ec

SHA256
53674a7715f3e8dc468f7ef2f4f237c5bcbffbd3d715c47161ac5092d1c103b9

SHA512
aa1a8b58c8eacfbebbafa5e33e8ed1200103f31cfaacd06a1cded0f3d61664a8b76e74ac5138fc2953120cd4ad91acf73d104509ab8f4c25e1e33a8cd9670d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9bff6d0e5120cf952b83587c795e620

SHA1
3b6724498372cd8cf48a5500337826305a9d9b0a

SHA256
c7accaf1ffc357ae3bf58abacd78118af3758d6098dc3a1f148855879d30f6a6

SHA512
5d4571e2195feffe8228b330bbcd146d2d6e0eb55b4c69d21e216ff45d9019095394aa007e33ea21235509d802468adeb9d21f69ccbae071ccaaedb43e6bc579

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef375c97640593155a812720c0b6a011

SHA1
548148764dbfcef78cbb14d1d6dd7e4d97c21f82

SHA256
adbc7023e972dd27290c1bd60c716e8d8cb89651ab1d11d5e79df6f778f083b2

SHA512
4c9039775ef3ad0a29129f8f8c94a538335a400850af0ad8ed2c462bb1146a1c550c05fc0ab4ec5f51a6a00b0149f90adc7dc5df4cf18c1fdfdc12965cbfeba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
38e8b501123323ed5aea4dc406933913

SHA1
8b11f93594853fea1998baadc1ea011b0a3ee944

SHA256
9afd3ab3065b102f23aa232e7d6cff644785d8cb5db7bebfaafceca7692b8cad

SHA512
3da3326fc234d59c2dd6f4a2c5be4bd41e5a538df85c0cdd743a70b35276eb470a30ad0706baff294f1f7df071fbed1a8a2a6354770f840ce968346bb1e6e899

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2c364c283ef15ae1aabbf07267c15282

SHA1
8cc040f334f6fe523905603010a80e385aeeb6a0

SHA256
295a91c3570a684d7c4da137c96aa93ac51ff393b882f950a46f46092fe4317f

SHA512
1624a1e3ef297dc5e4268eef8752c193d83d2a2d1dde03af1f3f900f916f7c82646d80256200a417c0e986fff712c00bdbe1ab8cc70ee432701967b0324b055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37bb9fdaac32151050b5c5462ab913c7

SHA1
f5e525b8d4a0d9856b4463a54cbf5b6e990ff026

SHA256
6fa1764690192c5deb83ed658c64588eb973118ce1f2edd85cff21eb7b9c4ff3

SHA512
d3f964551ef295744acdb2012e44eed5797083a44224e4829884b6c5044618112864029bf75a41ceed0cfb77c6294a7fa8ff503d4cfed7ecc35de2702d4c922f

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1600-9-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1600-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1600-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1600-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

Filesize
4KB

Download
memory/2152-18-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2152-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2152-515-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2152-17-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2976-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2976-6-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2976-3-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2976-8-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2976-16-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2976-31-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2976-14-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2976-150-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4208-151-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4208-516-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download