cybergate | a52a9093fdad5cc696b11845e8c2514cdeac7d4a9d97a49369412c39de7e524d

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
Size

2.0MB
MD5

05bcfa3e64ce2d45b1457a1659291185
SHA1

da44bc916a7e619a4958c34fb425f149b1b252ec
SHA256

a52a9093fdad5cc696b11845e8c2514cdeac7d4a9d97a49369412c39de7e524d
SHA512

d746cd39811b77ba90b66d50ccad4be47bd5f9fc85de9761d3b04b46587bef6949a5690ccd2ff675d03673bc24490505d0a8d0b395fb61266ad54a872219c40e
SSDEEP

24576:96WOxWsYOWrK3TaUZ7pz3eCswkMjQ7cst8LSTAiV3yl5bvQVhG:9u8OoK3eUZzswnYPDAiV3ylSG

Score

10^/10

cybergate thecoin77eur discovery exploit persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

Thecoin77eur

ntspnet.no-ip.org:80

ntspnet.no-ip.org:81

ntspnet.no-ip.org:82

ntspnet.no-ip.org:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
x86_microsoft-windows-w..win32-dll.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Erreur de chargement de sqlite3.dll Fichier manquant ou endomagé.
message_box_title
Erreur de chargement
password
181098free
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}	Idman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}\StubPath = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe Restart"	Idman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}\StubPath = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe"	explorer.exe

Possible privilege escalation attempt 5 IoCs

exploit

pid	Process
6192	icacls.exe
5608	takeown.exe
5548	icacls.exe
6080	takeown.exe
6140	takeown.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Idman.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	S.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Idman.exe

Executes dropped EXE 7 IoCs

pid	Process
2244	Idman.exe
2072	S.exe
2284	Windows Theme Installer v 1.1.exe
2160	Idman.exe
3684	UTP.exe
2072	Idman.exe
5832	x86_microsoft-windows-w..win32-dll.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5608	takeown.exe
5548	icacls.exe
6080	takeown.exe
6140	takeown.exe
6192	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe"	Idman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe"	Idman.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023cad-43.dat	upx
behavioral2/memory/2160-47-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/2072-747-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/2160-1415-0x0000000000400000-0x00000000004AF000-memory.dmp	upx
behavioral2/memory/5832-1451-0x0000000000400000-0x00000000004AF000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\explorer_backup_wti.exe	Windows Theme Installer v 1.1.exe
File created	C:\Windows\explorer.exe	Windows Theme Installer v 1.1.exe
File opened for modification	C:\Windows\explorer.exe	Windows Theme Installer v 1.1.exe
File created	C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe	Idman.exe
File opened for modification	C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe	Idman.exe
File opened for modification	C:\Windows\UTP.exe	Windows Theme Installer v 1.1.exe
File created	C:\Windows\explorer_backup_wti.exe	Windows Theme Installer v 1.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5560	5832	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UTP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x86_microsoft-windows-w..win32-dll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idman.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe
2072	Idman.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	Idman.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	Idman.exe
Token: SeDebugPrivilege	2072	Idman.exe
Token: SeTakeOwnershipPrivilege	5608	takeown.exe
Token: SeTakeOwnershipPrivilege	6140	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2160	Idman.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3684	UTP.exe
3684	UTP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2244	4804	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	82
PID 4804 wrote to memory of 2244	4804	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	82
PID 4804 wrote to memory of 2244	4804	JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe	82
PID 2244 wrote to memory of 2072	2244	Idman.exe	83
PID 2244 wrote to memory of 2072	2244	Idman.exe	83
PID 2244 wrote to memory of 2284	2244	Idman.exe	84
PID 2244 wrote to memory of 2284	2244	Idman.exe	84
PID 2072 wrote to memory of 2160	2072	S.exe	85
PID 2072 wrote to memory of 2160	2072	S.exe	85
PID 2072 wrote to memory of 2160	2072	S.exe	85
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56
PID 2160 wrote to memory of 3472	2160	Idman.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2692
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3764
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3852
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3920
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4004
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4124
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4392
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4560
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3268
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:3132
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:5784
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:5708
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1056
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1328
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2576

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\Idman.exe
    "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\S.exe
      "C:\Users\Admin\AppData\Local\Temp\S.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\Idman.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1228
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\Idman.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe
        
        "C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 564
        8⤵
        Program crash
        
        PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2284
    - - C:\Windows\UTP.exe
        
        C:\Windows\UTP.exe -Silent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3684
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant administrators:F
        5⤵
        
        PID:5884
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\explorer.exe
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:5608
      - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\explorer.exe /grant administrators:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5548
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant administrators:F
        5⤵
        
        PID:1260
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3164
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\explorer.exe
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6080
      - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\explorer.exe /grant administrators:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6192
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c takeown /f C:\Windows\system32\OobeFldr.dll && icacls C:\Windows\system32\OobeFldr.dll /grant administrators:F
        5⤵
        
        PID:856
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1276
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\system32\OobeFldr.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:6140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4360

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:760

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d9cb2f1f84a237e0c7fd0a90f8227249 YnafAUwiEkucKvkvKUGe4g.0.1.0.0.0
1⤵
PID:2416
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5832 -ip 5832
  2⤵
  PID:5640

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Idman.exe

Filesize
1.0MB

MD5
7b3ce789e266bcf032d193b4deb1cf44

SHA1
f5c0c5d14cce01096b4693a3e4bade6864645cde

SHA256
c060688ed4df13eeb4e78ad9f3a7408ccf88ed6ea593698f4e1d0f50571688d6

SHA512
4ee206357cd05affaf9944c4dba940b58eab67a8e38c9949d87938bbc1c2339ba2bc0d2b8276dc886b6cbddf03b9d89647c0ebffe87a5a05741846233edb223c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Idman.exe

Filesize
1.0MB

MD5
712f44fa4d49cc9cc7de5bf393858078

SHA1
644943daca2e8ee8ac8472d519d3e65d3171671a

SHA256
5689bdcb98e00b7a476558cd55161f744f04e15943ce52fc64a24be6d83c66ed

SHA512
281b7455331943d689959f0dc776c88244738ba632136197134f608409cdfc1b98ba785346e36611f86a9828f0aeeb119b31855d3be685929de5d97402a2692a

Download Submit
C:\Users\Admin\AppData\Local\Temp\S.exe

Filesize
1.5MB

MD5
b598f74bc5257fabd541c48ed549d1af

SHA1
7c40ae388cce2dd6363a1c6b45da5ac16add2d9c

SHA256
9ed830fc5f59c7c35195aa5d719e0b225757ed0a115a5eeba429b69d8725e5b0

SHA512
8e074d43db1b5e0eaf5e8c8cb48ac8af6b260226e86fd790e91ffa186432558059742ef639f9f58520b3dabb5f76c32bdaf96780dcf06acb33a1578300b6ab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe

Filesize
224KB

MD5
1dafaf48678f594b202a772905b47129

SHA1
a4c66a74d0b86370f66036c977ad763ae2b2883e

SHA256
d128551002d4323679f1db77fe3a6100ba55a14c90680caf515179d49eb589b1

SHA512
f74aea180deea6ce2e07be8f27411940c74a2c97845a9381f46ccc66f21f86000ae49aceb2c6254ca2759f607b14a12859c04c5778c63ce9c5a2e5299bbb5467

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
605KB

MD5
e63285183e174aed7bda3c522b7df196

SHA1
cfdcf7408c04b2a62103ba992bb653d1bc51fbd1

SHA256
11f3700a8151d7ab37d5dedab9f558a558605db41abef0ccd5ee7415c7a4e82d

SHA512
9b415cd182b041cdce5df6a4dbbbf4d8f2d7018fde0cd7efdaee41f071a141f53297556a27e487d29b8f123be59440ba23ac97645f11459bf1e7b705982f8c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26c0aa793ba4700c4acf490c0fadfbd6

SHA1
2058a3a8c3923c6ebc25ff0a316aac605994ac7a

SHA256
303cda5c0f13b44cfbe75efe87227b566826328f50f63c3cc7772a7d60b9eae2

SHA512
81388f71cd7387cbc966d0097f6dda46f774d6c429f35d5806fb8b7565b647eb8db07bf62c8374bcfc18ae563ed587ba0b4a636d5b7ab9f815dfa046e481b179

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ef4999b3e25f574694dd21544e87900

SHA1
0b52aded6498c516b7b6339f53a00a5696bc8d1b

SHA256
5967698f3881742b4fcc056c83ef0eb2523725197c2969981a02f2e002b297d2

SHA512
4226eb5abe7dd7216d70a1f7f7ca7116ce019327221384abec2b379f2ace0e0cc7d514723fa510a42f395e57c4e2991b23eba529fbf098a985a29a57b789ad4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
64d90ba9f60512cdad60e80e923326f1

SHA1
1b86dfff3df2f39bb38d70ec81d3293fbede711f

SHA256
00954c098fa847852ba93d377530a9469560365d59d44d9dae52b2c1b1410f7b

SHA512
6b08c0e23bfff99271ed8e58cd6c9181e399c06dc4be56a6599e01f7590260e514d3589a74dc4760e1a2e3be4c367af2aa855d5e4a5a612a9eb138bacd25eccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3068d5f530fd325bfb1499e990e9a612

SHA1
468dc6b35e430d5463074c518257ca39dc2abeab

SHA256
60135e491a8a2682c2b39574d0eff131df756815f784952d31aca901fac22745

SHA512
ea2745732cbe28b9cd7721899f86e3f7526084675c30e21cf78e2b6b8eed648f94fd278f466c8814a458877221673430748aa9291729651fc307020b6b95a920

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eebef440583482aebc2085f458e6cb82

SHA1
5129242fd54e35d00af9f6d3631f403fdf7a845f

SHA256
f03d6d4404c5cf1ca95424fb953d2bd85918a90265dc8cc09a37fdbe0e70c5b7

SHA512
975a9dbbbe331a2df3d8a9f882f4d62a4f458815613acb01097b67a01d4c1195d5263cc31feab0495544b1ab67f5c4c70ddd52d3a3f401fdaffc37922e544f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71c762993e0edd9aebf6d1ba449f619f

SHA1
84546cc08819d57a8f1b287887d35b6d44465758

SHA256
0c1c72ddf17d782c878b82f0002799a0c6bf6325f07f96aee06f9e053e358986

SHA512
b55567719550f62aebccd9268d74767e9ea3fc8c228cb28295a1fbc1d1d805bc101b62ebeeb34f2629c421a23d2625c92723bf468f20331f4aa85905f8539acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c1b737b2ab00f4099654fb66910311e2

SHA1
149105a0cdcde2f4d2c2e77aa7fae62e0cc9b1b2

SHA256
ef5683fb52e1cea0d270cd96dedcbe5b2bd7cebcd5a7f723a24ca7b62e59577d

SHA512
9d13103dfcbbc2ebaf4fb52cb087ffe8edbc085aee0648fd0f49ebe4813f7dda29bc9377506d41e4177f693eb0b1c1ce02d5aa22cc9442343ffe35ca82616792

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b7f25b7508c163060b215e5e090fa28

SHA1
f5cc3f2146d85f782cd2c4a8e28c33a0eecd320c

SHA256
bf286bd20ab12efc64069638bf9090e1a7a6746b421ff4ffab27d796697b55bb

SHA512
1649eea510fe98a6ed2e0cf83d7a84464d3f58cc220dd98ef768fd000e83bd9771e335b5d05799954cd5d900a12ce0b25665feda3ead6ce9efb1287c93e02e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e0d8f4953ad156270488d72d9e5ace7

SHA1
af4132a47d5767b0a2d2115d7d8905c837386d9d

SHA256
88bb3f23cb496cd8dfaa60b99ea5b6b782b15e4d3d3eb65e1d6b33b39b551c38

SHA512
c7f88c8d03d9083898f2971970d211d168a05a63bbc16068fb7b77541766188863999b8673dc3e961d9b8972fe40457c2aa88c47f5dca649b44552cbc9cdb2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
97bbbd1dc28813f02362fe1d55955c3a

SHA1
11923062283397ee39f70d896bcaecfece2b84f8

SHA256
d8c0110ab93b89e30604f3fca41ce59f61dc78c839092490241d100de9750ee9

SHA512
b7a1e689cc37ab00379b4d06506f7dce65f3e6d2400749c6b6c2008fa93b6699cc855e192d12f1fab30fa0b02fbdfee36cf43358b791c406a4484751e59ca879

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c8ccaaa00c06799a01b36455f4afa0e6

SHA1
fa8cb5800de77062cef50b5d129daf2443c9bd47

SHA256
c6ef4784f73222e431abe041d98debd705826ee0c76402bc3bfdb052f890380e

SHA512
4ed0bc1f66e9fe1bb5533c07d2de33c6753b55414a7f05a3cb78037c4ba1dd31a06694e24fbedbf7e2b0d30f1b4cdf507a4f9740bf2ec0c4724024dcd8151ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
005b16f73342226dbd8c5a4d6e0cf681

SHA1
3f5b3c7ae64cb46056b1643e9ebfaebf2e660641

SHA256
ec71ad0436feae066ecbc8b2b291c8303dc62a14e1256c8429c69a9ffc0440ad

SHA512
044630dc23485a863c9535868b08ecae2d89cbef5db71262ce8fd167d64adb7e53bb0db211a6c03cc25a5f438856d41aa1caf8223a32aad14a6244449f0c7ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
261b5df639e3bb3ec7151f49dab93b5a

SHA1
0271b1b09ab996a4cc93847172ca9220f6eb9056

SHA256
a60b75e98db217701323aa848f91852fc047863af5e47ead0c223e24a445a8e6

SHA512
d484e57a91a40170ddfcc8af2851a0eafd1b4ea643bbc0dd7ba23f4a2d1a16fd034f32688aa5310fa997dfe24b5cc25b9cc398715768331446362298fba3f266

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19252b5c03b62ffd28898fbd754c5a78

SHA1
aef8865ee123130d1e4685d2dcdd5b3d89d4f8bd

SHA256
a7139af2459d89026d68b0de056ef6c641b21d4137fb731fa373f46fa57b7dc6

SHA512
ecf0db8f46646d383e377f74b2dbc1770bd04fe63fcebd0fdca80bde043b1f191de14b8a0deb57d391a3cfa66f2dccaed43e7b20d2f5deddbd51bd1f87589216

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
72f00da8c035771e3cb987fa272b90cc

SHA1
2b52f1b9b94e3a9d6c8648ade88431eb1c9da858

SHA256
568df8cc4be112c31d293a8fce97dd90f728e0131c574357ca8d90ccbef0910c

SHA512
a47f72590cf2007a956677cbad6be97831d4ee492e07c70e66a7345f00c4d1ce099638ea5842dc063cab439b56e0d248a7421bbcedf0203d667b9e0ca2555df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f69ba5c2a623cff43fa519db3c599670

SHA1
201bac6ac66bd3adfe709045b0b8143cbeace3ee

SHA256
0bdf762e926804652265c7caddc5339f0a0f0540379890a6f580382abd39e89c

SHA512
dcb39bdd721942b62affa87babde847abd8b879a146d89b64af88a7cbfaaa8f9afbd3d5a6ecf207575bde25385fd12adccd6972eebdaf37d5be4c1e54753cb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86281a863e4d7c3d50483fd184ec2285

SHA1
6335dac26cf3aec8623835a843d17d7e12dd741e

SHA256
b93307f94e3c7b94d3a4a378a3aad1f345711592975936856c1378645d999700

SHA512
a54a35b4b82ce7b03d72cf99d27f91b95825e090a303730d9546a4dcd16b4392caaadd82d09f29e2b54cc8d3ef1cedceef13eda6c876fc46500299c01922b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
601c321af608bbb66ff32555e8dd4451

SHA1
e971c427b3204d2225328a496bf448f6ca06952f

SHA256
3a80d46107103863df64d7c1ed89a4c86791915d18df1783f5ba3d69e55c09ef

SHA512
02ef073233d67bc24d95e020c301b747e291b4585500e8de61c388aa12b4a75f0d4ee5f1887f76749d9448cdf4a22c07b9f7982be64b8336b9473e1f683c0a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
457ef0f9fbed5cb1d9b335aa3b79f080

SHA1
80cde7cc63266c055e7a64162cbe70e57a2eb8db

SHA256
933a1e7a367937ab68f5c13484ed8758f33794039b53cb3f2db800314cdc773d

SHA512
88ee387842b5694598fc2821df99def0d3bb683f3bac5f9d3e1a6c020a5af794e6b0fb2e2afe4f9034869d1718bd9f30f837f48c6ff1276bfce4f2bc834b9ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a65ae2fa49a7aea1dbff0d295b6ae9a

SHA1
a43f740567e9131d8ae8b296215c063d9bbf00b6

SHA256
bca3b43239f80f61d03ac8fbcc138152435828d6e3ffc762a46c8fd105f394dc

SHA512
a1eb96bbb79f47d53c0b65bb92398adf45c48394df7cb328bbcdb640c2df729f25ae98ba5ef5afd8125080f72f7cff4ed76ad8244c8d5bd9a94126813e2087bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
481fbfe61bc5499481f0ae5db2928d18

SHA1
06a55b78fdf7319358bc2309dfc1c150c032db43

SHA256
1982d37d76d6d25e4d7ea7fdb92202adcba612d5bf1b64e5c395cd20db7446ef

SHA512
b838fca9c11d3c19fe8f47d42b00a58468ac087701afaa9b503d67c18a7a7f40944ec8fad307ae74def0a0ab2166b54e5a17159d44ad7f4bf5417033cb2b7061

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
42b52b99cf6b85c55cc5a9dfa1377f2b

SHA1
3f47b7e4b4f8e8c1d4226824486e73d98b54fc91

SHA256
cf628ac4e90b294604abab459479f24dcd24e3ceef22f8e5a9b414aff08912ae

SHA512
194f4d89fc9e48e57b560641f6ab329ab9631ddc63997ee2466b28faf81d00984dc26abbaac3c8fd0b880ab643362425cf7d65946db6f157c2e7b4f1d3f3e543

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9f9e0f7d11d5849565c50855b87d8ed6

SHA1
f94f8161e9083d5303e04c91132209965669498b

SHA256
fee15b9e6676bb38827e3226e38a44751ca58b97a1ada3d630984ae065c9e8e0

SHA512
9f0e185a0c1441054df180b6d307972d0feee22fe28ae9af762109ee8da00cd0f3726bfba962fc0403df8dedd2d687be679c567dd517b0ac2aeb70fec8fdc515

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1f5b2e4c2e0286192dbf70c9c41bfe54

SHA1
c6ebfab48011105816f145eddedbb7cd3eca2cf7

SHA256
32aac4c25517763077108b02d40524817886507fdf38caeeaafac4d182f32ebf

SHA512
92a18f01966bbdc7f6f04de6bc6d9314e2352afe3cd40d2f53719eaeb1e1cb96744f62bb1d480bfc11097ba267c36b5fb4774785c850dcad764b282857adfef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f822c27ada4d11b7298b665a7b357dce

SHA1
98e9e89d9af9085db7b9084a99300d891f45e50a

SHA256
03dada1d674f5591f1f06de1e5e30ab8da4782e01d4c211e856d9eb86022038a

SHA512
4ae695f17732370932e0dc1c829251e0ec3f4a8e68509dff9837c69aaf93347b2b7b5dbca02f6bbf95675cf79316ec50bf343219f01fd738bd51f6daf1229be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
515534b24cfec2d6802b6109f69b83c4

SHA1
1377d187cf2ac2403821b8c11890fe00cf14f29f

SHA256
f391ea3a70ff4d5d154ebcd0214141d002506339c4c15ae5aba580b19655ba92

SHA512
3b8396637e6a111b2b5cd60bac5a51aaae7a31e409c492db7f3220ee5696b6702f1fbcc906f54766dcc8c5be748db9c7cf1ed0ae40f729bf207ac5d6051f9d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb23ce679adda64ee7955d9bb124940b

SHA1
418bd8a6d0be0e2b34e19aa62e0d7ee6abb7c870

SHA256
19e12f8140090d2548abe4b66248b30e5cf04e72772ad0a2fffe16d8c50a2ef0

SHA512
515dcd26c6700e1aa1045ac17d44c222cf594eb4baec56c3c032a8a4fe6628cdada273e46dbf51bfe433b34dc3b13deb6482e341f68dbb5238ff24b3ea20df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f91cd03a4fb9861c64cde5a3288abbbd

SHA1
47c3d3d696778ddbf6dfc552f1a9bc513b1e68e6

SHA256
48088fe461845212389487da0c264b53293085e5248051a5a68d3d3956e4a478

SHA512
f65a4fab03a19ce2ac9aabcc2a9812604df37c467f5a5bb95129a634b78fcc0575a28bbab4a039e8cb9f4520b3f2b742f6e0d7a5004fbcb20190592131bf9e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fac8a8aba35867405c517e5cf9480354

SHA1
05aacd4e7d4541f1002c72c4aa4986957a738019

SHA256
34e2a1e8846e4101082c6991467508d57c1d3c783622ebebf684d8dd51abfc8e

SHA512
0cc540bc0c20e8cf4a5994befb7dcd889e9b4dace649be3969540a76202e94e297ddaad9e50a9f6556b15cac3d7f0657d8d7026792d35aaa36798caff47c1295

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fa96a3f9b5f5b52edbd9df587938b1f

SHA1
c0326d41d18f2fd46c21a6a6a4f8e4a0969e37a2

SHA256
b521458cebe33abed9bda6cdb0b89ea1a4c43c694079a4d1deccd984e6cec99e

SHA512
53639fb3bc416c1f6e20b7e412d6c368439e0d9ac16630f2321835e23db9d7173dc383dfb85efc8c5b1bde5877bbc30da76f84fe494abd10f0edabad980f0533

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63d0d77062de97ca9372b706aaeac9af

SHA1
527b247579bd4b92dcb85b31a2d31202228666fc

SHA256
fd5b6da5d9a6522afd827369b749aaf4409e0ae966113c8ff97a58ecb013cac9

SHA512
eb38a1de5e8912742b72ea072957967bc94480fe6341bd8c6bf8d4d36d532cfaa812c44aa16e55889497b5548f0916edb34d9cf3a61f60b90b8949d6388f03e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
579aa36b25f340a80c8dff82526eb269

SHA1
7398aa3c9caa4432c7748007857c8af93b3a1762

SHA256
f7c88d188bccea61a948668f38929be7cd34b50333dd660d79038914a26b63f0

SHA512
81a87cd933dd7f1e6e047fd068b45a7c27b00703b19724c1eadde2073b655090ea691b138b2bbe454a64bacedddbf29e818f02b886e5ca04a0f72e2e86d709eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b058211afaa9aa561988ac346882fa89

SHA1
ce451f92235d446f8c7851eab30867fe69249502

SHA256
477b28003e974f468eabf53dc97cc8c92774cc9d30ae0e5cc954b459ce3f5169

SHA512
cf725638b30727542961dbb6923586d8dbbe82f60914ca18c79ab2ba8e1bcfdeeec5975eddd5e1a9f22501b1ad5d59c985e2dc135f17b2418b5536ac39c958f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f8e484d7b64997dc54d9fc782c475217

SHA1
998514356c4869ea76a64eef75f366c49fbad618

SHA256
535ac663a7653071f9817785bb4e093a5b44d995da798da037b46838401927fa

SHA512
2662bb18b330dce7b84aa7f85472e21cea4a6656d6b052c82bdc11acfb59d21d3d8c10717b7c0a94c5bc45f7a8464e64e7b4ed1531bb981f9ba1b35ab996126d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a36ef46624f01ac532d96d188b6d805

SHA1
30bcd8d6ec404bbe940dbf05b2b519949c0dc007

SHA256
531776806bf07a60271cce2f58f155b62436e0140f8139e446ad34ffcba1d317

SHA512
81bb5e0ccd7fcf76742d1c4382c220384e17141d0dafc3a75b4097070f9208fc8ddb40ac6d0c685830bccb63f456173de82766fe3f7c3ccec32365415750dc68

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\UTP.exe

Filesize
49KB

MD5
e126b77aa21df82fbd267b6785b5c154

SHA1
4dabd87c4d7c3bd5d6b75157ddafafefc233cbe9

SHA256
70fc5da0c8090091e9abba82f6185f60606b0e5f5bcb3fb03e0a6289c6c911f3

SHA512
7e2ec83c395c0a0210f308f87beeab6bb0e0c5331aef24cac1513617001db3eb099fb3144b9437b9e063eb987e256c56a930b61ce686e232edf532e227e45d39

Download Submit
C:\Windows\explorer_backup_wti.exe

Filesize
4.6MB

MD5
30decee483a8196b30643ec6a453a7de

SHA1
92266131aff3595c5a95d3aa23c9e40c85d5f982

SHA256
3dc254ad131a691acb1f9e3a5bb5ca5b3ea891869e516f4b3580ea4fcfdf2e76

SHA512
a8f370c060223d4c2985ac16e78547779e584020e95428e85b497464fc487611d7b080908f904c11aa93bc7b56ec102845fbb6554d97dcba7fdc856c93087f00

Download Submit
memory/1228-61-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/1228-60-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2072-35-0x00007FFA10710000-0x00007FFA110B1000-memory.dmp

Filesize
9.6MB

Download
memory/2072-747-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2072-48-0x00007FFA10710000-0x00007FFA110B1000-memory.dmp

Filesize
9.6MB

Download
memory/2072-38-0x00007FFA10710000-0x00007FFA110B1000-memory.dmp

Filesize
9.6MB

Download
memory/2160-47-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2160-1415-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2160-52-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2160-59-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/4804-1-0x000000001B6D0000-0x000000001B776000-memory.dmp

Filesize
664KB

Download
memory/4804-6-0x0000000001020000-0x0000000001028000-memory.dmp

Filesize
32KB

Download
memory/4804-7-0x000000001C320000-0x000000001C36C000-memory.dmp

Filesize
304KB

Download
memory/4804-0-0x00007FFA109C5000-0x00007FFA109C6000-memory.dmp

Filesize
4KB

Download
memory/4804-2-0x00007FFA10710000-0x00007FFA110B1000-memory.dmp

Filesize
9.6MB

Download
memory/4804-3-0x000000001BC50000-0x000000001C11E000-memory.dmp

Filesize
4.8MB

Download
memory/4804-17-0x00007FFA10710000-0x00007FFA110B1000-memory.dmp

Filesize
9.6MB

Download
memory/4804-5-0x00007FFA10710000-0x00007FFA110B1000-memory.dmp

Filesize
9.6MB

Download
memory/4804-4-0x000000001C1C0000-0x000000001C25C000-memory.dmp

Filesize
624KB

Download
memory/5832-1451-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download