cybergate | 98877addf206de59e375a2c09ccebcdf5d3610b87fa7d4a6b0a5acbd5c39dec6

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
Size

365KB
MD5

0b2f346367c8ae13d5f3eb2431f293ca
SHA1

2710c5f241eb7a30b20c8390122dafb6b6f9523c
SHA256

98877addf206de59e375a2c09ccebcdf5d3610b87fa7d4a6b0a5acbd5c39dec6
SHA512

1642906a00ce0140122074a0811c39961a09398f9a67ce6a27f0de6e51099536e3af986b06c12bd525fe4a1dc529dbdbe3e9665bb31772a1b053a065d9e300de
SSDEEP

6144:k7sdufcNtrb2elWf/DTu+CMu3Bc2lrfl5Slrw33Z7cepVP2+aqZciYjtpOGepSmp:DRNR2eleDT/CMiBflrfl5Slr6321qZca

Score

10^/10

cybergate jahrawe discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

jahrawe

jahrawe2nd.no-ip.biz:3309

Mutex

jahrawe

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
windows
install_file
win.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Please try again later.
message_box_title
Error
password
123
regkey_hkcu
pliv
regkey_hklm
polc

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA712083-48B2-P5EU-HW6S-730DACBJY3T6}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA712083-48B2-P5EU-HW6S-730DACBJY3T6}\StubPath = "C:\\Program Files (x86)\\windows\\win.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA712083-48B2-P5EU-HW6S-730DACBJY3T6}	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA712083-48B2-P5EU-HW6S-730DACBJY3T6}\StubPath = "C:\\Program Files (x86)\\windows\\win.exe Restart"	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Executes dropped EXE 1 IoCs

pid	Process
5072	win.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\polc = "C:\\Program Files (x86)\\windows\\win.exe"	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\pliv = "C:\\Program Files (x86)\\windows\\win.exe"	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2660 set thread context of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2980-14-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-22-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-25-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-11-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-28-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-27-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-26-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-31-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/300-562-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2980-596-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2980-895-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3028-3492-0x0000000005830000-0x000000000589E000-memory.dmp	upx
behavioral1/memory/300-3617-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\windows\win.exe	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
File opened for modification	C:\Program Files (x86)\windows\win.exe	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
File opened for modification	C:\Program Files (x86)\windows\win.exe	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
File opened for modification	C:\Program Files (x86)\windows\	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
Token: SeDebugPrivilege	3028	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2660 wrote to memory of 2980	2660	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	31
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21
PID 2980 wrote to memory of 1260	2980	JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1544
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:1808
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:832
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1184
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:544
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1052
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1128
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2148
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1932
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:300
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b2f346367c8ae13d5f3eb2431f293ca.exe"
      4⤵
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3028
    - - C:\Program Files (x86)\windows\win.exe
        
        "C:\Program Files (x86)\windows\win.exe"
        5⤵
        Executes dropped EXE
        
        PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\windows\win.exe

Filesize
365KB

MD5
0b2f346367c8ae13d5f3eb2431f293ca

SHA1
2710c5f241eb7a30b20c8390122dafb6b6f9523c

SHA256
98877addf206de59e375a2c09ccebcdf5d3610b87fa7d4a6b0a5acbd5c39dec6

SHA512
1642906a00ce0140122074a0811c39961a09398f9a67ce6a27f0de6e51099536e3af986b06c12bd525fe4a1dc529dbdbe3e9665bb31772a1b053a065d9e300de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
dcaf41ff77b93180fc9749b3a58b10eb

SHA1
a1c73a3ea2d8459950ffb3110ae200ee7debd84a

SHA256
ad77a3c3f190d990bd0780227897b978e2a38b45c791ac80c24fb6c8659b0472

SHA512
d5a525cb0da294649f4e798bf6c8e558c981830a1bfab1e99092ecf0028d6435d6bae9ca4d0370e30253e3145791b831d0eb877657c335b82a44309a37582af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3d16f7f4556449d6ae38153eab35dce6

SHA1
371556a69c62156368fbd691b8925a41039f0207

SHA256
7d9ec876ac14ab196c09cc477025585d9460a1a04368df56ac2e907e8ae66253

SHA512
e055545bf285cb6112735c17f90a2c3981fda6f5403a3318b074774f47b11407136d1007fc9a4010e1e3fc24fad9b6107ee25ff5ab5a1cb7f34a6f898788c5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
af96e2079a8b489554e4c59b176496c5

SHA1
46b577d7bd708440a66e0ea1506cfa6240ff30ca

SHA256
36c43d48d8a6d7d71d28fd26c5a7ae5afa2e3e2692950d93696ee7504747d921

SHA512
216cfd6464d23f59620339b9ed3f593c326b15b103e675a857a9e38b8e8ca2ff7bb61e3f834b3053fc28a9b17f8c5d8c5a2a6b4fac30ca48b841c9506d8901ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
147475cc88cf7aa0fee323618b2f7308

SHA1
d6b88f071151af0bbf296804cbf23235c1070901

SHA256
a1ade1d38ba2627d889de16a352afd1d4f134c4dfa9b3d4b2486e977c24b0e3e

SHA512
df0ea3d1e0fc27d98340b3ede8706b34f817d15e1f684df6b202d27080c3f56f1c0e20b9a6b2228085e6143db2f9dd8277ab36e40b926e403bea7f788e2c33cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c4e2eeb238ec12d787108f5db1cf0957

SHA1
8d7173e5e288b6542cb56ee2fc85fc9eed7b2675

SHA256
1efd9779bb313c9c6edd629cbdd62bb2ef6849d59b891f5c6a7cd493e1d95eed

SHA512
65b4f509c38162e717754d5b2445766bf72ee6b15dcc07d8264f0c2ca103c41358421972069f8acc9439a98b1b33abc8a67e1ec1a9e995ec2b9589d8111955ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a0f18941fff077659e4c2b3ce4b6a8c7

SHA1
58f4c72996e8a48807e323faf77fbac33aadf19b

SHA256
e804ef5c519f1dc57394516d2a8a257d47efec8db0fffa1319e9807f15867698

SHA512
8a5a5cab26bed1c7984beec3ee7f47a51becc45d698a784f922cccd9dd77b87e1ec73be72d7d9269f531a73db306f5b80840b3adaf0c586d728ac4f3c7898de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e91194a06f081c74d113a96fc8ca8016

SHA1
c35214d34f17b6c189627f41fe385cdcc706a37b

SHA256
a010561acdc540dbda0b3527b9335feec3132190adc02351575fea5872fe4c19

SHA512
eed353c7966e330f2ceb8b60cde36c290aa83e63803e8e4737380a285c8984405f376488faaabed687b5d02d4970326a735f6b303286bb93099d4b08ea0c6097

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e6a043f9cba57bbc91171c07cf8c5c16

SHA1
9db36ed97546d656af4690f8de4032d8aee61458

SHA256
b6e2e983fd3d78c2bd033e910dbb6e8f4a7e5170ccc5c4c07a071431f705e093

SHA512
74986c173b54d058f4ce975731ca2be9c8c8d201912b6588e977f8de7d31b6ba8b3ecfa2d89401670560ece9afdaef1395ce20ff4e4e30afd25477906fd754e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13956d27d7b251fb0d247297b1968046

SHA1
d2ea3b8d051fa310e2ec5bd6b35d07eb9aab4373

SHA256
6d027246435550d6cd0718189ddabcdfb8a238596f5f08a1b365d009eaa35c04

SHA512
f2703a023bb5b514e5eaaf3842bdc2b1db46e4ddf1bfc8a3f9a8ef51f9eb8ff25ed01ac0ee19a48f8cdb33e42093e028572c5ffb580e0735a93e8f9f7180e4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95088e14f0a861ab8ed8d19491aaf14a

SHA1
819391964f8333abaa3d961d6a311e9b5d0d5f67

SHA256
0485c5eefe7132c06531ba1eeaec526a0889c0955949c3eaff7dd643c136368e

SHA512
f4b062042aae5d14d71fa66cb972c763b5559f0c36774e1df48bd7c5811468d132a3003af2f3b48e7fe35762285e102602da8710d5a0e015e0da90f8c046676b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5489430ddf07f4c03aa4a693070243fe

SHA1
a04d9a492c9863ce1cb4e4db17323873033c2764

SHA256
cb966df5252ca72a22fdb280ecd40b0c3ebf09436f953f759204bc25b8e8b5ae

SHA512
d23b03164301a8ae61a3340a01d5dd70ef0c751dfd7978e8ec823d2a7a1283f13e85b72dcf42cd6f9358f17aeb2dadc309813f957452d74e2eceb26c6a199055

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
831b1e8b86c8935a5338aa8391fd65a0

SHA1
d66227ac7177d1013065c4213beda00b920e4270

SHA256
c52d735769949e739905a79257349b18357e90753ebecbdec93e2283284597a2

SHA512
c0c4f1c37f10828bfa7b927b67e27670d96b5e5c41241ac2494753e3ffd55ebc7c61a53ef42360f3f010982c57de13336d51720ab4dd52dabbbbb029d9393d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3757adda120b2fda6b2e7f8df146ed0f

SHA1
82e31ce7b4dc06b96470762fb0d02cd484d5a133

SHA256
9dc556b469965e1da09febc406be768fa4acd86e260b767b09711cd973ab8798

SHA512
d6b62c165fcd741538f1cf068df7276f62e50d1cabfcfcb3551a94c946f897c42967c61a470c4506e98b44923e272d298f9767134324c97e57275f8a0c767565

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6859fccf399d6582a804be3f5e2b50b5

SHA1
589f1dfdbf73e5a1720ffb67a7818b0d507bff0e

SHA256
960554c19717a294b2a31a6453ec1674c324445e6a972f23d062015979148ba5

SHA512
4a75c7e0c0844fb88802fafec79078b5f6fa8274e718c6142943313bb72530e8e8c159a8a9338318cad2005675fb883da2cde97fcb193d83e2fc3db147e32bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ba18c52b7102ef22781b6f36003fd4bd

SHA1
271a07daaa87e62d66091b774a5af90629d4b1b2

SHA256
c84caf0d0b31b18ebf716afdab60f1913c6abf9f93971f7a335e51524ebac7f7

SHA512
be71151e9cd4b3ef7c0045e32ce0bcc6770173531056c7d18948951d5ec8b01fc37742f4a76541dcdca978dac1e0729d1191802c4f334029a35dee2d22c5f694

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
75e817f5059dba757921245b45eaf012

SHA1
a0bf5cf4e1d003132731c41616d17de8d90403c2

SHA256
9edb742c82cb479b5d8b8b833f2b26fa7fe0e03a7dca9e065af6349cbc458ecd

SHA512
4bb623fc9849aecc0de7b131c0facdacddceb38c940cd875e4e3664db37cca7177c3f5d6768c8e4187f2b239456e6d61ae9a96bd2b426b4529e1cd33410b3aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4649aa1674ab3e2f0be44c064d96eb2f

SHA1
db291e3fd3ff7b214336e493956166978d457b1f

SHA256
8c7fd44e647cd7bf703c69ecd986ac80cb5eb9f352bf6506826c8b578a86fc67

SHA512
45c7a2a8abc22b2e8f9f77397dab9aa4ea89850be0c3bec327a1a9edbc339c82099da6fcc6d43e34e3b61adf9fd592387abb2f04a15ffe6065d8131815ac506e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
beff370f30477935313e5e770f950515

SHA1
6b1d73b8c3607ed809bb5dda736a3b93e9fb836f

SHA256
1e6efc9890676f3005be047b633a8de737bdb1aeab16675b19f0a4e27fdb0294

SHA512
5a495020f394e87fc32e13b0df711a0c4f969d2adbb5ee49240a000acb2b645afaeaa1b70f4215343b843aadd4ba7e7df09063f2e78c87dd1fa167f1ed97824b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fe4a728fa97d546e1139567ed7321af0

SHA1
cab8262a07662934f429d7bacdb3731ef29d66f1

SHA256
bb63fe1f34d34a9ce59684fab40e1061c34b0de03eafafde03f27791f2923af6

SHA512
73b573c5021323d4b43964e067df0814d6279c61d979673e4928da60a38ef42f8af8c22d77ecfa3d505ce22d4864c4c2a712bddf50f3756e7209cc3f0d2d7de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ee04664409fa073b627b8fb61574a07

SHA1
7bcd8cf6ba8d22b90a88779faa7b3ece7461f5a8

SHA256
c20898186b1317ddab4b3dbad0222dc0ccaae3a503e41371044179ad3dcb233f

SHA512
79a773a28f5ded9aa291eada6eadfed758eba54e1c185171b6c9710ad0f80085118eebe04817355d52e46dc5ded05434fb4eebfb35744b8fc3c43dceb004aeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ce8c3d81263a06518e479db136b9f46

SHA1
319b42c7087b930f27dbc9048884e19542ddaca5

SHA256
81b375545ff0b3b7e118c4cc1173d8c49320777e2a558b64d0522b1c5ccdb823

SHA512
07ff0d9a3466e0b1698cdf053afc3ef7056fd54ef574db3ac8db54f4f6becc3aea35736d47af9cc0a70804ade23ff2d43fae43d99fdc3c656e48386fdc6f6847

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2549663f66da50b4c24421974cc5b340

SHA1
4ab46f4b5d89d7c73fa814cb7fc3c6a92d069a49

SHA256
bb67d5cecd74d36343af52915899329da7234d3d36efb634a87c3fe0a07e3a28

SHA512
985e872172c4b934138dff55ce6b42f7fa0cb884a2af1daac6d6698b8c33b5183a0df25bb32c3749f3198cf603d00529e5bbd45acf6ba144f12f764bae783f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c46b6d5dd214758a90839abcff2350a8

SHA1
29c7a3c2d40a2ea28a52d6598511e0396bdf4c1e

SHA256
1bed9e42b8e7ed11ad325a2e2e8c9b9a0983b4b2aa3ceca765d027f9d399289e

SHA512
3b225698aa36a849d93ce9dbac576d407d51bf81c378eb24e59f5dde9a14ee13584b03f53fd19fac5d1f947ee9f4110caa07f03d1d2164bca230c577ebbfb9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e30d1bf28600ee4cbdb76829ee4286c

SHA1
b3c4033c858ebf6ccc35a7314732faed5bce858f

SHA256
6d3b9d93834f1251f77d4a72685839193c02f34042d9822c4db6b748b443811a

SHA512
16cc1506254c201aa0791cc18803004d9e3b20a2d96fba6d354e2489a3f89f06504c630c0d6e3bf3d53ce3c017143ac14c310b6702e5e4ea32127821a788d3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df8c0bab49de6f73b1ef74a4d5ec5863

SHA1
d3317c8abc6c344691922ac10d85788cc4ffeeca

SHA256
f2cdf8862191aa32bacadbbc442011acf4a25c0513ab360b305bad5fce3750fa

SHA512
34b224375efa5ad6fe48da985a6f9d878edb8d8d0015f21f53b18b4a9e323293f53e8ad1b24017aa91c45b139e22344093903ece044aaf1935c6d56b993bf3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
72c93cf0165946e4b8cc92e3e0eb7689

SHA1
ebb02f38e4703365675c432a345a0b30d64ac50c

SHA256
b656a5ecdd8927b7a8c38f856533efdb9ad6f732d53f18ce48aa4b4a6e8b702c

SHA512
106e16d373bce0a843f8412856de02c0df2085a73fa907b05009bc25216a13e7c951c4043914c5238c01dacb770c0ebf52e12c56244023566c132bc712f929ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
05affa91748a98ec8237790c7717df7b

SHA1
a70bb68aae6b0db7650f4c0b48fe61dc4323b5e0

SHA256
4bfee735dfc7f411cfa566a0786556276e15c02e233fb5979960f6d90af59c07

SHA512
2c50eca95a8b8973bd8a0b5ddfc0858d492f1c63a78575e94b86997ee3c2eb9f6abed5963ef8843d520f4eac69b04e2c870d4637ceaab61b4090a3703972aa9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c9a0f03d84c58f4540d2af184faf55ad

SHA1
8f4efb70b7049da45aa32814fe0a680e456f6cc7

SHA256
5f0ddb0e2eedba3b1e6692048f9aca4dacb3d2c5765874658e55d256e2df21f7

SHA512
f47db905ef937900fa8cee7a3ac761d8aa244f81e855e208411e81dc0ab33b516fcae0922e1842e5395ecb4b9a16404418e901e00ce6174f0c9bffd461fcf068

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e80dd3523e702a7548600ca67988411a

SHA1
d308cdbb07c82d66bb469e030c44d3a06d6478e4

SHA256
60fa8ddc530e8b9ac5eb96a96b2b027b37d2aa09c4a3d96213d8b964f82e4eae

SHA512
64a175697d8b631b6266776aab566a8a32f3a22fbded234820624cf2f601f88f25ee610c46112040f76f7887200eec134e74d26b98d333f091840f81f935abef

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e9d21ce487b313f5fd360ef2d0a0696

SHA1
564475b2ee641f0f74121f6cc8cb82d50a34b882

SHA256
fcdcef0631e145cdb37e607c613ae41bd417cfb8f1a8837c21747a64eec5b360

SHA512
6054dc5015145efd0b670a3d5de45c9e476f2e277f93db6cf587cfdc02c6d02392a7c40864950e7a4f5f7fdc90eb7c7628ff8cc33c5999a3f3d4e73fd3001a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
04ab52c73dab27d8c6a3922de96f4c3e

SHA1
3bbe81134bfcba0473be9832e49912bf77ee7c59

SHA256
fcf6a40e1665e4c6642b63de9f143c3f79177cdff174b6b916442be4bd92b95a

SHA512
f963164e87288c47cb6e17de8dd4b75512038db50ed295ff4f8e4993809beaf162f59b40d550235f12493d4ee761816b8997cf22912f4095f7aa26a1513e018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dd1b3ae5002b1d354c56690f11a49fad

SHA1
f234abd118a64869302771bf68838d41b5a742c4

SHA256
53b4634999269d15d0187e2c96654ea0e98de0f0c864d60f770fab120897828c

SHA512
9d128b2887aed7b27dd71ea51028716833a4cec5f82c99c749418a136d9ae9a54f66c09f038759ba1eaf5ef1631978a22679708d38fc95f2d2a1639953db701c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dde2fc2d56857dc6cce52492e95c1755

SHA1
93cee557ef6cdc203e9dd85af501fd02b92a0c9d

SHA256
5282f576cc227b947a46a5ab4fd8aa21600e7c2e17955eec1933c410db01875a

SHA512
0b17a6847b803221b3936e194678131d9f04593a372ccad8bd6fb0a6c8e39408097210a5a1a3defec440b17acca2410ee26008ac33cd6b67e711a2973b00f4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e68e5f83ea96a76fdf2b0636f35d32f

SHA1
2f349fa0315c736ea963af7149c84f156c447e1b

SHA256
f078c4b97766c86b356500029e0cfff0727f0286223aa84a2c22c66b97d1f58e

SHA512
d85f89c6ba07cd9f6f38288d4d61512f2e89f9e81b880f36dcc3f183912c948854379e229a619600cf7a6c6c2c670e726b22980cb1640b55362628132f03c2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e8073c339d7db72296ff4d170687631a

SHA1
b517a7663bac1d567e54d8ca3dc064e3f2399d3f

SHA256
06d30960872b5ea2e764d5ccbd9d73c04ed174f12b68d5a975b1625b011553e3

SHA512
ea46b016ba1c82dc21ba0498f080a715b3b6050086e5fd5e990dd3c48261ac506b514bdcf882a1b4f597b6543c07f25a36ed44ca8a3dfe96521c9bac0a393e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b05cb662770ccf6260eb029120926b31

SHA1
debe3b226ef772bf29b0c467737e7f9d1438f25b

SHA256
71f18718deb731f707f78aa5b3d2d69e9926acd83e5a4af92a5a45cf5e9cc3e5

SHA512
ebb2d926e5673e17122ca9ac2580e9573917fa6d508b40bda5001e424d5c258606915f044db097db7df626a3332e1386b6b88405f65831af37bd6bf0a54273f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aacd12649cab13852f5417beed769850

SHA1
c6279ec03eef8aba421a4e97dbef05b4a9f4c138

SHA256
45a764a3dec89d0edb101b509d2426334b92cac88c9485189e2186247b69e3db

SHA512
cfb82d01a0db2a401f3ee5f62d53a35813cad5a7223983da04fbf11e82e8bf082407cccfbeb1c4da5573ff1e7d908325f88e271dc810768e4212310e5154b29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1aa4a5f4013b3162118bc08a2100bf92

SHA1
6af60ef274a765972cf9f5dfa4aac224b3b0e033

SHA256
1b2dc4256a25536832ebe5fe8e3d84469fae586be7f8c08aa86703fe50978dce

SHA512
9f4d586b19f36219b82f81ca530e86fc99ed8d60c0fd509ae969f1ed0a49198d514d61f63fe1f159848a8fc3540e1f8d298b660c26025bfdef49c1525100206d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
40139d927feca824707150dca2d955f9

SHA1
cd07ff735a2b270ee8f3c2e68050153f87693fe8

SHA256
d732bca5cbc68176b598145a4c10d3d2f595403bc69eda0064587731aeb6c488

SHA512
d35f159fb17abf25c0c7bcff22e0fce629ddbaefcc65dbe5c6b5b2d0503062cf59d6da967f7e8c7ecdb6725c809f6b3fc3c1275be6bd54501c55fff3e52d16f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
30be645989b615ca570378b9b7579969

SHA1
9eb012a4b40fa75fbfb49b79ac252123efaf3f52

SHA256
0f971de5eab330d382b844e6c3ccaf24e9094bcfd7362cece9bd2000a05cb8ef

SHA512
18d4ce3e53585df3c7da8a1ce5260ad922c2702eb902d9220b40d4d93ba0b851032f57cb14882dd1800d04787fd3e5380bf056cd5a1e1cb3804726f78b3a66f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d61e132109b2e595e92d1473518ad22e

SHA1
c7f39424427a28d47bbb08b1d3126c24e9f1bfe2

SHA256
fcb3736c5cf27a126d10378a6891054d1b8324be970479ad03f6b56b1c96b7ba

SHA512
6cc2097d0529ed53b3574aca2e74efcbbfdccc01bc0bd3de150737ec159bc1d8e5b29e0f505fefaee1691e05b2797bc7249b53086f2f1c075af7add37de48084

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4fd9e4bdab06fbb62fdbb065769ff2bf

SHA1
883c46eb370e1f954870f44b49ea8ab07dd80021

SHA256
854fdb1ac361890a8fe31bfbb37f94bd836359e2786ea749325f3114d73a03a3

SHA512
0b6790627a6faeddcb4813e9c15cc820a8ab2292ebbc79899f01d881fb39bec9f97fe37e5c9248ee5d0b0256288c451c94a5415df9c1b4c29cb3a9d7cfde85b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7ed30f70d5c75eadd671b7694e046dd

SHA1
75f8809d0e68532c0a8bad087d0eb47af2380f63

SHA256
6494c67aa7f1e260a3629cda002dcdfb8bb4757c6db537beed90ed132d86750b

SHA512
ba396f8dc1c8a4a50c13b47920eb419d1205b4481bd57ce9749faccf7aa1516a4e95f3a64d7dda12c3a37f716901819e4b378408daba625b2146ba27fbb33fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9cc98ee6c3d21225f48e06861c7c702c

SHA1
b7bd07310ded894ecb28bcc47dc67b0b70ec9d0d

SHA256
c2c2e601380ecba266fba3f492ac2d19efd12c56e1c249c4477514eea5040266

SHA512
752afa0769b5465a15975a154df3445511036a6f9242bc40b4364869e91b93db8cfc82d58c189e506c9b846a85693f369b2f348675091b9797e119cf5a8078ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c52a605cf22ff65e56963e1799fa474b

SHA1
f41c6422bce8a7e4ed4cae4e254663420229ae62

SHA256
e738d1fda502e32ad3c3c8821d126fb7d8df5b82ec1ba375e80bb0f534da29f0

SHA512
2474c698355d73fd5b29d8b16b17676d7a0ece24ded89ab7de214329a5d83c7a6564fce4c1816ecc96a99a3efd68484b4dbc6730b4c2d563998928f6f58eb436

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c04e11bb81a3e40204690e03287d97d2

SHA1
e8a73d64452f71cb2d12523e84246f34b7d01654

SHA256
6291661b8b344cf595c777a39ddfc3194f210de7293e07bb83fe5948a55df1de

SHA512
8d6b9ba74078eac71a2303015910455907c569f22ed39b4dc6d3e1ba1aadd7c99c2dadd2b9c98e1963d48e1166d3ad5f0016deb4d32d38770197b5befd5e3acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8cce885f462ba5119a7df19cd8adb7c7

SHA1
4ef8a08e1f2e008648003c6e30f12527b3b675c4

SHA256
fc89dbdb8cca520a39896880d42675cb1d90eda1cb9d50278d87574e8a0bd266

SHA512
41fbc364f3cf1e628256af98f55565393ee7e57127d82eb6704037bc1cfe3897aae76cdf535a7e7623215f75edb68fbcdb48782e537edbc5ca86e7a6f3192ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f2d3e0071f5bd4c39b0b927f2b889abd

SHA1
940120d432be6efc8f0a86ffc137f7e81151a492

SHA256
b2e0d9af72cdefdb2879bad195fda54222660de9ebb17caa5258e7f2e0fdb2f4

SHA512
ac8d8102456e2378222180b07681d55aca329b4acdc663e11ee76832139ff5287350d6ca082436b1bd9ad26f02613de86e851f4839bbf5c7d8fb9e50bce1c4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9983ed8e83e827dc01ef68b83ecfdd2

SHA1
4f8a9fd4036c578f1dcd3d58afb638edcae92b07

SHA256
beb73c751cb6dac8087280620c14a675f49d68b94d220e7a0815d5cb64f9f2fa

SHA512
d70463b0b979f99f4363763dc9211887b0b54bf928e890c9b58aebf9af1b5b91b6e0e0206328c06951e5821530cd115b03c57719209879de0dd963828102819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a2e227d9f83b4a6f8a6e42e2cd6deb2b

SHA1
29e0c10b24cad1eae9d8dc4373f666bedb2c8600

SHA256
0e71d4c029e21500fe21e42b528e9af26b51fcc1c79e554f6c72a1603dbb461d

SHA512
4929308722421533302224b6c652004d27323f05049f75e25f6cbd535db35e4efeda7a919385eb4d81069e556e7ad3b78c2b30c0fc78e543dabe43b9f76f89cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0081b25dd7a7187a2e83f2d0055da318

SHA1
5c78e22224e2b072c23a0590e6ce45bd0f5a2fb7

SHA256
6213af25c9c23894d27a654ef8c232310429ad2bbe4d3ae0acf7eed3a7425843

SHA512
44d217e7ba67ee07f20e3fbf6092fc082ffd714dbdde6953577747625974c595cb30cee5b219dfe0894094a3d1054f1a4adc07ef2e918fa56d7219f172275f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
68eb53498d442a4823121c99781d0c2a

SHA1
7bcc36de0b19ebabba0252a06144c13933c1b0cc

SHA256
7e7e872a0741c51a2b49703ba0b489760e2ba023607fa69e39d9386ba587d0ad

SHA512
0c2c6d12fc3f5aa966d34551844d2c4030e190a418a6fb00f1dea3f85428baee4a89122c9824aa19b408d5a80b30b6e4e28bfa223b619dfb26bb3df3c8351f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
627c62425873a513f6b9b8dc983d9846

SHA1
5cff7099d37f171f9cb700f3ceee439683de10de

SHA256
b1f73230e74b4c1d6db407b851f8fcc4c024dafcad58d8024281adcec4b444f0

SHA512
c7561bc6953b122548de02cd9dfe0500a1cab3a332fcd63bafe58c563f78c378f1b4c1ffdaff829ff4b23263887ad8608cad3227a6393a3f2c1b188cffeff964

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ae2209bb4a645aa5970366b1643deab6

SHA1
648ec0a27ac1ed99ec9498207a06ccad1b1d2c39

SHA256
ab18a2d6215aa857fae3bbf964f2d4a73d61f3825c7a75de159697a12722bff8

SHA512
806edb76fb296ef47563ae818129b492d86d0da38ebc92cbb3f5e06f4ab702b6e1070c304e5d21a2abcc4a707ee735ea73c0372511d946c87a8fb45c83b92179

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b1588f9e6458526cf0cdac29c1dcdfd0

SHA1
efe88cc377bf9a9535a4939980534e7ce47a5e1a

SHA256
48ee8c02c7cedd55971558f73e7e3cd89f168d5b2378b82274e7c134e39c5648

SHA512
fccb268b0bea41391aab565cc2429b7eaba8040cd7ceeef6c6771dfd2d20cc2938bf6c4a95de71b779692817cbe90f08a87241e298c3bfa87c723363af7de49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
43664ce9032e82ff7d0b3cee6a1cd15b

SHA1
4da848437b34ebc180b58efbe53fbc2dca20ea5b

SHA256
938e1dd9a5ac72b47d055f17cf696deff004b76d018b1ae0387183ae9fb8d4a6

SHA512
bd9334fe280d58852ec83d5b3971bf59a1739dbee1a27758fc73eab97dbd223fcac97b1aebd2e373928906ae09a64c9da5ecf2c643bdea9be3e65c0506c8bf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f7547fe8bda4dd687a7baf88b1edf132

SHA1
a8d12fd858bc2eed847da5d3e3c948f0b907a1bc

SHA256
6764b10203a017cf75eb388a77878db9799144c7423ca74cef80d11e4116b21a

SHA512
a015029de932382441bfb4c14d5bfe7aef8a7d339191cfe03910e4f2027a8e50e0cb6febf68db4ce03d029ebbf3c5abd8b0c81815b86e5a0a7f7f0081c2f7ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6d4e4c2a7f5043a697151257cf52054

SHA1
b489647eef4c60916b7bb89498c1a557f1b12863

SHA256
d4afe97caa655f684bc353b182513d5e2283e664c4e768af4bb1382560d2f32a

SHA512
19f02c65801e1a05537ee8dc1205c6937bc2f1f21cbdb00066773ac61f2d5358cb27c00f589049c57201d4e8f0da8db9ebc705e570dab98d27bc35727d9135f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71318d3f01dc64d3ed5cf8b81712adc7

SHA1
1476f185a711ba38176ec88271fcf8e070579afe

SHA256
d2d9b690b6557fcc00788373bf8ee98dcec919f8f58192ba13b168fb92976278

SHA512
4a2c25217eaa7a3bfe3cf462788ad3253b222788133d7addce2320b6f311f13f69243e844bedce34708f86d38b378a8145d192e595309f852e55c3c66f26d554

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a110b027664b9c9b5f6a2824708a7bc8

SHA1
4e07b891f5ed994f81db102ef481b07e05235e07

SHA256
1a0945ad3d557b750a66751d6220add7f2047e9ef978192c302314870878c79c

SHA512
5814f655c60425d8eec0c67b82d18d82f3ade0f62b493d5884fff240b667e34c276e7c17974b39c151644bf2170d26e2cbd0326d9921a9aeb6a9fe989a74ea7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ca1609ba9910c2f9aac4b2cf1c450779

SHA1
23cc38c0daba7b41dfb6ff5cf44806516a1ccc09

SHA256
b72dab32454e3cddc294b97fac5e4f11494a4a5e20b03d32f7278f0895a7b407

SHA512
d32c92a684624d124e66ad11a2d69262650ec38cc082a9cc13d4947c8a9987e1875ba2cd7104705226ab3ed43516daa96dc8d081d697a0880633304f9047e4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a222a415f1d71a5aee8f56488e8ee467

SHA1
34264c54220f8e02da5bd72512b2627303c80f63

SHA256
8bde8cf4dbd705529c4375e62426a4294f3e324b7dc30bf092bdd6f4126f03f9

SHA512
72b0e098711f525d7aa50617fae7404ad66b95d12933b72e968b6ddb24e5d11b6f7077901df93eaea4e25ee71d365f52972d17cbb4c54c34a5d0a7b47cce5a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fa3905e713b2f2d4436e03ad6eb34549

SHA1
89e09e6deb91a774b1b21307503c24011bf2201c

SHA256
ca981e21120697f1086c81814264df627fe64e1005b8ce646ae57ccf19bcfcc9

SHA512
71d38442cf4a9464131ea4e98352306d12761e7c117397cd92b18f2b71da43003e95d7d5a8efbdbff8e274fc655b4a53b6fcc6ca0ded873bbed8b29690de69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3299d9d1caa562813221f0647e7b6db9

SHA1
340ce2200034e8a434aecf28df180b1e54fe18cd

SHA256
63e6863f3841f56c0eec51ad1b2a712ed0b97836e06db7aed86708a0176a4ed0

SHA512
d37ec16f7e428502c51c394b318a3d12088f3ad8180c42b9137595476348e1b46a1cbade2cab1d4e062bb8fd579c89f82d7a2708945198bb9f8447d55ad40db1

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/300-275-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/300-3617-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/300-562-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/300-560-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1260-32-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2660-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2660-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2660-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2660-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2660-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2980-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-28-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2980-31-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2980-9-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-895-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-596-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-597-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3028-3494-0x0000000005830000-0x000000000589E000-memory.dmp

Filesize
440KB

Download
memory/3028-3492-0x0000000005830000-0x000000000589E000-memory.dmp

Filesize
440KB

Download
memory/3028-3619-0x0000000005830000-0x000000000589E000-memory.dmp

Filesize
440KB

Download
memory/3028-3620-0x0000000005830000-0x000000000589E000-memory.dmp

Filesize
440KB

Download
memory/5072-3496-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5072-3653-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download