cybergate | 17309ba3a25d1e7d15a03ffe88716783128fd67e37c76db876412bd707cb70fb

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Size

282KB
MD5

0db90892e5e72471c4fe5bd2ad5485dd
SHA1

90145cecf51e1f6dfbfe6a86565d0e0152d0fa66
SHA256

17309ba3a25d1e7d15a03ffe88716783128fd67e37c76db876412bd707cb70fb
SHA512

1b9a5acc259e75c4c0bbae0334e8cef6d01eaaeda5f9c93bded594afa890c116358d278d4213fc01f18dc87e8945e6f23c3692eeb5bc43338739de0e64b8dab6
SSDEEP

6144:TonY7SF0dtkOcCO1DxRNAs1uQPAmDhS4t0CrY3KNumRnFM7yiDWbDQpo:TUYeeDk9CIDBAs1uQPa4KCrY69nFM7yj

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.8 Private Edition

Botnet

vítima

127.0.0.1:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.server.com
ftp_username
ftp_user
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Program Files (x86)\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Program Files (x86)\\install\\server.exe Restart"	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\install\\server.exe"	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\install\\server.exe"	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5008-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/5008-4-0x0000000010410000-0x0000000010472000-memory.dmp	upx
behavioral2/memory/5008-28-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/5008-65-0x0000000010480000-0x00000000104E2000-memory.dmp	upx
behavioral2/memory/3732-70-0x0000000010480000-0x00000000104E2000-memory.dmp	upx
behavioral2/memory/3732-69-0x0000000010480000-0x00000000104E2000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-72.dat	upx
behavioral2/memory/1496-136-0x00000000104F0000-0x0000000010552000-memory.dmp	upx
behavioral2/memory/5008-137-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3732-454-0x0000000010480000-0x00000000104E2000-memory.dmp	upx
behavioral2/memory/1496-456-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1496-482-0x00000000104F0000-0x0000000010552000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\install\server.exe	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
File opened for modification	C:\Program Files (x86)\install\	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
Token: SeDebugPrivilege	1496	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56
PID 5008 wrote to memory of 3524	5008	JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:800
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3080
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3836
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3932
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3996
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:612
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3416
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2356
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4440
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4540
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2124
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:736
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1528
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:656
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1280
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:5072
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4204
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:2284

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1680

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2744

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0db90892e5e72471c4fe5bd2ad5485dd.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3684

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3000

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e8c9e74f45cbee2c7f989998f9a2ed83 486qsZYHVkypDSiJNCXljg.0.1.0.0.0
1⤵
PID:2976
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3916

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\install\server.exe

Filesize
282KB

MD5
0db90892e5e72471c4fe5bd2ad5485dd

SHA1
90145cecf51e1f6dfbfe6a86565d0e0152d0fa66

SHA256
17309ba3a25d1e7d15a03ffe88716783128fd67e37c76db876412bd707cb70fb

SHA512
1b9a5acc259e75c4c0bbae0334e8cef6d01eaaeda5f9c93bded594afa890c116358d278d4213fc01f18dc87e8945e6f23c3692eeb5bc43338739de0e64b8dab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
b6b973a15e0601eff41dc2cbb7c54272

SHA1
4ed312a431088c47bc2034534682e0e80476ff21

SHA256
e149e767f19f611d1997e3293fb60ef0824ba13e7cb47b319751b626a7994856

SHA512
0757490ec49a63d12c5b5db9b1e15b28718c2badc07e86ecd5633d17736dc333e82829f433a560f203eada2798cac859c937cb6f89a655b151b967ec960d3efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
58d1fb4b22aec40b517285fdf6f43cd1

SHA1
81eb6ebd9fde15aeb874e3247f84817dfddb9bf8

SHA256
3ace7c9bba1ab63004ff74f0b7888ef395e043c0595d4b924cd51b21805c616c

SHA512
47dcaf7945cdda3254c16c4b1f17624acfa38b6ed08b4895e8bc5d71b2ace0db5cb241082657501ac9427a86172abe6ec2b57c1878c262f5f7e533966d24e9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fe2efcd00d5828e513f3082d317bccaa

SHA1
2e777d99523f09a7ca28140454ac95a8b8e6d757

SHA256
23d8fa49722e9986aaad8c804494ff4cd75faadf73a6f65182643f8736268bcc

SHA512
8ba0a28a3511d4041498b6fbdcb543f08bb9c5f3c0d25b3e1b964e037dd629fb30795c026846442f6828dcae5b59bc396e2c02abdede766715705bbf03dbfd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26ca9d3600819add1043350005f3a39b

SHA1
2a4f460a6aa24429c859bf0c330867975e2843db

SHA256
0cc402e7bc621386e1698754bbd0b92726045d7a0ece845bf7013ed2683679b7

SHA512
c38faf99663b29b0e477974d58045244a1336688c3124ec4c353c6a452d1ba9c43548df0a0c7baefae0acab323b90941433764b491028e66bdf7c07b2d4c94b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a134135e9c6f4570e53efd050c1857d8

SHA1
04101f7b4cb087dea28c12a27021ccca723feb67

SHA256
a23f56a6473e2b83ecb828f20703ab30aef4f10709f8dd83794a3fb7b36a693f

SHA512
a9949166ff1cc22839e074669326036bf3ebe47882a927a8fc07aedd0b80cf82ee56391a5781b5f86b48f2bb0a0539105758ce835fad9addfa79c8e4e0a355b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0c9a97276dbcd3593bc4dd22b45938ed

SHA1
d20f914ed779eea7a8a07a82fcf0fce3f0ab1c3b

SHA256
5a60bb3dc6fb91df0cc154b8a029baeeac4693d4c15a185ab10ce13cfd6b0215

SHA512
96582b89e739d0b949b3b6efa108dd203c75450758b570c3bf4e96a3e7348e18d34fc7f325225ea9eec81af4992c366a9a31fc23743fed3748715104a8cc0e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f8016a068bcf87ad52069f894abfcb86

SHA1
ccbe2981b1c51b7d70afb6df6d7a02eb145dfbc2

SHA256
d236f767b16e4ea670ffb2d5a9d7afe450a81127158b4b536faf53de30b58c31

SHA512
110fe703a93c9e4812a65056a3b1be8a0c8f627a55453071c87c65a062bcb58d2d691c9bc3f1667ae9c513a9d732eb6e85675635af4bb8637f8bea3436259789

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f72a992faf10ce7a924c1f24cc095693

SHA1
bf2f034442eb861e7ca385e6e11ada88e9f4f64b

SHA256
8bac956965360342deb98f8c116cbf1787ffc10f8b53b93b680e35b84966be12

SHA512
d91edf63ab41ce945e94f08f1b11860e695edbbfb16bc4a04cb7cf3735c34bc9c2308bae7ff5e824c86c79d9f89bf4810fbb0e6bbcc42397b62c2eca860ba5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
01d0abd99dc983352c060d908f17e11e

SHA1
40da6a0d19dfb147350af5f36271791dcbf51af7

SHA256
cbe266acfabe562fda9b76ef4cfd64a225c8a354a6f73066c74f8f1eac637d7f

SHA512
0d9e40ccf9dedb566e0de81cdd06942328b07ad0f05e44aba0fcbdb45f4d227ed901a4e46720765f0fc4c15ae96a70653967cace4b277f78a1ce8a7c9cf7e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9d419801210e69572a991618428d3957

SHA1
4c44dbd3c7bf9ed3c7bf1e9fa252e38ea3e27415

SHA256
6ac207ae631e40b98b4ddc4214c6537acc6347ba4295d7d7fc8c0c57f200c565

SHA512
11ae4d149a6191ac301a14ca24ffd6d6e620b866f7ecc27e7e3aea7610927660f90e41932d73614e9160abd2fecad400e43beff0c03a64a97df329d5d537c0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
27a0d7ed5ea152490724884bfc4ef8ef

SHA1
099aada9c3ce96eec681e3b37ec074f0690b0664

SHA256
82dd83a67f8c2c8ccba51ca853ac7f590cb9acedc34b67751f4703e17d537f6e

SHA512
7e87dcae0c99ae2f2404d53c901d8c46069d87ed8dbb8c99d99c017b02a6dd4805d10b93fed5cab95fbf43f1e08aa1ac2b0cefb8072ad2c102fb0d820050741b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aa18e243b53f34f8503d399664ca57a2

SHA1
ce8e520a5b33d5e565712d007f64dec984946534

SHA256
1c87a7a6842c0f839d90c1d3a4ca627575557134caf4a927851ed49c2bfa2848

SHA512
ddaba0857c0abfc681493b32572b67ffee4a8fc0091f2ea29e534da859c67003953c52525242bc3954ff6e2f4178cba5f71ff308786cebc28e9982d59ce0ab85

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d18abdce0b02e97a80d7d448d7b4eafd

SHA1
dc1a5be2f4d31d5d54ed83c9d55175f48a37d927

SHA256
4680f6bae8e2eca5fec7b339bc67128aa6f9583e298ed7a56b129ba790905a13

SHA512
e53a1bb8b5a56bdd07f15c8bde6abbe3c7e2def0c9d7abada2f4acc7dfae30c87287d244c3edc5d2181873b3d08cfcf5dc266d99b4e7c8bd44c30b5bfecddfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c807bccef5b178ff6756888a087b2f81

SHA1
50d6da2dd157f98adacf923a3df01576c7d470c6

SHA256
ba3c45b4f1b622a301f1772cfac77449d8495cdd8e7b6ecd2f3fcfe87fe2a08a

SHA512
02f06b433504ead6e297a1fd62fbd88ce5e119d71bebb309b4fbce97154eb433816ab988a8e130e5aef5ddcd3de4d7b9d80a550a0216ddf85e269a94a908cf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0022b9e1535692ff09e03a925152c3a1

SHA1
8c1a9834e12f124fe2daa5f689c72cf1b430ecb1

SHA256
473084d25ab23844893319b53c036bfcbfa43ebcd79ed168ea4e67a314bd9020

SHA512
46697db3d2193b8f872f30398cb9c9da10dbe30f744f6ea56bd1fb72dedafd06e962de8785e1e3f6c74d7f18098c8a2b065eff205c0766968377565f5e9794a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c67132cd78e28a086d5806921a4b0711

SHA1
b58c8ca9e52ae6f31949e774116f4415e1e769cb

SHA256
e730948625c75965372b95b54adbb80636679429cb56e0b05372f32effb27544

SHA512
cae5bf7b7fb34f428fd65dae2effaa94cb247aa05003c0f6ca5118f6e40b29a71113b25981e2b3ebfa412b51a003e7a7a3a9184fde790fb7601b18e82a095ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dcb7f6b76573712e31ec2b30a4e3123e

SHA1
b200b3f4ad48784ce287437343aa596d73fb516a

SHA256
d953bb4e0155afaed96320c7dd8cfb11a9f02cf6d2dca517181e20de8b3982b7

SHA512
013c7fa27429abf4d1af92c4f27429d0ed5f0bd7041d53fed26bb1843e06a725e97506a9514832f76992084f8d857e1a9f57d4f549d77ed5b7be0c7abf297c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
505b5dc4987c54e165b6fa6ad11c6f8b

SHA1
da713c99b347680c9cfe2b9616567b785a6c9e70

SHA256
137ad13c8cbe969ec69af4e84a9c74138cb82a71c7ae7ddfe4f60508d9cdeaa2

SHA512
9b43ca23fc904703d6cc937f25bf2057beca22748cec1966daf1b28a35d8623877b09806e1d6186a08588cbe08095bb16a334a7bbf2a885cbac4372e21ae5b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
14993d57f2e4e2bdc2f236bf39c5df2c

SHA1
e43534f3633140555bf650031dea6f881703543e

SHA256
e2b66924af45ae4af724fb0a5ae78f102c841c87c6b753153a3dd49b807c9842

SHA512
17fd7b4733cca847b589a3f6d950422844121850341a8e5fae633c06e5e23eca7a6b1407ab7290416ef0318ca36196b0dfd3f76e0d95ce15f28a6ed8a50f9734

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
03a31b5674b8a1ce25a230bb6119732c

SHA1
80de2b15f8d5c6925a94627520948edd4b6d26f2

SHA256
a7469654700ec71691c353c4ea82169a72b5acaa3980de47d14e39632f96f3c7

SHA512
3b38402da6a3fd1a2c640bb2834b9b266afb94a38ca26ac23dbdc1c5466e51b4710325d5bd037c04fd9a497bcf8ed41f5d6cd3da4c15dc953426e4f43fda67eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8afa0f84ef13dd7247a87a75cb6eada5

SHA1
0ae18b8a0cdb0c480cb25ddcbbc23295ba93bc4f

SHA256
e0ad9d85e0458d0ec915da2560fb38cd93820aaeefdc14f10567aa03f59156d6

SHA512
55d93d198b8540aaed08cad489ae4418ff81a8a085ec9a53b11a277cc5c522b7359a0d204af9359307c7451606ea10d2cf2771c585c7b1d11afc19ca03c87899

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
235b218856421fdad0251905b69389bf

SHA1
a2d61346c76deaad6f95a982a7f569770b510888

SHA256
ab735098260243f9481e8a06513799d5b0df1fffdab5b33f5a07aa8dab6e7a87

SHA512
d7a7287ceecf6c8bafcb716fcde31596fb12fca749abec5fab43353cf2ba1894f9a861cad981ac1174a766827dd421d1f33d232ec289608dca7a4054c4d2289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
39c483e59123afd79b4ee683fa948bb1

SHA1
9d57bb84e1e2ed469f7db2ed505023db3692dc86

SHA256
77240c1c9aa9966bda2da6b417d9f5f7e7df430c6151d799b0f42aa0707b9c9f

SHA512
68d7796428dc9482d83db80a5bf1953d5e2b44336e8b99e5c0984c29fb46d1857ed13a2b90ed1c34288ef3530d46ec5579c4acaa5ec813e82769549715cd9223

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ba7646fd94a3d3d1f75a20a165c7a0bb

SHA1
d2d65c86695073e4a2d5a4bbb960dcff58bf9df0

SHA256
a637dd5568e084c7010fa90cc621aff7f9f5da031dd1bad284b44e64b3f77bfa

SHA512
e1df1b8b7eba780b99af6d2bf0c90bc1b60cb1912c28b2fa8ab18c627b0298f797cb9bb04e1dcbbb4ff6438dff22cc70c8aa67d3c0da9519d0bf0d4d562c8b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7307e7058d2a6665d76730ac06f3a473

SHA1
8a9c189fa607b4dba7122e204afe076c4540ddf2

SHA256
748200cfed49ff8649a64b66a651127e1c5bf8ac2db97637e141529e3ac73b8d

SHA512
719f71c79b233986220d8efd8945d18d6bf76f819cc8815dc8977cde8bce8130f2f85a9776803afe2e9c46a32dd1d766933b717c3202de88e1636e6bbab5c3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e32ca09bb3c6db5b3aa7aa072d3f004

SHA1
b2638844bdc641dae308a2cba3304a41b0415f8b

SHA256
641b1f17ebdd36d89c6e49586dc5d059211883babb039ad2b6491e0572a282b8

SHA512
e08056a3b397164fdd0c86c366c3d8d3fb9cb13a0920d12153aedae479bf33c578f1bbea2d12e803f3244f612907da4fe20b1ca110eecd4ccd99ef4a43eb2053

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0236fa937cb9379ff8a94399160b520b

SHA1
e34a1fef4313e6ea51d2e1dd4d57428869587b21

SHA256
cf1dd6903546d482b755b4d9050142a2de5613d26abb48753db85487b11d179e

SHA512
5a4672c27b86743c944f6b00323dfdddd32d8be7ce6518535e4867ad8d96fd6bd63a819c4b43b741cd19fdf6502065972b88322c4f3c445d1b8d664a8c0b2d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
52b47daf183b89fc17faa02cebfc57da

SHA1
8e7ec28aa75e8d8ce04aee8320ebab8283e4baa7

SHA256
9a4ccfe1bc587e1874b4e48e878a8bfef124e96f7bc132b10158bc551205bef9

SHA512
305871ed657449c1ae2db9d4e037f6dfb857461cb5fa6bf0ce03345ef50eb97c9a021bc64dc922a818951a71031c032a134204421f323c3a53c2c02e21b076e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a071014bd69138fb924f422ea7001824

SHA1
34b6a5b268b06eb6fcb0ee6ccfb127145f42d911

SHA256
35682417f4ee338d01e2b1797864e556a6dedda78cd07591f9d4815093a8638e

SHA512
05fb5a412f31492b14da1291010a31ef275bca799a3a6a21ccb04da44ac05fff5562f0871d8b270175507baf59af1133b1e543972dc50d99d29840647570c2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
699ef36eeed8f7fc4e23d91f77511094

SHA1
dc93a39ff6211cdb39673725f590b5fe8bfeb744

SHA256
1a6dfb2fe6b668ec7f73373134572acb19c7c66c4ef8f0db7243f5a023cbb1b0

SHA512
553819c2bd63d74728f9a2ded024448a43261304b8d8540895bee9ff573d0bbb053034dc1bb94b9d4c83c65ea68bc3c10e99b89485fe8e5446c5986f34f86787

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
df18d927b407920dc9a3fc7b6190ada8

SHA1
a9a11f165462bd7c14267dd7e503bb66e58ca3da

SHA256
7d77e9e1fba735e48c0924516fb98a1fbca87efae654c7f613dbb85831725adb

SHA512
42bbc7666e00d7a090bbba794f23a52942ce02acb06f4c4aee66f31cb92b7663ea0e861275fc9b5c1d25231bb6313653957e439886829a32d90d7abc5c06c26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3143453d10afd72cd7ede07a174caa37

SHA1
9389f6b468e0e3219851f7870f1c778563691bf0

SHA256
621a77dd832c60e63a5b96277b6cf66f4607f00988a83fbe02313c3f82af58b3

SHA512
333606b44d8f1155aea57032a130effdfb0b7584605816fe5e53b92047e0f0f8ff93aa0f2bd3e963babdac107b4d0c4766098fd6f9809f397d0d505fef9e540c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
724cb96eda1bc3838c12f814cec09093

SHA1
86ffeed4049db0e5ec49385dbb7597f529618750

SHA256
169c4d5163c538498c09e1d1267e7d1df4881968d4cd704ac6b2791482eea376

SHA512
c399c54013835251d790dae6e97d6aa5ca492c9a5ca1888a6f07b8c2659b7d99c5ca798e7be4e601060657e7bd1509f8d9295858de107a401af1b571d4464af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9f468b76faf8ab3223a6cbdf2e8047a3

SHA1
ed90eef9c3c9eb7feaa40aacdefa535a26605458

SHA256
cecd83e2256854612d4f665a59c358aae111688134dfa0f9354a0648f68e4e60

SHA512
271686ba279fbcc1988d4895e494148d1566a938c9022ed6d28276605e2d198f56961c78431c643f95ec861dea19d1e82c31405cbc8da5a7adc499a9ef10cbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9660d985f551b9ddaf00024002102e6f

SHA1
15381fe0547b5b30dd6b91fd33c39adce2f9a2f7

SHA256
cbd7be2aa9bc88e707b555f43a4093a05a87d93df99ef7e25199c9a3995ae47d

SHA512
86dcb64ca548e44cbec52072ccc53ce9d583d4de41a78c8a70bbe2c21a6f11d0bf8bbdb3c7bfd72919f3f14362a259b2a352d49ffc6a4f39ad238cb6521e1b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6feb811ac29e83166c9f42133dd4b139

SHA1
063ab5d9640df021aed8cc8cdecfc27b1be2cdc7

SHA256
80212c0eef3358e24d4b1fa38597156fbd464ebb9a5dddaf71933274e098a9d7

SHA512
c4dabc4f6562ae30230b3ec78516daa5c12121319a03fbc3ebe70f4af844b2c800db0ba58848d5caf43258516fcfefc818544556910790f5ed17f7efceeac2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
17e523b61ac84b44831f7b79e9734de5

SHA1
afbc21482754b6df4bfe0994677ff22e60caa105

SHA256
c687c01d3076c02d77a47f4c2cb5a4b63b070f854a02499ba845660e44e2b511

SHA512
627820f5bc5b591eebd0948ce0a73e6b5df17f1656746f848501c9d4a50ff79c4eb71647607d6d2e38ac4e8ca86e0b319459364e07995c785faa93aeafdf8974

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1496-456-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1496-136-0x00000000104F0000-0x0000000010552000-memory.dmp

Filesize
392KB

Download
memory/1496-482-0x00000000104F0000-0x0000000010552000-memory.dmp

Filesize
392KB

Download
memory/3732-70-0x0000000010480000-0x00000000104E2000-memory.dmp

Filesize
392KB

Download
memory/3732-454-0x0000000010480000-0x00000000104E2000-memory.dmp

Filesize
392KB

Download
memory/3732-8-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3732-9-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/3732-68-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/3732-69-0x0000000010480000-0x00000000104E2000-memory.dmp

Filesize
392KB

Download
memory/5008-4-0x0000000010410000-0x0000000010472000-memory.dmp

Filesize
392KB

Download
memory/5008-28-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5008-65-0x0000000010480000-0x00000000104E2000-memory.dmp

Filesize
392KB

Download
memory/5008-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5008-137-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download