cybergate | 2f322edb726e47ab2ed0498a1b8688adc7aaef3555ef8d53be895f2bfe1ed4a4

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2025 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Size

317KB
MD5

14063e0f1d09f42e1056eb1ab35db1f0
SHA1

d05fc793bcc9ced0511f9f8d2b7df9a4eaac0b72
SHA256

2f322edb726e47ab2ed0498a1b8688adc7aaef3555ef8d53be895f2bfe1ed4a4
SHA512

51eaacc969ff5df54585aa22e8c11491b671c99eb26c4cfed1cbabd1eda8e46ee7e87e0627ba5f118dbd848c46ca4cae1c4cda731fab4e3a8fd4a5e557758773
SSDEEP

6144:3k4qmJeRRnSx3LMCdjyqsPe6L2CCD3SGQh8oVRzjta+:U9UbhdjGeF32Zzjta+

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

sh3h7ad.no-ip.biz:8080

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4772 created 1132	4772	WerFault.exe	95

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\svchost.exe"	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\svchost.exe"	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2SC18I1F-J5FX-DBJU-5V80-12SJEH620T17}	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2SC18I1F-J5FX-DBJU-5V80-12SJEH620T17}\StubPath = "C:\\Windows\\system32\\system32\\svchost.exe Restart"	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2SC18I1F-J5FX-DBJU-5V80-12SJEH620T17}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2SC18I1F-J5FX-DBJU-5V80-12SJEH620T17}\StubPath = "C:\\Windows\\system32\\system32\\svchost.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

Executes dropped EXE 1 IoCs

pid	Process
216	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\svchost.exe"	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\svchost.exe"	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system32\svchost.exe	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
File opened for modification	C:\Windows\SysWOW64\system32\svchost.exe	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
File opened for modification	C:\Windows\SysWOW64\system32\	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
File created	C:\Windows\SysWOW64\system32\svchost.exe	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4572-0-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/4572-3-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4572-22-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/4572-65-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1032-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x000300000001da83-72.dat	upx
behavioral2/memory/4912-141-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4572-140-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/1032-622-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/216-629-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/4912-630-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/4912-631-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3844	216	WerFault.exe	89
1132	3844	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Token: SeDebugPrivilege	4912	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
Token: SeRestorePrivilege	3844	WerFault.exe
Token: SeBackupPrivilege	3844	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56
PID 4572 wrote to memory of 3412	4572	JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:800
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:812
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2932
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3760
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:4000
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4068
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3680
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3816
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3792
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1172
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1012
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1356
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2348
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2404
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2500
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:1896
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1972
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1568
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2756

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3728
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14063e0f1d09f42e1056eb1ab35db1f0.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
  - - C:\Windows\SysWOW64\system32\svchost.exe
      "C:\Windows\system32\system32\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 576
        5⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 720
        6⤵
        Program crash
        System Location Discovery: System Language Discovery
        
        PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4988

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 216 -ip 216
  2⤵
  - System Location Discovery: System Language Discovery
  PID:908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 908 -ip 908
  2⤵
  PID:828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3844 -ip 3844
  2⤵
  PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1132 -ip 1132
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1132 -ip 1132
  2⤵
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
270KB

MD5
7f4b3bf85fb3fb72c3b25d018653233e

SHA1
c20ddaaf44fd6622929d74dcf85f019ef5111603

SHA256
7d90c53133d70a5e22f9adb3656693d7542b7c1a96cb99d9e162e635b7edc10d

SHA512
8847954b1480d166c20ce003f9423ae572b8a958c3fb0cc88fb99fe42d16ca8abfa1e693a3aea2f441f929f07c5d1e4c6396c4245737379c095336b685352176

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dd339f66899b03a4b97708836d733131

SHA1
889e65edfd0b55e55e8fb8d5b59fafee2951891c

SHA256
f3f36be4e965530cabef47d69efd50aee564ad32e53f986937e7407000b856fb

SHA512
46de692855a156390a8e51ec73d48cb818bada9579e7449276a0388ff984da0094b82739bac6a369fe438f728f9a5714f257b9150b9dcd2fb56619e050420f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fcaa4a049977ff140421b23738e109d9

SHA1
15e2f989ccef82d2b2a735444c9b88295d64d651

SHA256
748e77988d3b759bf625b87cf041958e4fb12c572a22609edd7ab963007ed49d

SHA512
1f4f5773b0724f99e7027cdae0477b30e7a3b711838396a039948804e31a48cedf9f1dbb0388dcccba0b88bf912431b11f7c3b69413f73e6804e375d26467174

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5704e7f9935d8baff03a0418396e441b

SHA1
1474471df16c4097286745c5c17d2a8258dc93f1

SHA256
548faaecb8eee2cfbe55e37dabb9b5070cd518377b27e8df7aa8f3b6bf790905

SHA512
d297a62ff32110df3ed3c11d09244d8f75d6190be66efe47c3ca8cb7c325b98f633bb98556f7646ad787e2da30f25f588e585c53a3b34a1772f925aaa332de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
068ac2e9b24a40f1e64291a1be60eb11

SHA1
f1ae4e1766cddf941e0b6b987fc2530e72c93bbf

SHA256
9468e0129b20ebd79f140c134e7e13eefe61a6a3cb089ebd299fbf038e60f596

SHA512
252f35e24f3790783fc82fd30fe8f01f71f322f4da67a4938488411193f1c2a997695b20469d29dce670637ed866e0c8783e59640b803c1088ea8140e141f1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f2c75f041c699dfa2f4bf176733f528e

SHA1
8d63ca044cbb349049587173f2de34ad16098847

SHA256
cb49f9982e1aef53d3565642b3e8b3c9f8c63d2cc555af9391c247e613ad8f6d

SHA512
e7cbd49d7b5ee487c029ddbbb6434ad707482927498f6d9fa3cc86af023e5f274ed4dfea9efe31602e64d6ba8ca650c361608faebcd00962139b7cf2be30a4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0f58c51d37827453dbfe33f504515aed

SHA1
dee4e6d28beef077380f8ea2a4406030995a25a2

SHA256
949de5458728743f274ca0064bfe3c544e747a02206c3fc2e431b04a73b5cf45

SHA512
1e3bded315320ec2c41564fe58f9369feae58f5440ce0a6c70b69483d361e82eb35e6d4ba1afe7a2263c5529031b5855333be17f512488203e0ac195654eb652

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cff2470ce802a2719554f5b1c2ceaa07

SHA1
51aa30ba34b6c4e9a4af1ba47203fbd957d5b661

SHA256
45ccce327bb38271ed2891fd1fc40f8ed968b605788659ccdba8414b3dad413e

SHA512
e01a3046fcecaadd2c6e1b2e7cac9e79b2be2292dd81eddec8f6e64f3645cb367a3d30c1c4822c90da05050cf2b352fa9e7e45fa29481fd194e151e40380ed9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d47f01ade34f5415d13116c989a700d0

SHA1
64f0c2c641566da618650ac219aee3003ffe8999

SHA256
66ff5ab1b32c74b4152c6ad04c322308b6e83f747eb18fdc4bb615a7ab1ee580

SHA512
199a2cc47d2bf1b938aeea318839abc51ef302e64390711eeaf7c8f5f944dfb78343f22c551b6715c63439f37d6936d94200fa5d1e891cf39066a3e6dca5a391

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1d7abe7056d648e92aa9742bde98723f

SHA1
bac5cbfe94f67e41bc6909c16abd420e1cbb93e1

SHA256
2bcbc6def9a298fa3e99f25bb8b494975e2aa7e7deb90c86059014613670619e

SHA512
84d9367e1f5b6c09536ed63f6c3cd669bae194d26bc48d86b09b3e190f6a43b8ee60e116832310007b2c34624960dea59b7a94ad31908ba8cb71165cc961a725

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ca61cd572b98f8f8535fbeb7fbd153d

SHA1
99cf9a82ddca290d8d346c6be88f8f7f1cbc1ee9

SHA256
ace822467c9315d450e093c1d99de7d96fcf4dee79a0dffc9e2604030b62ab8b

SHA512
1b6b773ab27d43d0b53afba3284f9a0af0b6f31767c2297df7ee2f56cdbe04109a2494b5af7e968d8a01779ca7a3a1397875e02a2ec79d6a76cc25186adb599a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dc8fa573213e14692dabe7e32a827d7b

SHA1
2c7ce0e4c986b91d860cf2b7455972e3e7df012c

SHA256
e58a18eb5f3a930d1bd5a34e60f8988bec7e156bb231343a5c19b29c487f80f9

SHA512
da9f25d4fd3aaf9147173da7de5720b4b0f255524a73c93656681ec49500396a8245b12fff0df26cfaebaaa5e793434d32322feabfdfe02399c6db16cfb36257

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7f6037900551ae9c42f523c2151bbdc1

SHA1
28e7a8bf9b7e7dc6b032a96fb410e8e0a6637944

SHA256
eb3e19fe11154d9ba77be4663d8c8606add7880d3e0d857db23ede9c9e06a095

SHA512
3d1190a2f28b14b183878dc462f8aee726f63da7e72cea9768f3c40e1394190b41bbe4d25e4b636397e819f51da3113a5b823242fd669ed3d19def4dfd4abdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
10cf39dbb2e7f93aa9bdd91d214ae4eb

SHA1
af9fd195bd8e1853eba2b630cbad5bed2743ddeb

SHA256
062f33b227017008f361c24466da0403f4416465af3f9e95ec317eeeafa56581

SHA512
2b591bf3505ccfaf748a766e0f5eb9cfa1edb3c2374df512f0c29b90e76e5e06ff6637328f6db75d64ec5657ec6abb3b3dbc425a3b21d391909ad62e49f08bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71db6827c2e390b7af3127107c0f67f4

SHA1
bd8eae850c9ebf88a6f26ada6d0c29aa1181fb96

SHA256
5ebaa7ed0c012c020022e4e504c67c9ccdf5f990550f6db0e521a57299221806

SHA512
854845e587efcf15396cd1c3e040309be3808b1c973eff4491e35d62f28ae13d1ec49f19dd3b9ac2cd5adf7afb10076669bfebb28e665b801bd75a6a40b43cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ef5a52a7627f1552dfad5913e44f018

SHA1
41852164135e41d805b37959baada6407d8bb19c

SHA256
3bfa17c849f3726d9d5210071faabd610e90fa6edfd7f23c6d90cade7a305302

SHA512
e4bea8b61246c228196eb2673783be1fd224bebd47eecdd627d9d54e4e52cc102636b8322d369d48d41cb039ce28eb56dbfdc775b5b8482bdc8e37d4b1455ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c194b629af0e217ea5d6655518733edc

SHA1
108bbf70fb196a1c7e7c379db34ae634a186fdfd

SHA256
22d1b5120c8887efaa422e318a18a4cb564bb85906ed77fdb479c54965c5628a

SHA512
d64923c3573b8a49f8bc87a829da4b18411f173e046240ffeed051dd55837f2582fc914d9f6a12180bf9623dbdef8107c38d15d3aa9218a00816ea659cfe3a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b766c54dedc660d0e4c31a77eb6c06d2

SHA1
ec993402e77e2e84b95e708e302bf96728e2ce7d

SHA256
f840bdf24847438847306b6bd368afde3ca85449cb68e6171cd0474fb44caae1

SHA512
b00eb67cb0d9901913733a7244016f4b5ea5da7ad8f31a99cb8ba75248f134fc8aa9a4352265100e650687e369e47f1c6e96f5d75f4d87c571553fe722294ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
98769852ea012ae33cd9b56d8497bd64

SHA1
79233daf5516ad4194265c9383b2d5e2ce979814

SHA256
c0bbe8dd260e55921929038368e3e4fbf7cc940d9659aa02e2ab2c8d48df3e7c

SHA512
5656129134ff1d80272a9d46ec18120f2d7fd6cf3dc6be800cd553ff83d1843b6f9acaccb86d037e29f720089079a8cfecaf385a9e6cf6c63b51db479880cb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
72b2de11ecbf27a7ef5a33979c05455d

SHA1
5f2d05e59f41464cbac9b77e49fc70f016517b0a

SHA256
d105527f3b39e0fb309f44ffdd75892da9b0eb9448fdedc7c340ffcd3924bddf

SHA512
6bca2a79f1121a5781036aa1b2adcd2522e72aab2003b5a23970052e8512953107e1c52fded24a3ebc978dc8ae24b3f779879a95ab1bd559feea820bda8344ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b5494fbcf76220a1dca70aadc30b02ae

SHA1
163c36f9c33da7fcd14a40584b9017dcccebac74

SHA256
329c4916a1e7239ea0570a15f062e722baea8d4bf13da2946b80cf4da0f7f6e8

SHA512
6171ece475de6c3eda05d6b0e8bcbeb6ddf3c74e67e72e9ac0c5fd61d2127b285a0c8ed52993645044103c80c6cfac166c451173cb3b8215308a9950d43df314

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
602b6d71b28d89ff5537309788e84851

SHA1
f179712fd85702fce72ebc0dde0a748c7c6ea654

SHA256
bf9ce2fd2753697f3015c31b9212a92d0eb6a08fdee71a9e4c8c5fb86915056e

SHA512
f79228aa6eaa351bbd4999e89a7643fc28571fb3c5f22458acdda6c450b3a3a5767ce2ec33bf36890fa4af28b3d04964bf57786bf8ece1e4e1edb6edf99f2006

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
464426731df95f7f1ad86ac67d836255

SHA1
d40bfe174f1398c7cc2b1549707d7e777953b4ef

SHA256
9a1ea01ca9635c41e04e37337ca0a10bcaa4cc1b2c3fe3a6e5ef452d94f846a0

SHA512
43e2dab87658c749e225ffec3af9d962eaab3f176e9518205ffc79ace17a1425e56948d97f297660e33aee43a27c9013ee147343fcc7a7f46cb21e11940693d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ab4f41117241b8b363f3f85fb60f8f3

SHA1
9ffdebe1d8a4f9f40239fcace9c378a2160a1062

SHA256
35183013aa948a7a628e9bec4eb6f9b65a82846292385b94b30054c98668b3d6

SHA512
2ab606a4810942abc829dcd011ab5d8237f52dee4428f5b730cf3706fb15cb7401e67a85ef55f0df0680bf7947ae78b1c607547b1a55eb6cf8d40c0a8fabbd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
15cdf9407c39fa482e0018ce3b153699

SHA1
60db01eaff64a29c15c84eeb34d54e67ea364f1e

SHA256
867ee0ad2a4c0dcf93da74fbc7c267a5cdf070fedb874a354a8480e7aa7e4a8f

SHA512
bd07e58d87d8654417012f6935764b194be303743a33393aa5bb43fb23a18e4e7dc26885829cd2778f6bbec2875a001164decc23f725d2a078c7d57583b2d7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bd1ab5d19dbe1d5453c8a4e37d1d4196

SHA1
cfe584546e357870936ea2a0038796a649827167

SHA256
f87b568f792515c29348a2319efad067e09b78f39b8493fb9b450033746080fc

SHA512
d697c286075d39f2b61988dece81870cc7cef3a0f74f9a085633965d01dcddbc7b24075fe6039cdadc8c9289fec0c478d035c9b7f57686d64c83329080bb9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e904273b6b53e3425b245a7d0b1361f

SHA1
feb6797341cc0c79570737650739cecd6942898d

SHA256
eb14c45d23395cba32e8cf7c6899f8cc2ca3061d60f51d76d8ad0dbd4e11dd65

SHA512
60d5a2755def038ece8c018eb7ea1baedc17f711d385b08d3f0ace79c33a9d151046602a7cba64266a8dd549ea09142acd520f83aad258578de95a6d86bc62a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
21bbbc09ed7ddb11d5ff672a8a9e0fbf

SHA1
4878ae061d3c3fbf4b9fc877548e186e69cd24ad

SHA256
f1c322b4f3717e93e37b82666112e5fd905cd3af8f5731e29e8b0e7d49c643c7

SHA512
01d2fa17b16b4863da7d484c0a54e5b89efbc76892d25b371c77f53dbc6710ad29e5842b6b612c90cb9c9e3421b33d215e36336c4fa32c6e142dd796a2d4bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
64756e63e043422e7e458d6fa6cf6dd3

SHA1
cc9af32a7a08444eddb38e72ce1870369642cfcd

SHA256
57b7c0617a159157cc9736bde70f1e30b93ab18328ed752b9970f74251745011

SHA512
d36f2563680745b9719ac21c3fbe22b35893fb5e31910c39e19f629b979bf69d35d89687e1f02d3b9d2bd2a77f86738a8a8346b559aa11107ff8204967cfddd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2c129197060ce9a100c778b806d37bd3

SHA1
6d04dee3d247779ad06fbd1152768ea0e46f123c

SHA256
dbe3e678486ec9e33abac12d8fd8ae51d2f36303f8e78f424e3a35e77ca9f7b7

SHA512
6ec94042d9f45bdb7527928c8f7d8a526aa4dc83972e3cd9a3bf1ffae8b1cf93be8826a912820ffde63430c461093e14e38a39033363a2f8935b81381145ad36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e1bf891a12bd700ffb655aa6fbe32609

SHA1
08dde093428061eec1174abe54d4e3fe2874c3e8

SHA256
d97f1817b284285fa4369af7e9e10e8282deb9a70d29b9c6704fc277dbd5f19d

SHA512
672064f38891448dcaa4b1c79d18901a7d4e0fe98761391fdc0655cbc829cc760a6b889884fe1eb62d415cd393a2c455bb1d2146dc83c1617c5ca780b065a1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb741c700792849293d23c64e2a62304

SHA1
1782779221427c19715eac5ed36247920ac7ba2a

SHA256
a34efc44d155bfced5caa238eba16241aaa27bc65a20d450d10a0f2924b4823b

SHA512
30ec52a46213757967a3c4fda2f64cd45e1a8b8449623db2f5c7debffde3ac601939fc6913b9d88f0044a97f5a40d5519776331a10ec4f9d332ba5b0d70d90b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
78844c2e0a03cef73e99637b36494f09

SHA1
afd62c2a823b31feb439f5363677022089b24b9a

SHA256
474872e3e37528aab89bc54d14186bd62cb896ee8a4d33fd70fc13b5c45d68ca

SHA512
d59297ea5c7f7e34b59aff8bc7432872da409b5f5783c079b29ce325e86d846c460bb7a23de46cb91fd10e5769c96bd15caf90996791cc5566651d0b803de3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6b697a9d7ce45d9e2c97219e3f3b175d

SHA1
90579b93c0d8b1ccdda95b692931cf4199a6a77c

SHA256
5af4c80ac7865e9c20875255eeca51cfa1c36619664d949f8aa8706478495afa

SHA512
482985db3f90dd02f08ce1dedd5ef5c63b5b34d665324846168c54b4e6843d840a097a9f63f8cd103b2d5a1ebd157a3d37cb5f1c572e8ae7aed8b1a3f3142a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2e05a834521d8f734e1caafa62cc39a9

SHA1
d026b0d15284f56b91411583018b06473203e4ab

SHA256
394faffb2c2f60eebc8e412bf7aceb0738a543cdd95a4ad07bdc7b2f894ee2a6

SHA512
e72cb3437c8ac4d59ddfe940ef7ffac9e6dd7b1b72093b31146230785b3be9d846adeaff705888e1f6c75f0e4b60261e0e28bf532cebe0e165d994427a490947

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
56c0ad04d923319725c7cc7274711de6

SHA1
6f45073fa17b184615d19b1cdaaa17f661add09d

SHA256
919a6a19b7af125b58c8fce78d5769f93545376ffa86894602835b510b0e422f

SHA512
2b15f1607ef5e15d200796f42c58f2ae22ca1d689ef37eb24211e860257218dff5b28ba2168e97e557107bee934cc17569442b8a1e4e149d9989a75a6fead840

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
666e6f27576466e53c19dfa490d4ef6f

SHA1
3955920e9b70f5b1503163d2e042c30760435313

SHA256
107172a07c5f27075100f439c0d6eac79fd91a19d746ecda65454743d493db74

SHA512
08c95862585f0d0491324c126773e35d7f2289a8c2fe8a7ff2986e8183e6c21c3787b391d5249dae6fb3f8318ba03257fd95930fb894d8609548ce66ad6e0829

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cd95b1e31b059a85f63ea48221a5ef68

SHA1
48b9577b1f9166731073c0915cbba43f23e23e3d

SHA256
4896639198387f98cb7e36f8e6f302c89344f36b685b04aed0eb4bffed54ef8e

SHA512
54239ac067b5781c6ecd1a5e341f6f6bba5f5f4801bf04fa52ec42908fded694faada43b89effb0065129fc1a4c7af3fabd176899bb9ae81407463b3c006f3d7

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\system32\svchost.exe

Filesize
317KB

MD5
14063e0f1d09f42e1056eb1ab35db1f0

SHA1
d05fc793bcc9ced0511f9f8d2b7df9a4eaac0b72

SHA256
2f322edb726e47ab2ed0498a1b8688adc7aaef3555ef8d53be895f2bfe1ed4a4

SHA512
51eaacc969ff5df54585aa22e8c11491b671c99eb26c4cfed1cbabd1eda8e46ee7e87e0627ba5f118dbd848c46ca4cae1c4cda731fab4e3a8fd4a5e557758773

Download Submit
memory/216-629-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1032-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1032-68-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/1032-622-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1032-9-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1032-8-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4572-140-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4572-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4572-3-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4572-22-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4572-65-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4912-630-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4912-141-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4912-631-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download