cybergate | 02252ee5ff2937580ff8d3ded0ce0182d3ca99ca3df0ff11477be61c655210a7

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/03/2025, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Size

346KB
MD5

6c53dd033bb70047fd8c8cf5849c4a98
SHA1

a59758d4b46fa0be46ac9d1097b8a8502302df78
SHA256

02252ee5ff2937580ff8d3ded0ce0182d3ca99ca3df0ff11477be61c655210a7
SHA512

73912c64d1a900f4fa5441b5febebc36ff6fa838c493fe84c81389ade9db2da73d65b6be81a882faf47c6940eddeb3de498238da5773fec0526b906741c8f15a
SSDEEP

6144:lmcD66RRjsZwzZw+5JGmrpQsK3RD2u270jupCJsCxCV:AcD663s06Z2zkPaCxk

Score

10^/10

cybergate öííé discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

jjo.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
Win_Xp.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Please try again later.
message_box_title
Error
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\Win_Xp.exe"	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\Win_Xp.exe"	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{QLD2MQDY-Q75B-0CO1-VKQD-M7IXUF32QDTF}	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QLD2MQDY-Q75B-0CO1-VKQD-M7IXUF32QDTF}\StubPath = "c:\\windows\\system32\\microsoft\\Win_Xp.exe Restart"	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{QLD2MQDY-Q75B-0CO1-VKQD-M7IXUF32QDTF}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QLD2MQDY-Q75B-0CO1-VKQD-M7IXUF32QDTF}\StubPath = "c:\\windows\\system32\\microsoft\\Win_Xp.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
1624	Win_Xp.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\windows\\system32\\microsoft\\Win_Xp.exe"	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\windows\\system32\\microsoft\\Win_Xp.exe"	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\microsoft\Win_Xp.exe	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\Win_Xp.exe	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\Win_Xp.exe	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-2-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2196-530-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2704-861-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/2196-3782-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2704-3787-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
Token: SeDebugPrivilege	2704	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21
PID 2372 wrote to memory of 1200	2372	JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2036
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1612
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:2896
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:4308
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:752
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1048
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:280
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:348
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1068
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1108
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2976
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2348
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c53dd033bb70047fd8c8cf5849c4a98.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
  - - C:\windows\SysWOW64\microsoft\Win_Xp.exe
      "C:\windows\system32\microsoft\Win_Xp.exe"
      4⤵
      Executes dropped EXE
      PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
d145b8a2319810aa2a186c9f36a8480d

SHA1
84cb00614b419786c2c5b353b6196d9ee63fba7a

SHA256
dfb99431d7985b6ea10c57526b0fe2754a696f9a4623fff9c5d5829f624ae9a5

SHA512
40e67aa9c358941220ee9fb21cfca836c0d9935e46303f16559bb093e1d86c9c6b9a754e2a40e4b7aa4ce13f3526712f1deabf6f6b02f489ba76810d2811b600

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b3b2f2efdc834a27c52c17f343ade014

SHA1
5271167c45a1771317b8248c08635ffe1e23f1f0

SHA256
b121a815ee00bd6f41532d0eb58cc1f1cb46c146cdb0d686e98e1ad4abefb5ae

SHA512
a6ab69cfe696c959a5fd4e012fb22485def87a7661e7f603305682827aef3e150fd5cb62b7c7b8461b276c41166f4e1f35e5c7e236dfff1b5b0f55920c829f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c689d0cab2217bf011f83d0c2417bc5a

SHA1
9258614b81b6ebcdf0ea0d40958f3f241387c59c

SHA256
b35c5a4c44a6fced8ffe7554c1337f31a43dc91fba20ceaf5198ff04289f9684

SHA512
2712b69d3854409ac688bac41b1f50b7311b1734dac5d1bfb3ad256170d79edb37d88d4611c23f8e4768c9430297e92188d56e48b54310bf9aaf46cb4dbfdfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bdf1f5577835cab2b5ad9ad4489a5a3f

SHA1
26a72ed36f5998b6748e004a0ac451ec8928e43f

SHA256
048e7fc1b73e542474292e4ade87d8bca56d8ca4f913675a7aa99f78cbb8e6a8

SHA512
84e609b6503a47c77cdded3d58ff95a068d828462f6ea1c4d51adb1df152e2093b77625ba984d991d739a5b670273b12d503fbe9080dda9a03d1171d3276b191

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
54bd2c5972e26b28f15ac7388ddfaedf

SHA1
90ac4cef3fd03891b09f0ca954031fb45cd98d57

SHA256
f2f19887f57591aa41a7c24e830309b216c6f1fb18a1128581182ae43cfc066a

SHA512
7e0efaa488942a4d9e053d71c6193769a27b4408e36812572b6f5562c9dbb2b7a9fa6e0c62d0fda24481e5d513d9a9c30ac36fb8576f6ed5e3667cb1967d0111

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0a58c289724a25b4b9d0f79a3e15d002

SHA1
a64aa60b5c07703d461ec6c44143a2cf29bf1b65

SHA256
c77095f1a6a37499efbed3ddd4cf6b01016bc491b5a038e439dc5a26858a863d

SHA512
8648fdd9746ee4695aa4b56baa5881fe54375990a9d8c696a6e95e7b0d3826b3bca7e2a991c1cb1ec7d097ca2d9de4e936cca447d849cd154b630ed2c0670f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9611dabd5272fc9a76fac5a99e5b05eb

SHA1
08bf189788e9772f843c43a8a014eb3a8b2961e3

SHA256
79fe5991041ca07bc5b236484185cbb6c7b4b7a876d564f3a28d1e99deec934c

SHA512
7207bc1fe26673caa5d09505c816b900959c6a252e1c56d91e75f088a41df2aafbe08597ef71eaff7d4195faf07ceb2ced6f7fcc532ac4b17667f3efabba09bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
98df1cb2e34dc749125158ea34d7d3c2

SHA1
13b9a82fd90dfb3eff78a6057458747d97427456

SHA256
c8a21b0806186bd92a9c13f41a9db1ed0bcb19ea0a1012787464e3ebbbf360fc

SHA512
d5dde2930a74be5d4200c6187ab83ebf19c738a218242a5417a99f30c5b9f1cd6587f0dbb27c883e3a53a5d575804ad2987d56d54bd397bc8de939aa38519fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea0ce407539daf767aea0f9e60b110c1

SHA1
df80de2930035575c6acff2d37394fcdfd6451e1

SHA256
d596a04fa0707b621f46ed5835eec4240f675809e0c6e4349240efa0c35aaaf7

SHA512
ce8a337d5d873bda315d4bfaf2f03450c7a7ca6cd25fc3c3e316b12aaf68b66812cca408450bbd9fc26d08c56da1ccf3ecb27182df722ca4603c8e656746610f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
83edb497abdfeee8b374295265594b87

SHA1
6b77d8dd78bf2c0bf99b35f39add53f5d15a9212

SHA256
6ca8fdbfc2dfdd45d988d0d36e5ef55ddebae1265b4a74c7ce6486b38a929cd5

SHA512
89c7215df3b7c7453eaee5313392db03a7ba4c4ea0e4316ac5be7aea2b91b25d919141bacf64754c126c570cbd6d25809657aac60f385e6f5d67be5438568f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aae78a5662a53b3729b1a56c2f86a178

SHA1
dcc9faf59dc09456336411a947c46824d3e3d966

SHA256
c86ea22726eb5de104d182e09a956667ab0895a11fe00c3c1c9f6aaeb1126eae

SHA512
cf8c5ed27844ce9074d1900b164a992ce0905d7ef5de834c2539529abd5e72b03ccbf60c1db3f26f3a5dcd84757d4a19b954d9e1526a996330ee5ab65b8b9448

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c177e56b1a365b3569adf5c886ee9725

SHA1
1830e35e92ae790d629597238e66ea8fd5ab8751

SHA256
15588e5782a69ea4cc0aaa7fa1581614c94d62405145432ced4abfb079348506

SHA512
6410764f232d9a73108b8ff50eea2282be96033b9bd6ed2718ee4906896cc26c2edaf7d4ca983a0d5f747ca058a6768aa582372e485cb9eaa24c98126c27e2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b8b1fa9f2a3ebc440a03f3af6ccfc7eb

SHA1
18387d6623db5eadf94202023b4cb84c9e78a86c

SHA256
6d1554ddadcf69d6d6b8cadf13eb319e832e0b88f0fabecdeab3e092b0867afd

SHA512
a6e9e02d094ae6c518f501f5635b2e4a7f6dafb0676c2addf40300c0a77672ee304f7b698f8fc239c553ea1f9bdadf057902772a3bcfff76c68d72e6d6c61138

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3b4f50ba7ac8623b213ea6f2f5259b98

SHA1
d884a8b35313d77e10482271badfabec4731a2b2

SHA256
7c897ff04be460bedffd6a900370dd34b0b1402e888f29819db2758152b3bd6f

SHA512
87d63076caf2eb1ec98bd2d6d33bbc35794d68d17ee635ce24f3c4ffe61b732310bd137f9fba204a2a7f51f4b965ceb6f15fa4e8c1e42bf0d4513419c77ba92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a21f1950ecfcc654112cdb2fab3e0ec9

SHA1
ce489421c2524b3d85a38f7794cdf597a57181f1

SHA256
4622aeb5f9ad559c92a0832bc39b19a8e53c774a78c64f1d55de03ed8ba6092a

SHA512
a608752e1579de088705d5991148a471d06a0990434c1e40b4762bdbce1c84a846e846e0fc9d71f0fb45ae0d6f1cd23b8217410e614c59d32d438d90b7cbabf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e4bc9dd9a72e7d74f1f78177df208b43

SHA1
9c57f1a3bc10b3b334dfd03fd40fc8db342ec7b0

SHA256
185f424c6988f3a43ce880cefe0efd1df7eb22794167e4a323465e8223f70ea9

SHA512
f7ab400315b92c4aeab1e6433da2e8e3b80b315b4eed83c2184a888af4a6beb3a14da0c6dc65a8c4525df1064a4b8db1935401e2dfae13fcdea762b2cf09e876

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
16e5720d1060d14e36ad65da79b7c3a3

SHA1
3c7c6ed16c8d312e3b0dccf58ed58170e9ecc611

SHA256
660953e0bfad85e87632cf9afb912e38002f6154a5fa24b67dbfaa51bf5df972

SHA512
03c35eaa4dc28a6c25af8849a63ed09d16cb15acf2fdd0ea932c3f17a4ed8a4c2706fcc86685f897e7000187e834d2c9a110e21dda15fb3b229999168c07f451

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cd8d400611c702351c62f930a0ce4154

SHA1
ead62d6ba4b6e401f51b8397bf27cc4683761ab1

SHA256
47b084e8a819184a0afd15f001e39f65afc193a692b4c9e380599e153af346a0

SHA512
47a32bf05cc74ac3b00fe0d9309f2021e26f1b236890894836a2634c42a976a6f0dbc20f621db7df3a523a7020d74a892926d9df26cf019536b065e9d73ebd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
531818f621940fe16d7bbb0f791cd7b7

SHA1
abbffe6df3a09ecd78e332c45d20682647d626b8

SHA256
473975a46f7e85b4cfc0364d288d9bda8fdeab5776d30e6c37edf0b2f852d6de

SHA512
b8829cb79251123877afb78142f1b20b006d6527d5681e75f01727cbd6b480df5773425d3f8fa0d94a3bc1d5a58c4fddcbea30f605b88c0793db2aa02b4ba7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9af8cab00ef7ebbbbf5f1d4eeaa6cf47

SHA1
2ffd723bccc276951f7cffac9de01d615bcf56bd

SHA256
c97ad299cf72b1b864eec90224755e8caf95f85d399374f3d596e7a26d35f17a

SHA512
0e67235c3e8ae59706c0e44121b12a5f55859726515ead45ff85f3efc966ff20144e7069a2bf953011a76630ab109a243b53aa9af923b5b7eaf14597e1b814a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a3628ce6da40336a1e6e595ab41d5ed0

SHA1
7316b636b66c76a72f818ba35f1d8a29f1381dd6

SHA256
35c24a028d4e0b332ff89dd7456e7d044f99566f2e69887b3dd285bef4a798b2

SHA512
20e09133d5902190f2649753dc94615afb9eca23a7ac48809e68ab03b8c012ad7ee8663b0fefbe1e42ff63840a747c37fb31a503cf27d10702faef674ecf750a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
efd71912ce4a4b200d770fb65b888546

SHA1
21a01246e1f7b53d81dbbfb3ceb545f9662938c5

SHA256
12b6d801ea5834b34043e35b623cb30fa4827f08854b52a6bb34855513efe21f

SHA512
7cf6d2da4537e2cdc9d87d27547258566daafa3f839b8f5dd70e89d496ee3119ea1b65d0d4ee8a98e6ec8573eef8609a30f59220b811dd9e33c8ea8c817f667c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3f6d144e2cf807da700d0adb5d997e08

SHA1
f45d78403195e1aa322660cd511d59975585ee9d

SHA256
ca3149ec01680c359556fdfb493000d0263645270610236dcc63363cb9db063f

SHA512
e850b2112477422bc43d88eda8d53d87f4ec28e92e4b9aabbe1c2b139ab2813a7e4d1905e5ab8affad27dac9568dbef827e0ac4bc8b675ddaf2195a891b628f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c2ec06cde4bd654aef3a555fcd8ad12

SHA1
005313754479587d70775c7437ae7db2c7eab17f

SHA256
269edd2931e5e53c9db4a2b7f0a13751776a3d36852323bcf960b09b27e2b354

SHA512
bc6339c9ef051ccd928a5d5ae739a4b64f0b180ba1de7eabbcda0513aa4d4ff33ccfc90a15953d6977f7f6023dc9f36725ce64838b538ce2900e88b880a81ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
360fa09da1f26f86449f8f73614cacdd

SHA1
21645ea37192e5899649e9c97177c0f0d38b226b

SHA256
b65ede51fd801e32924496e3d899cb458080c497c140b0369ada8e06186f9c73

SHA512
28c3a15394744128add631b2d9c5ec6aac6f1bf4cf5d732e6181e9be5dfa84043448ca5b86e1dc07d0086f64d8a9217f7d4fcfed13025a9812aaf56ab31273ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2f883b3ee79c10f24a60afed79ce73f1

SHA1
7d58af5a07fdb59d0bdd8d8ed95afda1455554ce

SHA256
1fc690b2263b5b1bf37010adbf07190a8cb34095d7b77826aef2885630125cae

SHA512
4da9d1cbc15f855dc4a278449c6c15dce7b080b69bd4a130e98184a5b41324e474988db5bce7de16c49055b4e049fbe15f654e5ef8b3aa25dfa1c12cf228d56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1172a136af090c317dc6757eea88fde9

SHA1
81ebbe1aed7041611e8a943066ecb769d86a384d

SHA256
afa705fe6d8772f7663db1e65df3fe50ab00181226ca54253071371c81bae188

SHA512
4f2da41b5ede16c5ff61387e6de1a7e579e71455a0dbd9638112abe61d1d7ff99ab31bea1d0b530415b15cda44d33ade92ba6d55caf504b6d38ab3fbad21a7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
219e55019dfbdcbabdd735ec375f919b

SHA1
5355ff5e5e5b858d171e81fefb48e65222bdb6b7

SHA256
b90c35062233c81d749587a15777234a662fcd22f8f0ce1728d48181e12b7c16

SHA512
0272c747a9c703fc214be2f0e76fdd75907aa5940c7c86729242a6902a61d7f65319360ccab6db9ed99a4bf7cb520e86e4da3f453bedff0d492a6a2f56105e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
788136e08a179062c1a7ebdeef1b34f9

SHA1
e9e33b22b97cb737a75ea1c0d2532db414dc7aba

SHA256
aed7c33fcd17023a48b085db0f995f4a01cd00adaa500bc8cefc8421e8ca02ea

SHA512
aca0551d85ebea29e61d620ead8d15b5bbabcff3c5f49e3d3194d62dfba6618daad9119d9792137b209d56e492419e0c21c58a3f47f2a35400bc288960000d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db97df4301ea281f0de2920acf254242

SHA1
6cce0b806dfcc1df8ac8c4e06464bb55a3bfae30

SHA256
e67ebd0373e0ac8dc0decde7fbd976778aaf5af56aa4cf43a2eeacab5e1cfcfb

SHA512
28be111b6216cb5876c50c965ace8b56728ffa3c62ebc837599468d52b60e7f08571ecee49dbf7aeb4aab23a1d5028575f3f26b7f406b93f61bca3d7625406bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dce780efe96994eaa5d18822432c1bf6

SHA1
47dd3c7120bc060fac9798d7269b27fd1c2008ba

SHA256
9d803aa1e9a5b4364201665eefba5279b3d47271091d10e16afb2456d59041a6

SHA512
58beeffca2898b6978c38f8fecd61b0b621b2b3c19cb2009ac82c91f09be2529134a12ced4d73901f1aec9543985dfce0b8c9dff69553880861228e217a9f6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef9d97d8191a2f815894d6bae6fc1f3d

SHA1
40bca895d073b14e6ea352175f95dd3b5a9384ac

SHA256
c880b876c57b6bdcd0bf85c706b5c6aff297d3a61e95c3d26d91e532db7055e2

SHA512
544dc4535df8c08e96ec0d593bcfac25eb067e562fcda789d69d94f38fc7254580bcebb6e07b07d126a110d3bd72fe2ecaa949142d9463a33fe698785bb2bef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6269b74ba72d2e631fa63ac446a2b4fb

SHA1
3a977e8199f00d86f32f4e27a131ec213bbe4c6d

SHA256
dad415ac99d91f26655c00b14fb2ec9faaf622479a3e8be34715f3049d41975e

SHA512
eecc9436d914c2a6f663a85e9b81eb28df8b70c478c82515f7da454c64928670cd001baad3149c1e4e8fcc84555dd887347c53db6a644e1b3bc28510ec2eedc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8011998e7727e589c6641c5f50baba29

SHA1
258ebf2e7b93a54718c6f588f060c338cff4c0e7

SHA256
ed1cf5619f81a8f2b8ac0fc91a6085107321da75f71d26e112fb807fa58703a7

SHA512
1f8d71049dbd376d4ccca432045ce543dcfd59f13ee0f6155a57fae1ce89f8a516b5e24d867b4cdf94aa691ddb093e01e99c60f4b6951c7b4a37de5a05a2ec4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a74c79ce08333243b214feaeded10fb9

SHA1
cfdafa7729c9cd610296c8aee92991e452498fbc

SHA256
1fe933969eb5f5db1015de6f8d2185c6d681a881b4a8c1ed820a12e50530bd60

SHA512
e6dfe4b699c278ab234bc0a802ef8cd2c05fd0f23ac701834a31b5e5813bbfaccdc86958cd2b6944bb2264c4480781aa5798fc8883c26b67c860ad2ed6f6fa01

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ac84319666dc61bb5d6e7f2071afa2a

SHA1
87c4278e0069e76a6db60d4e18de346aecb52b90

SHA256
12ff95d13ab001200c44502820e031a5621439e87f105a289dd9a2460b2e3b68

SHA512
64bf7695e2c84d1dac314dddd006a20404f71a0cd0f7618d914f7caf28f9265c080a2a0c77874b95294e3d214452fb15859f72aee6fb121b8d1ea7c22ad49d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9c796f7ab94b6f0b0d1ed1021fdb95e5

SHA1
f661c00f9a3003e2f66695970d484a37310ec878

SHA256
9f79af3496e1f73403040f923383764117c034731c25c009e5bc443d8a416bba

SHA512
173686a16029ed90ce67126505e61c488aae7ca098afe3f08fef51f752dec632c4e9092f0aa54740699151e57efa3c44e9f94fc76c2a70b66f8d5c353d46e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1aa9d1abe881bb4b02f4a1d650c464f0

SHA1
4895a1c2459f04d9a6f2084a0da41f968d26276f

SHA256
1954fd5df10a48dea2ee95c862aa4f56871e8d079f64cc72e985610e1168bb81

SHA512
4e949666d52ad5fde5987d76510715acb6d4285da518734967b107deba1aef51b2b19fe6bdcc30750676ef3d81898ed4afab325c675e620cbd1a599efa519043

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
697230afab8ca19e9118c6dc6dec419c

SHA1
06e5db00df65af1fd5e89503424afd5ea9195b53

SHA256
75d35b573f62572bf7c6e62adf28c51846871f2ae69cf218e3a24430c09daf3d

SHA512
6654ca9719535d9e5bbaca4704c9b262d751326f0e1a288c3f5e549ce4fafcb779d58cb66d44ca6e02eea56ab2c2368254289bb620437814bdf6b98256ffa623

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
33176155b5d8514c363f5663544d6e8e

SHA1
252404e5d67a538ebdbd050903625bdda789d840

SHA256
42b68f800e425b02b0a19baec84e218b2e83a31262990450178c44c88743a300

SHA512
acbcd48aab8d1605c348172dd149f339cec8b1274e58553f233d48445628407bac4aa5ad73a41b94d153307b540e4359fb647b6c18dbbb7193d6428ec2061c44

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\windows\SysWOW64\microsoft\Win_Xp.exe

Filesize
346KB

MD5
6c53dd033bb70047fd8c8cf5849c4a98

SHA1
a59758d4b46fa0be46ac9d1097b8a8502302df78

SHA256
02252ee5ff2937580ff8d3ded0ce0182d3ca99ca3df0ff11477be61c655210a7

SHA512
73912c64d1a900f4fa5441b5febebc36ff6fa838c493fe84c81389ade9db2da73d65b6be81a882faf47c6940eddeb3de498238da5773fec0526b906741c8f15a

Download Submit
memory/1200-3-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/2196-246-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2196-3782-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2196-248-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2196-530-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2372-2-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2704-3787-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2704-861-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download