cybergate | 28b7ddcc8adf11fb406198b688da89add30e58765c88b7a3b46faf50ab7ee2c5

Analysis

max time kernel
161s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe
Size

1000KB
MD5

1bd831b3e9b8824b97dd4b591b24a492
SHA1

3ec7ccc1afdf3e1c3f461aead688055bb7a733d2
SHA256

28b7ddcc8adf11fb406198b688da89add30e58765c88b7a3b46faf50ab7ee2c5
SHA512

57506aa5b042b4ddc54e20b5953b863a50baa84c7a4504cd24f3b001c5f1d5bb8b6dfb826ca4fbaaf8d41903d6bdc98ba676c42659fc4f2e8cb336c9bd53fb21
SSDEEP

24576:6sSXVmefVMTqtjP7tg7Vx8JbvJxnsA9zyYpdvV44plDAI:6sKz8ezZumFzfrp

Score

10^/10

cybergate latentbot xtremerat öííé persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

127.0.0.1:288

medoseleman.zapto.org:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

medoseleman.zapto.org

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Detect XtremeRAT payload 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1.exe family_xtremerat
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.exe	family_xtremerat

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	3.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 56 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

java.exejava.exe2.exejava.exejava.exejava.exe1.exesvchost.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exeexplorer.exe3.exejava.exejava.exejava.exejava.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D050B46W-I7HJ-G2US-18WI-R8HG5DW6R433}	2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W181O045-TB5U-U305-6T2F-H6LTIK6HC3V3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W181O045-TB5U-U305-6T2F-H6LTIK6HC3V3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe Restart"	3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W181O045-TB5U-U305-6T2F-H6LTIK6HC3V3}	3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\SysWOW64\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\SysWOW64\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W181O045-TB5U-U305-6T2F-H6LTIK6HC3V3}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D050B46W-I7HJ-G2US-18WI-R8HG5DW6R433}\StubPath = "C:\\Windows\\system32\\InstallDir\\system.exe restart"	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F474V75-KEFC-EAV8-BCUI-1PE85W1N07DG}\StubPath = "C:\\Windows\\system32\\java\\java.exe restart"	1.exe

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

java.exejava.exe1.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe3.exejava.exejava.exejava.exejava.exejava.exe1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exejava.exejava.exejava.exejava.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 33 IoCs

Processes:

4.exe1.exe2.exe3.exe2.exe3.exejava.exesvchost.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe

pid	process
644	4.exe
2984	1.exe
4748	2.exe
3588	3.exe
2604	2.exe
4476	3.exe
3544	java.exe
4032	svchost.exe
4084	java.exe
4056	java.exe
1908	java.exe
4508	java.exe
1240	java.exe
4940	java.exe
3052	java.exe
4656	java.exe
5148	java.exe
5252	java.exe
5212	java.exe
5388	java.exe
5436	java.exe
5528	java.exe
5128	java.exe
5260	java.exe
5632	java.exe
5012	java.exe
1420	java.exe
5484	java.exe
5908	java.exe
6100	java.exe
4764	java.exe
5616	java.exe
5228	java.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2604-42-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2604-44-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2604-43-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2604-48-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2604-52-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2604-53-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3588-57-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3588-56-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/2604-61-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3588-63-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exejava.exejava.exejava.exejava.exejava.exe2.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe3.exesvchost.exejava.exejava.exejava.exeexplorer.exejava.exejava.exejava.exejava.exe1.exejava.exejava.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\system.exe"	2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\system.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\java\\java.exe"	java.exe

Drops file in System32 directory 44 IoCs

Processes:

java.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe3.exejava.exe1.exejava.exe2.exejava.exejava.exejava.exejava.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\system.exe	2.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\InstallDir\system.exe	2.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\java\java.exe	java.exe
File created	C:\Windows\SysWOW64\svchost.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe
File opened for modification	C:\Windows\SysWOW64\java\java.exe	java.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2.exe

description pid process target process

PID 4748 set thread context of 2604 4748 2.exe 2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3592 4032 WerFault.exe svchost.exe

description	pid	process	target process
PID 4748 set thread context of 2604	4748	2.exe	2.exe

pid	pid_target	process	target process
3592	4032	WerFault.exe	svchost.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	2.exe

Modifies registry class 1 IoCs

Processes:

3.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 3.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2.exe3.exe4.exe

pid process

4748 2.exe
4748 2.exe
3588 3.exe
3588 3.exe
644 4.exe
644 4.exe
644 4.exe
644 4.exe
3588 3.exe
3588 3.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3.exe

pid process

4476 3.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3.exe

description pid process

Token: SeDebugPrivilege 4476 3.exe
Token: SeDebugPrivilege 4476 3.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3.exe

pid process

3588 3.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2.exe

pid process

2604 2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3.exe

pid	process
4748	2.exe
4748	2.exe
3588	3.exe
3588	3.exe
644	4.exe
644	4.exe
644	4.exe
644	4.exe
3588	3.exe
3588	3.exe

pid	process
4476	3.exe

description	pid	process
Token: SeDebugPrivilege	4476	3.exe
Token: SeDebugPrivilege	4476	3.exe

pid	process
3588	3.exe

pid	process
2604	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe2.exe1.exe3.exe

description	pid	process	target process
PID 1284 wrote to memory of 644	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	4.exe
PID 1284 wrote to memory of 644	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	4.exe
PID 1284 wrote to memory of 644	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	4.exe
PID 1284 wrote to memory of 2984	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	1.exe
PID 1284 wrote to memory of 2984	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	1.exe
PID 1284 wrote to memory of 2984	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	1.exe
PID 1284 wrote to memory of 4748	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	2.exe
PID 1284 wrote to memory of 4748	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	2.exe
PID 1284 wrote to memory of 4748	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	2.exe
PID 1284 wrote to memory of 3588	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	3.exe
PID 1284 wrote to memory of 3588	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	3.exe
PID 1284 wrote to memory of 3588	1284	1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe	3.exe
PID 4748 wrote to memory of 936	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 936	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 936	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 936	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 936	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 936	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 3940	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 3940	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 3940	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 3940	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 3940	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 3940	4748	2.exe	msedge.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 4748 wrote to memory of 2604	4748	2.exe	2.exe
PID 2984 wrote to memory of 2532	2984	1.exe	svchost.exe
PID 2984 wrote to memory of 2532	2984	1.exe	svchost.exe
PID 2984 wrote to memory of 2532	2984	1.exe	svchost.exe
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE
PID 3588 wrote to memory of 3332	3588	3.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bd831b3e9b8824b97dd4b591b24a492_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:2768

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3544

C:\Windows\SysWOW64\svchost.exe
svchost.exe
5⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3384

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4084

C:\Windows\SysWOW64\svchost.exe
svchost.exe
6⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2432

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4056

C:\Windows\SysWOW64\svchost.exe
svchost.exe
7⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:3872

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1908

C:\Windows\SysWOW64\svchost.exe
svchost.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:2964

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:404

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\SysWOW64\java\java.exe"
10⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:3132

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5156

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
12⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3264

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5968

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
14⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:5428

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4728

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
10⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5240

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5988

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
12⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:6064

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
13⤵
- Executes dropped EXE
PID:5260

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:644

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
10⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5524

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4756

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
12⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:5172

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5136

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
14⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:5436

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
9⤵
- Executes dropped EXE
PID:1420

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1164

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\SysWOW64\java\java.exe"
10⤵
- Executes dropped EXE
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3832

C:\Windows\SysWOW64\java\java.exe
"C:\Windows\system32\java\java.exe"
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:416

C:\Users\Admin\AppData\Roaming\java\java.exe
"C:\Users\Admin\AppData\Roaming\java\java.exe"
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:3780

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
5⤵
- Executes dropped EXE
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 564
6⤵
- Program crash
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4032 -ip 4032
1⤵
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
44KB

MD5
9c1c7328a0332d138eba5ccd7907b92b

SHA1
b7e3b2c42144be214a48230656c770ee5832177e

SHA256
019dcceb9ede7f4b5ebadcaad89fbadc7a83024485f00b7e4e8f9c9eb9e25377

SHA512
06174dafd336a1d90321c0712e81bd6c7093cd7f4925939e0ece0ed55477af8b0939491320ef04876383050d1f42ab827633c1e6a6057879eb17e0074b96795b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
375KB

MD5
48f804154183d88bc96a6f99f69c7cb5

SHA1
249e0346263844928cf4eb394466676943efe286

SHA256
80630e6fec9c375717d26fe79e81f1db43adc5a7609babad4827e1ddb93e0a60

SHA512
0a6c2d595d56b9cb0d23e86b75f56e0a3b3147ada75f2a32b99d31e6009d6e940abb299b9c16cf76761d9df36cea20e40a0c27dc1a70a5496a309feea6535eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
283KB

MD5
92d7cfe28ce3c9be18a500d3030231dc

SHA1
0f1a22ce25c69a62549946f04b5e1852d2e7c7a7

SHA256
29575a25dda96648bfdd713aa560609a5529a9a890e260ca8eeb4a42b6a32f67

SHA512
9ca2da5c976488f8c93ef57333320d9d299c2aa70e04aab9e08880fee6735b6fddcdc131ed669bd669da686e98129d9ae163b40d93781868cda2b6d8a0c022c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe
Filesize
31KB

MD5
8f02bc9a1677ce38a52f7a752a5f6118

SHA1
393d9532a08b0d3e9255784946fc4fdc4b2a0715

SHA256
a5d9e864333ba79804b5b53f066f92c3110667f048f9bec02d1331af0d7b5571

SHA512
0a27bb8a77db657dc435db471639789cd92f875eb764cf7825e5cfd40e5ee28c337441cf9d9c40b3b301010dec72d2762a826d1a6e5053e91fbbeb630e42300b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuU.uUu
Filesize
8B

MD5
14aff2332d71002cd9bc17aa52f31372

SHA1
47b7ebf2e141d3ff1079b6e7ad74caaf88d4b93f

SHA256
a79537c8fa47b88d3a7e29b0cdc0dced6b221591e5ad9a6cd55b744f7112a1d5

SHA512
6f7d7c93b32d7f2ce221fa1eca65896ff6f440275aa1342fd6b72019bb5803c7e7880fd91eec6e77ddb1ac591b976a22d7f4426adf9ef13e4b876ba6d51551bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
36d71ca5f61e74f5e77c2bbfb26d58a2

SHA1
b597d73cf8313dc64773d8957cfb5b0fc6627a4a

SHA256
3e9fa141fe61c586e2b9b75a6eb92161c12185f62e3c57be3aa66a36b8b1fb90

SHA512
390bb160172d0a7289609ba78f6f34741096952d020795ca97efed9a267c46928727520dfcc626cd76f9a7b81117e4f76f37404d7bc41f8ec19d5a8abff48f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5dae87002267aba059636a033f65f30e

SHA1
399a3b8353f4ad3b76b51bbdcef81cac0d6db1a2

SHA256
8c1d1f50076dec7aeb432219b1b2ad48a06478499b62f002308969509ed557c7

SHA512
476ed12f6cb88658f495f32795ed200b327ef9ec40a6090a52327dfbd3362a1abf09582c1d1dcb367039110cb2f7d4e2eb3104eaf98912e13907ec1716491177

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
efe5958bd649f9cf36b23cd3484e1726

SHA1
7bcccf8475c8e705528f27b84487c4afa42e2b72

SHA256
9615151498eca99bdc0444083e33f0795b04dd0862f11fe2d0074c5d4c48f067

SHA512
b9e4aa4c288621818984e04a19474c780eb11df313087485efca789d6e11b8e10d193e86e24f5db7a44e6fc570d574e87eb9074b89d059881fcb95c3db05927b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
93c20beab7915da3183dd81ea3d10f5a

SHA1
0593a526afef1a1d807d6496563e06524fe9503d

SHA256
996c09ee63a436d53511cb2b3ced1358bed6a2b3daa82dc7ef17242bdcdf9fad

SHA512
a111f8bfaba065951cc36dc25976bb004d78fbaca11d5a29d138e3a45d92a0e05330b877c0c19203b1420a1756be0f6f4715f5fa648cf1dc9cab77fb5b7be63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1bef868313aa25a096b03ed179f6c91a

SHA1
e557ed3daa304c131930d8c64b8708181977bcef

SHA256
4d43622cde44e4086e49277267b0f20db4ffe42aab1adce3ededb23a69d43f9b

SHA512
5c5efed1a804f902c7c4608f471d106074b2eadd2410bd9250fee7444a58483d07c3e4363874df7b0ce44d621beb94a5ea90192b7a5184f04397a640b73bbb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c08da5b39820dab2ba268c9cf6d40f5f

SHA1
9c53ea17ebaabdaf7afbda4ba9c85de5c0b09226

SHA256
7c3adbc8d150f251ea61bffbc7283489c7fa8f8d037e351ae9918fe5e33a0fcf

SHA512
309462e9f039059265ccb8833f5ec4c8223386385dc818989d959500385405bd4fcd9da372ce8f587d93ef7b4db22e80fa14ffa699113c3b63b1cf8326574dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
614103741aaf5bdc51ae4e82390a0133

SHA1
2067780481dd357cc29062e00b3f94215375fd72

SHA256
45800756fdd62f11cde4aa6915208d0a5e81562ab73a067499dd4fec78f7c59a

SHA512
48c764ec85b9885688a205fcff7cc5bf8dcb7b054599abcba0f5b6a94771bc9942337de97b7ab2c05a76f224bfd077f2583f5facd48ba9fecd2e78e686f7ddf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0b35193f1fb25156b6df324f2d26575a

SHA1
841e9a75685a40a77532a799c1797ac401e02b6f

SHA256
080dfc4887f3b3b0254ab2b85c9c86b354b9fd041bea83776d2db57488f22b55

SHA512
10ce289627eaff9087dedfabd57b04bdc74fa8340c1ba31baf140d4572dd2c2df7cb9516b4fc5abab70355fbc7b516f52a2b32293ab62aa22b2da5147a8b0da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
7fa5584dbe86e809ddbf9b8aac14a7cd

SHA1
bf80f853e4f75893c57ed1f14372c40dcd96c997

SHA256
4d30e4824a1979bd714ac2dd011152c12aab4b45e1e90309454d5676b638be81

SHA512
2d401d98eccd7d9cfa30fddbf764667571cdbd607c68309ece298e5645c4bef2baed7fda3eb582b6bf964c3131746d8818ee1ff227a284a047d69ef5990dd16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
bb590e1d8b6e4427c52dc3b493e07db0

SHA1
4ea05a6103c4f7ca91edd579cc20ab6dc4e87cde

SHA256
a6f40f73af009177d15748971f55c22adaba6c4528c48ff638157ef33794a10f

SHA512
f155c1f77ee864a3497dfe709451472845eec25ae32d2c581a9203d7fd31495ce531c7f93f087b889042105746d5fbc0c5fbc083502ebce5f216a107f4a09343

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c3c7dc8613306f621541fce19bf32917

SHA1
29aaaaeedd64dcfe0ee0a4eaeb6d75e1ee10b2d3

SHA256
bdc825f120dc385966fa369041610b7a80a965ed2c1adb09f0f04cc2c5bbbd67

SHA512
3bb0837109cefb2b56a9370d1c523ab92172a351fa645025e224c2d055a564fd9d854c0bb5f03e76489a919a65979fd0e4bd2a16176f164fcf06b764d26e527b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1e545b7ea7993afd69a89ff67389a813

SHA1
acb14b0fcc75767ad59e2a7122961f363003ca48

SHA256
7f5491b9193f961cca16efa7dfd2964578df135d04b1d040a4b4d2b1192815b8

SHA512
29e2eb80bb672d8c77f382ba0ff7ee77d6b911517a99358dc0270a8edb7d31d62a30bdf62a4f500409146a7459c33c53c66adefce566bc42cca1a27fe5409c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e540db3aab570cc40cbe0fdf5d2c9ff1

SHA1
9cbe93d54374dcc23dc7537f13c0fd06262058ab

SHA256
9404b9556d614b24128b5c26db3eec229988e83f443965784652c2dee41668d5

SHA512
0fade41bd9a0bef6a9b20c50f16babe0eb8fdc4d292936bf1e4aeb4c9fcf14e47fbdb0638827b4f3beb029cb05869ed9e2b38e793c60eb25f89b23d1c2fb6b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d36c385de4829ab82dd3899a9f436b7c

SHA1
2265305c834ebbbdc8a2263d0547703ad4fa9ee8

SHA256
6dcab068f3fe3df3d8ef55f518c6f338a7fcffcfd7f589c8471acad96fcab71e

SHA512
bb78bc7eb5e4f23bea89433019915066d2ff4d640aa98f7826921d2d8bcf7e27884a36422f5cd8a4a4af56ed773b327f41b9aed644ae6e767c5b62dc4df76155

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
4609f9a1052143a3d3c610a295a69f53

SHA1
62720e3697ae549f0d213924aeae477707c7dc3d

SHA256
6b3ef5c7b3ff15709a1ed999a092d26e1ef9b9ea765733446d642112708015c9

SHA512
c6250bc9fd30e76e9817a05be30751158227b6354993dc0a261d1584c89229bafce7a5b46d75b7850f9351b20201d3afe21da9e319eac2bc0f909e798b4bb02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
eecb218d0ae72a49f5ab914e5084522c

SHA1
4ebd7fbe8e8d90b91237425180bc0510f8ac3d6b

SHA256
6797ca45c8ed45d8ac762da0df93d5c64e0338ffe4cfc250ebed9d6f879992a7

SHA512
ce6895a94e9fddac6f009795b4c895d4643510eb48142164544031287098abe2ec3c69b9f801210894a31619589557ea7bf5b032192b224d864619d0a5d2aaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
56020266af16fb88a896f5e709efd774

SHA1
50b38c600d78b3ff558a9bf84628211cfb810548

SHA256
b4d17a84bb03aa0cac666bd8b5c68434a5e76f5358ee1ec81ae7d47fb7f1390f

SHA512
9145030d92089d6d129c52cc7f1e2580130f3d341ffe08ff716045f86faf61291a0a4a4da2894da8aa80460f9a25bd40923cd027b3405daff66ea4e8eb0376ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6573e6f2cb4d35ed7d9e17a73f1eaf04

SHA1
caef1a9e0cc3f989086eac7df9a7d79791840f48

SHA256
101a68a6510065d5bf227d03d77f248457a2d8a19aa54943f996d4dd11fb23ce

SHA512
83695b78eed1301d3188722ec16dcb8a82e57a6f4a79bc0ed662c5119396a4f0bf95930ba92040c32531ab15780cb3ef9e1211da415e5f3e9645ebb3861ca064

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f9ab1e53768628971fe2b33bf081fc79

SHA1
41797b64cbbd78221fa15353d44565c58432f293

SHA256
abcce9063e8d8d1cd12e8276ee00c91db4b6cceba187da3ad77ad5bc25b7fb44

SHA512
f6d17c052f2e690c554d01c6a6658147b7c201ce6ce5365a586e7f5700d7ba0cd7b268eb261537a2962863b2d07d26fdbb0281b4b89c17d49cb565d769279dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0fd0d1b1d46b578f3998983788a1f83c

SHA1
0c0393898e6282954eef80884238bd1bd1ac1ee5

SHA256
345daf20813e77d82ed284e83d71ad1ba8951cc72917e55c356716cb6fa41333

SHA512
a053c755bf08fbe7f298401481198eaec9a9318a6400c470623fa22df74fdef4442bf805559a6e6e9b27f29cee06d2feaf3ad5c86601e96c93ac88fce0a77e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
064112a427ddacc60bdc6ccc0010321b

SHA1
4b76206331ce70e0e371324517ad064d4e57b2e2

SHA256
a77c959547aa6e2ab4cb51a7dd999f2c439a9a6073a4ad8169519d682ba09ba6

SHA512
9412f270b1de2422dc024227d82558f992c240da33aa6cadf745002e1030023c4113ee1dbbf6fcd5c12c39d62b60e80979840a69481cd256b1753d9f90c2940f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
0e24b89f41b3befbacc7c60268e107dd

SHA1
28af483265d05e0fa62dd4dd9dd06554792cc131

SHA256
926490b77adc87da6a2ce1dce54104dcce50617d6969422388d91cab3e0e1a70

SHA512
962e8e19d4a247fd9b62be436ba2730e0c973e34069c71109d776faf755d9eea348c2c1e58f3bec90d84daf3b72f77f5be29f7b94779801bae5229c9951a0656

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9d7030d74b805e5b74ed6045b59222a0

SHA1
7bd8144cb837ce902e2e3803b03af0cced6b24b3

SHA256
634368caa05ea21705745499666b73c7e862ef04ac097da6c5b1d365cb111171

SHA512
d8f360596144e291fcebd421fd2b638c3a2cdecdb6c77da2c71dc45640c6ef42fe923913078e29c6b377d5a6639128fbab0374f5a0b3b2c55eb53b6295bc81c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
73c541104f23e666ab008768cf75990e

SHA1
c3aab78effbf52b5e43f96a276ce000ad382a82c

SHA256
46027c86d0132daf587c3a4512eef904c17cbf1090af162b52d0d0726812c1c9

SHA512
89e31b99c51556eff5b44f83e6a5ca4dd257c383e800aef5375428a4ecee327ab1ffdd0b989efa774b5ce18c433f192d294557cedec9d2f1d235b659d418be99

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
a49c9b7ea4f27405c62c794fcfb3bd95

SHA1
b54fce537b7764a4b8cf5d988ffb34695f64267a

SHA256
99dc7f04df23fdeecfee896ea6b59c54dc5de309df25b142021f86d5e71d06fb

SHA512
bc1b4a752b2978b048144b821a097ff41d1277aca2262d3cc23efbabb440b03325f5b2188518d1e4d2c321be814e68b464313192bbf57261fc6e1a8da722aa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
4898df173d1ea6f6f23d155cef682cfa

SHA1
6d1e64c803d9f2b0f8780691adbf129785e4316a

SHA256
84cc8413fe413cc002e9c934eec3da3d1520132d49e45ad277067dc18f7901a2

SHA512
7e49ffc03c8ad6d93abe890be10b3c7144a588849c5d4ffe8102d16a630debf4668c82f4a2362011d3e09ffa3bb43651c0dcffafbdd67392b997527bb3754b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9d5edd57a4a9840700528bf8f0b440fe

SHA1
273fdae7e25f6f3a2b08e5f3a5b5eb97017e5de3

SHA256
598660ee5e52fb9700de2ba118503e4b5c68605e75343f30c7c9ab4902a50970

SHA512
af0260197aa7f7de9a58da295fb2ca9bd63cb46e84d9794ecbb6b0e510c465e3b89573032d6c1b2b0b636cd872e7c9877c9944dfe7937c23a9a6d1f40f59f470

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
23c9b8c295bed197066fe9520ba08f7d

SHA1
1bd05b198b0961912b32c9f9e80b6067e223d98b

SHA256
e7411117ec2a110fd4df09073da25bff8177726ba620a9ac6a41f26575ec587a

SHA512
16ccc638d0df8e6bea8b4fe89428804f09b4f433700d0e52ce8591fa3664c75b033b07cb364977f425759d233ac8f423b23319aa18622c0a85a4591375aa274e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
aaad40455cbfc70259f412b578239493

SHA1
7fb9752bc26f0d26cf14a6478e86b62094134461

SHA256
cc5e75cd5cbdd3c733dec24b7fb51a945efab40adf7086c4f6e03b68a1cc65e8

SHA512
74446c647604b8bbf1df7f59c3013bd3c89eb19a39400d583aff6f705dfce4133f54c84be673e7b17bc84df02582e4e74443be094ec18146636b83e81b81ea70

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
2e3fec532ee55343352d6df21da8f9de

SHA1
928b1c7bae419d0867b5d1f6a5ee8c11f7255a4e

SHA256
d66365c75e704d31f9cf8156c587bd93f0d6938f727efa21b22f3d15efc4def2

SHA512
8cab058faace394ea497cdd943da863afe46fb9a8c1d0203f728fbfaaa508c7b924b9211ab6ddf29a592198191a0636884a8fb276a9cbf76453044f46fa105c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e1e8f682b496acd89ec264217bfd38d1

SHA1
5b63e323713cbbbddd3e5bba160e0f7d2f1e0a89

SHA256
c8a8815185c9e8e4114a8b326a143a2962e228306e885925d25e1340ca1d5a48

SHA512
304fbaa1d4ae40b59f651e8c181178ea41e9fbf47551bc99d2812491827dbac5b65e25e72c18d62ec487fd53ec124c326e17187b102954a04b56d9761248930b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
8ca57db6ea2ba2618efbd362d6e332d6

SHA1
0e1ddbec2e69488df1c955f9e834905da47bbe5d

SHA256
14a3f490f2c92e49f3c2e946b6389113b9d5eba9fbf7211e02e83f53a52919ff

SHA512
ea6edbb4e532d353a20740b6798c69c97a6ed752e007e2d19466b4f69772b20aa265c1965383697e2dc7752bfd83ade992fd25576409df53def3012cb0754cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6ce03437984bb172d7dc510ad5c784dd

SHA1
9e7763c1e188f6cc806873cf4896b92bc24e7cf5

SHA256
03dba15eba3656f8c8fe7f9695aa156e03519a1dcd454dc9ee96b5eae86404cb

SHA512
b7ecf20269504bc5086925e15576eb29f11f1cf792266f6b68d501c3b63c88c56b6465055538fc71b65e12fd84e39f08ccc0a7532afc70ce2512bbd4db241d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f0dc7b9a394a20ef7f2a3cdcb66784b5

SHA1
1f4f15721fdc840893b47c733bad53ef6cf74723

SHA256
2882d1f98fbed1f6798552d34ed26e04624eb0cdd9cc0c06cdbd227d71161fcf

SHA512
e71a363cf8be23cc4832c258c6b0dd4ef797dd15c3fa83725e9bbc58f804a30f741d5100ccc9b4ac3bda37af3cd0fbfeb5c7d67c07049d5ea7bbe551fd32f5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5a054ef78d14cc7c1d4cf2112341e5de

SHA1
c7ff90f9082a998d9f79cf956970c574f6a27cac

SHA256
9438b3e11315b930b8fd075a4da22c2e8dec50a4ef875fd00df1a40717be2335

SHA512
e689d3e3020d98cc9694444ff15a2af05489dfc7c4abdf4afaf6a4061a192b93446ae39fbd5c2fb0d3b474426eff8d680ef4ca8850eb1d037fccdb02c907112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5ad7df1a397b841868377a5b184d3f7f

SHA1
8ae8d2defd5616f576aa93651f7d888a6a8277af

SHA256
0be07ce1c12fce8e7229764f157c5cbcfbb665faa5eb27888cfd34af843ae142

SHA512
4ef76d7f54c3258eb80f09f480a27599da708246541ed8a8a5082b4479926287241e0959d39642d1eabe7d47e782c1931618b39b87e1d1deec7152734f4f0557

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e3fc4a09b5b8aeec403fb884fbf6684b

SHA1
901727a5fce7a7ae27ec86d0feb2bc2d3588e958

SHA256
c358329a1c0d00fc6a327e5704dd64e86dbb0b3d29476259f130fd0028e77fd2

SHA512
3f39e9bc120037e8f1627a237a3bca23cccc0bd444838f7cfe58164d7b3203ac5a855cde7266610a5f2f61792f31731dc558ff6ffef44ea73c875fb88b6c9bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6064ea4e4caf59be7da447c2e1c95965

SHA1
0b5bcda44b16b2ee4ff2819f6195bd045f5a345e

SHA256
06387e5ce4e1aa9ba94ec45c191ad01bf76c0d06f31094123881843d36d37497

SHA512
c8a99e5840966bbf8f38334ead7816a02ed87856fe944893ebb9944ea54967adcc983aa1b77932d6e3a3cc1ce47753419d5c4c5d68a44bec4200da23857b94c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6bcb9443f53246d7a1ecd34063527e2f

SHA1
ddac0acf64950b74b7e54cbb79ccb309a35d960a

SHA256
fe50e5e8e6abe21858fb676f78caad21298d8c437f79deacab733ad338fdefca

SHA512
1090451079667b749724165dad1d5b89e5a890c61bed383757bfa448b791657c8035318a3c1a7b2380aaf03cd50bdfdb3770aa28061a936a160c311dd6fd495c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
218d0229b97f3429cb0c501effef47dd

SHA1
8beaa8808efa4575f0d2749c7b13a336965946b4

SHA256
28cadd807ab74b401b633325b0cc23e718d9d1d92c7e8a08b6b3a0ebb6b8b4ee

SHA512
844103dea19773f6809c91c0b155d577aded69840336927f85361c3d48e910810b0ebd6d673175fa4965876da0fcc16145d91ee1bd9b56fcc5ab9f4b72187156

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
2320ddc29a49eea1a9982aced39e1a09

SHA1
16d7f11fe44aeedc06d58853fc52b5cdf4f79494

SHA256
217c2205905c543d001119889c68debcfe44b7a48d7282d045ecba53475b667e

SHA512
412fe3233a0ad4378a60d8cf38619fdce33230fe86b6d10c5dbb019f9a0e1c6324c8020dfbfb904834e7f195ac67501f43ceab7915c44013511d0d74158c6e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
01d5aaa312a2bf47c59e30a62ed37469

SHA1
5c7b6a66232c1defbf9ab092ee223d6e7b03350a

SHA256
240dc2283430369b1983334d7e6ecb2a864472c7b25fcc5f17f1838e8821bbfe

SHA512
168da113e704acc5dec1203bbc761fd31977e923f6be2c167397306c48b016728265affb82e6078c93d2a70a2db490068bd6ede43e56ba894dfd1539b2af5f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e72d43cd0ea07f2aa876c8e8a51f4c7c

SHA1
4fa1139ec047640f8d9d8b45dd7807bd3fdccfd3

SHA256
1f040b4983601e62d1e68a1758523075d1cccdb89ee2ff3897c4b4603fb95bd7

SHA512
c9149ba5b9ef333f74780a71cafd74dc525151106cb3f0d2d71f4592318870c1e6830f5002d1ef98c89deb11120f1ad376b1ee158a109146e4ac2d9da3292eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e4921df4c5dffba016cc4356bc30b142

SHA1
2bf112164bd5aeced80ba109051b91408c206d03

SHA256
b71cdf9cde5632689b4d57219eb84853d0c6f50b4df0fce70448ef42b0fd5613

SHA512
5e437351d3c60d1d45b23f2dac1481032cc47ae3066afec9b4689299861b5f8bfa4d1ae6544cd17fb74be8e22a7e6a0f66728ee3b0d36b60a70487eb3bfe1448

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
ad0f9dcadafc91a09e20de8d0c2eccb0

SHA1
ae4fcb7907c71f2ff97a6a9bbe9b8ee0b3074cba

SHA256
0f2ad4ba92e1546153b5f1ece9c527ce8cc23dc8a4770a36dd65f4f4a6f56aad

SHA512
f541a363cb7f6b9c6911b186cd4c7d6c3c35c5c43f6cbfa8ba49ef0bd8ae97b6637f44b2d933527ae2fcafcecbd2723189647c6d2b40c69dedc2a8a515794b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d2a91d14eff3303baf7a26cfe1f8fa0c

SHA1
7101bb2692708228325c748ee9a3768c726789de

SHA256
8790065398b1280d892f4e40feb1a44f6ff0d4294bc8671747fc669ed3e4eec2

SHA512
3987959a67aff9fd1e8ed312750132614d48750da9c0536f62b32160d065ff7195535bd4a068f3bafa46d44fff6e2cbff2a01ab9ce51b3598fe864c4e6db131a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
7347bdd07805bc633ee4931e44ee1aec

SHA1
05636ed6dc56914dd6286e0d58b0d7d3ddd1cd99

SHA256
d6ff276789624deaf4186ea887b8c46000b7991899f56bb18985f1325044b405

SHA512
6bb731b39cd93b245bec42c25c51234c625e677ad8adf8dc16a79a353421054756101061f82800e941ec2e36902f10e009c75e537679555f129af2ce8d8531a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f9811f1befa6c8c315c5806ef5c6b08c

SHA1
ba3c1ea6b387b6bae9aab017cfe848ca23b2d591

SHA256
3e7c7de93665afec82be56eee4f250851fdae2b42a7a58f1676fc5bfb7d119b8

SHA512
2a43401c420e8de3755ce55c2cad24d7674462a1c913e25cef4230620e585dfb3887e7ed141fdc6eab63f41b7b43c87ad619f9515e329a4247c4d0220a178186

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
7bd08011690b4136e7cd1fe54c897aa2

SHA1
33bbd597bf973808cb6d3659230a4f57d7efbcfa

SHA256
14b62cca8eb538ec141207a93623038385b2ee97964b6d42074cf1da421b17fc

SHA512
c231af5aecc56c20274369e6f3c55d3f235de763791ab2d6177ebeaf5e52a4ca0e0e9a1d4ed190a5507f87f5023602d1cec7545ca14e78eccf230b4081150b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c35a1d9b238acee3b6426c0973955cb0

SHA1
dd230ebdf181cce7377f51f6378b4ff012802af0

SHA256
7b3c146b6d38384060c0f4605e8e9b68d9b5482ca624e1d00e735bb1d0672a13

SHA512
22afe3972c4f08a17230f94604684fa611d231db5a33cbbda4710ceb1035ba608170128e6014429066e7d3fe5db4b1b0a3f18946c71e90ee4c6452e668661cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c3007f96d987cfc8fed396d2f0bf57cf

SHA1
42289aa5c9daf8527dadc2ab2c924e0886e662da

SHA256
ae9e76c561ccf84bc44d838730cc99f0c2a7247eb7f53a1fdf480cbee58218ac

SHA512
a2fa958c07c6eb07406148c541b58eaca563d295008313f450250194787e6637e9e56bc68ca0ebd8869e45288aad59e9bbe3b6aa8f69e2dfed6b8c3a1b948c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
7ab9a9fac8c59fcb324a3b2d2a48382f

SHA1
5f230c5f969282ac3dfb4f0f3669a6b2d29b7fb6

SHA256
799246023194fa0769fd32aab546ff6f1d3d80935d82dc3a402e86fa9ae5aa54

SHA512
87b40e04787c8f4562e9db850a0931cf86fd63512490761363b13bf51673061a2ccd5e802f00a5387846f694a6ba5f47c123abb66ec295098f1d7c8344a50570

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
deacd76de49d40f39d8bcc34500a6a28

SHA1
a1cc6e3a183b71850defe016583d31d245c1852b

SHA256
7ca27d50fe4b389706ebb9b8d1a5a1664e281a67365eafd4ea691d062d023cef

SHA512
967dd879d3f78f7598f5dfe0d3442b533f1ebec79cdef94a045ef42d05cbc612d59f80fe7f37ac5cf83cabaf20b04fb1bf579d19d1085e5416242ea73aebd909

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
9e9846bf28c50c3c98a1efa50f80b6da

SHA1
4989ee01090133c153e1dcc6563f59827630d9a7

SHA256
75f5439a85b530536e6297eef382f289bf72eec9865dfe65ca761d27147b5ffb

SHA512
b3164134fc73f1c1cc56c11598471342d3d8c1ff059cda6539b191b7c29f826fa16881acdb811737657a0ea19b6145943f17ce10fcf4e51e8e9847657d1cc52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c20630f32b8f890f8330c2f18e2db869

SHA1
521a43def78e2583558a5309f7d36773af504ebd

SHA256
edc3ca7959a1503c691561167b44ab3501e2b539a5ba3f6049419fefd478aea1

SHA512
94288b7ec1c2ce24f05e9f0ec662feab4d58023c90a2a4ef8198fbf057c2825712137c17ecb248d67f3d8cef04e11d8bfbbd0d271cb0561004ac69e825c56d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
786f405ac10eb5c8f0014f9ce28cc132

SHA1
7d773ad1b7151d82f3f0c642397ecc8e5c3e2bb2

SHA256
458b488140d45db460029e7f07111ac192857fec6ab9bfe73ad16615d8b0a41a

SHA512
eb6b98bb936bb2cae758d7214df85fb3cd557cca568e70e109e8ae5d2e7627862768572a45f21a74c29d41ce2313a2ebd0805625b5168f504e06e3b6620e6b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c29a9b7af668365475a296494f5af93e

SHA1
5c6130c4cb786cfb02e7269aa5dfe1eef4905110

SHA256
07ca8d1c5c7c7fb620892be69004d674935c5678f4b3d6e52abc16966d6466a9

SHA512
cdb94a85785288c2f56d698b291acd27d934b54fec59be6b893e638dc6d5c56143e9966a578a51cf8c588746a3ec02b7e5bd7133ee93baa1d6cf610c1ea5bafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
13e4dcea143681e079da111bf43cbef5

SHA1
77a602f89a83a25b30b50401d713be3c36c1170c

SHA256
0804a53ba24cb1e8a6d5e7d825209aae69abe9be53f680320943d935ba75fcf2

SHA512
ea01d810ec90a971c8fe8005a130a1799df07f6d6162dcb7fb2f9cf8410511ffd112724d478ef710ff4974c5ceb9e7cdb4437172a1f21b4ae23b4c4a49e92bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6b75cd22566bd1e798a357e86e7e6b29

SHA1
8771226c77e208bf391853ef0b8c1aa5eaa58ea0

SHA256
2f01a7a44c66e9e63d158633219003dba36a5d81ca224e03d549d2fa0c3b3786

SHA512
53ac46c6591b772711f013ba12d5f9d88a974c382fbf556b7befa4c7a3fdf94d4a1086ca2d7f819da64de763244b16d129d541a5e54f8ec6599283646e06442d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
5e5ff95b25b690f7541e6875586dc41b

SHA1
31cad960577f92f93073d33c7b28ffd6c19a5526

SHA256
6dee29c1be0574ff6fa08040c9b5d500ad2de98cf0a768375c54a98da9b61d97

SHA512
006209d3a38d93268c910b33d56d7e1d0a9b781e7a0729058b3d2dd3957b1503dff936c3c4935eb3f1f7f9a8368c498fb7013be0dc382f3647102c3404826695

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
e31c4f8c05458104c288dc3264be346d

SHA1
b5d610a3eba076fa0d01c07b9c7b015370a10d09

SHA256
93d5871a640e581f685a64a1551b4da29070700f9cea13dbb061a9e3b498f7af

SHA512
1013cba3d1017694b0dcdef87cb9d9e423b3ad32524766c027d8e328874ca7bcefe2120032df11702240bd0c7b90b9999b3d75c62295481b9f62176dbd8de637

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
bd2fbc68162eaae76167584349593324

SHA1
fd900f503d7ef3af3123310f4e63b71ce6b25ab4

SHA256
7c3c960462abdbf77efee44e7b3be1b36405e4f7896cbe4151cb2f2dbeb1955b

SHA512
a0bfd730502eea49c4b3dd65f61e9d5fe4787e9eca4f5a45fd1db54685c9a33a776361f2c4f82f23bd2dbb96f6b5104f383688c80d2f2d351e2a78edf5354cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
17a840d86d2d51368018cb856ba260d4

SHA1
4545a710d8f0968c92f93b14604149fd027bb72c

SHA256
aa254c82e456d593e6e26e89858e20c5e79ea0201368b0b8269c90379cc3b315

SHA512
4e60129600f4ba65a7e1fdd885312c110706d443dd3717d4ed438530ed3cdd3836731a72cfa1c02253b22e40a51e5bad09d1f3bac57642f00f2fe76fe7177402

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
4a51963bfd818e27d5bcf5983651ed13

SHA1
b158412fe80d050f4ac08775b01d0593eeb0578d

SHA256
7518265ca4bb93b780dbd5e71b4cfec72219b6b180c44da4d5cb918cce8e6fe5

SHA512
63a1473ac2dd6da46fe069e7f861b69a6e26bd920a83e1abe32c9fafcc835077e0ddf4e9e616e1d69f111fc68e4040d1ff4d514b2f9d608871646bec3004000d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c3e0f8855cf055bff2ee9983f0e08dcf

SHA1
2271e99f88f5ae431641f09b7e536532855645a7

SHA256
557def1814ef5ed013672d823da63b84fcd2d6b5cf2ebe4d5e4a1fbef1bace9c

SHA512
9c9c9014822d18919a0a4dbd1dce2cf5c5efd39c2856e61c319128a12538b399058a0ed84f80203f5eb90e9449dba931e9baaa3860bab98bd845f824239d6201

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
65d3274d5a1c281dd0a9cb0d9497553c

SHA1
4fe39264b8d7405bba3cb9c0d802bda678549fe8

SHA256
0461f16ab58837a64a8813f039a338ecb9843a12853e74cbe73da14c76ae3781

SHA512
6e82348c624eb7657527c755150801bd1242f8ec03e2cfc983f731db1fe273b0b4ed65c3409d6ed7a68723b032ef4a8d7575158e6636094aa60f93495bb746cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
04eaaef68110f01cf6f8af9b0ee46bb4

SHA1
883b3e81fdb35be9bad84c3559ac40d83b56c438

SHA256
6fbbcaabbf3e7af9cb6fb066c5aed25e71ad45e2a7c0699969c297de36845fdc

SHA512
883f983b6fac7ab9b3452ce5769dd3c0fa976b21e8c3ef7a84b76d8711271738da550384fe4c182627a536b0d1d925084d304a856243cd11c4323eaebf40ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d02244b3f43e59ef0dd1b9bafa5f1b93

SHA1
fa67fded409aa3e693e913bbf9e574d5c3668d6b

SHA256
cae0d9ab1c54080247b5351f9fb5afa252bca183ef5417a2833b48db0f3244a6

SHA512
4db8ddf7c53bb255f13e837fea5bad57ecb43f75175ca3541ba250463732d89400f8b586f093f80fb582171052358edb04a24fb7a0baa2f60fd59fd1acddbdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
2f4e8c5e5419e173e563584b8221e375

SHA1
5dbca3810f6719b45dda06276146aaacb7835026

SHA256
c44635e0ccba076f17aacd9d7f9b2377cb833017bcb4d35347209dcb4cbe93fe

SHA512
a2d2f308f30382a01d6dc3c797f3cd6dfe78f5a96d6f9c23e7f687fbb27503f08d81b713f7b4ec2e01b27aaa9cddb9dd48927f1a8777e479137dd95fa9c85973

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
199d5c08b3f3d099615c997552a4324f

SHA1
491e1eac5ee70af85546c093dd147c1737de0084

SHA256
644493cc580aa071b21d55bd012de7828192ace683c670f6ecd9458d35335f78

SHA512
412450663cfff82d41191fa82510f23cbf9b68b4c0d53f5c288a60562acea66f079e96573479977848cf80686ac5dc3a83810319ae43268a4e2302edf5b9da0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
48acc49d727f30a8aa0e1f5b629b048a

SHA1
537fc435014bd44b753914c4cfde7db8ca685c45

SHA256
a7c3673e96bcea8cfcc9f74b8a0fae1ae7f47d44a98c2d7a6fe3334c7651c424

SHA512
a3015bfd3dc65d49e2d83a290a6000f9e07a6beba9e651f144c579118679076c652d3bf95473c15305e9a5922a367059f03934799b7f493089b84dbd9509e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
7b205a59b1d072c40d98543a44dc24ba

SHA1
a4cba5eec31055aa8b459bde3391ab279ae0a4e9

SHA256
f974b0b84646168d437ef493623a8004bd47ffb90b71e558640f3e93b6592dba

SHA512
744dc2b4a8d76eb97b43de8bae462c136dbc6b89ab054dd94aca40d50a824ca338c970a0faf4ac9d6d2db4aaf98580afa44d4b30b5e7145982afe32e7397709d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
c6e57563bce075cb57f346a766108851

SHA1
ea9ee20ef0e2e852aa1d7fe896e113d849f87a17

SHA256
5167333ca8de9ebd4ccf8b23327891df0c4fe89fe331cf891315292d8f2d0049

SHA512
d5a1094cf0c166c657c1c7ca3b194e763edae4c0cd5628cf117957e14526984814d21189ca7da52b33fe15f08e6c914ad8e945df6a833542bd655fb96978e9c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\qegz9N.cfg
Filesize
1KB

MD5
0df01ae11025d152518aad406f6b283f

SHA1
219a9ab033d03a8746bb83977bb3211959497e50

SHA256
785e9c1a84806e2228283857dfef7e24edf57e9e99b578d6a96cb9ab9afc349d

SHA512
24d6fda84de8b9c2ea72f969f2f4579489bad2388aea357a8e85871038989d0af7e65b0a9d8c0d8458de991d7019b16ff4bfda6a1d7b4fed97d3ade093d9e694

Download Submit
C:\Users\Admin\AppData\Roaming\java\java.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
memory/644-128-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/644-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1284-0-0x00007FFCA34D5000-0x00007FFCA34D6000-memory.dmp

Filesize
4KB

Download
memory/1284-3-0x000000001B1E0000-0x000000001B286000-memory.dmp

Filesize
664KB

Download
memory/1284-2-0x00007FFCA3220000-0x00007FFCA3BC1000-memory.dmp

Filesize
9.6MB

Download
memory/1284-1-0x00007FFCA3220000-0x00007FFCA3BC1000-memory.dmp

Filesize
9.6MB

Download
memory/1284-37-0x00007FFCA3220000-0x00007FFCA3BC1000-memory.dmp

Filesize
9.6MB

Download
memory/1284-7-0x00007FFCA3220000-0x00007FFCA3BC1000-memory.dmp

Filesize
9.6MB

Download
memory/1284-6-0x00007FFCA3220000-0x00007FFCA3BC1000-memory.dmp

Filesize
9.6MB

Download
memory/1284-5-0x00007FFCA34D5000-0x00007FFCA34D6000-memory.dmp

Filesize
4KB

Download
memory/2604-42-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2604-61-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2604-44-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2604-43-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2604-48-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2604-52-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2604-53-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3588-57-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3588-56-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3588-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3588-63-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3780-65-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3780-64-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4748-47-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download