cybergate | c5b3ad6c03778d32bc852e5577633d96916e4e7f0ad9b5aecebfec34b8763ea3

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Size

689KB
MD5

d17dbb12376ad0277ea46dfad27ba480
SHA1

fb69c76dd088d31ab944c369ce7e4616577f6713
SHA256

c5b3ad6c03778d32bc852e5577633d96916e4e7f0ad9b5aecebfec34b8763ea3
SHA512

3fe31875a2533fa0f82b6dbc55530442220581f388b31e4d25b20dc972daa393ef4fb433719607722ec868ecccf985f8df899cb243cc15f1ccae85c47ecf7f2c
SSDEEP

12288:yKSf/mIapmwkHnnQwJU4YLvTuKIfjFCdthK64EoXcYtCeKPwgCErTIplIKMUG:dk4pmwknQ+UG5fYRoX8hPLHIplM

Score

10^/10

cybergate qwerty discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

qwerty

sanek1804.no-ip.biz:81

192.168.1.2:81

192.168.1.50:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
opera.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4W52810-7G84-M6UN-X7JV-ONEMTC185N65}\StubPath = "C:\\Windows\\SysWOW64\\install\\server.exe Restart"	server.exe

Executes dropped EXE 8 IoCs

pid	Process
12120	server.exe
2452	server.exe
6356	server.exe
7460	server.exe
2088	server.exe
1796	server.exe
12036	server.exe
11452	server.exe

Loads dropped DLL 20 IoCs

pid	Process
11784	explorer.exe
11784	explorer.exe
5828	WerFault.exe
5828	WerFault.exe
5828	WerFault.exe
5828	WerFault.exe
5828	WerFault.exe
11784	explorer.exe
11784	explorer.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
1220	WerFault.exe
11784	explorer.exe
11784	explorer.exe
11784	explorer.exe
11784	explorer.exe
1796	server.exe
1796	server.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2196	6120	WerFault.exe	32
5828	2452	WerFault.exe	36
1220	7460	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe
1796	server.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1796	server.exe
2196	WerFault.exe
5828	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	server.exe
Token: SeDebugPrivilege	1796	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21
PID 2752 wrote to memory of 1264	2752	d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe	21

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:588
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1508
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:1772
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:14228
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:664
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:800
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1184
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:324
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1132
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1204
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1168
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1852
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:472
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:11784
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:12120
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 272
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5828
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:6356
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7016
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 272
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1220
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
      - C:\Users\Admin\AppData\Roaming\install\server.exe
        
        "C:\Users\Admin\AppData\Roaming\install\server.exe"
        6⤵
        Executes dropped EXE
        
        PID:11452
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      PID:12036
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:6080
- - C:\Users\Admin\AppData\Local\Temp\d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d17dbb12376ad0277ea46dfad27ba480_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 272
      4⤵
      Program crash
      Suspicious behavior: GetForegroundWindowSpam
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
604KB

MD5
c1aba47859e0302ec017d38f12d2349c

SHA1
b061a3049ebc09e8aafa18fa9bacd2acf6c80655

SHA256
f63a724789675aa0b44bc8e923c2d6f6b7522c96073c0762cb15af8215fe1863

SHA512
560eeb9c22fff8d5575e5db13f016d5cc988757240cf0553e0d805b248bf863430791571c39364ecffad32f8b4aea3345c6054b0d62d6caa857d1f94939f9e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
604KB

MD5
f5d3993b40ee4c2bb72b67c474273335

SHA1
e6551719432fa4bdcf528bfcb43aec062610335d

SHA256
00b3e4882fa4383f18f5bea069124871730781248498f8fffd77a55d43768678

SHA512
08410c8b95fb53ca5b6596f72d01f81f901ff148a810f099a2c2c68da48d4c9f667c0d782aca70072a270449abb568ca0f7e1e3012060ca89f268a145ae7d93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
605KB

MD5
c7d03e3919fe0c65cbda6fd509e06674

SHA1
02b086a6f1974d3588164babcef3fb12df74da68

SHA256
f32fac59d2e4e11e56e530fdb5ab129ecfd31569de43a3970cecc7b125a33ed4

SHA512
325fe7fd26c7411c298788575f7b3c184b6504ce2ade00ea9f0dbbd2fca0bf8abe09ff887d16539a678b76e7fbffb95b759ca0edd59aee70d5b21b26ba4c76e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
546049ac5b2f89c88e83475600385245

SHA1
090cf465bd349af90819d941cf737603b194e589

SHA256
4a3b908ec95f12ce7890d0dd78735f88223d157fabf00722685cd051e43c1e8f

SHA512
cfea14b7d1f79bc317e6ea7028e76968ac60aff36d56ad14fe159fef09257cddb99e0770297ea6d6a294cf681e764c4afd0c3c47ffda7d09a2911ce9e8aa0ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
305b20933ea8380a454dd793307e6caa

SHA1
cc9e4d01d5596240b0a11064e5c2712e7b541a98

SHA256
05541e67cdded5461489d33a5e29b7a92ff444191f733afff62bf2b0f3d09a60

SHA512
156855475e118648bc31a2321855bb1da244338c5310b8694922da162862cbedd73cca0ac2771c9173836fe1f50b1c872eb8d07a8b7b252f715eb9eef23af1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2301f85808f20e6142ed124ec6ce4e76

SHA1
eae24b48b5a7ab6c96f5c322d164d877814fa3e9

SHA256
71dabf885c92bb61fd46c9780289f93e418742fc6e6f0e86629cf2d1fb46566f

SHA512
c4ac30a557c49455562945c354db38c8f287edaf71982ec2c2e572dc2e03fcc374182a2075f7b8342d95a6d12a6cdbd3f530429c52ec603f8f5a985e34781234

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
522584a355a9fdb0c6e04e1c5afb8f01

SHA1
4136052e8029a22418d8f030139ace0d1d5fad45

SHA256
5f2efa5a54343983a2f3c8a6e85b3fecc623a3e35c5239f303f628546941f4b0

SHA512
4641ef6547957bfc15357bb74ece106b160f2de2d7745ef94f743acb48b4d8b916f2badf59c35fc3a54f55cdf735fdf52aa97522cd8b79c7b44adc39faa54b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d7e0af744015849ca834ceaf0cfff671

SHA1
79a23421cea1b4b9f54a79d0d2a1c6beb90ae18d

SHA256
8d6844c0e9235b57cc6ee27f5f66e229984fb7c17e4faaa238dde5a31ef35633

SHA512
43000054387cf79137929370c86a84fca580926afd3cedb8dea53966f4d02d032d3ca40f6a4f949435b67b3555989472767c16c2ccf6c087e19e82b3c0901dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2c56942e00ea3c96dd134271449bcb0

SHA1
b26cfaf3ed6a73b565ed53f96869952b01e4516f

SHA256
d1aa83931848bd15b5a89eb60310c17d362e507df8ea9cfb9c16b3852531b4ac

SHA512
7283690243e2b6dc8ed0ef80cc8cd7b3a1862518a6e70a7a53f598fe0dab62b54e8982af33a45ba6e230eb0803dc894ec5284feff5f0da1d810e4eb4b40080ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
541e0ae7adca1bd85ad22272f47cf1a3

SHA1
1fbb36ac3a9b6ddc4907f27a3ae84f6eda9dc57b

SHA256
a1456e10b36661781a8e85deea6cbf06761ca0700ec2974e2d44a908f6b36f23

SHA512
fc6af3979647d0fe52f2aeedb46dd7e26763ebfa11bf85e8450dba2a2941ca8f6a791b5dd317b59538e39cc710b0ab3effa04b80bd378947810f96bf2b825a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
150f8f75820d8c1c9fab75b9b8382cab

SHA1
504854414459614e6c5079fa18fdeb32e21ce350

SHA256
1660b86c9e635ec2252d9be747c7c6852d1296c5e4869a7daabef4be34127c23

SHA512
8853d5012ae8f37a5db7c9370829a2129f79b20433a043adc1ec4ba1173b8a916b9bd074e2dc35c4337f760fb99f231840b8f0cc238c318828fa377d1a184fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
31b21528946801a1f1d29044e86df97f

SHA1
2a7cb914cd46f50746204b4873c7590daf8b2ab6

SHA256
2b768ff28b5ffdae75282452540cd4f9310f4c1edd060a903e6b13feeedab0f1

SHA512
97fd8921b54201e5a67aab937f6717a7a5cdd8b4e2bc94ea53b2c6d1ad1165b6954cc5d2208235a21c4029522c23d4c805f54025baf91c25742603779fcf604c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
536ddeaa824298e20f5726472e223569

SHA1
3ae4d2930b0044b08e277296416ae225c5a70097

SHA256
f9c90ffffeff9e56f1bfecbe535bdced870f6667cac14b0774ae36f5c5db223a

SHA512
39ef8d3322ee8dbb22a23b27e0b3c64c33966a7cb95181691a90c731133cb59d0f8c840127b5b02c801eb6e29b2e497989dab0ac02ef0e1318ed07fab810f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5293e2460ea4e163a6a52da4658353b2

SHA1
c305856e4c2d239455b465990c2284c2f5c52842

SHA256
2b15c8ad2d2a3c768cc12690b9c4cce3f7afef4815892679594f416866b89390

SHA512
0d41c9fae89a41c10cf639a3d1cc70430fca4a35dcde5f8e7fe90b1e30b59b3bb357b5cb9b2e3a1b185efc5f7b9bfc5838cf46b0851d81a859eb16025ab82fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a373da52d91283d99958e74db7f6f9d

SHA1
43e5d6bf5c602f80124d88d0ddaaf270ccf827d6

SHA256
a95268d38da01b75cbc1676c96aece6fadad1a340bfe5eed3293f9f566181cce

SHA512
0351e07c133488460cdd7868026a16efa2c17a0353ca679827394125224a76a04191c5b71813a2c33751c4e8b6bd5b00830073f7bece5856c745e06991d85c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73852b51bc44c23d8991ff3497f74500

SHA1
d48ce08cc8f65366321948323148b074532b32cf

SHA256
5cdde88aab38fd39c435304efaee916402d6e44a4ac3ac07587f6ed4537f24ed

SHA512
c13b70f123a920877379309e37dd6e8012d63da19627ca5278260196801e7e14f9d5f2c1eb9b2c935196da4a10066e2c52821cefe6d50da9cff05e9cefa397c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6817049c65464759b7a87375ad9fda3

SHA1
1116327e4bd6e62d7a0fbe4cd66884e060a4fdce

SHA256
d28631cd1c3b28c01f3e18c22a0ba91bdeb2d78c3693542938c548767c834ff2

SHA512
81c0350965c5a8c6d201c6b4e681a8097b2edc8f00d102cf0d954aac4fb6073bb2317d93c2706cc470de76ae863e3a9ed14697ca9d3b40c63a226ad53e33d93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c51808b208025310929b307441319bb5

SHA1
7fb591490715f0cb8043e7f326c3d5c7c45e5479

SHA256
d108b31b6b41aee94720670d9d8eb6185ed59053fdcb69d1de8553306d2f74f4

SHA512
c6cb6f3950083c518c8dd80f3ce149a929a3cebd6498966c9b51fe50d14dd39d7a97478714bb60d5777752d4f3ec256a3c6da975086971f8ab034a350f5a9f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
78cc6b91ba4bc8b10e81ee53773991fc

SHA1
db8262ec8e75a0d129d2fb1b73fcb1d4690a8fae

SHA256
d439fbd5807a076bcc82b30b063ea67476f6310b9ce4852cdd7856d635586e8e

SHA512
928ea14a94a7fc749abac3b4d62d0d907c0537cd5890bcca1ffa4302a007b497546047453ae080990a697772163de6c07673c7f0e47840f3f9f3ef13587f1a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea74c89cf46dc44d55c1025ba7e7cb8b

SHA1
19858bc24a8492fc90664cfebf8b1124db84d9a7

SHA256
b0efb1c237d9f8d2ce4aa2e71ab99489229e74aeb7390cc2e8a0c9b818fc3ac3

SHA512
394f46ecf58257e648f26c7d6c6eac5eead9e6645059e8f44e1e27365612d0ce6739278d24c4a82fd7bd6c5a269d108e3c09a479cf8483d2ffefc95a61f29c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7c612bb11ee02cfe8bcda663c989317e

SHA1
f7c45d4f5e9bfa1e087f6db5ca046c3d83393748

SHA256
75f3866a9eb71e7781d987b0b992077d6e46dd8d16b8d8b8e221fdda7fa46d33

SHA512
e0da201af65739cf7f41c94334c2531d9147de154648366a143d4b16661b9305ab8786e87caf61f4f3ffd4205403dbbab9973ca2407cebb788df6a167d9c3add

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5566592d5cfd1b9f5834ba3e3e31b60d

SHA1
42f36ed03762fcd7bd0868c33012694ea8ec6dc4

SHA256
0720652e8aa8647d289b49fde6418ec4860943b727020ab01a2a89b4d2454013

SHA512
ef70d89df6f79ebab20c1197187845053a9fb0906a784b5c2b57453ba3a66008a36ef0f76fbae372894c25652df0fba856f34dfa05e4c71f0e8146913ba2a514

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d1411da5da2569eb4ee0003807ea091a

SHA1
f44d579d49271b634cf6259bbfab8ae9728b9377

SHA256
867b759e7bf6a60cdd228a7ec711b032edff672202525e13431913e7d14dc202

SHA512
7ba5afe65dc3a65a65f32923480167cbe49f75e8487fc4db000f221eee2d6aaf0930995a8d0531c1ce55911d44e98208d99a92e12fdfa6850cf5e1012b79f1be

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
689KB

MD5
d17dbb12376ad0277ea46dfad27ba480

SHA1
fb69c76dd088d31ab944c369ce7e4616577f6713

SHA256
c5b3ad6c03778d32bc852e5577633d96916e4e7f0ad9b5aecebfec34b8763ea3

SHA512
3fe31875a2533fa0f82b6dbc55530442220581f388b31e4d25b20dc972daa393ef4fb433719607722ec868ecccf985f8df899cb243cc15f1ccae85c47ecf7f2c

Download Submit
memory/1264-5-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1796-32834-0x000000000C760000-0x000000000C815000-memory.dmp

Filesize
724KB

Download
memory/1796-32828-0x000000000C760000-0x000000000C815000-memory.dmp

Filesize
724KB

Download
memory/1796-30873-0x000000000C760000-0x000000000C815000-memory.dmp

Filesize
724KB

Download
memory/1796-30874-0x000000000C760000-0x000000000C815000-memory.dmp

Filesize
724KB

Download
memory/2088-19559-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2752-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2752-1-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-4-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2752-2747-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2752-2748-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-6040-0x0000000000220000-0x00000000002D5000-memory.dmp

Filesize
724KB

Download
memory/2752-9391-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2752-9390-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/6120-6061-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/6120-9392-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/6356-16164-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/11452-32659-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/11784-32650-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-18404-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-12786-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-12783-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-12785-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-18405-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-9395-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-9396-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-22770-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-16174-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-32651-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-16175-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-16173-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-16176-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-6016-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/11784-2710-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/11784-22586-0x00000000088E0000-0x0000000008995000-memory.dmp

Filesize
724KB

Download
memory/11784-2696-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/12036-30713-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/12120-9398-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/12120-12775-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download