cybergate | b1a3c03cc36efebc04639fc91d4a480c3ffaa77e21fbff2c522c47b420275242

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Size

332KB
MD5

c26dff584da6fa4945be74b82f5fbe2d
SHA1

779c1d4bcc756796fcf8af5cb0b098203aaa8f4a
SHA256

b1a3c03cc36efebc04639fc91d4a480c3ffaa77e21fbff2c522c47b420275242
SHA512

5d8e1d09f2d2ce3b62eb6db52835f7d2a35525f43c3632ec91b5baeaf5d6c07bd3c7cda1c73d5bff5c3253eeb5b20f7b1dc94e8c9269459a02d943d5ae0ae5e7
SSDEEP

6144:NwXsSeyekYXEdR8RyGqZH2XA6+/4UWtTS/FB6UVcYIOcRu5+B:NwXQTl0d0yZWUwUWtG/X6gJcRu5

Score

10^/10

cybergate mrbombastic discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.18

Botnet

mrbombastic

mrbombastic.no-ip.biz:8000

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
winlog
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
gonzalek55
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe Restart"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe"	explorer.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120fd-3.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
1984	winlogon.exe
2824	winlogon.exe
2708	winlogon.exe

Loads dropped DLL 8 IoCs

pid	Process
1476	regsvr32.exe
1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2152	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2152	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2044	regsvr32.exe
1984	winlogon.exe
2824	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winlog\	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\BI1I7JC8Gl.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\BI1I7JC8Gl.txt	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winlog\winlogon.exe	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 2000 set thread context of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 1984 set thread context of 2824	1984	winlogon.exe	38
PID 2824 set thread context of 2708	2824	winlogon.exe	39

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120fd-3.dat	upx
behavioral1/memory/1476-5-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral1/memory/1464-7-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral1/memory/2000-10-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-17-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-19-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-12-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-20-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-22-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2000-26-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral1/memory/2360-31-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2360-35-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2360-37-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2360-29-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2360-38-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2360-39-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2360-41-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2360-40-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2000-42-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2668-598-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/2360-930-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1984-958-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral1/memory/2824-972-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral1/memory/2708-980-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2824-986-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2668-987-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/2708-990-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	winlogon.exe
File opened for modification	C:\Windows\	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\ProgID\ = "free.BG08iJ1ijADIlIFl01LgL8"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{20A80AC3-CA63-4C97-9009-2FA7802E0005}\1.0\HELPDIR	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\Implemented Categories	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib\ = "{446C607A-D2CA-4BC5-9A69-053B2D198576}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{20A80AC3-CA63-4C97-9009-2FA7802E0005}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ = "PotGo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid32	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\TypeLib\ = "{20A80AC3-CA63-4C97-9009-2FA7802E0005}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\ProgID\ = "PotDll.PotGo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32\ = "C:\\Windows\\SysWow64\\BI1I7JC8Gl.txt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{20A80AC3-CA63-4C97-9009-2FA7802E0005}\1.0	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib\Version = "1.0"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo\ = "PotDll.PotGo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid32	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\BI1I7JC8Gl.txt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib\Version = "1.0"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\ProgID	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ = "_PotGo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ = "_PotGo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ = "PotGo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{20A80AC3-CA63-4C97-9009-2FA7802E0005}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\VERSION	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib\ = "{20A80AC3-CA63-4C97-9009-2FA7802E0005}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\free.BG08iJ1ijADIlIFl01LgL8\Clsid	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib\ = "{20A80AC3-CA63-4C97-9009-2FA7802E0005}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\TypeLib	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\VERSION\ = "1.0"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32\ = "C:\\Windows\\SysWow64\\BI1I7JC8Gl.txt"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe
2824	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2152	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Token: SeDebugPrivilege	2152	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
1984	winlogon.exe
2824	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1476	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	30
PID 1464 wrote to memory of 1476	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	30
PID 1464 wrote to memory of 1476	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	30
PID 1464 wrote to memory of 1476	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	30
PID 1464 wrote to memory of 1476	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	30
PID 1464 wrote to memory of 1476	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	30
PID 1464 wrote to memory of 1476	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	30
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 1464 wrote to memory of 2000	1464	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	31
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2000 wrote to memory of 2360	2000	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	32
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21
PID 2360 wrote to memory of 1248	2360	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\system32\BI1I7JC8Gl.txt
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2668
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
      - C:\Windows\SysWOW64\winlog\winlogon.exe
        
        "C:\Windows\system32\winlog\winlogon.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s C:\Windows\system32\BI1I7JC8Gl.txt
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        8⤵
        Executes dropped EXE
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
10854a9ed1bfcbdd98cc83ba2b5a8f33

SHA1
f75ca2b598303db39210b0e9e057aff840f9ff8c

SHA256
2cdf5f73281e29e9781258f29e57565a086c71a338bbf5be36dbd70d2d12d610

SHA512
3f7d319cebb8bea1c03d2d06d71edb0385a4ccf5adcf3d0ce6409681be271410be1ffdaebf4187f0d4108120208490d956317ac9e820c178431f822391b7bfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
7a505edefb4463e4f057829a74be2a86

SHA1
d53cd2d68f213516924d6019a4d65dc3d1081dab

SHA256
447b0073c12bffd612dfabd484ca57795831ba3cb93b8216e2ea7ef8e0f12f16

SHA512
209fcbd970625db8195630767693c095843a5e0d3a1a17b5c20ef3350de62078cdf490a13844e6817dbecceaae0de347a161df64aebe9771700f9314631ea987

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77a63206f85c2783d75d799044348b96

SHA1
fd930e69da7f6d8aa0fdb2384a8877d22c59c918

SHA256
e8ed89abc255aba3aca58f3ebe24dc4a8f882473b1b82145cdd63c9b4aeafa54

SHA512
5f28ae6d7343f87f0001880f8a4e5b143a59daaa7d36875e59a958ef686ff9f10d4c7b881c7b8eac3b04d29644c19b6bfac7025fb1d34232cadf4cc249933468

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f61466300415d02fd27f285011da1690

SHA1
03fe8c41e35be427d654727c4b0ce937f995e886

SHA256
9b5da337d542d5f105cd67c7bc8bdbd224c7f7b746190c09bff90f99af3573ca

SHA512
c941e8577517b0722ac32842f4af92bb11ddbd4b021afa0b100e2d95aba6023a7ab54ba00caff606db9177ab3fb018c213399b2702aebf1d625849bf5060332f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f70087bfa8374eaf8f7b75ee9501bebf

SHA1
4ea53512c23f7a3258e84d46fdced619d5d67a83

SHA256
447666efaf991d76c98d3c4780d4d036897388fbc7834bfde99d7aed71f18d99

SHA512
78bd59103b5d2cb0d81856120e7a1aaa4cdaad632e72f86b08178e68d1de92f55a3a2c3264048e318d946169d3439a2346b7e194eccd5f4386b6af24b7a7e58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d75cbffe3c13080a24a56a8a2524423d

SHA1
20b70aeb4c57cdb352db913e7d7b571fb1796dfc

SHA256
b7a2b1e43838c4224459d2f223c1185b2c93e2b9c5b5b26565a8a90aafe59b2d

SHA512
5e4884461e1396dff83f6dfa30180ac28e40eea12c3d48205c1b83793a90f968caad7e60c3ba1da34a8ab1bf8685f28524bf7e589edffb0d54283ba472eb89da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
592f56d78aa739e0fdef4958e25a03f7

SHA1
2df00248b8b2d894953d04b7827cfa0c11d43d5a

SHA256
73721620c8f649ecd0e39f6cbe63547b603418c3b72537a4b2779fb69a2285c0

SHA512
43a6aaa77ad04d975e7814b0a64a121881b938ce76542e38db13b2a04a4cdd559fe1bec7af365c9561f473137742d5e92ac0d636b57ece31e458aa8d407d1bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
27e4d55692b85c7d4bd2ea7de037d7b9

SHA1
b5f506c48b4c2a0887acbe0c5221ebb1b563ef61

SHA256
d82f3cca69a02872f1d45dd3eb87a192da0c8876d5a2de72b5d2e95767ee03a2

SHA512
8da03fced2e077bfd7b66f6e432bdeff88d6d0f96252537119623b336f77b4f497d2f5989fb101cf5c31746686528de0b45f7a0305cf09b6973ab2361292be9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d51f88a36a3a0fec5d1682ddd58b312

SHA1
88936cba8b2b7d506581745eb79c7105610f26d3

SHA256
7d634654f4987ab8f5599f0d2473d9511a00ac08601c9177348f6d39c47cdf45

SHA512
77e5e27d6c4dfa88c1bd6e669be41f68e73e8221cec1767931aa8006cc1115f8a5bb235d7f3ca3529547644949484aba1ec64ccfcf55579ecb7a8c4294ff9241

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2485b9601332032dde3f6f812535582c

SHA1
10cc28ce535e6b4764ab435a49a8e67e7b6c8671

SHA256
894137966fc075613c2aaa732675553877884d09b8c8d8813bc01b85de770c16

SHA512
ae41a846f8ebf9f1d5ed757fa05386a80932965bed9c51d4db6216beafb9626425bda52240addeea6f208bedf986c12b1915ff0c3cc1a54aa3c0862360f172b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3fcab2da3bd138bce5c1153d7c2f8f37

SHA1
f917d830610400b8b4599bc21ede62efc7ccf89e

SHA256
6e2b8e61d94970bcd9904de21db4316570ab8301d96521eb19a71390a6720e00

SHA512
c973ff9f05753ec1b0d15cc4f49c0f6bdc5e561f3d8ff04537d50473ee41d7c17acd29e51a024bef0322cb704720a03a7863096089fe3c1cf43d050325687929

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8fe850cc0b87d3bb7e2fb175fdfbade7

SHA1
6d5543e3af6aebb51937144e5911c73359e6161e

SHA256
78048e20f61ab78da603245d2c5fb295d3833301f9b1d0ae380b00d6daefcb1e

SHA512
2de6986734d2efe82f8af1bbdb02d63856ac0062e4c7d22377ba7d2384bfb9fdf95f2034aa99a92f919f8758c1f0405dacf33f734ac178f4c1e043a73683ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08f569b26575b66db78d748011c350a0

SHA1
65d0123aba4a6f1274242f41528db19c38e7d069

SHA256
b764476064100d3c8e876379dbcb11d44120c583647c1d5e716c99a9b52bc35b

SHA512
bc56c480f97ac40cd7babea2f6a65005b16183a29bf069820c48e4d15c1e817800b0e0273a3ef6c586c142cbbd3e3fda26277d1e7f6e0d7f11b81edeb04f88c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d1b16ef8daa4d661482afd651c56f549

SHA1
7df30d6a64eb813868e76310902739cc03796e06

SHA256
b72c3923b05ead3968b72610a63e600ea5418a425ce54edf3e262696d62dc788

SHA512
50650b493d80ec7d6f1b989b34d6d7847d34c62bb1382e8cb4364e35a1b90a90aca76c846c2a3b2d2cff712dbb644c9f767d48207c7f9f5cf706dd2d68ca68d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b841ba3408c25323b7496e135c19d607

SHA1
6376f109224d71e810f2cb1e50e05119e3ddd561

SHA256
07e2d8461acde7f253b4ab68563deee4ffc65dd3bf3a923a4db74502873584a1

SHA512
33ea5e2db62d8499da67afadd5993e212db2d521b0aa8a34bb190f89e49dd17cd46371632687ec82a8200d9a5443777391e74b85084d72573458f147fe2c88e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9877e11cb05d8c0c1f5b1126a575eb17

SHA1
0e2fb77621b6c9e320e6517b548b3b3f892f0782

SHA256
911eedb854d0789bdea92c38868a73e0bc1749fcbaeefd39b44530ada71bf434

SHA512
ab982e45083a2a9125d9c2fbd5e3de915408f16de4211306074b1add8bdc00df37cb4a1ca72682007d358d13a9a84836e99761e6c7874e85182a4dc9658c338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
47d0b619efebb3baa6f5da5d3fc72694

SHA1
5d74b00eb9ffecd76f5fe14ab42ba6e1f814439a

SHA256
73ee403b8b7c2e73a41e0ac1b1cd62eb8c2203af05c0e28f90b4a103a0dc5bff

SHA512
9abcf5297598c87317639b44840d30774412bb940663f1e835ea197ad93427614db39cc87d7b95ed02ed99c90d56c1dfac726e159fa0465414afd845ff5dd6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
58d1efe333530c0889e6f03aec9c17f1

SHA1
baf51642f44c5743d9fe770b4b874f2194be4f43

SHA256
684d89a79f8127fdf346044b6e9f2bbac5478c3f9dba5970a9a0c65fdf53e612

SHA512
169a4175454f82f6d2b696c05512cae23c95f795688bcac0bcd618bc68ab34e6671371a26eedaabfd6a2527fbf8c9f94dc3ecdaf514e5bb74bbf0513311f1055

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1abab65dcd046617bed6c7b2ee21e0df

SHA1
d48e014f646c790da914a7b995d44305d74bdc2e

SHA256
8280978119b75b85aa453c081d278d0f6f09f1de37557c74c1d87e86f149ae30

SHA512
1a2383f8e0ec243fe5b20ed2754c09b6742ce261e8c55b53f51e8e1724c49665c2fecd2e7c8cf18a766ec13d08fdd204fc5beb00a00d0480362b7b6dec995f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3937dfa3a119e35271a66b4d804a14a8

SHA1
6ed32de10a5cf59335e41afc1783c06bc5844e84

SHA256
661a61a6ba820d5a4ba5af10312f5d6d242a9ddc1d3696693153648bb3fd9f48

SHA512
8568b0660a7c0406f66a4db940e217a0ed47e07f93b51c208d0a445a015f9e7af231c53d489f49bfa79fd9cc1b28fe8d8463c6a86f9e14a37ab97712a4771d2b

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\BI1I7JC8Gl.txt

Filesize
9KB

MD5
fcf62896f7784ff1782257d01bb5c605

SHA1
46d320602c12452ced5a8874ee22ddb9fd000aaa

SHA256
83e3f2278e5827ddec15fa7ef2acec927f6a2853b442308e6e807060ac79fbf3

SHA512
74dad8fb7d452e7567242b7b642715fcefc9340a70bad5f454f86564e2e9f776c89e3e7df71e828019849171cd5e3b9e803e06909fe7e9c3024a4fa1abd37484

Download Submit
C:\Windows\SysWOW64\winlog\winlogon.exe

Filesize
332KB

MD5
c26dff584da6fa4945be74b82f5fbe2d

SHA1
779c1d4bcc756796fcf8af5cb0b098203aaa8f4a

SHA256
b1a3c03cc36efebc04639fc91d4a480c3ffaa77e21fbff2c522c47b420275242

SHA512
5d8e1d09f2d2ce3b62eb6db52835f7d2a35525f43c3632ec91b5baeaf5d6c07bd3c7cda1c73d5bff5c3253eeb5b20f7b1dc94e8c9269459a02d943d5ae0ae5e7

Download Submit
memory/1248-47-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/1464-7-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/1476-5-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/1984-958-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2000-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-26-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2000-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2000-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-27-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-39-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-930-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-29-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-37-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-35-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-40-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-41-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2360-38-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2668-987-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2668-433-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2668-598-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2668-291-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2708-990-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2708-980-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2824-972-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2824-986-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download