cybergate | 1abaa961c69588ca545e4c99db4ca1608ad1ff561b5f347a9443ac1a334b65bc

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Size

344KB
MD5

fa70ad775a0edba75b6a32507181b2ce
SHA1

463437d5b036f92fe9aabcbd530b10bb81c3c962
SHA256

1abaa961c69588ca545e4c99db4ca1608ad1ff561b5f347a9443ac1a334b65bc
SHA512

a137cda7f31a15021c0076bf8838063023b464e74ce8bd8a580150a694a7605ca886984a39477b9e1d5a35eb0e485359770342e386620d02a974bba5ad815a9f
SSDEEP

6144:ldYGe6dn2u9DYRcfJyv0VYHsnHu6zkzITbKV1v37NAXsJDrPd7qgvBo6eJbqo:lOGLp2u9DBqKO6z8aK/p2K7d7qgvvKqo

Score

10^/10

cybergate binded from hf discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

binded from hf

seireiteiro.sytes.net:123

Mutex

0BPJD5O2W8HKJ4

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
microsoft
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft\\svchost.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft\\svchost.exe"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe Restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}\StubPath = "C:\\Windows\\system32\\microsoft\\svchost.exe Restart"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}\StubPath = "C:\\Windows\\system32\\microsoft\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y68662F1-8183-CT25-BTP4-06E76HX4V335}	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2948	svchost.exe
2460	svchost.exe
2568	svchost.exe
784	mario.exe
1060	svchost.exe
1128	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1624	explorer.exe
1624	explorer.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe
2568	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\microsoft\\svchost.exe"	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\microsoft\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\microsoft\\svchost.exe"	explorer.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\microsoft\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\microsoft\svchost.exe	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\svchost.exe	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2948 set thread context of 2460	2948	svchost.exe	36
PID 1060 set thread context of 1128	1060	svchost.exe	41

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-7-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2316-4-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2316-8-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2316-10-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2316-9-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2316-13-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2316-648-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2316-791-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2460-805-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2460-1140-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1128-1183-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1624-1186-0x0000000002FA0000-0x0000000002FB1000-memory.dmp	upx
behavioral1/memory/1128-1189-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
544	2168	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
2460	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1624	explorer.exe
Token: SeRestorePrivilege	1624	explorer.exe
Token: SeBackupPrivilege	2568	svchost.exe
Token: SeRestorePrivilege	2568	svchost.exe
Token: SeDebugPrivilege	2568	svchost.exe
Token: SeDebugPrivilege	2568	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
2168	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
2948	svchost.exe
2948	svchost.exe
2568	svchost.exe
1060	svchost.exe
1060	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2316	2272	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21
PID 2316 wrote to memory of 1240	2316	fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1624
    - - C:\Windows\SysWOW64\microsoft\svchost.exe
        
        "C:\Windows\system32\microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2948
      - C:\Windows\SysWOW64\microsoft\svchost.exe
        
        "C:\Windows\SysWOW64\microsoft\svchost.exe"
        6⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\microsoft\svchost.exe
        
        "C:\Windows\SysWOW64\microsoft\svchost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\mario.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mario.exe"
        8⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\microsoft\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\microsoft\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:1128
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fa70ad775a0edba75b6a32507181b2ce_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 204
        5⤵
        Program crash
        
        PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
0a42c0ea7c3713bef41c0cea20896273

SHA1
2f04b4d4928e0fc2b2622d2c6375b1364b74b625

SHA256
cb050bafd30778aa8e3f78ac2dbe789a8993a8e7a2bf2d1e530f729f7f314c1b

SHA512
d14926a697eaae1d7c0cab16a16f29cccac217c889355f43f85a1e4cf36b282da7b332a9216507a2bd7b455193743ff57cd848cc1ba475c65ece70afe9e6c3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
66005b4ca2b23e04da132214983eec07

SHA1
b8a99a63f11445a8a976cce481a0f5ec946f6501

SHA256
2e465c8f6f28e61dd1369ee4c75f77bf78574f8a4ea35fb01773a9cd93d37f46

SHA512
588e2475a94ce492b53e96342b091765aeb94f92f5e2fc7ef2f731eb8ffa82a48d60e6eaa27bdbaad9299e996226686e2f94695177a23f50479989748c3b7f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4384b3e3760efa90d8d67674ea9b0724

SHA1
34ce667d68db2a77cfaa2efd9cc05f777639110f

SHA256
33006a5135974698085dc860bf9de8ff3d053f9e14c010ec69811f8f4082f903

SHA512
68de2172b81b5067511b6230732931c030db59f14a29c25d6be5827be8ea25432d57c6a2f3315df1f5b67559e270e870fc46cc87d23d2ce58e83a705cbc1903f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2e337e0406446800ec99fd3619734d11

SHA1
3100e5e05ccf22f407c020962295cda9b4a7ad89

SHA256
2e1728b5ff1f45f2de2ff9c3fe57c7b0491631be5666162896a7577021977c9c

SHA512
fc04373f1313591dd2d12fecfdaeeee63e054a28635ec3e3085dcb12e42eba7736f3987553e4039f7a1192b896af33bf9923d35921d4fef3cafe2d0c871d8bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e0aef62cf29f2ced00037f9be75cd2a8

SHA1
36606758fd2a35952b4d26123a63d71dd03a2e45

SHA256
2b2f4613675217a8b5979f5f03a992b4778b5aaefe371e14bbc0505bb4768f97

SHA512
502e7532f566375a7119a36a65d98dd379e0e57d87f23f1d301bfe6ca25d64bbd01cf2d9ad3741fabbaf73c0103ff083556600cf6657a6a07a8744231a2be812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
afe02c8ba03178d93004d10a2e337760

SHA1
ab4ee997dbebb0a25daf3923d9201a994c91e655

SHA256
7d84823b83aee139d1a7ab2b071572092ff199c8bd06782e31ee990926138312

SHA512
a3848f45fe04b295a0f667530b7350ad669583d21d73e9f10d5672b9eb6b866104ae71fd2feffafd7c206d3482ef779311174c7e7c107e396e23898e337b4c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ef3b4d1243127d1fbc9c15ef0f84958a

SHA1
b649cfd2cb21c48c0dcc8eb959ee88ec1f1649be

SHA256
edfd140d76cf22fce827b397fc0847c05b04b1452a9f118a5da83959ca6d83ef

SHA512
f4bc1d09b6a1b5fd27c4a4464f5c68cb04e8f363fbca18de9845330497e1fc6c24b6962ba85ab13a0e5ba79fe1ab31d175c18870ee3878555ca14582abdb5c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
db81b7061eaa73b9b821f3c3b4ec1e92

SHA1
8674888e34d1c2d353613f21b1368799d7200e7e

SHA256
a9c5ab6be115a98aca4ee5cc6f9018ff119138e139e27bc549f3f553f262b45f

SHA512
2bc8507ac228568dd5b58f074a6e93250ac8e17c6d741da3bce58d346e59b08c9603e0c840f3a1e942fda8399321d4bb02d2eb9450ea8c302e6c53876865a234

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d18c8caa1a54fe3465c233936cf399d

SHA1
28b2fe94007a7ffe341848267f6d2ec2c7dbe2ac

SHA256
e1a50ba818f3c47786730305da42d1be86462c27199ff5b2675e44cd897f18c4

SHA512
e9338554bba40656140b2c6c87c9d3b462e51d5098565865900ac4c27a4a46016c4d19e1438d6276513cc0981e55266c3bf0d13f9a26ce78036741bec2aee181

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b2e015ba119bbbaa231b2282e4fafeb

SHA1
a9cc1a1fd1d299e4651609883d43a7ca473b5322

SHA256
31171a79599deb00e6d19287825eb8d2d3f58850c11ceffe9d184ff938ab3a16

SHA512
fcab5d25a8023b3ec4a85b271370d49de935503dc35cf3230a846400309fd5161271c90750373f33312fd1b852350e0c904e6ff41c62337a5264ded6eaa90b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1517031627b0c2b31f9147ea2f3a04db

SHA1
085930bdaaed33ffff23507d4631044fd216e768

SHA256
7afd850ac18a9cbfcb6162889a5b6c0aca404ba364e4f071c3428615ba273cc7

SHA512
84e4402c9a82680a607a7a92ee9ea41d4f259286f41ab2595e6defd66b56e82e8ec7ed0ff070fda577a16591f32040c1a49fe2fab2220eea59f57a6ff9b088c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
10f843023b143beb8bc5c45d8db1bf79

SHA1
14572670fdeedc4fe3508a800b9be9e43859dc46

SHA256
f57bfdb02a658ad2042e416e78ff276e21ce7acae7a54479e6edb183921a65b3

SHA512
eb89ceed396fd89a8cab17b8a8db9c48a9f5152e662140bf3f1f3e96a5992586f124738516b24cf6d686989dab20d29a899ccb3020cbea7c68fc7c526a81c943

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a673d3f25c5df8100b1df25815014a62

SHA1
bb44cf4dcb1875782bec029d0fac2c9406f2a897

SHA256
79ef3e1a7f19cad97c7dee7cee18e40b2596908a2579456b59e357209566ba96

SHA512
d638e8d486eb8da076ea224963328ff34bffa68c0ad492d1951a5455c1021e6c80be68ae34310a7bc5950a8ff30b562a67af44102411e12b9633291357efb768

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
58ad6aee3cb22b7fc274e82e130d709f

SHA1
b898b09615668c15f1fe7a9ac557b4fa284ea7f2

SHA256
bdfedf0c8ac2f6b34eb50e78f4bda10d12ed98c38ee000b479ea0f39b2f99789

SHA512
ae2de5d6fe2322227a9add6cff500e0e8ace611aff7936df5a723a740351ea95900d0ce9c80ccb75a6a416175947911109533708728ff474817568674f107df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f474d7d8af240140259ff12ca9c7e22d

SHA1
1bb8e570484f491deaf146547fa22a89983ec338

SHA256
7be92bb3a5c2d4d6aa6c55d2efb76178a870c330545a24938917b97bd16801cf

SHA512
796be5436b51f7f15d8d972e0aa82f9130c2334ca76bea626f5f156f93cf5d5a21e8e118d7d2a5d54ef833ea9f31905cf4dcfe5335896629059904b7ee169159

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dd918645cd8816a85b3bebcdf61a7201

SHA1
967226be93729da61b6945e5de1704ec392a33b3

SHA256
ec08fb556c4affedd0d7a4ec1ed57a0d5323dffc9f7a924de38735f121a62f77

SHA512
68844a22fde89d5d1cbe6ca6018e0faa419d748eae42cd6584624a7a411ac497e415eddfbde8ea742026d6722bd7c8984c02f1ca925b4d65c5d01bb1f578531d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e20ba25918900c2ef8c0bb3e2d7f7bf5

SHA1
66c7a6dbee3ed45f04a2da43f8f9d2f8dab97091

SHA256
88fdbfc409f09bbf0b34b8a7392382cbc880588ef12204e9ec3e92b27e422a7a

SHA512
2d73bd7c5e1202caab27fd745874d4a44be2e65d1f6cdf28df9959c437ec1f32d90cad85396c8f19631a9e447298e1ab8f2a2bd70c8b4ba26e88c69c0fb754da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7b5a1174b2946599dffe7f059b855973

SHA1
cdee2b5c60892f976fd758e770fc57c1c2c8e8b1

SHA256
31733a914e8f84e4d1e532a04c285381504f69852dde81d1121dd13bf2fec6a3

SHA512
834d3f73a563e047269c8fd8b7b50c80906442206b08e3e62c40dbeb330c15edd7913bf60412453c98e40ada380aff83b8adc7f96bc4ce5fc35bd673dd530bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7a038f66b1e3f28819ae272fb6a01538

SHA1
db8a3b6b97d044dfd58f81cb57e1a4a4c5093c72

SHA256
55cce3c5b7d204249b252de35e00b6696d1c661455a4e13c6813556be49b58ea

SHA512
404a16981de0541a69511b007c8788cf500558ba9321bdcb8678559a82c9c04b59b4d815e73241d2c5027b60c236270a7ab2cb6fda398c47ab64f65051d0b1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8654a92ff35b84325e3f77e262247c35

SHA1
406a35c9c0c4f8fb1d1161964d08e88b5ece8411

SHA256
8043d0b6735a4c95c098a0e0d3f396a4287b89421baf83ed466459740ef11937

SHA512
2fa1a64f699a5375c56a02e6b226874b92c14a1a45e198c2eb2dcc3b753ceaefe7f37fc09d9aaa95af49bc576d764c1472f69c9829506ebab8aea4ba74916cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cf0c58736239f6d0a025e584f8b19808

SHA1
5171472600f08db43bedd1367834c97b7beffd4c

SHA256
32826b676829077ee6e7bbb083e6a01a9e500074645670616d89964ccf70040d

SHA512
4746f6f9125c68432474e1a2f59a2e584900ddc16948c2cb9216244f23a0ee0b7cf5e3a6b97aa3381c7463f02d129f80162d49a0f3e801de28eccff881005717

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ea28bb4817c01262733a20f0d5448ec

SHA1
6a0df7555485031b10875c3649acaa8fb7da7bac

SHA256
8f986134aa8f65e8a5f8384ba1a8f4435f73a95cd0d5da35f99f1f44b2d4bac2

SHA512
6336c75ab9a2188d5ae49a8c0b5a6d6bf3a677fe393c1e963d379b15884f4ef4fe83f8a85661ecd524f305e033a04e8ec01ae12c20c9d01267d8f41543e7d398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6b6e5e653892ede1096b2adf52f4e92a

SHA1
ac7e857cba40cfe883a7f5992bdac4e8af778379

SHA256
8598b4565ff994a320bd434fed72020b922a86cfd6efeed573c8850a6204d32e

SHA512
6a3901ced542ec8c8b02a6bf568d8f76d7a84cf3a932bbe56427a28abfa195724384a75d2a497c190b627652cb0068c3700d33bc8b495d9b82a1294128092237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
882b7242fd35cc5aec6cbd05b99a5e74

SHA1
0198545c981adced2d29a91a728daa2b3ca677aa

SHA256
7c5b0794f47a6edec48acda0829553bf078e7b97a2915af329f84dba265be4c2

SHA512
5aedfd8540c50e7324d2fc49851a5738150f997923b6c456d90094efedd560a1eb3cb9b2677f4aecb0ca16db3f10cff7f617070e7d9d93028ce5190a780937be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d789386e724f280af809cc96ea6bbf8c

SHA1
2e4b75e5ad6c0cea3a887acdd0f0a9f64b260ed3

SHA256
14182006825ae22bc7d4cec57b6f63f6dcaa8dbf26cc143303138733342ea204

SHA512
387f0d124a0e0cf1e3b14e286ce40f52f4b723a317480198c6c644efd9dc40a674904f130244b535252993f719fa0dea5873e9ae3a5459be00e2a962ea0026ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5d69fee2fc252246adef574ed10969ce

SHA1
c7d8471d5c052825fcd0f66033a1b35e666ec443

SHA256
7d07fdb461eed1f736a97905311e676f0516947ce193b10f459fc6a524ae1e45

SHA512
43a2bc5634b7e07d6329dd599a4269f616723feca61ba51a237e165aa3dae5dff41ca8d682e9f7d90d97967d689ef26878477d9b6a8ce2717eef3bcf53047d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1cf47d381f86e834470971abd1061507

SHA1
17edcbf123c48ed68846c816a853d5309f61df3e

SHA256
d823415f83ebc2a3b0d50ea2b2af0259d82676f303dc4173030d77a3b52e0a7e

SHA512
7b8fee89f3957f9200b7f653aa40f59bdd5af36119b89b68f05773163ba33c28ac85e9900cf94f4c427391428cac7787b22b8113ff94cba68c68eff3a184f1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f4d12318d6b866346661a1354740cda3

SHA1
f53c0c8e1433756894ea7dfe98fdbfba370df94e

SHA256
969b9dcf08c93c7716afd54844d5e592e5274fca1aa4c3596ccd93c6d199327c

SHA512
e176055619bdc8bdc9fb7f2dfd215b51740828b102c2739c8eba6c2288082770f58fca73937324be2b2c7f0f4fc30151e67fa0a5836ae89d23dd2e042fbc2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5834923211fb138ea5ef66e08cac1430

SHA1
ecee504e559d89c5614ff62cbc6b1c824b672c55

SHA256
d86037e48c6ab3bbb98b3bfd63d5aa88b882f1c9c2693332d0c4d867937e2da9

SHA512
f069236b9b3fbe4bea50d893fa95657c511d938efcfb139343732c07dde041ce62b6f3a490b39aa27f84f67467aa47a5a366a13d4c18542fa254f6ac33ad7a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e5f077f6c84680ffe05d4b0be716e569

SHA1
ec69cc0db16b4be558bc6e51aadc1973db00ea9e

SHA256
ee814e4c6e3a2c6433af7c35e3dfa33cd8c1db94b3bc3112d086bec257b1e61e

SHA512
02285ebc98460d4d11830a2ced980947f1ba251384f15084c75798f54d2a2fc347ef0c6668c1f54c1ed177d6266d908c9038da07581dbad6a888b33250fe3355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1badbcbe978220b3346d53e36fa24758

SHA1
6e7c1c26405633fc36b3e0094592fb46ffc8c246

SHA256
c318b60f0c092e920a3fda7b91766bb56686f6ce1fd03900f8bf8ea8660a5a99

SHA512
a0b1c89dc0746c73cfb9efed051338665a47252fcba5b4058ccf095db6e6cff34b71cb5e1481cba43a6813af68798cf235599d3424204d4bb497b987cadc3f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
716b815fccc534c9b1f7d3221fd978d3

SHA1
56a5e40438796a467281cb1111cba5df484ae6ce

SHA256
f86b1f730b7c49b6c4af217c6a50f428cfdc07e6aab7d9e46abc8240d93bb9e0

SHA512
8bcb4e8c9099abc7307f6561e45c6e9b475dd9db62bc1ba413a7657c36da946fa93d77bdd4e17575a3b82e587f31bd02b5bca32bcdae67659add26c809219376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b79f9141ff8c89ee53e7708b84678b12

SHA1
b0076144c0c04dab00de83975048d89794479cc5

SHA256
c91f1a919202194771e3ffabbe7efb7fbf50f4e875da00b06bffeb27e33e0081

SHA512
bcccf2d5a1f94d58e00899b09692f936484d4c0a0931a7d110fcfe43b4a6bec8a848cde5c73320a01f36884d46cdf5f2ab2af40bee71d89e9a5345711265d094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f4ee7b89220b5099053470f745d85be

SHA1
f134f6e2464a399db66882ab1684ee28fdb8a795

SHA256
84f50096a3959bc69b2a096d1fae613767f42714c7d96c395af8f7d327ac3840

SHA512
e657816b0fc9eb1b5b841aaf73c3c7e0db22eb2639cc2226bcdb33b70dec7bddc2b32853450d463c2727c5e5d3e9bcea9e300ce69f04e11e132e99c186f828bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
40ffde09aca2d19f3f9b29aab30148f5

SHA1
bba9dd7485b847660f84487fe4e6f565241ec823

SHA256
7110d60442b83fe7bb639cbbbf9d5e1a8b39e95678e2c645ddd10f41ec203b8b

SHA512
43989a6759ddc043e3bb1428d5e176aa3539413173cedc733ccdb3b284164229deb51cb8d9b6c0061058cd86c2ea847dab7a9862b21d4f978fa1a35e3d674e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
32ecb16889059e3bb2a0c3f88b931629

SHA1
7d3f98d95e71f516219e001224960e2042acc513

SHA256
6b14d48b00898dfcfaa27b0aaf5bd4593980f671af0f6af1b1e403f1e950ceb0

SHA512
1a4cdcb70d515b121b2df7f86ad6408150b412b6b11e443d090fce8c2e4ef03d8726b6cc60edda236f32fb8e44f4b7d07007a4a57d1904183f073fbf7fc7e8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e228378f3ed668190514978d746cf2cc

SHA1
6164ba7084f89da396c763ec4fa5f86996d2cd5d

SHA256
17604cc081099ecbbe6b48ccef993b2f250e4acc813c3b0a55e7ac86d64412f6

SHA512
9760ae5b70f733c6fe4f98cc305d36fcf2913328ebd1a942a7e014ec2f53838caa5191367a6eb95736ceac06980eeab61f3255a8791d7e847feb73c32f21e011

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
392ef05697011bfe43e570671a912d7d

SHA1
943168b50b04db1e919caff2a653ecf85d1bb9dc

SHA256
3430923a9dfa5cff546c9e7179ec81704df5c84f40a1ed1f85503230c2c7afcc

SHA512
d26ab5eaeb00050bb1ce05acaeb232432d1f32770141b7803cb9ff842015bb6cb8397d2384095663a8520f308765ec3d0218f96f09a354116f75419b3b562bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bc1a837213b29c33dcae4a18e4e82eae

SHA1
449fc7fd1144bbf271e5eac9f0498a3312e9aa6d

SHA256
c884e02be94a93d97f8d6bf1b9c1172ba30cb7fb5779311aca9aef04a8ae4b7d

SHA512
2fc9ac57043b48c40a4d415f0e1dd0a72abd3765067fcd624712ab2f888b3f24a5f31e27f27c707416783dfb819f6fc1011c759b376e5ea6ece7175d92edac54

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\microsoft\svchost.exe

Filesize
344KB

MD5
fa70ad775a0edba75b6a32507181b2ce

SHA1
463437d5b036f92fe9aabcbd530b10bb81c3c962

SHA256
1abaa961c69588ca545e4c99db4ca1608ad1ff561b5f347a9443ac1a334b65bc

SHA512
a137cda7f31a15021c0076bf8838063023b464e74ce8bd8a580150a694a7605ca886984a39477b9e1d5a35eb0e485359770342e386620d02a974bba5ad815a9f

Download Submit
\Users\Admin\AppData\Local\Temp\mario.exe

Filesize
9KB

MD5
a97e253bcab27df8af63e387816fb38a

SHA1
1ea5bafa644e842a7bf29c616ec39ba14757397e

SHA256
b3cad04ce2fb5c14230f864f1af859326115a68abecebbda3fb59d9dc280a936

SHA512
5917d91c3854eaa6eb6ff448d7fea8894c87c9f2bbc04822bdf67bc1fe19fd9add76b11ded62f82eb1c1ed654fe82a8ff5d576da47bc0c9311a8b8dcdc6b44bb

Download Submit
memory/1060-1184-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1128-1189-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1128-1183-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1240-14-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1624-350-0x0000000000290000-0x0000000000511000-memory.dmp

Filesize
2.5MB

Download
memory/1624-798-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/1624-797-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/1624-1185-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/1624-1186-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/2168-583-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2272-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2272-5-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2272-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2316-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2316-791-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2316-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2316-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2316-10-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2316-7-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2316-13-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2316-582-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/2316-648-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2460-805-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2460-1140-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2568-1191-0x0000000005820000-0x0000000005831000-memory.dmp

Filesize
68KB

Download
memory/2568-1190-0x0000000005820000-0x0000000005831000-memory.dmp

Filesize
68KB

Download
memory/2568-1175-0x0000000005820000-0x0000000005831000-memory.dmp

Filesize
68KB

Download
memory/2568-1174-0x0000000005820000-0x0000000005831000-memory.dmp

Filesize
68KB

Download
memory/2568-830-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-799-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-802-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download