2870809385b8b0635cf379a910328c12eace7b4e8ee3394fcf6489c5ca601430

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2025, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe
Size

684KB
MD5

9fcfc575178cf4f15f0697cebfa8381a
SHA1

2211be63d08f2d2c35ce2d12e42517c3e8630756
SHA256

2870809385b8b0635cf379a910328c12eace7b4e8ee3394fcf6489c5ca601430
SHA512

df9e19a52f39bfba02df844e4db1eedd02117f9c3036f9bcf5574a9e084a5e71e0bfe66d21d7cb051b45b1f731e36d48fd0b9880904f4b90bff6ed4155f9ddf6
SSDEEP

12288:sVJeAEpPVFFgMWm8+tfBmr6N8Y3aFQ418Cc:VPVFFgCVom+1R

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	filedrop1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft.exe"	filedrop1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	filedrop1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\microsoft.exe"	filedrop1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{P60C4S6C-7E43-J80V-7I45-31VRO8VEW7Y3}\StubPath = "C:\\Windows\\system32\\microsoft.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{P60C4S6C-7E43-J80V-7I45-31VRO8VEW7Y3}	filedrop1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{P60C4S6C-7E43-J80V-7I45-31VRO8VEW7Y3}\StubPath = "C:\\Windows\\system32\\microsoft.exe Restart"	filedrop1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{P60C4S6C-7E43-J80V-7I45-31VRO8VEW7Y3}	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	filedrop1.exe

Executes dropped EXE 3 IoCs

pid	Process
224	filedrop1.exe
3492	filedrop2.exe
2576	microsoft.exe

Loads dropped DLL 1 IoCs

pid	Process
4004	filedrop1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\microsoft.exe"	filedrop1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\microsoft.exe"	filedrop1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\microsoft.exe	filedrop1.exe
File opened for modification	C:\Windows\SysWOW64\microsoft.exe	filedrop1.exe
File opened for modification	C:\Windows\SysWOW64\	filedrop1.exe
File created	C:\Windows\SysWOW64\microsoft.exe	filedrop1.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-30-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/224-33-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/224-90-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1420-95-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1420-185-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1704	3492	WerFault.exe	85
2132	2576	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filedrop1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filedrop1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filedrop2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	filedrop1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
224	filedrop1.exe
224	filedrop1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4004	filedrop1.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1420	explorer.exe
Token: SeRestorePrivilege	1420	explorer.exe
Token: SeBackupPrivilege	4004	filedrop1.exe
Token: SeRestorePrivilege	4004	filedrop1.exe
Token: SeDebugPrivilege	4004	filedrop1.exe
Token: SeDebugPrivilege	4004	filedrop1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
224	filedrop1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3492	filedrop2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 224	3432	JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe	84
PID 3432 wrote to memory of 224	3432	JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe	84
PID 3432 wrote to memory of 224	3432	JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe	84
PID 3432 wrote to memory of 3492	3432	JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe	85
PID 3432 wrote to memory of 3492	3432	JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe	85
PID 3432 wrote to memory of 3492	3432	JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe	85
PID 3492 wrote to memory of 5004	3492	filedrop2.exe	86
PID 3492 wrote to memory of 5004	3492	filedrop2.exe	86
PID 3492 wrote to memory of 5004	3492	filedrop2.exe	86
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56
PID 224 wrote to memory of 3540	224	filedrop1.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fcfc575178cf4f15f0697cebfa8381a.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\filedrop1.exe
    "C:\Users\Admin\AppData\Local\Temp\filedrop1.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1420
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:836
  - - C:\Users\Admin\AppData\Local\Temp\filedrop1.exe
      "C:\Users\Admin\AppData\Local\Temp\filedrop1.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4004
    - - C:\Windows\SysWOW64\microsoft.exe
        
        "C:\Windows\system32\microsoft.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 580
        6⤵
        Program crash
        
        PID:2132
- - C:\Users\Admin\AppData\Local\Temp\filedrop2.exe
    "C:\Users\Admin\AppData\Local\Temp\filedrop2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\filedrop2.exe
      C:\Users\Admin\AppData\Local\Temp\filedrop2
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 488
      4⤵
      Program crash
      PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3492 -ip 3492
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2576 -ip 2576
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
9d3e2f8319d18801c58082fd6aaf98cb

SHA1
72cb0821e6be71865d84b97edfe3414979608ce7

SHA256
457feaa0b2dd8ebd3da65ca99405f7f905747c3158be5a1a8dfeee78a2a72fd5

SHA512
6cfaf5ef5d6e84ec052737f3d5ef08abb7def3b0f257e7666b92efc7e3d42cbcacf88c287bff4ea77dc2d43a5b990fb04a92ce1dd615156883760bddbf7a2b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
51d784a95e37f83948ba4063333605f0

SHA1
f11f4a85e4c989ded1121867ce07277e3bebaa31

SHA256
c4d7aa9af009abdd8530d27fdfc14cd48fe11d6d0c4259d21a6f7e5929e32181

SHA512
9c62400ae83214b6f18773cef893bcf7f24380313763304c7142e239529e76c9067dc78fc67b31577d6e50430fbda8ff1568878a35c2b751b439cab91a241710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cc86e74f2ef69e0dacfeaef5c6539d72

SHA1
8d6ca4f04d211b3d49326654e9dcd143f67f0395

SHA256
434f1b917892fd358c021a8619225c684c57bfa12edccb41b5847403863c1961

SHA512
ef7453fe04458edf9bc429e4b394bddc29d2c59214c3ad1106e1f214262e689fef688dbda8b5aa8ae64a8db3cd52a1e8b4bacd725804c601312943eae509be5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ddc999f550c55468434d0bc8e86852f7

SHA1
afbd6464d02a7cc9d7747e482eea4064dd62faef

SHA256
c42db0dd5165957af163e551681465f37f445c5faadfac1d4a4d9b4c139262ee

SHA512
57d37416e7c1df81273b4d5b62e150c9f593c083e8a76376cf5123813d4b656e14a9102d11aafbadcee241a9610e585065d85993341338bcc588ac276ed039a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
78818188316462ed1be47b4ffe16acb1

SHA1
20cd58c42250529bfb9e995ddadf4a2037922fae

SHA256
9297d0d1b20315a584728ffa626895920201410a83518108c01076fa2f2d02f0

SHA512
ee2409d5ea83a4d52e62c866b9d156b37834023b1844cab0e64e9f7fa40bc163b6841a9699cc33f3fabdd6dc8b6269afa3f1229c5f47121f7d5c5d6e5bea257c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
be20d2ab81c283b82c7f764cc8719e74

SHA1
8d7ce6e773188ba663e5e9986d960f9bcb37181a

SHA256
f80fb9232907c0e69518fb5f687be6606a5884e8655e3a4bd1b4f97b2a55dfd7

SHA512
3ee5e2c12ae4ae50289e63ff5a1a95c279c4ee042e7ae0b0949b33281e9c8c5e6e4e5ec61346c53aa2926ddad702e09a54cd523adb5dab56f988d423ba19fbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1efe6e17fe7389791b2c8e4c1d5a0ae0

SHA1
53ee99415f30e3d4eb83ff1e3800e8e249f37713

SHA256
e5e8503e4f2a1ddfebcd7f653be64ea45f7a7fdbba6e49329102ace1cfd779e2

SHA512
da4a99e8ee8bcc3916fbbb081b5879a1973084c4c3ab663aa1118ba1c2dd83cdb8016abeb9c721fe53bb1af5b5770cfd1d88e461d816248683c63524ef9cea7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
713e420dde0e6294e7e17b927fbd0a4c

SHA1
930126fda2fcd797448e0f43acd1d6c522722dc0

SHA256
6fa555962790f7cabf98f02b88318c5e77e2948a319abcab9f57d17b50294ba8

SHA512
ad8e524a90203c39f470e5b7655758f7249a182eea9eea34746e6f043a2085287e2d6ea7d41b65c62bfe7217f1cd81bea93efa3627244c57973ed856a092ea38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fc86b84f8a1b5e34c79d70ec64089f4a

SHA1
040ae8105e011347347d42814a826d1e163fb76d

SHA256
419a9e08f2ad2db6e3f2546fd76e4d93c8ef40db98c297fbaca6a2b9d8ff6659

SHA512
b31fca71576f03d873f31a80bae928518a8c52df0a1ad741c64deaae2c10d5ce8c0b05d7ce493c688200f17446a3be391789d883eb95e2985048899d3b3c05f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ace67844dd244d25e8245b6ae7b33989

SHA1
d6048e6e46cbdc898bb05aa842cc7f16a02115a9

SHA256
ae45bb3023f0468aef3d08dad3346258f5aecd32c403423ccadb026253878cb6

SHA512
6894872fc90f81c857855d48e4f08119ee239e5cd025908b7d7392f32850e1e24f45e23faea19e9df8869326e7cd031d6db700378405e8d2bd4113e3a91a5fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3f4125ddbcf24d732604a965b08dbdcc

SHA1
0e7a3ea38e5888033186e5a73c0ddd0d626de591

SHA256
f167b644e05fa2272f6b2c947a064821a27d6092a1d169a1d12c6550c175fd4e

SHA512
0266265e3c8c5e9cc5143da0a90e319a80d2122a2c708670b0bbe829237e53df70aac280d260ec43b2f8d6777bbeb1fff42c8d0f3f8053eb975a20d9b4f4b692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
91a7463511174004c14c1ad1e8380d95

SHA1
04b295460e984894bf0f759b07fa28a73000ce72

SHA256
32ff18f7b0353efec011f9a65e5ad3c122c8d44c50d60d3a73dc399a4f408cc4

SHA512
fa1d7c28db536080f9c3eb7a03031d5e56f5f46afacaff3a1d0b0e7757fbd67b373ccf0ac3a81cd3fd9c2a93acd7ff2ea8b9be812130eb7431c2dc8dff5089db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
63ad35092acd65fb7fa8071ca3a70200

SHA1
a1020949d8f2a25ca9269dc4e288bde99031f73b

SHA256
15c7d1d0878dd91bc57c47413141e81cc1bf7a12c06a694309332db038eb2af5

SHA512
73a1e6290bdf2bf55c59cd5207275dff1f3afe855e21fee14bd711b58c8c4bc2d8226149f44eea2670516abe7271f926638038afb9912c66a3d14d54e69c0576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
18542dcaf0ddf57bad1d9345acca35a7

SHA1
7934705f9cb902417b4bbf0fa242c06c3046aaf8

SHA256
87660f572b973057e03236d2b0e7385167b6eee53cf549b25cfb5a65ecdc50ee

SHA512
0ac0283c993f2bfa33ef27d4aa1ef8929c5422e97bc81bdd13ccb2f3048c09a3cbe0667f8b58796caa104b0bce050467735d0863d2c9f9806845555c5219daac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b3245d85f12cfe5457505823898a8704

SHA1
4e95eda3a7a5430b724348e52e59532b0a1958e5

SHA256
58965f68ca97649586cfc3413798d4a44f4ba365383aa3b96789445f70d71b81

SHA512
928734e806a72c6d0bca95aa7cc417d05c3e21ecc84317313b310e2305ed2c29008aa8890aca12bbfb211e508fc7914e8e6d965a9d7c24dc0a779956a200b0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4d776cb2dabc5c12486f0d35cd8338b

SHA1
f4447b49766a90807a483b9885e132db28950f9a

SHA256
f54903b11754173a9e390e201669a2e8bec38faf47e7ace0e5b1cee04d7c7fd4

SHA512
eb68260e00ed825eda9d4d8853e93bae2e5339a77371e09b62a18e6b27fc8eba52d7932a99b2522532747a7743cf80f04931df794342e5914f046a4305810de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f538bb75047648f5ef513aee3002cc9f

SHA1
aa4d8acec0ba33d2bc87e39e734e7f5a1979a591

SHA256
57365c24b8f0bf2bf615ed1a71a2a0277640a2b26694adfeb2c61de7a0dc69d6

SHA512
62583a4a80a7555fe4c6c9c4b59438426596ec48810c9afb476c3924a5501872ea7a6f6f31eaa38be888c4fd27734a9f52e43ea922568548f01db2686e047c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
839687b4fdea18448ea932605aebc622

SHA1
a3537d10fe7709be291061fe50313ee385086d7d

SHA256
613b99d112069ed1800c914d401b31d7f1b9f7eda3c04f82a6d576e0bb8bc118

SHA512
ce4d11de9fcccf8481ba8d212797a5ebbae9e223d53daa1b9a37d88aabb5574cf779ef5ec6fd71cba19c111cdb2df7bd1892ca392ef403fa4e049d35103b77cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
45f69e9d5685e8396eecc51232323da5

SHA1
fd9150704bfcc1ffb3803359890a7b0af9718ea3

SHA256
c39b217b3b32d03fdc1214207f356f94c6d39e0b5c5ef555f5d8d975c70a0e8b

SHA512
642a7b70f06fcd368bf80ed420e0732f5a69876d4983949097c092d7f63afd867514e787d86133b9c041eea5c9764652eeb4deaf90cf19ec6f371258cb394dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ecc69fee280731c45064f10c943eadc1

SHA1
fa12959afdc61e985eaad5b8355d857d6425f4ba

SHA256
06591a926102b7e5d1d2c415d68553f743c5424cfd61ed1a8df382551423c643

SHA512
603cd8243e0f47f0349c43cd33064350997c0f7fe09dc55a8c5654067d538e808890d2fb18d32859a395987aa0ff1ed58300e7cf164e02a71183315e6c98ae61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d62e862992895fb43bda654f0a78fabc

SHA1
08d9e7353464c279219fbfbcd7b9226477d60ce9

SHA256
d040332f4df09af940912321544d3ad297e3cd8278a92132efe241111f3c18ef

SHA512
f81fcccc94e560aea2bfa0022d266b226006243908c89cde4a7966b6159f8ce756423d779bf820af3b22b76c418d9e5a7d9a3cdc3bb970aaaac0910c5747e85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a42c29aaaea060560bf40fa2b341dd5a

SHA1
bb9891973115295d09ed045f69a1e1a0eb0fd2b5

SHA256
23e6a121248949014f8b7e68ab85436db8fe45f8983945cb01410cad90c563ae

SHA512
c5ee0fafe92f9e7a8401516dd90c09e4df8d5baa5223acfc702231f5916430bfa715b0432176d9a1413274ce5df4b3adc34835a43f9a97f3b21dae78473ddadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7c194bfdc4c35ccc0c53aeba4e69b1d2

SHA1
5db1e53474c12955beb80a4d0eadd1919b927200

SHA256
afaff69ac1ceb2046756fed65cedd442011dd57b9fec6f434e482a68020d1795

SHA512
db0327af4a4a975657b898f5c06f2a5ef300388919107489107c1b4cffcf3cc9348ae38f14f587ba858c73b3da35d96f27625d0e9b733f2ad1991c7393d82239

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ae09e9bd7d4f09d617726ce50d7006fa

SHA1
3cf4d0151ca50029a82ca7904005fe13ba500c8d

SHA256
0e4ef56326c9500288c45fcd263cdc69ee6af020030e795e884963828092c1cf

SHA512
0c6c12fbec65700cacdcf3fbb4aa5d484f9083d7bfe75f212d0034336879c7ae93269698a33c615e395ddba9af2124e9c546fd5178663593c93f5897c52b0001

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a1e3025cbfbeea257c8ac4261fc09a5d

SHA1
7420a8add662fd61407fc9c8ca4272d25b73dae1

SHA256
033747dd90a81f1c0484f33a23fa9ba6afa70a98e6e3f559be36ddc93ebc9f01

SHA512
0c50ebe8cf8ced09d41d38bcfc46989c3f1dfa0bea9e29bffb4194f215ab92286d92ab2556b211cca86a93a541e06dddf083250861aafdd1d7a9aca82358c1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a4c396ea776c8ad8f71a4b40dcaf6c40

SHA1
59c6146132503d9ce795aeea2e2e8988bcda1dd2

SHA256
9d655df6ee416d87d7b14c3584cdd50fe77fec04a111202a899291eba07893b3

SHA512
01bd5fdf2d6d8a17e892e2de3c9e086b493439c8f90f4b5da4e5c4e39320d4bba9ccc92f432f3860149074a857e0e69c426bd36469722caa0e783c1b4f0819f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
663f8fb05248cca44f88c0c61287baeb

SHA1
ab7ed199bd04d30e51124dfa32d918e0289b17f6

SHA256
c86adeab46abf51b49b068142fed8305556d74388dec06d941056b1f6f9bfac2

SHA512
4540dcfe425731715d94f0322d427300e345e7b2ca4802076e0a6a29f303410ed81e49e1bb36c93bd583bea18701d2e0644c0f908f915398488ffae3fa532521

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
42f2e7724ca0a4984e87e20d935e8c10

SHA1
5614872e553d85cbfb40985a643a81afbff5c063

SHA256
23ad8274274e3a8fb7bd8e5c364a9fad6ec0ea5bd086cd190b9201794cbf3305

SHA512
4cfe6ed37afae8c9a8acf136c1510d28267b3faddab0d3b85bf3e8b96cb0bebbefea89fd63f339e4982e63b53491f825766a5d7c3c4107191e123d5ae9d78c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
630245e0a76262a7f62c5a97a61ced10

SHA1
204780291556f8ca9e333d938a907b86d64c5073

SHA256
b55056c81a566eb5a3306a318de83ea50d4b6ea78cc19531bb3d18b4ae17d50b

SHA512
8de04ec136289c592b49c7570f9f86e5421d1fe424628034232038f9822b02336894e849e254961451bc77fc8e7f51e40cdfcd443bdcb68f957d11a04428c54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
383cdbf5ce6e3a5b83d99a8b3394433d

SHA1
a6c5b03bdb9ba151969bed0bf294e5dc33d07afb

SHA256
d2485f535f9a5e2b6286ebf107696ae6d65a5906533d96739fd7324bfa38c38c

SHA512
039bbaedc4e3f7ae803976058eaf3662d836ed83fa0b50ecfddc4a613561c49ec3d91ba32fd2f9285dc0ab067867ff6e0d17b03ce3013c56f80856d4a63fd9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e544863784b54310c9c4ac4c88842f59

SHA1
03f999d5411e0817b0b311c3d063072a3b57735f

SHA256
cc99fdd6bf363740bec36edd35822f3f98de45085980fe6324b23413d9f07915

SHA512
cde8808befc1fc72414b48cc8cba90e2e9d274a692950a36f8376d856b8622e3a8fb8b73b3c98eed5a6fc02c3d056d3ccfec0cf2edeb7ed24fb6ddbd8281f696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d52dad75e1eb917c999ed78408a9aa85

SHA1
49d3d3c7acd183bda181fae6bdf591002639ff55

SHA256
072ca3d7e0044752d79376ab1183545c4df21a58e29b97e77ad4d00882b81fbe

SHA512
b8f8cf836cb1c82899a038ba47c4c1a563495e4fcace4625830ae3361298df9d50c38d15dc42438bfcc869ee1b4ce9fd49e8048630d7d963442be92c4d15a3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0510d0171f94c0e4d19afefc0bb9670b

SHA1
360e4638527d5172b0e953d1ac23b4dc393215b1

SHA256
168601bda542a38417ccc45c7dbb7562c1750606f0456630f5339c76fa08009e

SHA512
dbf276184de616f5e16b2fae6f3b4daa2be85aac8c05c230de0768511aaac4b8f9f7e49bbe97c734e331efa2abfea8e4a8b749ac815e8f7bae73a45ffb2a489e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0721d21d80994bec11592f56e1703565

SHA1
45b3885b591150de7c21b57dcbb9275faf22a856

SHA256
eae35b0d60b268310514d32bd9c08946342838371431630e2b4e08dfc6a37f04

SHA512
f087d8cab34cd0d08601024d91e2475de50eae68e3d5232e613d03882808da37f6453efe6de6eb0a9925c37e2d631aabf46a11bbcf58df465baeaeaa7853d324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fe53cdc2120944aebe66c3f5877d1195

SHA1
bb56ab8b3e9e2bc8499165efb74bdef38de8a1ab

SHA256
3294044c121a705c82066dffa5b3d0c28d26dbb1470d1257c52384404b7bc75f

SHA512
84e717a090422d18c1f05682ec972f7c24e2319bd49d285b6cca41a0601cf67087da6e15762347945c1ad7b5812541c31d33d167ed3988f8681f5af5db639867

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
13a6b5fc26e738bf5dd178e0b30bb384

SHA1
e974efd06618752d2c5e4e128c79926f81031b1d

SHA256
d7343a460faf48dc030795892ff0658559ee067a5d36bb0805ee5242053ffebe

SHA512
a43b512912f889faf8204e2fd5d939d0d9dfe957e9f9c5caea677f58b21c96339da09dc6a6fd65e6c9421ee283e4a6e8bcdfe27e0975702747e57134ae6bba4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e72e4846e726fad114212f6c8d77c45b

SHA1
309021310ee22ab30900c64233c9c24f3a1e3c7e

SHA256
57587b9363422409aecf0b27856631464093c7e132f50efd30889e83391f3231

SHA512
1e75397b3e846fcad2ef2484b55743755edd5d35ec8332e8d769a125cfde8d70ef8f82809c9b04351b797e07f228ebe7e892d32bf43de85148011b8808292923

Download Submit
C:\Users\Admin\AppData\Local\Temp\filedrop1.exe

Filesize
296KB

MD5
1043921545f834b1424a384b7cee5ad0

SHA1
cb85f39e15f388d8a9bdd873055a08cca6b42898

SHA256
e8b90c9891cebf44a488c3ecb481f282986c254a8ff88097b407b49fef225926

SHA512
3929bb6ea743bf97f97e72b511a9a12a3be5a3e79689a926a5dc657b968f9b08a427b50fcb97b7f878a3da83708bb0c165965f229056a86f9220625ae4bb5f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\filedrop2.exe

Filesize
36KB

MD5
3165b0e7a65d41e5345a3f40b0866b7f

SHA1
ee799b63cff6514aa0d4d3d4e9213e9c093210f3

SHA256
2234337ffd8542b3366050664732466c5fa5afc3a4be7bfb092d97ead6cdd474

SHA512
70299f062e996ee50ffc45c9d5bad53d36aa09cb2bf8c223c5605fda56fc1dc42566ddea831742889383aabbb63fbc8d42678b263efd0959a1e2b0f71282dc18

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/224-33-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/224-30-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/224-90-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1420-34-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1420-185-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1420-35-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1420-93-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/1420-95-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3432-0-0x00007FFFF3A95000-0x00007FFFF3A96000-memory.dmp

Filesize
4KB

Download
memory/3432-1-0x000000001BBC0000-0x000000001BC66000-memory.dmp

Filesize
664KB

Download
memory/3432-2-0x00007FFFF37E0000-0x00007FFFF4181000-memory.dmp

Filesize
9.6MB

Download
memory/3432-3-0x00007FFFF37E0000-0x00007FFFF4181000-memory.dmp

Filesize
9.6MB

Download
memory/3432-26-0x00007FFFF37E0000-0x00007FFFF4181000-memory.dmp

Filesize
9.6MB

Download