cybergate | f6de350a5105b2a50e65307c5b905a8d44828e5c85c1792a23681107c2a1e19e

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Size

2.4MB
MD5

237e4f4bb75b4cab5abf054d61a5f8cb
SHA1

b0d95494681c03870f3dc0bf1b0e5b4c1de8f4f9
SHA256

f6de350a5105b2a50e65307c5b905a8d44828e5c85c1792a23681107c2a1e19e
SHA512

a7f5c7e08786307c7f9b0d59c58820c7fdef9a4769f2eb35d5e9bd0bc2ae780d8a7d3686de0f75f242fef0393b797359591592f2ec28c8569e90041ad6b803d4
SSDEEP

49152:kXXWX/AZS2qy3EM9EBn98WDhj9k0Hj6fNQeevvzXkHGgYXwUhzdSO3cbt:kXeA8zy3D967l/6FQeorXWGgswizdrch

Score

10^/10

cybergate darkcomet discovery persistence rat stealer trojan upx

Malware Config

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe,C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Engine\\iexplore.exe"	1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Engine\\iexplore.exe"	1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EKXA20O8-568E-64D5-KJ2D-46P5UDIDJ7T1}	1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EKXA20O8-568E-64D5-KJ2D-46P5UDIDJ7T1}\StubPath = "C:\\Windows\\system32\\Engine\\iexplore.exe Restart"	1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EKXA20O8-568E-64D5-KJ2D-46P5UDIDJ7T1}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EKXA20O8-568E-64D5-KJ2D-46P5UDIDJ7T1}\StubPath = "C:\\Windows\\system32\\Engine\\iexplore.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 9 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsUpdate.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe

Executes dropped EXE 19 IoCs

pid	Process
780	1.EXE
3700	WindowsUpdate.exe
4992	iexplore.exe
5224	1.EXE
5580	WindowsUpdate.exe
2392	1.EXE
5476	WindowsUpdate.exe
4576	1.EXE
4852	WindowsUpdate.exe
2116	1.EXE
1864	WindowsUpdate.exe
792	1.EXE
3508	WindowsUpdate.exe
4044	1.EXE
4924	WindowsUpdate.exe
1340	1.EXE
5504	WindowsUpdate.exe
3920	1.EXE
5828	WindowsUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
5516	1.EXE

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Engine\\iexplore.exe"	1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Engine\\iexplore.exe"	1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\WindowsUpdate\\WindowsUpdate.exe"	WindowsUpdate.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
File created	C:\Windows\SysWOW64\Engine\iexplore.exe	1.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\Engine\	1.EXE
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File created	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\Engine\iexplore.exe	1.EXE
File opened for modification	C:\Windows\SysWOW64\Engine\iexplore.exe	1.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe	WindowsUpdate.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdate\	WindowsUpdate.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2880-9113-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2880-11882-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	4992	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.EXE

Checks processor information in registry 2 TTPs 36 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsUpdate.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WindowsUpdate.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WindowsUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5516	1.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeSecurityPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeTakeOwnershipPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeLoadDriverPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeSystemProfilePrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeSystemtimePrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeProfSingleProcessPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeIncBasePriorityPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeCreatePagefilePrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeBackupPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeRestorePrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeShutdownPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeDebugPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeSystemEnvironmentPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeChangeNotifyPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeRemoteShutdownPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeUndockPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeManageVolumePrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeImpersonatePrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeCreateGlobalPrivilege	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: 33	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: 34	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: 35	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: 36	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
Token: SeBackupPrivilege	2880	explorer.exe
Token: SeRestorePrivilege	2880	explorer.exe
Token: SeBackupPrivilege	5516	1.EXE
Token: SeRestorePrivilege	5516	1.EXE
Token: SeDebugPrivilege	5516	1.EXE
Token: SeDebugPrivilege	5516	1.EXE
Token: SeIncreaseQuotaPrivilege	3700	WindowsUpdate.exe
Token: SeSecurityPrivilege	3700	WindowsUpdate.exe
Token: SeTakeOwnershipPrivilege	3700	WindowsUpdate.exe
Token: SeLoadDriverPrivilege	3700	WindowsUpdate.exe
Token: SeSystemProfilePrivilege	3700	WindowsUpdate.exe
Token: SeSystemtimePrivilege	3700	WindowsUpdate.exe
Token: SeProfSingleProcessPrivilege	3700	WindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	3700	WindowsUpdate.exe
Token: SeCreatePagefilePrivilege	3700	WindowsUpdate.exe
Token: SeBackupPrivilege	3700	WindowsUpdate.exe
Token: SeRestorePrivilege	3700	WindowsUpdate.exe
Token: SeShutdownPrivilege	3700	WindowsUpdate.exe
Token: SeDebugPrivilege	3700	WindowsUpdate.exe
Token: SeSystemEnvironmentPrivilege	3700	WindowsUpdate.exe
Token: SeChangeNotifyPrivilege	3700	WindowsUpdate.exe
Token: SeRemoteShutdownPrivilege	3700	WindowsUpdate.exe
Token: SeUndockPrivilege	3700	WindowsUpdate.exe
Token: SeManageVolumePrivilege	3700	WindowsUpdate.exe
Token: SeImpersonatePrivilege	3700	WindowsUpdate.exe
Token: SeCreateGlobalPrivilege	3700	WindowsUpdate.exe
Token: 33	3700	WindowsUpdate.exe
Token: 34	3700	WindowsUpdate.exe
Token: 35	3700	WindowsUpdate.exe
Token: 36	3700	WindowsUpdate.exe
Token: SeIncreaseQuotaPrivilege	5580	WindowsUpdate.exe
Token: SeSecurityPrivilege	5580	WindowsUpdate.exe
Token: SeTakeOwnershipPrivilege	5580	WindowsUpdate.exe
Token: SeLoadDriverPrivilege	5580	WindowsUpdate.exe
Token: SeSystemProfilePrivilege	5580	WindowsUpdate.exe
Token: SeSystemtimePrivilege	5580	WindowsUpdate.exe
Token: SeProfSingleProcessPrivilege	5580	WindowsUpdate.exe
Token: SeIncBasePriorityPrivilege	5580	WindowsUpdate.exe
Token: SeCreatePagefilePrivilege	5580	WindowsUpdate.exe
Token: SeBackupPrivilege	5580	WindowsUpdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
780	1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 780	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe	87
PID 5028 wrote to memory of 780	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe	87
PID 5028 wrote to memory of 780	5028	JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe	87
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56
PID 780 wrote to memory of 3420	780	1.EXE	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_237e4f4bb75b4cab5abf054d61a5f8cb.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\1.EXE
    "C:\Users\Admin\AppData\Local\Temp\1.EXE"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\1.EXE
      "C:\Users\Admin\AppData\Local\Temp\1.EXE"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:5516
    - - C:\Windows\SysWOW64\Engine\iexplore.exe
        
        "C:\Windows\system32\Engine\iexplore.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 588
        6⤵
        Program crash
        
        PID:1448
- - C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
    "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\1.EXE
      "C:\Users\Admin\AppData\Local\Temp\1.EXE"
      4⤵
      Executes dropped EXE
      PID:5224
  - - C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
      "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:5580
    - - C:\Users\Admin\AppData\Local\Temp\1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        5⤵
        Executes dropped EXE
        
        PID:2392
    - - C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
        
        "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5476
      - C:\Users\Admin\AppData\Local\Temp\1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        6⤵
        Executes dropped EXE
        
        PID:4576
      - C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
        
        "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        7⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
        
        "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        8⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
        
        "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        9⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
        
        "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        10⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
        
        "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        11⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe
        
        "C:\Windows\system32\WindowsUpdate\WindowsUpdate.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.EXE

Filesize
289KB

MD5
3af2b44b21c26db54d9bc11148ebde3e

SHA1
577c4779ab70eb89a65f6d69df962d5616a0eaac

SHA256
3a63764b909021ff2cad4ed341928b9a275d953e5122ed9746acadf4c55f9403

SHA512
1de250176851a1899eacc5a5123f0dc9c94f34b94630c0a91ba5d574e27362e0b2867fd786805bb79360d9d046ccbcd6b69b2c2d52522f0e6c9671e2ad3d1328

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
283d74a118e0dab98f29bb9ea07b39b6

SHA1
52df27e78325e8307f962b3c406c4a9da478c1db

SHA256
c84222ed4d387ddead52ba50e506919bd22add731c7cddfea9f4936d3d1497c1

SHA512
88ab7d24901a5f39c1a2cf436f37fab4ba18636f934154b2aec6158d4a39e9c84c04cd71bb6c01b8696741ced3e8fb279b351c2bab4112a5acd07ab077ac688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0aa70bd24104189b6abdc581b0783dc3

SHA1
06a7621bb73863d66a5f1b64710bd6e1944ab671

SHA256
3166d334fff1a582084a9f482dda66503463122bf7c50854056a817f2f9e8b4b

SHA512
ff80e745d1f28e5fbf8534788fc05509980c5ab3d5ace263a82c403f95c69695bb20d02c7675f6b51729de85875e642d734b8dc0d53d209e3da0c30dcb3b8466

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e759891dbe21aa3613bf83c99fed9163

SHA1
6d4242a11130d65ab21d197915542e1cb04ee308

SHA256
c1db745380ec3ef94dbd0a1d7fc1282eb29e9bf1485b4a94b45aedbb8bd7bbbe

SHA512
17ecbf4c7ebf6b0beb2b9969948433dfa08122dbab49b709a3c75eab577072a7fd1b8134e6a987a946e4dda16b4fc524841c83a1de07f6c3b788b9eec5caf05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2ac3a50ad31b51ba8d8097e977b0bb0b

SHA1
828ded4d3480e1e3be4646081deaa9304eecfa94

SHA256
af3e1fda7932e3a29791cce9f316e9892a5bb3129a90c1d911d2ab397fed711b

SHA512
26401cd7e6e29f4bdcfaac802e8f2b3533caf77c1a1dbc241e69a2c53c7d2ebaa71ee0f5af68544975e18aa15e38effb677341713bceda19318ed7edd9eaf9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1ec7d123cfc8ad233b47811b701c8965

SHA1
e090d41f3d98fea17df289cdddc1854527b062a4

SHA256
e98c08bf4f655cf4ff1af25a1202b37c5470a9c313bae837eb55760e30e85a0b

SHA512
87c68c3ed3ee17cfa560af665d9e0b0e900b92cea1e7668909a3116a333e5329cce945f79a2326f019d0d017f8777b18336d0bffdd9435c834cda04094ca1df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1aa1ce9cb2f206a8650b08dc81b86821

SHA1
b00fb7a372637a74e869557c16d463437641c649

SHA256
41e3093cc72e444f917fd0edd623f80384270a0384984c33dacb06eb6c0d65e2

SHA512
3cf2245f6039ea540293230b61dfe71fccab5f0cc29280275118e15bf59b461735576021e26ec784fed7930fde76809966db71a711f0f446fde5926535932594

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a011be19db5ae8300b0a3d96c3d9577c

SHA1
cc86acb723b9ecb8d39f514e7775778f3cfd4b55

SHA256
2e386fc82d8a96eb29fc141ea8c9664ef03e1b35a12da604c1a21183fc76e775

SHA512
b7e620f80b11cc778aa3f913ce19088337ce4f664ab3ddb5f1985223b5da2390bd676d057475aee5f4399050cc7e941c40ba0cc0eca10d5cacadd47e466693ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
34c3fa7b5b87cde2c59e815b46101f1c

SHA1
33035c610aa59a0cba0e0c150abf15463c2d6ad0

SHA256
6c38097954479b8711ba76448e9b683fa4606fec2326c7f3519912f7bf884963

SHA512
95c36e4c272cde27c169db0a47d77e273fd4a5c2dc8753d4a7b1254f5ae2b231d974e940699f8f72b0ed7ab93b34ce6e0ef494e616dcdf83e75f9ffaa187dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
da1c3ca6e757a4047dad4cfdbffbb6fd

SHA1
2eb5e11fb7019ef56d91a231d0f4e8fac917b0f8

SHA256
ce05bda97cb345f1fb715a0fc6e179ae95b46d185ec965c016bd9738ce22ab25

SHA512
019c136512e4321bb0944cc4483a813208e8db1bed84ad13df433959a48e9c63a2e4f6fd57bb698986b2001b53544de9ed0b92fa38e45d6317ff4b98614abd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b7599b34df91851874ee9bdfa696d17c

SHA1
05d36185d4350993e5a7f2ed2525951ca82e99a8

SHA256
9b5ff54c0125780377988ae8da453f212a218b8a9a8a8050626d6ccfaa32a2d6

SHA512
f9c8f088a4119e25ed606a1d920d509c5cae192731e2f9df22506d3af051e6a547c1ff2f983f327e8e1da9973e70a55f263d38e5434b4ed115f792002169d00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7e1198368bdfa4256045e0cf081ba8a3

SHA1
662aa70d4ea1f8c6a1e880d6afe85b6ff27dbe88

SHA256
bf1fc545fb678749938361d00cecca85397296e7e88ea08ed48f5d959b7607ae

SHA512
c9890636aa8a138a817953d2bdefce2a77da9e59e56e1d0f87960cb7f3e1174b44cf3dff265e09245afcbb5dbfeab114ad372db0114366c201c9f5d9ee3c2d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b0e7e38fd159832bac8f58b4e5ef918b

SHA1
e2c75ca033ded2a65b979ed8d68fa6b21838a405

SHA256
5276a625208dc2e0f2940b8dad7837ad990a25a93ccbf22027bb71a42328a4b9

SHA512
2e80d1edbf4d12c7d83de9983948cab7d78d2f25b55776134cd17deceebeabbf98c8bc2ec2b7ee457344521e9eb56ec6610478fe4e2422a98aabd826cb06b951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cb771e6a090f8a27ea5891f03a777667

SHA1
fd0f1952985708af704c20d1282f5c92de5add46

SHA256
d11f58298c8f2c3e6d15431d2ef8ebe4de4574929b4d74f3d6f546c5b4641f5c

SHA512
ff47bd592b3925c1eb65a3360df9a7c467a4e2d55c75685f4a4f19cf439d58b52b956dbce8d4addb4418eee8f493a32d17cf536628fbc3580ca808c28d9bc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e91eba01cb3ce70fa25eb7e51e6fb1dd

SHA1
2468b7d8e64618f8b09aec74fe922ca9fe537e96

SHA256
caec9d26b151c81ccfb9eb9275af2592d7091823653606338402debeed05c9cc

SHA512
5b0edc194ee8eaffb0c9f73af95ac48534627b5bf0817fab7d7cefd1d8116008a119bdb53aa9e25159420c1cb9b5a11552c4643b5762bc8cf6820b5673b1cfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aec231e784bfca7d0cb2f76d65d92b53

SHA1
670b30d41edb1f31ae92dd90dc74eddbe356533b

SHA256
b1051a685c4cea52fab52540857fa83b88b498c32f6a3bb1b905a3f5f0e9646e

SHA512
01388419b68f084a16df50bd7ae26b812e85d50b2c13c7feab096e5a49b5b1c732f314feb6d42d6ec08e118fdce0fb7994b1da4f206dc716d6f2b2ee9f93e1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8a1f91fc158c1c92f92530ea12f20c6a

SHA1
ddba18af8cf7cd6df5c8ba393dc651461874cf10

SHA256
32fbddba0fda1f24ca0b2d40a7d3641b9662dfaabc777e84caf891f7a823607e

SHA512
c55ee6ce39986d1ea2c128b2c1fa20399adad7d74740af4c917a58929527d56a7add1b1bba347d2b465587de258ee1d397c27d6bf3db789db73c3b737121cfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9b00c44bfddfb3ffdda04f070113c606

SHA1
4d76a2c96532903d5826c23252d7402c91ee04de

SHA256
ffcb033fe950361ca04558ca1396fe1261f87842813d7cb6acc76570580bde86

SHA512
8230e7ea51ad68bdd4b069d4b439028739bcc7ef445d4b3fe4cf30ec008ac90301295a7f3c6e5c37764cc31f6c668a52c0833098cd97a1c4375c93459c5ada94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
60f8257e92c8935b5115da780bdb197f

SHA1
2caad0589b5547b9d87db2de3740ad2d3e435f7c

SHA256
a8362357e1b0071b735512fd57fd576701f95025675b98ea1489b386cfc86c1e

SHA512
3b07913b6f436421f87f8fd0997a45180d4fa398971fa45b7df1fa54adcc4619f6473b727929fd01ebd99bacf8c7842ff42b8fce9ed691a21290ee64026d13e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bb99569ccf0ca6025dcf7898732973ee

SHA1
e17a5c94be22e7e4c81514c771fab24830050e30

SHA256
7d146f5b685f5e1915aa502eeb73b47d74fed3f4e9d0420f217806158154c74e

SHA512
c6ae33ac1ce03ad0008daca061a1ac21bcf35e1d983062b634bd8a3406938a74bc1232f113927e1ead991a69196a7486b87068ced63d39c1dcf1be55365f10d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6f0e097cb4bfccd023a939a91cfc2d70

SHA1
76606bfe80e71633197da39e522782d91a554527

SHA256
9f4f41fe85cc11ecd331b4ae3d64a45751f7b61ae502f6405ea3687dba648d73

SHA512
60a21f6476976e3e2b695d95c3d9b213fc6c8dbcdb9e917364f2df0624c2f3a8f78397eb40d63430aca23d7b829d53a9f6b102944c1c17c479c37c494d69e146

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
41e942421e56d36ec6374cf482d69e16

SHA1
2a964e686d158895b109d51ac50866f37f1d540f

SHA256
3d848825081efc1f7f3d8ca91e93852418098db91cb908bba2bd18a0232bd344

SHA512
1df97bbac4bb22ef57ede53625033bf55e0ac049795bd9da2e110b8cd39f7f5664634ca1103df9b34653b31a27500ce071c160ceaedaf8a6ad514ca5362c5c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aadc11efff3455d3b00b0605d2f42a9d

SHA1
1faaffa7167801321305b48dc7bd165f02147d43

SHA256
92fb4f2eed486b378d29c295553d31ac9195ba2cfadfd985dde8db3f97f9553c

SHA512
d786659bb14f34cdff160a8eeca871970e3e45afa9913e469d5ce9918aaa055f84667f066f32b952e63268a9522b53931b739376d96f1280f86f11ac83a9032f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8b2fa67a0fe26579116a7269868dde6c

SHA1
70f8a947d7fceb8bb977151ddad33c746b8e5368

SHA256
7bf03570bb65dee049ca971c5ecb86c2769ae0a5843bb9bcfd2c6ffad42a7b54

SHA512
f927888fac5fa2edde393aed4decc0af4009ef0fe134c1a503286c7ce931e2783f59572b32c640aac150f654c6c7f7c7c34022decc1d633b171afba08307dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0d54cb72aff1f0328fb88edf9c9a7bd9

SHA1
9589356eaacd9e930dea5c206ac69cc0ed1320fd

SHA256
4a10ca552b10a395bbc0521e470020fb99208c71dfaba3f5dc49ad5727180876

SHA512
7790d861d4848ef74eb87357c3c34809bb2fe7ebb93dc735a2e430e6cb8e8f4c5b2cf5aa35eb00c15788010f269ab603506c68af39f30d399b1121d03de19ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
05abc5595235361cd4d7ef3825999b28

SHA1
7327e0a7378e1d0bd853f4fd1c9d0914d3e3ab1b

SHA256
d33a90a82035dbe5f7822b3eb60b448975bc3a364580abe59afdb62afc3502e6

SHA512
31e70c0bd175e8e621ae001400f397daced14c1b858b5f994f89b794f382cd2d93ce211fc312ecedea6bccb466db00080cfe743289d0523f6442b382fe5778ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e1403364a94f964a7befc43cb6e8608

SHA1
3d408e06276bd3a8a444dee0dc484c0d381a7268

SHA256
c3c25b4ddf9ba6252b6837296407dd1421bd1e8ffa2d787de552c5603691565e

SHA512
1089740a238da0e76a4c0c34514af398c25622a9a932f6b884a5fae5b788f1a6c8a6b72d004d4409dc175e4b38fd020eda077ad1ee86c3bf1d01bb079effc34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1335972311153d6f5a3e20ee25f65656

SHA1
c87878cf881f337dd59206dda6aa4e17e3b64ab3

SHA256
0b1fbccbf5098556bbeaf57576926dc2b20ed44da41583df5f81ddb3f0a705ef

SHA512
e3e00b6acad710ba14b077c770f1d7a6e3c8642de080c9f09493e1623d3858e6f5d3383b6cb8502af8c1b4632342f8fd7c83728f020ecc568cc81cf2275135c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5d4103259e7813d41589396ea17443a4

SHA1
f272a1080e39026d8347b8e856b96f8330c77f14

SHA256
47bec36c9e4901807da76b87b22acd68fa5d9078d1368a3522bd39f383137ef1

SHA512
68d898976d689292842d9e27421566eefc31c93cac03383d8b5b72e0206d86b2929940ff8a787317e8f467e121568a91d2c28c46a2cd86ec771b9ddc7580a530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
17e7858d8a5f160e6394c506d87e3233

SHA1
c48df01b9afa7fc5fc14e6e5a19026034aa35bab

SHA256
8e2318077ea99c6a9495d6fabfae02e16230911dd3ff055b808e9ce961222f9e

SHA512
f08a25d09140c451bd35c01574c4166d85cb8fa068e9f2ebd5b20d213be0d675901e1db8be60177392b26c39a4caf86185fc0a7ed7eaa13210c00776c738d217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d2f8de2e797703070257549f77a17e9

SHA1
963b2dd487679bd76b80da8a8a4a0359bc49fd03

SHA256
1fa72827a653e41646bd41a547305977f895879e40dcd57124c268ecbfaec017

SHA512
ec2470b4d4b393872a881e3e625acdc035fa63f55cf6f88ff0f317ee81726c79753602d517cfa4620adc2c54bc21d158c49c8b2289592e690c65c9f21449e98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ae0936f0ddbbdf2606846ee30ea41e59

SHA1
fd99e098ad50c1e5595d082ddd64a7b41818eb9a

SHA256
aedc7eaf712bd132750b1dfb38c66f48376672f3db8973a82285b0ab2c5cc01a

SHA512
e7239567ffbb6a179364345d8b4cc065a2b623418a9b62bf2dd80385422919398d7b33fa9596a7ae9323ef123e40cad9259b435c9d1547b6ae54cc6ea5a65468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8aea3116a875c8b2e29a3218975fc498

SHA1
ad288c46e59ce3f51941ac48b2c1b3ae8777c38d

SHA256
f36277e7f605e6d5975e3516fc69f2041b9c780fa75eb63278e1ff18266bf6b5

SHA512
ae422f7f6875f00b636ddfbac34c28b6d73e29c469f19824676ab1aa2b210a1278bb8a7938f2802d7fcd33e6be0017a7fd6bf29c4c0f8867578dec4bc389f920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f7410384ffb2acf0d45929c20578aee

SHA1
cb574536ddd2125a2161fa1eb24cd775740b5e32

SHA256
7450132dacc62c40d4073351352983068dea707df874966a8de78bcbbd89d919

SHA512
d589dacbfb36b5abf2757a0f913b6daf6919fb1bb529851573b93889dd0f2eaf09d0f93cb5c2637ce933398900868048c685e24759858f0e13dbc57b374710e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
eeebb8c23b7fb7eb40163ee292b7ab05

SHA1
c1835d175b36287d15fdd0d41ff2eb1c7be96059

SHA256
d6320088c08482e5c40296746d3becda4a915288acb506d2268b867b70e854ae

SHA512
1f77710777d1b7a12b55c0bd1fa3c19f1605de9a3e64b5369cd709ddc791f0a2010fcfb2ff62c6575d15bc696e329d15320a7225b90df7ce2887c07f52889c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ac6fb5f2a880073052bf793759a02236

SHA1
b3c04f578b67858d7eabd01220c65dd06db47d8d

SHA256
789ca4e99283c15b2c35838e789e9a0d272eb2fd5a5339dc7fa4d9ee8aecead4

SHA512
d763ed972a3af28fad7cbb0f796d59c68620125de5764da92d91ca93c7f160955bc417b5094bb3d89fded939ae2a118241e9ae9f8c331f83fcbfee876235db2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9485bce39f2e2da026d10ccbac64258c

SHA1
fd97fd2233a47c065fc28d4d8da9cee1015ee45f

SHA256
8ba19851a675180f72e81c0cf532ccca3dddb5e9167a523164c4a7377d33cc93

SHA512
066ff11e7c909d30e9ee8b2a50cb909bd71dd96aa642ab5234c7369d72685ac667d890341314a89327fab03a5f53c3bfc128a270fb2a86cf96519168984d7470

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7f465b4c458a10e0c04b2077f9b49561

SHA1
417dd475cdb84f494c9adeb5da640c79defac29a

SHA256
14a144f01b83563d2305ec0b890746280238b4dffc0fe366588e38b814bf7419

SHA512
569ebae425880e9c0ff9e50b17f0e6b56b900ec4f8d63078090aeb36cdbe422dbda21f0a60babcf42183d870a5afd5c2016b47d03effab1015a44d1993953196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c5650b752828b54538315e3f583e44e

SHA1
7c7c82cae108730ebddad237f52236742fb2db90

SHA256
ebba144f7e1205500897a28b87c793cd252546b8cd0fee96c7ab58b3ff8c9a01

SHA512
868d144fe36ea4c1f30038fc2722f827619544cdd76b96a54b1f2219851e1882332fef599ebd0f9478e3490d07d9245bb5d0b671897fea250ee9a2ebb9c4116e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e81f92d88945ca13a851e74fd578a0c2

SHA1
543f99d597afd40bde1b3e6a264696e586b027d7

SHA256
dc7f86bbf4b0c254c149c1cf6bdfcf0e2938dfce60cf0a631b909f9e3dcb789c

SHA512
16be9b6de2bcaf9fc3b881f2665d094c66b91a4c151f33b5f6cce5224789aa3c7dec27d982ef6690b6af039df124e9e50761e89770cf7104ad0beb0b4084b0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c301f8b25dfac71ba9bc7496ef24491e

SHA1
2f21ee3bd656cd637e28a69476bfa7fcf874103f

SHA256
4e30a9c4739ac455ff90ce73d5b3029abd0974d28cea3cb8c834f08abc1d9c14

SHA512
67854412c0cf126ec02d40429e5eacc0d1b0f4b94f9171a845b10934c57055fad1a5d63e966940a85e8ddedcb746f75481f7b6f78b412d1f786c50315b0fbf14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1977b08e3788a15c06546a0a3ef91f3e

SHA1
a500d4ef72d65ace2a57e96098160e112d9c3e4a

SHA256
963bd3a06d980562770f86246af66193b9c88febb0c27e33e000becb6949ccb2

SHA512
fb52b9c956373f02f3d479efd54037aaaa29a827491009cec4290052b5245854e3df86812022c2f7cdd1fa6c6911686be7c86ec9ddd68951dfa526ce6c09fbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a0e4a0ed5be25a5580830e8969338384

SHA1
3eac80e4a33d00a6bb4ca66c7b0e716cdb40f575

SHA256
314fb47b639369cfd25bbb1ddb10ef202de246d560d409e8c718537f53572f93

SHA512
c30c12aeec636a98f8750da96dc10fadcaaafea769ff3099609ede3e9e4b5750d40dc311bd03b6892116192c6e952a378d5efc4f8f6a416ba32cc2467ae5a929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8f7a2d935cba7573da848508fd67baad

SHA1
7d5839d22a679ccda3000cac70d3fd9249e1083d

SHA256
7ed4434c1e0c805a14263219e4580ea3fdfa11ac5222adc4cf99eaf73b2e24f0

SHA512
2e4c149ea09e830d6a2408e0983fc89a9c0eab7621680f29ffaa595680b72c95f64de6e88b455ed27083113c61b004dd9516b12863b3b04acd3afa7f0af7ebbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9caeac94ca8d2db04e7683eb2fd04ca8

SHA1
d047a222e1daa60b0b5fc67054088818eb2f888b

SHA256
92c06994e54a81e4e232dd6a6a20afc89bb85590ba9de68522e6a80516fde6db

SHA512
cab706c68e68f758aab78b46bbf6e235ade95e10396c1b222f0d50fc2c6464af37fa2952f3364b74254326ea2e5a4ab758dfe1622a1835f9641d9a5d0dce145e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
152029c4914bb4665ca5b07b2b55e37c

SHA1
f0c416039ec7c88c1d9e5a2490638aa7245e40a2

SHA256
f5622fe6b2ddf985143eeb038c050c1dc204018983f081f70d96789651000613

SHA512
e0c12f99548a437cb8e4dcbde091e774909c73d86817c72104cd2aeb0681e58ea3a5eeeefadf0ea4c952753e021c7516843da5b32c1c52e218979bafd8f69ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6441063fec82ce89489a0b695deea649

SHA1
abeb45998c56e070f90baac096fe811752ec8bc4

SHA256
1cd4dc5a9c15986fab2348c788f49e2788ba82b0fed38ad697be80a19ddf4deb

SHA512
8fa8cc8d4f27824c157f83c846dbb66f71059d5718881fc4bdf4e20672d2258cd8ef8ed9fff4ddef0d7c6665bf602951c90f14a959a38478a57db5ff289b2fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
70d87c3924bcccfe1f38d7ad29e44d2b

SHA1
75dfb3a0b615764efedab5597a8a0e9d264d2e26

SHA256
a46be6b1927e82d8bbe04b7bc85b6e1bd8da72aa0283a976beb371a996420eb5

SHA512
d13c5d4fa29ce8e3732225e2c76fb5df833d4eefb91a1867e33bc2896a90053e8186fd29ca6e2f30265d9596388b5b2e71e63be1f33d7a89b6e56b3949e24c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d4b00408443bf86596b8d545f3b03c8c

SHA1
5adfef277937cd304cb500f82170c51e221224a5

SHA256
f2fff91b527b515debe2cb79c2059e437eb0bd8c1894114b2a8a60dc17cc90a7

SHA512
59bbd79ae4ecd0651cbdce22d7e5e8acf6bd673e52f3470fa3aae36b96aed22c526e7292c44edc324137111709c899889ab118715e40a91c26a86c0fb8476501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
84804cf27fea24ba7f0d76c65cf6c753

SHA1
7a39b29f94af1ef824aeb9247300ee45f05d87f6

SHA256
74cf51ad488752118351417f81e6be93388623bd8c9cd0b1d52ff59caaf38de0

SHA512
22cc03e11393441107bffeb3fd504467ef0135d168e1d1a5dcf9e6fdbd7a0d4228bc4458ac2f0d08fb2b99ddd8c800036900d1ec333a58c3e3facb89ebc694cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1d56a88af4b56f97715b808f7a6af65c

SHA1
499dfd27f448d09cd8c94ed6de9f72793b65d6e5

SHA256
deea6157d5e99ef04963e8161ff055cc9bb32a412e9e0a7afb8225f678fece4d

SHA512
97bd2da4c6cbbf5900af911edf2c9de247cfc676ca8e9747a818c66bafba0a7c2e52bd56ef086a6af81f30a6a6d86b83b7c32a471d595a817dbfa8cfa1dc56d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c3be7408f4f62cc798447340063420af

SHA1
9291e5f188231935cd627d7289c408df377391bb

SHA256
2c9caf80dfd702dbe2d0a986b25b100b409e57f230b8f9df7d26a86d41257e25

SHA512
8b443a1ed932bba379a5aea3b54c052b10b3fce09f24251f9e375cd3039a6a283264a31c3b4a5f89d197831fe4399cd9b7971036542c5f97d5aad0e1f5a9c449

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a262f4c4c2ffe8b9c2f10e4d0ba631b3

SHA1
403b0f3f5d3dddc8b377cc345356a02b7814a41f

SHA256
e57f7bf567bb5df4bb12d66c273f68f5d8c4e4f46e94e80f56dd05eee3a87947

SHA512
35998a3deeb64eb5c8b49499debd5dbf4502f4717b4255ea59c554d981b8b0a353b48a1e06dd086f692fc6b20d462caa8231f75f45837d9e563f655bc3f2f118

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0444f64f4198459aba9387abad0e01cf

SHA1
9bdbfec989d287f1e7df3b1b67bc01a29b636a23

SHA256
f36b0a783d2454a64f07d5c3a5f270244a5d8df5b64851eb04089664f39ec337

SHA512
896ab23b5c54f6119c3515a99dcba22bc95b2cde3f29da9bc66be7e099265b90d884a6266c5539739cc8ff84fc916e3d086497d9544bdfb6a62be3d6d4b9a3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ae935074cbc49e04e2e4bd15e2622d9a

SHA1
df8d723ae7a9613f0f15e71226add2e010e88101

SHA256
b75299e83a6cd841b3e83dcd19bfd4d08da796c82d38da5997224dd82fb8331a

SHA512
7ce4350ff24bfad24e87f46678dd188c4379deab230bd16d754657cfcf030dd2978c9b826a8c2b9961f6dc8a7c6ed6e67930acf1e9690992fcc88db0c7eac7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d15e3f9f8b6d420eed83e77fe83a748f

SHA1
47db9c2270ed9668f8ebb00d0a210d79cea5782f

SHA256
2d0896e35227e027a5f52f97a9c82461d7bb7adf36b06682bfb7c2e39a0ebbbc

SHA512
aba4ba686ea86599f473370eaac6c21b0ffd783ad3215d1c9ae0eae355dff3d5bb77d6ae4f8255f90d946aab49758eca6a9a87a4809df5117ebe74597fbd5e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b21dc6623711fd9eaaefed9475cdaf4e

SHA1
85fcae7b9440d64670222dabe6e01fe8a2da6436

SHA256
bd03300dbca3bbbc9f33250bd9075e2cdc599ae2ff8e090b8878e91a90a05a33

SHA512
32b56a5b5c69c4994765337e52f6fd318bd4a33e3e1ab51db15a3381d491781dc606f9f9334b7e18522a51ec4f7e760a54aa843a73b28e2718145e02883fedd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4349de7caedbecd33822cfe8c56b15c3

SHA1
428398faaa080945a7e0faa2bab2f0ae237465e9

SHA256
e399be898db03a0b9003674d64431c187a8fbd94979b29c5c2822c251a232991

SHA512
cfaccffe622e9751407d2b093b33ee706d8925747546484df899354082102512798c833ec4e0daf9c3f1f0e1f67c6bbc448ca50da43cc11e8e6c440142dda9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
705c7c9ed8fcf14b2aea5c33eb0b7213

SHA1
3a581472bd32419ca18eb36c9cea9aaa6bd023c9

SHA256
3c96c0a2bc8bf2bfe5e1db8891d3d722bea6734195bb9f5b4aacb147af3cd976

SHA512
e98b1998e74300ae0e86a10944aeabfab37c6a6d9227f5e8ff4da2f5d85df2ae53feff1d2b1e429a21755e7d6eae18419308186c56d2cb87e4efa01e3d17ed31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e57c28b71f482f922a3ab4d3ec461ef7

SHA1
ac173bb40700bf71f69e5afdde31beb02e537678

SHA256
f810e484100d9334ea46e2ebae558ef5ab2b55685334d54641bdf2d398f16027

SHA512
4d25f00501846b5fea6cf242d767b8878ae03229285d7ff8e4c8f1a1cea3ffd636cce60b6c80ae4e784f59f925dd6713d330c94da33be0a23698a095648ec306

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7a5a18b615aee504cf9a9a308ebd53a0

SHA1
37172037c9ccd96a9335b2856b2d3d35f466e6c1

SHA256
97ed1e8004930669198529a5c4487a9400d7f2a9047e113bea1a45d236121ead

SHA512
4bc439dafb78cc07bfdbbf67b3fe35a778d2b6568c3577099a7c8327a8a564aeda52d6f2c8c221a4aadead96ac2df9a946e389064fd03b1ad66dcf3c78b1c300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d836e3602215b9a010eb0f30ddb024e6

SHA1
0b67c4c56d8272bbcfd62a80d735d6cfdfcbe22d

SHA256
8d04ce6ac1c5e3e84a38e3f0f333da8a765407c144bd37b6190a9be808c610ef

SHA512
4344cfa98a6878ebcfcc25427ab84bcd37def93154624d6ba6bc0d2e627ea05f64739cb73db6a819bb52337f013b3a19a3048db019352db0127b524a4533d162

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
86a0280dc56f358ac5e4a21ec02bb422

SHA1
404637a162ab0a1eb051fde7a708e75139c57a7c

SHA256
f71212fb835930931c320d3eef7fda7eb439a06a17a95fe604f659be59aa0137

SHA512
bee2c9d47a6d0516979a425a50d04a09df1782c38440b70f0ac656e24bae01ba49b7554a6767bb088a230f52740101fbf7259bfe37199c019240438849dd15fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0407e76784bf48937af4047b9dd9abee

SHA1
1d25f3c9a01c0c1a7e7f2ca3a8d36d7b919b9a0d

SHA256
b2aae4fb6f4e8780b4c49aca942141c63c2b6496bf8b8840de4bbc9be81ca2bc

SHA512
9ce7f004c231edc139a0d7357e169a5fc1c2697e2da5a7d1498e5ee0b6b48956bce5159f2bb07d9dc5170c25d91fe9c75dd8072234a78b2a591861c3a11d809b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7ae1eee17abcb124d0846feb700698af

SHA1
02e875ddf77d015879db0e131b4327f85c789335

SHA256
38cece9c515a7827e9a3f7081a3c6630c11e916342219e752a485af26515644a

SHA512
fa1e8331dfb523fa905c78e18f645f16795be62d1c6b869081772d47d522eefb48138e4b5bb3f1069c2a2fa5db6c31bdd216ec9b36575f12599f37b72e1d6654

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ec3d1a5d54be32183b5676befbd8d97e

SHA1
f3fef01b997e76ede3f6f8b3d51007a1f4fe772d

SHA256
72fc0d399524a36aa411d2b925c84925eb6fcd012b279c3afc993cb603265b85

SHA512
d78702d6ec6f3776b764701dc400d9237670814ccd80ad33c30aaf1e60b1f2de7820233badc54b45bdde9b0881908dec250ad0c083808a2b71607efcbf83474e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d3fe9933fdb15a70e255179139f05714

SHA1
23cddbc09c3c89c2695c8579c7e7d7e617deaf0c

SHA256
33c88a43a3303a4221c4de4a0f8b12d5eae9fb5976b9a55b51eb57ffa7e38707

SHA512
941a78c00bb51851aee38908b768ef3d7bd2415e1e74a5b5e63352dc840d927bd3579439a628c3039a06109da1d74df66bc54717f67c72de1d29be06e9960e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d87402a6162cdebcec65af5dc347c0da

SHA1
983198c1531ca1c35d5de4cf861d0a0f38a63cd2

SHA256
ef1a318d400c205efd154410a9ee77ed50862539e740d9bb1e8f8d9b4ecf6c06

SHA512
bea9c760ec3ce6a385f41b37fa8272cc0e726ac7c8a4d72a6e9d8317338301d4b8e774629c9d9e13124de4210402609bfe3e79eedbcb46fc72d6429a44911931

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2d4c0280595f45e99ba93f3c7441808d

SHA1
916f265f2cb5521aaae53894f5588bf64eea7fbf

SHA256
02d07b7170e44fe762d3ab76d8198c39a988e1d3b4ea0d3458fafd3f5ac4124b

SHA512
bede84cd0025dd3dd2e5aee751cece86c77135d854a84e7ff722d0490bb47736b32174c183a316207ed8698ed6f3d9a206a346aa4300fd07f5f80e725ed1d77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a3b620faf435f2495a0299f779f36d97

SHA1
bd71bde2400c447f87c858b815ca0bd6629e77c2

SHA256
99b367ec1f91606d936ade13c4eb6917ee6e9f0b61d8fdb08e40ce4e4da656c6

SHA512
559c60ddfa21927665249aa01787b8036cd1ff6190d252423063d4aacf9a18f5c1d77a1e3fdbfc65a699b8e4b7b9f68e15972555f37eeedaa7dc9789eb1dff4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ef8ee2c859288d60d21676f1961dceb6

SHA1
5480892bc18221027f9654db4c5dfe2ddb7e2472

SHA256
401e7a13ad5a8ed898deed1ca34eee3cc0a10d1a4b316a621a326f5ccc8cf55d

SHA512
521e8be551b67cfac80f00f2da215c14677cd0f5580effb7e4dfbf9b5a2cc00e63e8bc976c63ae97074cb6313829be180d49c2f6765df0859f16650ed19d3f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
11ac9524c6ec21d0c6b978a6602dd744

SHA1
e348662b712f10b587964505cfbc6a9db644fa2c

SHA256
daa2b1ed6c12ab2354dfd21d024402bafd02fac6dc2943cb74296662b3058634

SHA512
7583d103fa1c87fa657550df984cb1f9b167694f754b7c137d1c583d1cf062eb1ac27791ab5cd3a59c0abfbd5335ad87044a66a4d51814c66c5caf1f4da8bd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0fd499ccc6b16044e04fa71f6329bdc5

SHA1
f40f032783c96d196d79a23a4390258c14f4e319

SHA256
9fb7845610e0b83184291469c709f17842e1e3538ed626994767232b259f5ee3

SHA512
7d56c01fdca9c7d927c2643efac07732d2fe7bfd6507e78dbf85f4875c7d740a3df12ec26cfc58f4fba77d01d25ec0cf0b8f21a1669d9651c6c93de14c81658b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
636b61606e078266e567bfb05b6579ef

SHA1
b565b032002acca34585bb84cc4ec58b03c5bbe7

SHA256
e7fb4321cb17f5ca2abb6d956f16b3ebdf2dec3330e6b64d4cbfb16f3015b33b

SHA512
86d36b2c767a2dba97b49c726f5ce6302c63fe1f2f2b23d33652c377794ca2ac9098655620df460d3567cf23d2af1cf72d1c0938210ca6fe00664fec9331f2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1ac57bdb0436095dd5e505aa507d7a15

SHA1
a2b89a7a29694fd29fe12dac68851ae1952baaba

SHA256
5b0cb67a20f4aa884863365c551ce9a726777993c2deaa3ee92f5f44fe5de4f6

SHA512
332ec5a91c81577350e7c6fb7a3634a57229879d527b7d09cd10b7f57123abb8f9e25356285a1a26fff881f11e3c993a3c0d482efdcfe7fa243378dde7a5aac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ce58fb05babbe3fc11417f67bc3f52c9

SHA1
40ed4b261d317f6c657cdb835f322f86f7447bae

SHA256
ca08108f61779c424231d544029b889c213b5432b037f66d7cb74e66daac7709

SHA512
44951e0ef9b3707c266c7cbe0b89e5c5d06945d3ada08519909361e5ddb597dc0d8ff8a02a64c9cc3578fbabaf26b5cd297a7bfc80ac28b95483cac4e6a947d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8bd6097179ae1868ffded64719752559

SHA1
18ef5af7e8bd7b0294205a32c0f034d9167ea2c3

SHA256
7a68445755abc91ee7f2f9b42a66a0bd016c3b37c3361301fb35f94be4be6147

SHA512
5b896d5d485d220017307f278b38e9775ccd77167a9e362802943ce22a739cad98c223b7957e3bc678407ed522a349944a96e49c064dada87e8902fd249cf98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fc1f86ee3bf23167f2b8db6f8efebe02

SHA1
768a860bbf06164ec4800ee3dbae565534d7cc1b

SHA256
cafba69701ccbddd159babe9e680755875c3c5f9051d0b7e7e17a1be54b7f9cb

SHA512
4fa09084145028ab2001eb4e266b4a8e683f2434bdaca2e5c19c16839a8ac25bd22f1b896302aad4ed595f646abf86fd4d57771159811f476fc803be9bec729f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
13eb83d8b77c652218df2c5869e7cfcf

SHA1
24b24675f5ece6fbeb1e9eada54785b00d35a12a

SHA256
a5610246c2e14a03cd2c419824a87516c1f2d8041b589df4365b1a4ee816ec73

SHA512
6255004a1d4c970401fc9deca6a2e8e4c883f1993d81f8cf0c1225a4150cbb9f5c94652c56153d7f180bd36f3ad60e147fbf9b5c679a3d9f3ab0f559164e4b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f0833a209120dce071226f3517329d20

SHA1
383612e97b9823b3d260bd86f8e220a64ef1e39a

SHA256
6a233aaae7eb81d78e4c148cc14f5df63e4491f8d6ee29f0d57d11243a5f3b0b

SHA512
c7e55677f4a0777199f3191326adfa31bb56ad4c41e5f2cc730f70ac1fb8857287875fda3e593382e6a9d3a82f4b8fca5d9ae7092d1bbe2045f9334f91d1df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c1e71d5691a6d62fadc0b65ad4e0e76

SHA1
d2549a210626dd4bf38b255344ab086d3f8dbf77

SHA256
19949c87a09844473967742d5aa2cd32dfc5c12e2e22813a82330643486622ff

SHA512
dd26d1eef4bfc3f8eacb1b3ff0e6289505a47a25ca5a91aa08f8e804cc9ee68604be7d85e98f376462f3ea7947e3ebebd19691ed7494934dd76f5d28da76661b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7a222769edd7fa02bc4d78c3ea36eee0

SHA1
7473c38cc066cc5dc28143d540028e1f9579aca5

SHA256
a7e6accf5fc683aaa24cbbc75d8d0f0d2df65aa1c27596844a096a6b8e1558db

SHA512
230f367432759c3ae454a5607de4c8c2938ec4346e6d17f1417f084fa6f7498f2447d35e4236062837fddc041a4cb2f04e269627480a99a73d2170887e183bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
52ebbc95e48e32b14b83f050d2f49d29

SHA1
8d882edd2d8854f1a35d6df1e9525eaf44a0f7c2

SHA256
68516ed3fbcfcb2b86f4eb5304ea8188c444a1be859e0a7b1448243e80f54ee9

SHA512
17f756655a75b27abc02d57c16c92bd2e40e9408188da5702f74cc01059ebe26bc55bf62fe651c10842a6a2242a1b569549e1265c094cc7379d581cd8d096476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6f0ee2f123eccadd27b2720305359f2d

SHA1
475734a55235be831dfd7e9e87704a928a590a46

SHA256
4d4691cd9353279fd4d5a6376593ce3d1126ba1239a4764bc8eb882467746c27

SHA512
b15ce98d0c0af763c1e63568458a8bcc81e91ef1ff3a24c9bdbaed1f3ddc41dae63d53a694f859a2577e66a564a95bc390de1d369d06d9d51350f8e926cbd068

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
458c0cd8723f3aeaa1446c9159f8e040

SHA1
eb3d1513c5c4e8c5d11dd25170257b73a9b6e188

SHA256
be146f292537a0f57658d5dd6418370c596ded61ad34ccd14ae1a0d476c9b259

SHA512
19cb12e5f2e29725506726bbe33a179a2d7e9e2995a77dceaa6082608dca72d9ec7d3180b487cc2e6b5b437c32401cef8ee74b77bd91e7cc1578d60a4aebbb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
054ba59058560439f37b55d0c495fcc6

SHA1
ba8592851b59f48ab3394f55e3ed34eacd1ff061

SHA256
f36835297bff874f0c27070cbe7556fe05c1a0f146ca9d6e57af25b01403c5db

SHA512
5ccef0085529eba428334fc7755ce3353b572565fed93b3ac5c819405b7e47d9d8b8b2bea3e2f6ebc87d846be76e5478f60b989103c8adef85863b1f92f832ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8e94a3e81e5cbebc92d63c214dbbaab6

SHA1
cc263e27aea100a0fd205f233e1af23d42eb4285

SHA256
06cb4fd304a2839b37d6f7bcb55bcc7f6f91d6404484e00a19a3d8891901523d

SHA512
3c897f0b4a766a832513e9dbf068bb34b6a5a1bb2f41020139725f6436a763515d9bbd161859684375cf46ba89e1a1ace0a55fef24d4dbe387740f4bbdb17394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2130a26828ce2d1ffcb567a4466c4a18

SHA1
cce541c81c2de8de12cf9d3033a08dbe1a7e4cbf

SHA256
53684abad694b679229562cbee4ab628bb036d1252177152b95d7db03ad09203

SHA512
ef8aded8d445edf2f1682c8dac2b6dd865ad3b512740bdbd28253bae4126518f071aaedebc8fe05d33e91b2e46068e68a0b03bb42cc89725abe05f0d3422d640

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e7d610ecfe318f4c4d6f3523b59c3f3

SHA1
4cb4c4b44aa51a768fb70f07c39ad8c10cb8c824

SHA256
81af28e685cf48463f8f30c820b9997bde265036cce4daede3ee84510b72e983

SHA512
68e1fa520c8ad14b4d2712fa3b4aeb189fe956ff5270e5515b673ebb535c98a084b297d0b7785a7928c1b4bf0ae9c7435eeeb32d11b1876286b457c5f3644857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
25acec424d17f32a350122f7aeb0b39b

SHA1
10d5f3ac437de372bb5615f2012c79961e97b856

SHA256
75e3e032922a3bb539b6059db6c68d58371ff74f5f9093f7bab3791872c00241

SHA512
5ad82119fde861090a037c246bbebf008840164d97ec0bfb786122a66014dce64b5ed32c66d3f47bae11964281c6c13869f88948b8cae277dd93b6c65c6e6965

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
05662f83fdda4f185b7ed0a8d4c7cbd0

SHA1
86f7e24ad55da6d9ccea754ddc9fe32c432d631e

SHA256
b9d7f00c4871ef3134edbce1086253bd1798208fcc9ca68c22ffdabbc36e33f9

SHA512
2b9b2e81c6d4d47a1e23301bfa2c0d612fa08f2f508f8ba014a89ac540689efcc06a091771500cec99e46db54b76b4de175d4229572af545dc55f85b21b017bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a8ae9d8a830d7f6b63e3d0ce1e8a75c7

SHA1
ef16c58a18faa4ac8d969a8729d77b346a71c911

SHA256
de59e3ec28052480f5f3c2e191a7e2c26a2cb13431f3df78973fcda0b9c35255

SHA512
780c3dc3559ee0f0163c7d4cda10b8d45a835fccbf9f4badf347ce70de6f3d571d0920660a58233e83772bcaf5cb81c038da43dd1366791527ebdb1dfa984e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d3a97c0681396f008f7d6856e4cf596c

SHA1
ce67ce81cd5ec87b420a8e1dbe1e7ffc2457f11b

SHA256
568f943d2e8a327886f024e3e48dd8ed28fb75bd0659b8bd3cdbed607c528d4e

SHA512
6c1ad2c3c94f799f238cafda555481c35aad8cc4b8a240cdd7c9db0501cb8f4316f068e75e49c3c389f294cd6b90fa4a4c56ffbad8d14b27a8c249070cbef45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1c8799ff73e529be2bc31cf280584e09

SHA1
f1f23454c855d2306a24edc75a6a1c04e4c17926

SHA256
8046d0aa2505d540dfe90a825dee9cbaf27c88767a6b3daab1e1871993f7771b

SHA512
857929f412b6516b3bdd0a6a0d13f39bf4415390d720862299f1d120dfe61e67f582e1db8926d8589bc852c02be59252e2211332aa7ea57532b35d2748538e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
117f3182bfbb089c82a3659355ca18d3

SHA1
c7f7904a24b2dca2e6452774d4cf17fbe39f13d1

SHA256
085f4ea11292c92eed33460f5482d3ffd855c04a58aedc7649d6ac04f7cf92ff

SHA512
cdf9fd6e223c75a33520efa8fa83a8e834c29d2b734993e2eceabb9bc27fb64a81f0e91c2073e44efcbd80ea6489959fba13015ebefde4008a8832ad8252f0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
572c07b4dc40ff15d070b1e2a72307b1

SHA1
31e9beac676ad57015f5f7bb3d5b5eea64d5a6a1

SHA256
25d6a2a69a86ec814e9efa108b2c8be463f9f9266db6edceaffb021087e81917

SHA512
c8a854cd4a43e6604332b11f3316903822e9a5769e0dc8466f31e80e116cdf8ecebdfffa2525674c5a9ae447cde106ad96ec263bd35021367397bbbbbefb6f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
19f308e5cd440e8df64aa13fa4a6d4a4

SHA1
3793378205ed1830b9aa51b1eb3da3d1a62a2d20

SHA256
569a440b11cdf2cc724242386184694d8b9f6175808ceb6f2bd2bce020cfd757

SHA512
1c40577641cd56507b1a47b338ae2794eaaa5d3434ebcece18a8e25b0aee67fb48d3a4d9a6064f53518791c2004f0e1cc699de4d715379dfcbd0d2abc9994519

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
53042a6574acd7c345d8a98d14d857ba

SHA1
c6df653ecc5679801467542ff1084c6218128da0

SHA256
f5e5634ed9e89394608cefd082944ae3ac35a2ad26de1163365573a216ebd4bc

SHA512
9ac6355de724d279b848832acd12ccfaa7fdee285b951ad967659fde6799b783b37344c87e6a760d0ba4ff1832cb21f5b16e61870c43e284d5942f39e0d23baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
370529708b47d18216ac6287e1832a58

SHA1
4ddc11e268451b3502651e1f5a7c7f9bb0241648

SHA256
ca75f59c96a4cd42a7e0c1f42f194732a382f9da7db75b9bbff0d331bafa4319

SHA512
6fc8ecd85d98035773c8cd10380a97e71492d149a1df07079e33f37095497e335a94577f8723314a3e32d46bd814c83d71f1a5d1a4030f5be60376340fffd251

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
318e50b157b135b75b9414ae487c342c

SHA1
70a76881ca7e6337a4f890ce9e3813df304dc943

SHA256
32ce1170b5caefc32a25bea51bb5f4c90ac76199c1aedbeca03267aeb1653791

SHA512
ca507fb668a58aff697c10dbd1cd0fe8de5c1e84d7a062fb5bf38706cb7535587e2471b3051706917e720f9548938481141d14ceb5a514590b72427d1d59c152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
04b42f500f8007e7c2cf03ceb71eb6e9

SHA1
df6e3f4aa4c33dfeb982d103b62b28d84a5d6873

SHA256
8191656e7e90dbfeed947048ab180ffdd754c6f31e186f0b3210aaf85db7b20a

SHA512
7df50f1a493cc671f6184d680079b395363a4a8e225b7fd24f2e8e7e4e78f8f11793c653bb793ef3fbcb80e7428da1821dbf1d803a1ee46e5883d0f2c2ec3256

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\WindowsUpdate\WindowsUpdate.exe

Filesize
2.4MB

MD5
237e4f4bb75b4cab5abf054d61a5f8cb

SHA1
b0d95494681c03870f3dc0bf1b0e5b4c1de8f4f9

SHA256
f6de350a5105b2a50e65307c5b905a8d44828e5c85c1792a23681107c2a1e19e

SHA512
a7f5c7e08786307c7f9b0d59c58820c7fdef9a4769f2eb35d5e9bd0bc2ae780d8a7d3686de0f75f242fef0393b797359591592f2ec28c8569e90041ad6b803d4

Download Submit
memory/1864-33768-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2880-11882-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2880-9054-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2880-9053-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2880-9113-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3508-38847-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3508-38099-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3700-13721-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3700-12736-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/3700-9124-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/4852-23718-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/4852-28765-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/4852-28184-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/4924-43902-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5028-43-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-9004-0x0000000002BA0000-0x0000000002D40000-memory.dmp

Filesize
1.6MB

Download
memory/5028-9007-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/5028-9-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-57-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-9005-0x0000000077DA4000-0x0000000077DA5000-memory.dmp

Filesize
4KB

Download
memory/5028-9002-0x00000000030A0000-0x000000000315F000-memory.dmp

Filesize
764KB

Download
memory/5028-9003-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-9001-0x0000000002450000-0x0000000002469000-memory.dmp

Filesize
100KB

Download
memory/5028-2788-0x00000000029F0000-0x0000000002B93000-memory.dmp

Filesize
1.6MB

Download
memory/5028-2757-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5028-1-0x0000000077360000-0x0000000077575000-memory.dmp

Filesize
2.1MB

Download
memory/5028-13-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-2-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-23-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-3-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-7-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-11-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-15-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-17-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-19-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-21-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-35-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-9126-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5028-5-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-9070-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/5028-9006-0x00000000028D0000-0x000000000294A000-memory.dmp

Filesize
488KB

Download
memory/5028-0-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5028-25-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-27-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-29-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-31-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-33-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-37-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-39-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-41-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-45-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-47-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-49-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-51-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-63-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-53-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-55-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-61-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5028-59-0x0000000002DC0000-0x0000000002FD5000-memory.dmp

Filesize
2.1MB

Download
memory/5476-23193-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5476-23726-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5504-48963-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5504-48687-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5504-43901-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5580-18658-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/5580-18456-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads