cybergate | b79e761ce51143bfe9779c5073aeda83732d1b47239deaa2203401332b1b97e5

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-02-2025 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Size

383KB
MD5

2191aa25ba21d2df923c08e98a8b93c8
SHA1

a1c4ec863b681d5ad2cb8ce8a2890048c685bcef
SHA256

b79e761ce51143bfe9779c5073aeda83732d1b47239deaa2203401332b1b97e5
SHA512

691d565f8f651639e29bbefa525f1fdd706bc1a1149e511c2ab3889293f8ee8ea6df9394141dbd8a521eb81ff876458387f5eb4ef10091425717b600973e3e35
SSDEEP

6144:q1EQTgUL6EoiCXrSB+uffAAg+NuSSuzIt8l7E17fgets8WxpqZTHtHkGOWvSBA8l:CFTgfiCXrSB+uffAAgYNSHmEQ/q9tbO3

Score

10^/10

cybergate mp3 defense_evasion discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

mp3

casy2000.sytes.net:10637

Mutex

FGO0H0F68R47Y6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
vics
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{X417JS03-14H0-8U0G-FA3O-24438BBIFRM2}	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{X417JS03-14H0-8U0G-FA3O-24438BBIFRM2}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe

Executes dropped EXE 3 IoCs

pid	Process
1780	server.exe
2996	Katie.exe
1760	server.exe

Loads dropped DLL 5 IoCs

pid	Process
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
1780	server.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d-x10bc = "C:\\Users\\Admin\\AppData\\Roaming\\dx10bac\\d-xdiag10bc.exe"	Katie.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Katie.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 1780 set thread context of 1760	1780	server.exe	34

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-8-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2460-6-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2460-4-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2460-12-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2460-14-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2460-13-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2460-18-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/3000-556-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/3000-608-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
624	net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe
2996	Katie.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3000	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
Token: SeBackupPrivilege	3000	explorer.exe
Token: SeRestorePrivilege	3000	explorer.exe
Token: SeDebugPrivilege	3000	explorer.exe
Token: SeDebugPrivilege	3000	explorer.exe
Token: SeDebugPrivilege	1780	server.exe
Token: SeDebugPrivilege	2996	Katie.exe
Token: SeIncreaseQuotaPrivilege	2996	Katie.exe
Token: SeSecurityPrivilege	2996	Katie.exe
Token: SeTakeOwnershipPrivilege	2996	Katie.exe
Token: SeLoadDriverPrivilege	2996	Katie.exe
Token: SeSystemProfilePrivilege	2996	Katie.exe
Token: SeSystemtimePrivilege	2996	Katie.exe
Token: SeProfSingleProcessPrivilege	2996	Katie.exe
Token: SeIncBasePriorityPrivilege	2996	Katie.exe
Token: SeCreatePagefilePrivilege	2996	Katie.exe
Token: SeBackupPrivilege	2996	Katie.exe
Token: SeRestorePrivilege	2996	Katie.exe
Token: SeShutdownPrivilege	2996	Katie.exe
Token: SeDebugPrivilege	2996	Katie.exe
Token: SeSystemEnvironmentPrivilege	2996	Katie.exe
Token: SeRemoteShutdownPrivilege	2996	Katie.exe
Token: SeUndockPrivilege	2996	Katie.exe
Token: SeManageVolumePrivilege	2996	Katie.exe
Token: 33	2996	Katie.exe
Token: 34	2996	Katie.exe
Token: 35	2996	Katie.exe
Token: SeIncreaseQuotaPrivilege	2996	Katie.exe
Token: SeSecurityPrivilege	2996	Katie.exe
Token: SeTakeOwnershipPrivilege	2996	Katie.exe
Token: SeLoadDriverPrivilege	2996	Katie.exe
Token: SeSystemProfilePrivilege	2996	Katie.exe
Token: SeSystemtimePrivilege	2996	Katie.exe
Token: SeProfSingleProcessPrivilege	2996	Katie.exe
Token: SeIncBasePriorityPrivilege	2996	Katie.exe
Token: SeCreatePagefilePrivilege	2996	Katie.exe
Token: SeBackupPrivilege	2996	Katie.exe
Token: SeRestorePrivilege	2996	Katie.exe
Token: SeShutdownPrivilege	2996	Katie.exe
Token: SeDebugPrivilege	2996	Katie.exe
Token: SeSystemEnvironmentPrivilege	2996	Katie.exe
Token: SeRemoteShutdownPrivilege	2996	Katie.exe
Token: SeUndockPrivilege	2996	Katie.exe
Token: SeManageVolumePrivilege	2996	Katie.exe
Token: 33	2996	Katie.exe
Token: 34	2996	Katie.exe
Token: 35	2996	Katie.exe
Token: SeIncreaseQuotaPrivilege	2996	Katie.exe
Token: SeSecurityPrivilege	2996	Katie.exe
Token: SeTakeOwnershipPrivilege	2996	Katie.exe
Token: SeLoadDriverPrivilege	2996	Katie.exe
Token: SeSystemProfilePrivilege	2996	Katie.exe
Token: SeSystemtimePrivilege	2996	Katie.exe
Token: SeProfSingleProcessPrivilege	2996	Katie.exe
Token: SeIncBasePriorityPrivilege	2996	Katie.exe
Token: SeCreatePagefilePrivilege	2996	Katie.exe
Token: SeBackupPrivilege	2996	Katie.exe
Token: SeRestorePrivilege	2996	Katie.exe
Token: SeShutdownPrivilege	2996	Katie.exe
Token: SeDebugPrivilege	2996	Katie.exe
Token: SeSystemEnvironmentPrivilege	2996	Katie.exe
Token: SeRemoteShutdownPrivilege	2996	Katie.exe
Token: SeUndockPrivilege	2996	Katie.exe
Token: SeManageVolumePrivilege	2996	Katie.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2484 wrote to memory of 2460	2484	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	30
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21
PID 2460 wrote to memory of 1200	2460	JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2191aa25ba21d2df923c08e98a8b93c8.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3000
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
      - C:\Windows\SysWOW64\install\server.exe
        
        6⤵
        Executes dropped EXE
        
        PID:1760
    - - C:\Users\Admin\AppData\Local\Temp\Katie.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Katie.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\nt.bat" "
        6⤵
        
        PID:712
        
        C:\Windows\system32\net.exe
        
        net view
        7⤵
        Discovers systems in the same network
        
        PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
438KB

MD5
a502ec88e6b635d7ae93332ed398459d

SHA1
81d5003ec2ef5ed3181b553f0fe161569e4f60d4

SHA256
e75091acf2ff9585be596b494c875df1269a599ccbb5479396009190a7000475

SHA512
54b2dd2a80d867d6537164cc68b1c729f8b23910c409dfa5991aff17d92485af2ef11bc2ff65736c8e5a5266d0fb5a42f4767ed1a4d57ce0995185697c1d1a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
586c8c984a032b1d69f1394187c65d96

SHA1
93e1a25beae69c208855ce40f0ea50f11db2d0ba

SHA256
d1b669f94e7c92172ef986c75966b6b6d98448e0d7cef06ba9ef9e113e63c2ae

SHA512
5e8ba49c4aee927764fe23c548d5ccc060543b611a0fbc6ff29e3afd2865bdfd1fae1ff78eb2b467f448c79ce0c1684ab0fe04092397768229bb2c5a9a5a7ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3ba0ae7603e87a0eada73ad2f42e4def

SHA1
38a90fd65c3ad636db8b9ef3eb0d394f5f211f1c

SHA256
33e20c127b53ac975c50bf4274b1dd8ed689ca3ae74d9d94d2729a04cc0f06dd

SHA512
7cafd19bdff13807ef6487a6671ba02d70a75a135c7114842ba233f94795ae8fe636061c0c374ecd32dc03404e7e9e2069549a69c88006af38a0b33e7bd7f9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dbaf5ca0c412339bc1e99a061fd69925

SHA1
4b31e0d050df841a3fe0473483e96d03fd00d218

SHA256
694acc99ec1f009bc0194f1a676cb7807110b8324624f0af6dcb10a51694aed2

SHA512
6e430ce39568ed52016602f0cd7f79718742bb68e3044dd4c91b8eff947f09d6da0022123de9a0b27f2e263e121453ab6c43c85efc39d31b1c48c72970c18afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
317f588a5bbf28adbde0db9b27dda028

SHA1
c37a5970176ddd25788219b67079695d3d51ba25

SHA256
b10d7a46594a978e7c9d4663c52cf2f0106e02d342da8fbbbb312499f2ce4ad3

SHA512
3adb97bc825276c4b23ca240dede820372525ba76e1ab9cff68cf7d5b78e0501d746bcc8537d50e4d0e4aeba9e3403af882e99a064daefa8b8b9cd315163d744

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4f0b8c02da85cda4864d4f739fe62920

SHA1
9f29a4009fa657dd060e571fa3e315e5b9a3f70c

SHA256
69fe5f867d07c841d346563d9cd887b5cfdbecb0bde31e16796d345efc6811c8

SHA512
15e91c643b8019c25f4cbddbbb9915e0545637511795185f28ec333061246aff1b1cb82f73af2f3f98be33fe212483f2c57e9ca5c6e129645b1811b981e88537

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
452cfc3e6fbb0937b74fd59ee258ddee

SHA1
4fc73a98a7677f307e9143e611bc495a8e73f008

SHA256
1a4c294661ee9366b9dde8585bd84166f8fa967bff22eb72b1b3230882df9b06

SHA512
d4d739443530d43381f1e36b7ea11a8e7eaf80b4437bd12107ea20a9be87c4892afbb982aedd04b33a06425940af532f0c09607fadda551f61b926376880846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e9e5782214bd7fc244ff91af26f61e6e

SHA1
1f0525bad2419b6234c05a72c97c48597884ea25

SHA256
6575b8a087ef7b0dbddb60e5d58b04c00fc850458c6c8a36bb3a947c26484c57

SHA512
8e5295ca5f8219792713a2cd8336caa855f7c2a96f60eb1e74e02779b98ab5cf2f88705ad5e14f6f9f651bb69f44015ecbe20536b8673083a2bc4c0ca68267c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d216fe1408896e19f54bb212efedfa83

SHA1
f6a8a11823e66c9cad55e65811a7d4aa5ff8b6a5

SHA256
49c8e41d954f561996a1dbfff43e7db827a47a867b04ef30c720ce2f1cec1eb0

SHA512
dbe020514ab0c4f5a2a95feb364ceed889e2a79ff62fd9dfa30361e9ff9369adb95ab3daf9b92051b02aaf6a34d49bb2db1d81bd14ded90a2f82c5d1bcc04fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aab4c08cb9e42f0f65b3856931acb6b2

SHA1
ff46b50f012dcdac6519c53f9bf8ec6e192a1972

SHA256
5abb303f203c5af008877d8ed72706d6ab5d052214931491d0fdace743a9b956

SHA512
3c0899792a8ff2d50a25e048662e0ddc83890c192e2b17f310a1fdf1176412d55a0fd70ba79c590d76b16e3737f7fed2dd3c17a50120cab7ab1a9e682c609f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6e078825c42243c30321be287b14069a

SHA1
93eb6c4826197cef143ae4ca5f6f10a5b29d1ec1

SHA256
865fd6161c892f06ac88ffd24e391685622c7abda0515cded7bfa330f37fde27

SHA512
1b4cf5d273928a3fd0d736c422a67eee8181a7e07a4cd90cda096e548c9eb9208b9653c90081753615e0c31837782b48fa9b9d7c555464ede619e804eafad31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aef2603dbce6d6ea1f6e86c644214e4d

SHA1
e2381343d105da78a2b7c612253df7d0f4d71163

SHA256
4d483598616fe08290a1985476925955e819f04a4bc557704142e6fa8ba15a84

SHA512
cb12691aebd26482f6e6d7ad5a168843da1aac6c638564f1c13b506dff457dc3691378606e481b474eb27706186b29cef1295c12ebfcec8ee39eab1f10e42203

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3ad8d321b20d82907e009ecce653dcd4

SHA1
73367a5524fe9fa1a38b9ff905c3fe648a4cfa67

SHA256
db79ee5bf46f4ca3244c5f320aca730c1763756492e9d37d601b8e18c9f0c7a6

SHA512
3e4756a8a47095b7c5eda54424ab447edf7d10dc68a4f11fa2d8d09a8b4f654fabd729da3528623cdce4295b5ea1ea5112a19a85b3758b47c3c42f37cb51f12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4d9d58478e10f03f6e30358ec779dd1

SHA1
01ca561ae83c6492e65349a01bd7b4e4b69973df

SHA256
2d77701484589549ad5d83d41531d34f8817c88dc30593bcd87a7dc479ead69d

SHA512
13ff42dd2e3447cb0037266b98c893cc69eded1219cdec194532b7498762c532787c8b5f82cf829844e30b4058915791a0933583a6356b11dfe5b765c6e5983e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
59d8fe8eb307bf2984d2be6da3a1787a

SHA1
964ad02c361fe4d16cf619cee6b9d09cfc3f541b

SHA256
7577cc27207f9c0af19bfe3d7f5f74d3c14259c66c03d590219b8d509f073d71

SHA512
e16be098a96844a1d73fac740335b68cf08c89c161e0be9077f9eb14d2f09fa96d981969a002026dc46560625b915febd7479810ab2d29ee398d75d17a4bbde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5c5798dbf910a44d1fd2dc7cf47a8a53

SHA1
45999be34156b002da3ae24449ccdff5f1aeb769

SHA256
3f6f9f9bdb59474f7fa58e70bbf14084d79f73eb1f9279d67563382ce83a978f

SHA512
1c1e9c5ff00d35a049bfe5cb956bc4842ae0862a0f66be6acde06dcc9ca4599cff5f1bd8c1aad9046c4e9061aa0dc8ac94e611b80d9b324093faca4a5a57fd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7f9f58689b20c2589d0f65c61b1fd2b7

SHA1
4f7192be21c3885a450f6c5d6acc33461baf7fe9

SHA256
1d57437bad1796c85bdd92f7b38bb18d8311917b205d7f40d03a8cb34658a7cc

SHA512
513d1c1b9f142e07d3515d95a2f39c01f92408cab9a45be089a87bfd674c43868e425e6e972f53a91430442972b62f4cf1477df459cabd848a8ef63d3fdfc942

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8710f9ffeaeba34fe616f1d7b78ae4b3

SHA1
38d821a71939e22d71b725d891ffe2303cf6168f

SHA256
a4f498a1bf48c5fcf6be6f20c34bead7469a1e42d94f5a2af9ad9280e996364b

SHA512
c30642091f26576c6990b2dae5cebbe2f14694fd9b6f5687801c703ac6ffcda4ddc208ed38a1b08af743e0bc440e55fb7e8302c88e833de265b8a74d71a69444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f517db51783a2eb36e830e60fb283e10

SHA1
0239800d315879386d858ee43f581ddc192fecd8

SHA256
10ac1ea19dcdeb466f08a8fe133cf816ee6389ed2fbb098f3e3bdd35c171be3b

SHA512
29f30d0b5b1dee22fc5e6ea3656794592ab5ec464bcf7a9157c8664b3d53967b0a6a729f33a1e35a23d19b009bd0b60e15e6b7f637c0608a65db012bcdfcface

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5bbc7d3ef81f609148802a369b2836a4

SHA1
5a691e114458e135120ea9eb9113c70e7b016a9c

SHA256
5dfe42d1e9f666d9f93ed51d62e6d713c6eceda2fe21e79fffaf6048c0d8c420

SHA512
47538e7d826420de33704af441cb54cc7e8f5160a6ff614ff8f0d194cc7e7e802c63a6a6ebc0fa34ed35ba866bc4fda63b7e3825c169542b02526bb4aa132e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4dee9d9f83a26a175ee4bfdbed2901f7

SHA1
4de3300d608bc7f0ce6512a3e740caa68240c358

SHA256
2498908864bb652222df2425eaac53a25fb415379cf78368499d1861025a2af1

SHA512
cdb35633f8a0834070ce6cee50b6dc0ff025768d90fa73087295b41ab8118c0098dd6b30ca574bf285308340d23c267298c979df879bd01db23e84a2dbba83c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cc7d7db364fbc840592070b1ecb75fb8

SHA1
54a65837b2f87960269dd2bafae4d9b85a57bb8e

SHA256
24cad0b90e6c53ace4279965d23bfc672374df3b7ce27e4a3f3e84bce01fbcdd

SHA512
d79ca9420f2322e49785e5f7fb4f2b36690b5a6071fee998df4ff528000aa3f8aa7f093e3583b12e43792e9bc7d103de1f34b1d5673bdf0c1568a9779838c091

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6e0281a39ef664d24b600b75b21accdd

SHA1
4529b8cd07fd25bc12cd8f45d421906cd399663b

SHA256
3e5bbbce43cbd53ec79eaa830b9f166032a93c3067a8a622e90a0375c5e8eaa6

SHA512
b7b460293cc1ca5859fac0be08c36af6dc60cfc1e11c3781ce4a91c64c7a09218fdc5f3efd2146c2769cc90117e40ec52e6a7c9cba1ce472b069774738a13f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
543a8b86b57c2615092bf4d64fc88249

SHA1
ce8d179bb3d6a764ca593e7ba248de3e4639c80c

SHA256
30a9aa1d0c045fdbbf4ae6e2df4fb25a48b9f9e3375c7fcd0cf6a23d38e584ee

SHA512
4eb4414afd34a772fe9ac11237b568891c523c85cf351bf16235cce83e62d09fe98f701c229268d51ff5a1c56033e00fefb3eeb8cdb78dedbbb6ddf8a1af7c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c97463f31b9954b60cbc265178463d7c

SHA1
4b1ae822e8a1f36adbf8ece2f4ba9a9ca5425335

SHA256
c071d3758ba2e9966f05219a9a49bfdef3ee90e1581cf570877e05234b30e6ae

SHA512
2da9eccca4e246cd093227d1abadb79674a03f077c5b8d165eed2128315581213cd8c0f005f261fcba3348a2b3785ecc8aaeb3a3b53e1338e06c5469faf07e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fd828ef1758615998b7b736608a2b5ae

SHA1
85f485b9533168a2faa46262d76edfb7c7cf5058

SHA256
d57be8f2446de9920a207e7e696ca51725f7c0432411691ff4c544c22725f0f8

SHA512
8c0471dae1e1fe2bab21e33f3e5872397c526852b7613fb1ecd5bfb366bd291151d1791a3b65a8571539d84f84e3ec96762b5019790f300ac92fdd5b78e10058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
accfe52d9af48f1ffe2b1e4b0f2eaff7

SHA1
82d76c8e4d5b951329f971a48fa44041a81f6548

SHA256
8054f53b447477ad07562b93aa80f7453c82231e46014f620e88e9381798f181

SHA512
2ab1ceb6865734cd82b34ca1c97b6c6286e2a670b8e3c2fe706424fd4cc8fb162c8ed605dfce137c312c7a402215b158fdff6868a505d49f157c4ff09fc0cd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
89928f21f42ebe163b85a209e2bc7d7a

SHA1
78177c1c4342699b6403627841e054738fba7323

SHA256
fc01f7cf7a5bb49321d5f280141103055595e974e0cba2a5dc9a488c8b125b4c

SHA512
93f6b580c1ae6423f684ad75b94b385b1de0c7b56768b48d37718ffedad47432abcf789614dbdc3bb9d9dfb26696a18822b6879f2cd30047663ac957c7e32fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
181ac4ab1d53c5e2943ea33667a20e7a

SHA1
bf372c98112022e7f34cef081aeb7115bf7d56f3

SHA256
b3ae582e6dab91d9f4629e463ec800a114e39de1141c49f89985f3e4f556f3ff

SHA512
4fdb9d3ddaef74d6cae036b895a7c3b225673776883edd8144d103429a19f9629c3ede85ac997bba3f4722f42c95f78855c1fad0b0470013c4901033891efb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3fabccb417fefe5889cd84a1d84930a7

SHA1
25f0f39f96b36965ea39e74b422f94d2428c089f

SHA256
24b0e78295872fd136052cf900b4cdf50adcd72920ce2c522cb3cc90c987010f

SHA512
61db5bee2268f8dac06baf25115de4dc0ff1f091070b500634defac81d5fabaf56958f677b78139d5cd1e2ade09b82a590d1841fa1a56a40ca5e86e28a30eefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e9092158f9709a3b130a2d2f7999bc06

SHA1
3830fab39a754b2bc891f86dc285ee512044433d

SHA256
2f7410c20959e0699a1229feb0bd0f338d8114656d77b65d00d85030ed0ee39d

SHA512
9b9c701d7897460f892d87cb22395d21851b5b33cfa829e9c533ee33914a117d19172baee78fc43b9ab18e92c61a633de0047d8634753a363218b520971e90b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a5be125e3e94a4c00d8f6f0ec953918b

SHA1
2c4c9a111547b1c2f988d0c210bb549ffc286416

SHA256
bc2d1ed57b515cab019acb2a3a6733e66282d419827d3b0d601e079c298dc9cb

SHA512
8f5f80d4637262c5de5a543f58c524dc0649d62c29cf5ae54618bf944b53015c3a8ba81d5c950135fb90b7c0dafdfbb6f44a8bfc488a153f4997e5c858b8c290

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aa756937e53cfd37341f8327f4da87d7

SHA1
f1d3faf06082575cce61200d0afd4b4f90d2815a

SHA256
67c35a16fd6cfe199ec0873da8de9d49c42240319e2a42063846968e71ec6140

SHA512
9a563f8ccc91f1416b4b85dad749df861df145b8be5a20bcee9646ef6de9693db89c3c269f0a8c235e2d20d837c880b28d30127a44ab9ae968f6eda4aeb3dd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4665016acd806aa549a75efedbfbef9

SHA1
7cc2e432687fb74f59d7ab6fb0e4a0c4d2b7517f

SHA256
b1a17f614073c305a36c4c87cec7090b2d3f43b50aa717a8fae866602ddebc97

SHA512
dfa95deb4f835788bd16711e054aaede1b9d16825bd61456e0a5115c68637f3931b072080eae8e5963d18d70ae4b9e32b323f76e5485f28fdad2c6967a6ad93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1545b481d031f8a496b4f32e3380d23d

SHA1
111272481b8ab65616598fc10ab6f99da2ea1622

SHA256
41c1e2f6a8847ac7e414a8200df9a42e8c0a13332ea8946ddc892cb26a3a1c91

SHA512
2ac6ff9a035874d2c5d6441c199056d852d02fb4d64399c91952ce9b0c9b465d8ba9604fd04520e3d320f4b4d4f8e6e52e68d0e96a1ea0a172ade3840d1c91da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9c46b1f4c36c713963ebf481b368f5e5

SHA1
1d770a64f750c593c60f71d8e88357b892638c17

SHA256
1ddea705fe77c63864bb71856094e9ea5240bbe1b02576f37bf0aa6ca98b7fed

SHA512
2401f8dccd9e2717393d2ef0107374909daa902757de8661d8e9e473da9576a6300568a8b5728834a84ca240479ca6f452e0adcacec54d28c0789b446609ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
80c2677da3b6a2c6a711792b2f63dc54

SHA1
f009f90ec0488f4f78f2654e5d163524249b8a12

SHA256
b67e561e35e96f27560da0e9f61758f8378eddad17354bcd6e177212c729a68a

SHA512
3c07a39b12576db7207f8c8247a2084241274b20b745ae79dcefccafacbddc82649c82cb9644d365ca5a6d2feec455e97b18460076f348fef693984f2ff9290b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3a3f736a53656dd7a0f9392ded6402d3

SHA1
2b7e75fd2c679829395989afc1e3ca5fa5fcaf2f

SHA256
6817ce4327fa512601ad0ffebb8fd9f516f5e700f749a2f5d63211808587c7ac

SHA512
6d12253a75e6e9d3550b396dfc378c4c3ac8658ac94af970cc8e63ffd14d58275665b80bd0bdc7a09e615ed3d517b96337c684f01cee517f86b860a4ea07dd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
079632f6625e60e6c38d9533fe0ffa8b

SHA1
e8023b199dd5fb1a55bff81254f02f08620720e8

SHA256
cb323f353e6ea27dd2f6bab9bc62a3833288d43ea08b62ed5fcaac319bed38de

SHA512
1a9a1d81f6459add3bbc603894c4c7da71cacbd368260722bf4f24dbd2e60d626ff82e4c607c793122fa8080dd0205ff781f00567ee45c63cf63754619f67303

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
21b15667eee6cffdd48e6c15883a02d5

SHA1
01b67b32fe7c1b0161aa8eadbc1794cf25547bdf

SHA256
f17e63d7bc771fccdda60e1cd33509a93b05ef3b664b7bf144623a58d2500fc3

SHA512
b1eba2b0021a7bf68c5e599ecff925e4c7c1a954a509ec14059c85d34f78b5d8a25a5fa33e08d71f0385e59d48de37363d99ae83695dbc72614fee835cc9e9b3

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\nt.bat

Filesize
614B

MD5
cb02b37d41817c85d15beaad347e9cdc

SHA1
0cf2be6c5cf748f6e360add0f00171f17f1dae7e

SHA256
e558067c36d61a2440225ac6acb734bf16fe525b000923e364ac67890d3e224f

SHA512
84762a916ee24d99cbefddfd76ea94de3f90a411d97eaf676b56ff8eec19ac11ca39dfdb9a1407454e55ac516be255b3f164307c9810cc22dcb24773f88c4f5b

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
383KB

MD5
2191aa25ba21d2df923c08e98a8b93c8

SHA1
a1c4ec863b681d5ad2cb8ce8a2890048c685bcef

SHA256
b79e761ce51143bfe9779c5073aeda83732d1b47239deaa2203401332b1b97e5

SHA512
691d565f8f651639e29bbefa525f1fdd706bc1a1149e511c2ab3889293f8ee8ea6df9394141dbd8a521eb81ff876458387f5eb4ef10091425717b600973e3e35

Download Submit
\Users\Admin\AppData\Local\Temp\Katie.exe

Filesize
213KB

MD5
732319bf183fc9f958712a5b1b035f88

SHA1
a0d33229f43804276d51b5e3a8997bd075a0c645

SHA256
048eae60eee4d05caa49e50add4ec1e732d67c07da7b138bc891303c649921ce

SHA512
5dfc69b6171259e0e37757087a0b4363be920514f7f11edcde7f49357e253212d6727114088043e77a62e3660e3c15de9c91c7c59d5760ddd6393c92ccd8658c

Download Submit
memory/1200-19-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2460-12-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2460-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2460-18-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2460-3-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2460-14-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2460-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2460-6-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2460-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2460-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2484-1-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-2-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-15-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-0-0x0000000074271000-0x0000000074272000-memory.dmp

Filesize
4KB

Download
memory/3000-608-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3000-264-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3000-266-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3000-556-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download