cybergate | 8c7a2c8bca19717a11b3c63dfeb76d502c2659eaebecdd03dd64f7d8e300a9b7

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2025, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Size

480KB
MD5

74e581bf0271af158ec7092e58e1fb3b
SHA1

b99375f2ee37c2b361f8b1ab83a97553620e42b7
SHA256

8c7a2c8bca19717a11b3c63dfeb76d502c2659eaebecdd03dd64f7d8e300a9b7
SHA512

2b96e09ce9ccfc1ce75a178380144829631b71acf88c5e033e02b849e8e64876f7dfc16fb3413dba19634064e1abdc03cb5f41e8863d27aee081eb8a8c5eb71c
SSDEEP

12288:GyPm5yUjlzdG+g05KUjeQmVkE9QQPavpM:GyPm55lz4tbCeQmVn9Q6i

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

onlycryy.no-ip.biz:82

Mutex

QGMUWY63DK5LGW

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winlog
install_file
Winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
System Error, please restart your system and try it again
message_box_title
Error
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DNE578IT-6B6O-8M4P-3T2C-OFN88NH233T8}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DNE578IT-6B6O-8M4P-3T2C-OFN88NH233T8}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DNE578IT-6B6O-8M4P-3T2C-OFN88NH233T8}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DNE578IT-6B6O-8M4P-3T2C-OFN88NH233T8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DNE578IT-6B6O-8M4P-3T2C-OFN88NH233T8}	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DNE578IT-6B6O-8M4P-3T2C-OFN88NH233T8}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe Restart"	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
2672	Winlogon.exe
5716	Winlogon.exe
1804	Winlogon.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/6016-0-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/6016-4-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/6016-22-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/6016-66-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3816-70-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3816-69-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/files/0x0008000000024246-72.dat	upx
behavioral2/memory/4680-141-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/6016-140-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/4680-179-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/4680-180-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/3816-182-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2672-253-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/1804-271-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/5716-272-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1964	4680	WerFault.exe	88
6040	1804	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Winlogon.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
2672	Winlogon.exe
2672	Winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5716	Winlogon.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	3816	explorer.exe
Token: SeRestorePrivilege	3816	explorer.exe
Token: SeBackupPrivilege	4680	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Token: SeRestorePrivilege	4680	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Token: SeDebugPrivilege	4680	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Token: SeDebugPrivilege	4680	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
Token: SeBackupPrivilege	5716	Winlogon.exe
Token: SeRestorePrivilege	5716	Winlogon.exe
Token: SeDebugPrivilege	5716	Winlogon.exe
Token: SeDebugPrivilege	5716	Winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56
PID 6016 wrote to memory of 3468	6016	JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:6016
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3816
  - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
      "C:\Windows\system32\Winlog\Winlogon.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2672
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\SysWOW64\Winlog\Winlogon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
      - C:\Users\Admin\AppData\Roaming\Winlog\Winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Winlog\Winlogon.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 580
        7⤵
        Program crash
        
        PID:6040
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4648
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_74e581bf0271af158ec7092e58e1fb3b.exe"
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 156
      4⤵
      Program crash
      PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4680 -ip 4680
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1804 -ip 1804
1⤵
PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
b1504a87a425566117f796e0fa03f0a4

SHA1
f7b869958d3d232203ac42f64b1cccd654011f1f

SHA256
5403ef46bcad53584065b36787f106d8d0830a3cb0b3ef5033a2c9964aefb5b3

SHA512
69577f6e805fbe7c67967aad99a5fe63fa13bd69176778c405d9d4c0cafc103a9eba7e3caa9e6fbfb4888efe4f3f1880b6497d979288bf3985496d2295941193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
8e13c4b6f8d94fee696a099744d9812a

SHA1
b984c6f372bc56ae6c3d85f207c888c768180b56

SHA256
07164a836c31c632258ab966e202d5fb0f3f681903f51802e248bb6a939d45e7

SHA512
ec39e500b98f6c3d753f8b321a13589eb2e7e0e2074a565b23871535498879a3ce0f3872f6e8948ef854e83b00551482f649437e1d117d1877707db64dfa2548

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
87269755b9b3a046485fdae8d96b252c

SHA1
2e9cc0015d85f671336333495faa15437c7ac2ab

SHA256
13d2839e2a085d7afd43c1784bd0fd06eb5e7241ff994fe5c72ae51f17fb5546

SHA512
c1458c1155fb516986ad96b9c18bdef7eafdb5fe01203a04e521022859e7703f51c893de0ea6a84fdf687959f61f44afe586915c74713f0f59be718520510e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6e8ac13107fa1726294b1a3002b36821

SHA1
9fa4b741501d6d8dc4a8d1f37e202d3294a4681c

SHA256
d99ac69c3dc266b1e78b93a5e616d5217e2f4a8349cf696eed5da88808522187

SHA512
a64342d710f9ed366d502f0dd05816e7486f14e5c17129c102d25e4cdfcf65f25afa20dda19705391074738d830311f59ec5251168d0ee88cf5631cdacc0b2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
53b3e3f0b874c5f9e52d35b4bdc91cf5

SHA1
9a58cd18136f81b05ba4af48d7ed9871062181e1

SHA256
1586357210d53159cb86bae397104cb04a10debd5b675ba78ec1f7beff10f8da

SHA512
b58876f17a63c7f76df76cbfdc24079cf66e5c4a071bafba9921081bcefd2605672eabe396653556185cc58b84fa13fe273d4054d012a22ee143c0aad0800d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4e785a41044629759a8643e694f8d03

SHA1
73b0a57f37dcb02d7d03f60b3fcebd9318df0955

SHA256
4b5889e47bb38d24980474f3993677ac5d9b1e822432dd12e83f31140c11bcc7

SHA512
c8c403f04fa25f622dc4133a0769a5e18f3e827a08a9c5eb10f9575ddf365ef1e4b6517c85feea0ee46aeb567100620050d601834fb4ab68fdf62cb90beb0391

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
eaf77267001d459c1002fd67a6a08592

SHA1
c2c3740f7e3d0d6a52f3f6875ac5b180e6a52c81

SHA256
a1bd13041db424cc82836351ed28b07b64baf4dd6a4c374a42e7e22155a6f558

SHA512
83aa0dfad18b79d68a37c20556de57100995bc1ed5be36c44fe9d6f4c8a85b6cb6457b071b80f6add1ba5d053d68c65e8b5f4b1e00f89c5ed92d870fcefb2cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7665c73834365f8833e1bbb453518773

SHA1
8aaf45af530f0b0686b5dc1cea3245f5964d8450

SHA256
465e93f42356e3d47c7ad50b2aa8be0746ee0e2b8b7f07603eade89816d1e7a5

SHA512
536da107ec4e77c0a18ac1e93fa475cf9e0a8e8685d8224f3311e30fdfd0e8fcdd4f6e0b7c72cd3cd9889b1887f0a651aa53bd108012b82ae88f7897c9f40be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ec7b0de10e7a66919404356566d9ea11

SHA1
b17841c8045273c6d7a494a339c60b05d063279c

SHA256
40417d46717a47675c7104e65f5d91fb1bb4bb8d439a9d9f7d26c4b7f7bf4672

SHA512
f6dfa25babaca58365915b2d78c6c30d69d1c36d180e4bcf1e5806389a4b968865b12462922516922c5fa0678f325103537100efb80c73a64a32756f8f4fe352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2eca7857883803cf6773ccff1feecc00

SHA1
402f2a640bdddc5fe162c494f5c6c28b9f2a4a0d

SHA256
af67b485fd35bb6376f744870c56c85598d4eaccba4a76979c02865563fb49ed

SHA512
563723bf4b2a062a35d6950d080692aee9df4e81c99fdc632d7c1f8076b12c46e611dc321fdcc7a05b6288e44e61c261dc47c272dff331c059d7087baf307643

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2b8cf79037ee957b0b84d395108f5b26

SHA1
a3ef5f12fae26f51d67641205e3a652d0727b8f0

SHA256
b0fa618c62c231f69a2db0902b60175c42fb1ba8966fb895b00380cd0b3a811b

SHA512
234da37809c86d670936df796588244cbbd336e89b7a5ee87354970fa257c87941801bb97a29e869f0fdb894f7dbb26f3f3a81f5c56e17f0187b38a51a71b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
45f4b9079fbb2ce09cb5c79ff4b30cba

SHA1
90320dcaa0fa2b68d9fa6c04ca0dcc75dba5291a

SHA256
f0fa24192fa488343ed70e2164234ee145f5d56e186b2c66a6e90158da411bb1

SHA512
1c6226d1759c339851bff99e00af08def32dd7e8aac2889dd425f4042cb1abdafca9ca2efc39564f2ed95e32e9289998f087d760efdac404bd4f2fbdb81af41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b7c94ee3aa526b01d4c0682cc2860fde

SHA1
1771a214a8626526eceee2a0a12312d85d1becfc

SHA256
8ddab02f304f7ee7fb9ffc71e807b49098faf107263c8ecc40e1bd71e15193b3

SHA512
629bf819fd6eb1a1377dac6afe304e1f591bdd6cd319138d0d1993b622793bff9211f974cfdcea90667161fd6c0f1784749c2980f5aeb8f2fdd7be8aaef9c606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5523ef64fa46d524c19e9705344388dc

SHA1
1514aa209618c57d4ebbc7d8a6180b69af8068fc

SHA256
5b6d14b16c8f6f178521151f9d11668b15a14791c755c1193071535b279d975c

SHA512
61888ef78bd053b2e41b1ca54780171239b576662e1358dd45ca3e5962ea05043d5bfa649c8be015925070ada76ca78d21c8653dc0b81c2655898b32231b209c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1cd16b66fa584ef71399145914d0eb35

SHA1
648ead60a6506d05fb3d0822c085598311126c18

SHA256
032cf7d836f0a860a8f53efc9538e0a9a7fa4c8abd305ca89434ed9cdd03516a

SHA512
278eb98cca9a34a35e95afaff83225a923cbdadab269449a38c33f489e47881109e8bab878a33b37130b86d33cf5cdf0bd10a15619ac70537609e499f24f2637

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ae0378d9fbf23f08cf13a40581d94eb1

SHA1
ffe3909e732817be01c45f961ba04f4f11d44bb0

SHA256
ad6f7871c7fdc74a7bc1c8c40759520c716ef29440b68684b7ca0d53bf033fca

SHA512
d5d15f1272e8a88c9309c99fa942c120d7b4489a4eed78beaba7f486c79da782aeaacf3c98a950826487423a0e061eea53e25859ef13050b20da7f72a07c0bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4332b4a22de2dfe5ec8c76dff6f9bb1e

SHA1
521c6ee71ef7c0fa9ce1b09e7e6b44a8726bb96e

SHA256
fa24173de22f1ec3e4eff163329d180627e11932308ad248e53caff277390a35

SHA512
aac23868a98448fc3cfc9a19a1da6fb713e1a9bc1d0d67d1386bd976047d19fdcfa00e7a4199a9e30f403b35404fb6a1a1376ca6a16a2225d599436d7efa6e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a1315a824f5e9ca1a3bbb99dedbdc4fb

SHA1
fad2944904520dcff03adfc213170566af21af83

SHA256
58140181a7dc131bec9588117117dfd2aebe57716deca294e19996d7cf20e00b

SHA512
fa1f6ce213c027a3f504812d841a7f790bd605872b17da4061741f1089f9a2ed1bea35bfd65cfad7ba81befc4dbf953bd8df4f210ccf7f030a3603685495a066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
45646d66bb6a7df7dd14d1d27173df8a

SHA1
b1b97fec6f3310c059ef4c32e7633d2047b42126

SHA256
ca299a74875773c8d1a054f50c3dd7cfa909485fcd7f8b1bc06669cd8bcb372c

SHA512
a91f8a88a4831956393147871b6c338fa8e68cd5d56e32235267f9897b8a881d7dfc04100e82c7ff3d11305c4a7a979db17032a473ee1df33abaa31c1ad9fef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1fedc4441c3e445d77473fbec5ef7367

SHA1
4a96f4037a6d0d0f8c17995d33e7c4f30813345c

SHA256
7252c77d1e68c14c42cc329808571ce888193d3e407d03fc33fbad3e799f2127

SHA512
38242320e2961a99846e68af622a61e535ea9832aa27709c1d1ffbe92b607c7f8142688a17910ef5704321777719cd4acf323c0b4dfcce27c5623887bd5897b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f10ed5ce7ccde8e659d67a7ce172ffeb

SHA1
18447b1f69b94f650a7e3d0527b701f96a30698f

SHA256
84a3def934ef03d4a5465a973f5abee282d2786d0e5ac706bae5255567c5dc44

SHA512
7624a822e3faf7138cb2bf878b28287dd4987e55e685c0de4519e527cfcac700010e3318e8159e3e03d174cea0573ea3f08fd92ccd8bcffbd7f771fc25cf8e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0ee42db6fec099d2b3e5128ff32287dc

SHA1
7a78229225ad8346f5620dc1bc4c057f9554f2b8

SHA256
39d4da181810a67aadec793178eb9d03ee00580e5695cfd622f26416242485b4

SHA512
d3bb5f7d5ef75844655ccebc5a7c7589829cb282cb90d7eaadbffd08e3788cc63a4e0a3c213f099d1c5b72498ff13d325d8a2a3918c5c54a98beffa57706e40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f113f1470a568e2e9e12d05e06ebdba

SHA1
1239abaaf886959336639e4beb194eb6d4bbcfa0

SHA256
1d06ceee6dd97bf7bc98eaa3fdbdbc71ccb7da25d51c5dc2de8f257b6dada9aa

SHA512
3cd11061ae75a495183f9f1895ec1ba4db2d22a32af922da76c323da2204e7014d17c19704ef9719990588d52527045b93c1291e2207208b055bc12f9129c47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5d3fed7172b1a8901c1c83ac2bd9c9dd

SHA1
9ec4d522b914ced3e4164e9e80234cdb7af4d80c

SHA256
9d69768e265e529fd10c183a90c18545d4abdbcdbd0ce78e57fd7918b8e20d1e

SHA512
39de35f3fb57c757198567a7c2623dca4fb0b23103e013327986cf907a63f840b11b064ba987bf004b4d4358598c2762168de80dacdb0f96691dfdcd6bbb48f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
90ee04fff4c815565ebb4982c3d71567

SHA1
f7665224ac90543b74531d780ae93eb0d2171532

SHA256
b77c1728bf186b0cb80b9c530ebe680230b83289298efe3512ad9f79849db07f

SHA512
4ff5aa5678c31a28bcf8f4a65e0d4642fc572da04e5b1c271067d99d94195096040592a2738d249febafca604b8c3dd4728a361a7a26f9c5090dc33ba1b3989f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9c5b94d963ac0802a9ede40f710b5f55

SHA1
05db01dbc18d97cddf47c9badf623f88a307f316

SHA256
1967fc6a02179663e314211195872a26fb9a584c1333bc7b81bacf121da5bd1e

SHA512
c018c585a29e673478aee717235ecf41032e2c44ae7fd06f34e1a3af204656514d37a8b41f43500c76df7032d52e834118a2d551b32a8c9ab1c83d4d2dc42eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
421ee93d5a666cba4ba5fe6aaf501bd7

SHA1
a4d3cd8d71e3b5560effba5490aa46ec4375620e

SHA256
0708b26a22a54b9fcf189eaed15f8048ea2a43ff2fe6779445887bab941a7b95

SHA512
624d4aedc8dc7bf950050f5d64bc9a64f276870f8074a3afa567f786030427a637f37fc6398542d2fd6e87c62e93f605bc3f90c17cb0837b066331b127f85f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
41eb99a647ebea3b4ca9c54aeb0bad96

SHA1
0f26d5677adda731ec70ee40f423378a3a3ae8b2

SHA256
5d5858a28b943265dce65b3a6fc373cb82783c56f0235781698e816700c92b51

SHA512
e856b75401a1004549f716de97734b24db99da0067113592276d6a2cf51f0cdfa6f4e936c5a2c036903fd7d2b656543fa5bf1c7277e44048cff5d14b4ccc5a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ec52452c8fee712afb9b682d2bb5107d

SHA1
d31d7bb90369b57eea4389e0e3ba7dd07bba897f

SHA256
3d78300ba3522d8e1cac5e4836e2d451bdda8ee3f3e720eda3177162d6696cd1

SHA512
ef14705c6e1b3c7e3eb918f7f2c03a0b4db881dc58b7fde68e023b4d169821738230cc68fdfdd581a8a8c8319467d672ee5e4b9c0581ad3d8a39db0ac9532497

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f50aa6e8e47b13898fe3d1232c308271

SHA1
33410d4472d421dfc49c45571fc995765678c438

SHA256
d571d2b6836a3741e996e312cbb444be19de6351f0fbfaaadb0803afe11b5743

SHA512
b4d8265d7f26838482f4e579f432277bb06dedf2b01a0a266c73a930fc9499f0b936345dcbfeb8df00a4195768954203089c0b0d41eaa1dd48ef84ca9ccfff48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f67832b20e53c42c00221ef6e2412b6e

SHA1
dfc11669583f29eeb4ebb2e788b6aaed5bc617dd

SHA256
e449cb5af10b86f2ae113a7e8ba3f1266b5ed7dfb956af451dc1832bbc7a6d51

SHA512
8d1b64f332a14724ef08edc754dae8abee8078399707fbb9c3e4e713297b0e6e8f2dda3eaaee1ab78ae85122d0eef7640a139e70502314f51720e4ac841f30f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
220e790764cafd838f65e4e05c871d44

SHA1
b8fc074cb3febd01379b6203f6b5d3c7f316ef54

SHA256
70e9d02ba01c57b7428047141a9cdf5a4423ba31c6d27fe368146e1e8b71edf6

SHA512
556147c9d7bb38c5cfc7a9dca9e78ae8a9e7d461a4e66e7331f22edb935dcc6d41092b76193f0f3f1c4b484b8ae7409f174db56d2471df85648a04e5f7524e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
74bcd3c1097e2d7ad36e03eeccdd7d56

SHA1
8a33ae1c256930e0971eb9b3935f901538eedb41

SHA256
fedcbfafc042f7f07d86232e75100ad71a187bc4e5d802262639aee31a8552be

SHA512
000fe3ba6cf3d85dfc8540d588a1a607015e94691d6d684a3cd6365f1319e35c35a42803f26afee90a5ac8b839295ba7b42c95fa221ec7a7161826120da80f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2946865a44ee17d6a00b9fccde9299e5

SHA1
ef792dea66fefb6836fd5c99bbbfd11a405a056d

SHA256
35d1be7e2e9a6fb320047e944c78343a558d4be51603e11b4f39197a5b54b1f6

SHA512
3eda4495463116424c497bd9ff58d302f8fa69edc6eeda9a7b58c7519a4908c756b85e80efd9ef99b28f4c51b16fa8bdcd2a5a6ac6d40b9cf96f8c188813f988

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6932686764d3ba5dbcda34fac247e545

SHA1
e4f718470b93223924e30fa46fe6c98eca1e7fdc

SHA256
e005bd773524cacd42b19b045af53fc169d4c175ae1957631b076ee21c3ef704

SHA512
5701afcbdd07fcafdb8f2a3b40f84d98ea8f39aa1450c42f86a9517969125f6a81a89dd99e9dab5a303b35aef956bc814bd894f781ec868c6999b54c110261de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
17f5fa95d8f423fdaa18fdb43ee80544

SHA1
47bed9a0ec182d351396363005b8d23501521b37

SHA256
81c3108f89c4823b807f9a7bac29657e848f5195bb1635ad722a60579c024b0c

SHA512
d361f3719c6fe0a81ac90623be0c8473e8b009a3eb974454454b28bf14580019433f3718b70e2d211131ab8f0647534fb558750909a031e092803ee599543555

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0021f6ba17b67d650a9793cac4d2e77f

SHA1
eea74afd9150b3c17e1567208d4f05d4981c8bc0

SHA256
c9eecff3ab032927fdacbf83a309888089c7cea69b92441f320f285213b931f6

SHA512
f0d7737f4443678a5fd277289f0de42e6b67cc2b4ce5ac1205420f07f1aa0b5877591980556a567cef32082f5fa81fb370da93f38bbd5c57922da70dced7238a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1b3547610b7c4b96d5fa009b88424bc5

SHA1
3690ea274bca6c5159f1290f0b9c706af4791e13

SHA256
88b6cdbd997d7712e986c5adcf3a2d5f6646d41b0ca28b1ddd03e2b9a16db6e6

SHA512
1619d1144bb3a9190f8e476f2eb2b79b4f6c36361ab17b7a97cc5748defbcf334f8620135620999a5cf0c30ce10ab6435891fbc1ef492e9e17f2567c93c6c38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3330d5fb83b2aedef005e5a7d9de51fa

SHA1
0fdb0104ebde48da9262c9c01f1bdc6c7ec4fe51

SHA256
a6661da27ab28e6587ab9570a8ecd685ef147c5be40ee33e40ce8d2aaf9d9646

SHA512
3b8924b2f7c421f7355595f9853e09f03cc1c538943a3fff623f875b47b0f8885553ed97dba2e88712c4b441b9c9afedd553021f4cc54357d6d0c012f8b44601

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\Winlog\Winlogon.exe

Filesize
480KB

MD5
74e581bf0271af158ec7092e58e1fb3b

SHA1
b99375f2ee37c2b361f8b1ab83a97553620e42b7

SHA256
8c7a2c8bca19717a11b3c63dfeb76d502c2659eaebecdd03dd64f7d8e300a9b7

SHA512
2b96e09ce9ccfc1ce75a178380144829631b71acf88c5e033e02b849e8e64876f7dfc16fb3413dba19634064e1abdc03cb5f41e8863d27aee081eb8a8c5eb71c

Download Submit
memory/1804-271-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2672-253-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3816-8-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3816-68-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/3816-182-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3816-69-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3816-9-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/3816-70-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4680-141-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4680-179-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4680-180-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/5716-272-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/6016-66-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/6016-22-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/6016-4-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/6016-140-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/6016-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download