cybergate | b7423f2872345adcdfbd5973e7d12dc270b74300d6ff4d59b1886b23ee418965

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
Size

488KB
MD5

eab7049536d2509bc3b948248ef195c9
SHA1

ef7411a0b453a57b4d25cf9920f6d00ce3be2cf0
SHA256

b7423f2872345adcdfbd5973e7d12dc270b74300d6ff4d59b1886b23ee418965
SHA512

8acb89524da36bcaa3ff5c2f4c45e371b1dd13aca9ac3691335871d2af6120e1bc1b4581fdfd35352f8448fcc9a1edae740541f23b8cf87b7de87d4d240283c8
SSDEEP

6144:TmmWFCUb0HmCjWLqQoZySpPg98D5tLYW5cWQY6ZAF4aSuLx5HLYGLKvMgAI045lf:TmmUbCmJL/jGA3I6SzS2xLdWkgAIV

Score

10^/10

cybergate cyber persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

Epicloot.No-Ip.biz:100

Mutex

Y6OT2PQA5BXKU8

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
There was an unexpected error in the proper
message_box_title
Error
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exevbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	vbc.exe

Executes dropped EXE 2 IoCs

Processes:

eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exeSvchost.exe

pid process

1728 eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1516 Svchost.exe

pid	process
1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1516	Svchost.exe

Loads dropped DLL 6 IoCs

Processes:

eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exeeab7049536d2509bc3b948248ef195c9_JaffaCakes118.exevbc.exe

pid	process
2168	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
2168	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1684	vbc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1908-595-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1684-900-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1908-1056-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1684-2028-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\PvQVdTyIIGLipwbnnDHKCapiSzDXzESOxLkkMUgJcIfxXxJDVF = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe"	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe

Drops file in System32 directory 4 IoCs

Processes:

vbc.exevbc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe

description pid process target process

PID 1728 set thread context of 2424 1728 eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

2424 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1684 vbc.exe

description	pid	process	target process
PID 1728 set thread context of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe

pid	process
2424	vbc.exe

pid	process
1684	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exevbc.exe

description	pid	process
Token: SeBackupPrivilege	1908	explorer.exe
Token: SeRestorePrivilege	1908	explorer.exe
Token: SeBackupPrivilege	1684	vbc.exe
Token: SeRestorePrivilege	1684	vbc.exe
Token: SeDebugPrivilege	1684	vbc.exe
Token: SeDebugPrivilege	1684	vbc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exevbc.exe

pid process

2532 DllHost.exe
2424 vbc.exe

pid	process
2532	DllHost.exe
2424	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exeeab7049536d2509bc3b948248ef195c9_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2168 wrote to memory of 1728	2168	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
PID 2168 wrote to memory of 1728	2168	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
PID 2168 wrote to memory of 1728	2168	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
PID 2168 wrote to memory of 1728	2168	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 1728 wrote to memory of 2424	1728	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	vbc.exe
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE
PID 2424 wrote to memory of 1180	2424	vbc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\Documents\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
"C:\Users\Admin\Documents\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\WinDir\Svchost.exe
"C:\Windows\system32\WinDir\Svchost.exe"
6⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PvQVdTyIIGLipwbnnDHKCapiSzDXzESOxLkkMUgJcIfxXxJDVF\PvQVdTyIIGLipwbnnDHKCapiSzDXzESOxLkkMUgJcIfxXxJDVF\0.0.0.0\Sexy Selfshooter 4Photo 115.jpg
Filesize
24KB

MD5
559c071859d6a57f7522f0306e825880

SHA1
51950388f9e981274bb94bfe22d80ea58b583b3e

SHA256
66d9e1dc1c5d098629fae2cc2ec9b12e592c89d2b44aef2b0e6c864584fb28ee

SHA512
43e5b8a460b88ceb9bebcd82ebfb924dbe45ca44580bd1d99b8b9e3e78163471a63c793a12f8d8b45079c3a5e1124991de7b6a1c0748ec33d18060e85d91912b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
6d7656ce79ceb485c44b7f400b46192d

SHA1
4ce87bf06d443bc3826bc33253b7b2cf31dc232f

SHA256
c76b3a77c3ad2c2a2022835d53f8a7f33030fec908bf26c1433837e37af7c5e4

SHA512
79b1c98c185c49ef552738541057b1d48854fd2fa58f8299c364105724f0bd5970c2aac6085ada4a8ee20b698b4f87d131b1b796c31b5156e1d89516b7859352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
16554a60fe2242169ef3563453dca783

SHA1
a3cae5b831381c70ca6ae9316196907b2c6c94bf

SHA256
b0cb8e646c6a009f225322444fd44ed3393c626397db5d2f4e0bb0c2d89e63cd

SHA512
c98523cb0a3da7dae03aa087044ba56199560430595a0f2d0ef29154a7e39b60e5c81f97950771cb003124e08cf50b8a6865ccb2e185184cacb3e508190ff2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
bf109b56d240c2546d2f335f0ea9269d

SHA1
dce346529e092fa0a93067fec1aaed2fc2448a01

SHA256
8764435098f3077e74929f20087e5360f6250132eb5708c7cbb655092f49ece8

SHA512
968a2c3806b7277c98c8acf729b55cf783043cd4fef27750b0e975ca5aa8472e1d42887619c9095a268b58b92437317923b9e88f546823d6f28fb219fb0dd12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
9ebbe63439c56788e767d91461865aaa

SHA1
816127876d12efae920b724541ae023bcf39040d

SHA256
1de1e6957c3b86c4ea8afffc4aaa050b0f554830e8164ce7fd242720ffd75f78

SHA512
8a13e769899ff2d7d03e3a1da17dfaf9820270994ae6e23455103bcfa1291adc41d53a980674fe51c5bc032f009f62d9291999219ec2a173f6ebb7247f93854f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
cd7f34ab31f04a38bef28b364a048e03

SHA1
e213a3d3110c533b289e1951d1b4da6ab7ebf2ff

SHA256
b03894163845a69e06b0ece7cde462382306467908e6d2276e31b7342c061946

SHA512
edb96ace9c9d7abe27d84660b8fa78c51bb60e2189d05069304fb17e5b92663bb5cc850f62bf86e041022034743f1b42296123e9826dc39a215a1e5344c1674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
1c9e9ab9c0639f8aa5cd38211437382a

SHA1
b8c3de7b476eb05da8bc31ee3d30fd588adabb66

SHA256
560359d3cb364a6bdad444dcfab1e64d7330cca5e011b746ec9a39e3b05da22a

SHA512
b510decbf5a6b9a2d711dfc78a11d5789ec48fdfe4f5a91eafc3361f2cc4a1ad235a2b6dde4f6740e1a31f41429ac30234249ca8fdfdbdc03176686875a0aaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
05a6181be7bd8c1e77e93c6f84defe11

SHA1
c384c927a9f554767b317325ae41998ab8b1fb27

SHA256
04646bfccdd255093df6a51be00cc1e88bcdf0ed49e54f12bc6e65d59b34efc4

SHA512
1b95c3c69712261f96d76adea0b2fcee6a96ff8a1ffbdcf910c256a93069785dbfe0bd8d93f6dce7bfc4788007f67328b1b8ad5ab01780772264fac09e210681

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
0e6f46af200c35521eaac905b5ff76e3

SHA1
6134aeec227a510e0ddf28d7864c94ababe2ff70

SHA256
2fd266f90b85c4ed0005da1d17fe3ac08204e9ad40be1d92ff05755e5dc8b9ba

SHA512
98adab454055ea8489d9dfccd80bb6044491d93256c50b2672e7d19bc90bf9f0c39057b82e2934b3ccb83473593a2663ce95bc2c5c8c1a5f10d3caf3df653fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
c5b4e393aac9347dffde8f6224fa00eb

SHA1
f195595f7a082af1fd8bc0ab22d96facb33c68c3

SHA256
2c479617bdff0a017eb864956cd7229fde4a915c8256c3517915d6c8f4e12208

SHA512
3a015258baae21037acf4c73ff76145e43718e5e1ad63de95db7e12ed207b6bfbf2a24e72a7beee6f54c3c0fcdc1be8699dce7a3d8355c2a02268076099b457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
4009e207eb004561186d5e4c57ba4b77

SHA1
707c03dce8c6f578a78ef7d8e5f8473900b87c27

SHA256
a90d433b6ec2fd93e0079596b8f2f3bcee4610a2744f032fb0e3204fa956e5cc

SHA512
bf2c251170724a7e068110ba8847c1852af876019b2348ecb116adee772fd5fe3c0f1461153334ce618e035e10f6eb7c011c426cfd8a1c7d6c0f98554de9336f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
997c975b2cf8ec178d5e19955385fd49

SHA1
b8612b32643dba481783488ac35680c003817b47

SHA256
2d56bd653013634f4863485fbb2065ef11bace1f0fa8345b5a973ab4b94aae0d

SHA512
1941b4cd39d45e102d5980a9552461f752bf6bd3012de6e3c4a1cb1c603c9a22332566265bb50c240bdc0c85f62c21953322d67db497eb260724ddbfa7959396

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8547c61ab5036f64940e88a4d08cc251

SHA1
ff8da5c9c8b058aa73355f4adc96b1ffbe47d7c1

SHA256
634614fecb3fb8187939d9d088da72d840cc7a9ef91e9a631519a0e1a48ac998

SHA512
37924a975a86aa5b58555834d9fa9c579bc790281f2be586f2111bf9c9e8ac2141121af2030259537ca86310d0979bac35b398bae6d9d735b40be389416c44e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
da11cda9206a0f8aa738543b912e4300

SHA1
1ace1596bf7b2a5f3a4b00a948fe7391bc2363b7

SHA256
b6e07db35933f910e8febf758d080bbda481ab8a57f56a6afa413795d2504582

SHA512
84d45e1c7e8011583cca13b94fde1393d00a869a5478e3ae7763e8bedafc37903c7a3b96c6be938da593ef6f2c4effb4aab9f7d7f0e4c48b888acc3a4a666fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
91f7a280c6bbb099f811d1c75f6323ad

SHA1
326a15895d9ee089031eb7cd2b792553a70876c2

SHA256
e1a8068772da44513cf84acf6e7301a23fb7d4cf6b6c8a177fec7735e7b873d1

SHA512
8e5167be084bef4411c722eb026f58d9a5a968db8ee3789b4e60c2565912cb4d403cd84a2a87ae04d4aedcb1126ad2c7f642c642879d78c247ee0487a90fc4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
4f9b0f5e452dea49c7303830df4f1ba8

SHA1
36c39932edc45626aea6961d40eaf6809464d9bd

SHA256
c1c8ed124537fcd1103e5118fcffc2804c1ae510436ed603bff664d6203a5010

SHA512
793df8fa1de24c9ed125eaba2b47fba8a228294d596804d4765304c481c896094fb80b21e4f8481488c80546f609637888c7d7263846e24498fde24f900b20a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
f46e940cab3d2c12a1e3b80d9e564826

SHA1
1815a24d7b43a495420057c984d19613ef3395c4

SHA256
d9ea625893deef8d1bd3cdb1298452dbc411520542c9e8757fe86a6990702700

SHA512
1bd9295569f13ae9f2b176ccba1ebaa66a404bea68744d8c413ed565957dddba79e7a9d532443c34dc03d11d3b3ac5503cb31d6271465cbd5d04987cfe2ee0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
aac725612a6156366816939fa8d3b9ce

SHA1
6e06e3172844a8f7a8a4ce8558dcd743940bf3b4

SHA256
c248015c19f2aabdb53e0b2f06644faf664cf9f6be58281b7cc39400c6972a85

SHA512
43bdba342e272b7f9d958ac39a6951276c9b9edc67e6cda9892570eaede9dab51667954ed4410f8ad509f2007f915ee011b81cc486646209505de72a463a96f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
12f5edfe33f5f7ec30eb275cd0edcdda

SHA1
d392d86dab80271a74ea0af421ba9843636e05e2

SHA256
800d03a65cbb8408abda374cc9d91c8edfdeb92b8e6f639bb6bd8db39dc41b52

SHA512
2309063345fb8b25ccb83ae7c73e9625ee5839a1ea2a8e23bd6c442aa6a719c498b2f3aa1e2f99072f752bf60b3365cfe34c82483a842be750d677baf4620c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2d6216136015865e5f081559764992f8

SHA1
6bc53f64334baa9a526eb0e451c2130c0ba6116f

SHA256
fe9aff9410b882035ede392d66449e03787bd107b0e0b6d1cfb3ac9002c3a82b

SHA512
38724b32660d063462283929348d54c75d5bfb7e7402175a3d18a22f92f8e79f4054aa8aef8d7c6ccfdae49f6321f55603b59e95b90ae97767de511f86568dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\aclui.dll
Filesize
17KB

MD5
e99f74ae594c1b373fa0d34193dce208

SHA1
3933f949724a6702e0038295287a39c53592b11e

SHA256
1dbb3b418bd78abb49d583f2b9cea6b20fe9fece0a59c118ddf104a672e29ebd

SHA512
355a2a3955e0f50b0c41a24589b9283892689faa61aea6360a1b762f5f2f58166c579b37dc0b003e716c1dc760f1931b73faf6fa3e2b21f8571dbdf5ee37c030

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\Documents\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
Filesize
488KB

MD5
eab7049536d2509bc3b948248ef195c9

SHA1
ef7411a0b453a57b4d25cf9920f6d00ce3be2cf0

SHA256
b7423f2872345adcdfbd5973e7d12dc270b74300d6ff4d59b1886b23ee418965

SHA512
8acb89524da36bcaa3ff5c2f4c45e371b1dd13aca9ac3691335871d2af6120e1bc1b4581fdfd35352f8448fcc9a1edae740541f23b8cf87b7de87d4d240283c8

Download Submit
memory/1180-62-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1684-2028-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1684-900-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1728-24-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1728-56-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1728-26-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/1728-27-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1728-28-0x00000000008A0000-0x00000000008A2000-memory.dmp

Filesize
8KB

Download
memory/1908-349-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1908-595-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1908-351-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1908-1056-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2168-14-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-1-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2168-0-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-44-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-901-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-50-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-48-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-46-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-55-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-42-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-40-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-38-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2424-58-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2532-29-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2532-36-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2532-899-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download