hawkeye | 083f2d70fbd1a5f5290660c128124798e94c641fb54a4f2611a9d7edd64a5721

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Size

4.9MB
MD5

f71924ce90b3e49a4e586dfcad1cdfa8
SHA1

cff90e897e6d544178c5a3f291118b3544ee8615
SHA256

083f2d70fbd1a5f5290660c128124798e94c641fb54a4f2611a9d7edd64a5721
SHA512

b588cb26f559ca8586811d132c60048fda6551b90202e5853dbd86820f0e6836ac0b77ba12a051ff435ca4a8d5ab7938cad6104050a3f4ab6be285f642ed6c6f
SSDEEP

98304:Bis3mjKl5B3UjHXKJlijcFK4eqsWUGdmHgUOdWopV8BaFn9Cu4FK9zAUjd:f3Vl5VUDKJPUmBUi2aFnMu4K8ud

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.qq.com
Port:
587
Username:
[email protected]
Password:
370782yjm

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\order list\\file.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\order list\\file.exe"	reg.exe

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4100-27-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral2/memory/1264-46-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1264-48-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1264-49-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1264-51-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4100-27-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral2/memory/2920-55-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2920-57-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2920-58-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2920-65-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4100-27-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/1264-46-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1264-48-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1264-49-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1264-51-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2920-55-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2920-57-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2920-58-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2920-65-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1772-66-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1772-68-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1772-69-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1772-73-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/524-74-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral2/memory/524-76-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral2/memory/524-80-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exewscript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid	Process
4100	svhost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
30	whatismyipaddress.com
32	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exef71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exesvhost.exe

description	pid	Process	procid_target
PID 1712 set thread context of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 4556 set thread context of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4100 set thread context of 1264	4100	svhost.exe	108
PID 4100 set thread context of 2920	4100	svhost.exe	109
PID 4100 set thread context of 1772	4100	svhost.exe	111
PID 4100 set thread context of 524	4100	svhost.exe	113

Drops file in Windows directory 3 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\assembly	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exef71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exesvhost.exe

pid	Process
1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe
4100	svhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exef71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exesvhost.exe

description	pid	Process
Token: SeDebugPrivilege	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Token: SeDebugPrivilege	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Token: 33	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
Token: SeDebugPrivilege	4100	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid	Process
4100	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.execmd.exewscript.execmd.exef71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.execmd.exewscript.execmd.exesvhost.exe

description	pid	Process	procid_target
PID 1712 wrote to memory of 5048	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	89
PID 1712 wrote to memory of 5048	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	89
PID 1712 wrote to memory of 5048	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	89
PID 5048 wrote to memory of 1288	5048	cmd.exe	92
PID 5048 wrote to memory of 1288	5048	cmd.exe	92
PID 5048 wrote to memory of 1288	5048	cmd.exe	92
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1712 wrote to memory of 4556	1712	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	93
PID 1288 wrote to memory of 3696	1288	wscript.exe	94
PID 1288 wrote to memory of 3696	1288	wscript.exe	94
PID 1288 wrote to memory of 3696	1288	wscript.exe	94
PID 3696 wrote to memory of 4620	3696	cmd.exe	97
PID 3696 wrote to memory of 4620	3696	cmd.exe	97
PID 3696 wrote to memory of 4620	3696	cmd.exe	97
PID 4556 wrote to memory of 3176	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	100
PID 4556 wrote to memory of 3176	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	100
PID 4556 wrote to memory of 3176	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	100
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 4556 wrote to memory of 4100	4556	f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe	102
PID 3176 wrote to memory of 1396	3176	cmd.exe	103
PID 3176 wrote to memory of 1396	3176	cmd.exe	103
PID 3176 wrote to memory of 1396	3176	cmd.exe	103
PID 1396 wrote to memory of 768	1396	wscript.exe	104
PID 1396 wrote to memory of 768	1396	wscript.exe	104
PID 1396 wrote to memory of 768	1396	wscript.exe	104
PID 768 wrote to memory of 368	768	cmd.exe	106
PID 768 wrote to memory of 368	768	cmd.exe	106
PID 768 wrote to memory of 368	768	cmd.exe	106
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 1264	4100	svhost.exe	108
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 2920	4100	svhost.exe	109
PID 4100 wrote to memory of 1772	4100	svhost.exe	111
PID 4100 wrote to memory of 1772	4100	svhost.exe	111
PID 4100 wrote to memory of 1772	4100	svhost.exe	111
PID 4100 wrote to memory of 1772	4100	svhost.exe	111
PID 4100 wrote to memory of 1772	4100	svhost.exe	111

C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\order list\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\order list\file.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:4620
- C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\order list\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\order list\file.exe" /f
        6⤵
        Modifies WinLogon for persistence
        
        PID:368
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
      4⤵
      PID:1772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
      4⤵
      PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f71924ce90b3e49a4e586dfcad1cdfa8_JaffaCakes118.exe.log

Filesize
493B

MD5
4ec0dd0b9cffd03dcdb6c036a0ce7c27

SHA1
7d34a509ebb63601470dda33c5cfb6d8efec1cfb

SHA256
80752dcd2ca638d14a56b8a4d115a3a05270e1aaaaacc56f154a1b8aada50fcb

SHA512
dad84a89f16dda19d8dfee0955c6ded4b27d34b9f58bd549017ffdca0614049cb3a0964374bf7bf911ba7a7187d3a6feb3b6d5cc7add54f294b470dfe387a833

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt

Filesize
727B

MD5
6771d4dbabdbc3c434570d956c179b39

SHA1
99c56f8cf4ec459f6b25f621082886d83398c8ff

SHA256
637b501b7aab707f1778c31c39f37c4f0a2335bb11030d2e004e49be3e83676a

SHA512
749b64e4aa7dcb11683839589764dc7b6cd51ed08d6086189a33cac65f55976dd04f5133c56cba50a5e0da1d950f9b8bbab4aec6f459adc0f455094260462ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\file.exe

Filesize
4.9MB

MD5
f71924ce90b3e49a4e586dfcad1cdfa8

SHA1
cff90e897e6d544178c5a3f291118b3544ee8615

SHA256
083f2d70fbd1a5f5290660c128124798e94c641fb54a4f2611a9d7edd64a5721

SHA512
b588cb26f559ca8586811d132c60048fda6551b90202e5853dbd86820f0e6836ac0b77ba12a051ff435ca4a8d5ab7938cad6104050a3f4ab6be285f642ed6c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\mata.bat

Filesize
70B

MD5
12fb588729977f17add4e0f761889009

SHA1
483c1b1bd0548fb0abfc3316cf0236410aa5f683

SHA256
03b7339514489ed2e17e632865de4d9c91047ae8db0d4d658fd554ee2952381e

SHA512
c3422674f565abbb23685d0024dc8fa1a701a8b4d74c8b20b9c0cba6427f35a2211d7d4dbb0e2ed144615274d51b84af8f559e18f137c7b0ee4cbbe0c51873c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\order list\mata2.bat

Filesize
246B

MD5
d1c2f44434eddee4c26c3555a0eee550

SHA1
986a3a4c06082b3327c022b7113ac371d8910c8a

SHA256
e4f1eb08866ac53220f8b5fa27e7524df70317d41b26dcab4513436ac62f81a2

SHA512
947bdc541dcd94770ab2258c618a4fa56e83e34b67928766d5fc042b817a4e5fd270bf9385a1a4e1c4b82683ee7f6339786922d4d9ab5b576027514ddbb7eb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/524-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/524-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/524-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1264-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-48-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-0-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1712-1-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1712-2-0x0000000001870000-0x0000000001880000-memory.dmp

Filesize
64KB

Download
memory/1712-43-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/1772-66-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1772-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1772-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1772-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2920-58-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2920-65-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2920-64-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/2920-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2920-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4100-54-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/4100-53-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/4100-52-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4100-38-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/4100-34-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4100-33-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/4100-32-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4100-27-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4556-11-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4556-45-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4556-15-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4556-12-0x0000000075490000-0x0000000075A41000-memory.dmp

Filesize
5.7MB

Download
memory/4556-14-0x0000000001BD0000-0x0000000001BE0000-memory.dmp

Filesize
64KB

Download