cybergate | 2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
Size

301KB
MD5

fd60ad05941f2bee3dfd05c976bc2eff
SHA1

eae3af05983d5e47ebb3f228f98517f9a3806376
SHA256

2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7
SHA512

b16dbd2bb8c169bb5e772469f2bd98947e74dd7c30a1899b3416da6b2c967c6644baf97f138192b725e343233ec10c4b2516c889b7f0e302f0161392052c522b
SSDEEP

6144:tmcD66R7M5JGmrpQsK3RD2u270jupCJsCxC:4cD66DZ2zkPaCx

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

mise1.zapto.org:5210

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68}	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1388 server.exe

pid	process
1388	server.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4404-59-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1152-64-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1152-67-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1152-68-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1152-575-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exefd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\server.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4420 1388 WerFault.exe server.exe

pid	pid_target	process	target process
4420	1388	WerFault.exe	server.exe

Modifies registry class 1 IoCs

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exefd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

pid	process
4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

pid process

1152 fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

pid	process
1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
Token: SeDebugPrivilege	1152	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
2⤵
PID:2936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3940

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4080

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:4368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4584

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
2⤵
PID:2968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3180

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
2⤵
PID:1452

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:2800

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:4848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:1136

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
2⤵
PID:764

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:3584

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:4324

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:2180

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:828

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:2320

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:3060

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:4452

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:380

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:4508

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:4172

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
2⤵
PID:1428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:1328

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1036

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1228

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2448

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3232

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe"
3⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
4⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 564
5⤵
- Program crash
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3616

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1388 -ip 1388
2⤵
PID:4232

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 681302964ebf453e8e0d779b1c5642fd QkEPcMDFf0i7ac2/CIzsAQ.0.1.0.0.0
1⤵
PID:3352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5072

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
240KB

MD5
40bf045a90c5af86f363d052477f951e

SHA1
ff32c907dca090c8e3cba347708964cf213bc4a9

SHA256
bf3afb0a67cadfa0f7cd76d91da74b80bfee530c5a5ac266c41a7ccde4a77104

SHA512
2518a062a9141a6cd9e7216217f89f496cecb81688939664dda7067dfb52ee92fa8e0bc6f956f32c2542a10cbb2a2a374999d4ac551cffe8e7f3a43cb2291c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
1023e0ffca3c554bce8a5006dfaf16ab

SHA1
71b6c29e88a7417d3993ad9ae6ac47455edc9d46

SHA256
487cea35d8e94e078fcd8500afb382dedfd2e2b97fa94f2858fc50bc05601aff

SHA512
3607f0a4efd88f0b36adfac63c42f0f7d3b9c59010f73f41e83a338480eb70b087fe4cec0a41ce3b7b3e69f8ebbb8fa6aa10f19bc0ef8b531ab20f00dc891f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d850110327de35422695a8525226f0ec

SHA1
7802b0c220afa550f682182501d0e9b5d1af89c4

SHA256
b4761afcbcd7bd7fc678890c2eadded5bd74496c1e15b6cc68cd9d0dcec39062

SHA512
7124c9e609d373370e4beee4372fb2ccca45836e46658b9256985520048c797298c4be5bc2e3d28761d7e84e0a6479d46114870dfc21b5811afe51f08cc3088b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
351e07048840ac5ca6cf00d5ce52dd6f

SHA1
2d1f973b185a058e2ed626bc4f5b27b7bedabe7e

SHA256
8a7abeb475285b0d4b21b79017dafd55f0b94a3c5e8ec406183ca0414a7b8fcb

SHA512
c0680d49da57f3a1d926f9811287d98f28955a2ae9112c8a6e963dca7774234207a3d7bab42d93a61834334b15bb4c5570ee0d0967b02d5a19e03dfea57d7391

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6306f1c8dd43d49c356faf4e80074318

SHA1
75b79d031e1bdbc0f126d12df14370b1f7d83b91

SHA256
64db5087f21e4431c5fc4c2fc49ac89020b390ced14b0ccba3258991b5302b7a

SHA512
d353920c33c3e363065aa38abca40449a70e6fe57333770f5fd7898dfc913764212a29e053296edcd4ef06968fb8578f23a9ed98932928b9ef7ee8607055b51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
132d20c4b9bcef08badb2e3b8853a17a

SHA1
c98d4f1b2e09f9c65206595d61fcfca4c5c283ac

SHA256
eb414e8319e117f94582fc14fdb8ae075df1a64ffce74d248931cb2e77bee3fa

SHA512
35c2a57583655c3f13199e6b9f2cbf7f8de5b36aef0da067e3a7b161da007e0e01e35c5e67eccd5dab5c04fb0601946f33eefbcd64e730ae6bfce46e481392fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6c23a8299977a34533d12840c875e9a1

SHA1
d09f3336add89da7d21775d1f9161beabaefcbc2

SHA256
c1d98d505911d64982e3fa57c935168d84438a7bed1316d943514d5304a97a3d

SHA512
7afdd12b36ede4be3891dcbb197226b61d2d68e7fd97e5302a4752e82de898f9f6514bace7fe74b552daa62986cc6ad17a9bb5c813fad55fdc45587bb0d8fa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
db0f22a8ea8ce5955c1755ffebae74a8

SHA1
d17e343970edf1494b64f04bb69e945ad51267d3

SHA256
b429b9d7c686c11b5d8a301da753792a5d748a732da363fef65ce33d2c4e9544

SHA512
2eda830c1cf5de435885393542777d134b69f440f2a774ad6e7a966aebe2e436dc0f8259298e4b9ffbb69baf820d85c44ca6aef9c8654179b090e9997ebb6602

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
96c41ea474b5255d400a4be3a23ccef2

SHA1
54d36e91e748763e8816c3ccbcfa444928c141bc

SHA256
984e52144e570e23ca939c4bb771766aa7bb92bfb6aa1bb08dd4f7cb27c0d90c

SHA512
b61ef7db9dc8d61cd66f7d3bb4bd6c7bc589970df239f62d1c044466a28a68cf6cff12c104a73f1264d061a78e9400ac02c5033884db3da51c240a427f0a2ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
6ad93990f1ee39cb9a312a8d3e847424

SHA1
d3411ba661d91739ae9a41e4533992416fe24ff6

SHA256
cc963f9b2e0d2f002caa6a7438ddd9f0341518ddf518713a05438d8b401a0259

SHA512
102d384bb013f8fc556e4223a39896924a35a40bbc9219e4f09b8be2bd8780e42eaba5f5d5d7824c8b621a2651770f59f5940b89062170e69bd4e658fe121e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
016e5104945f67769a62c15ac5b3d867

SHA1
0ab3167bcd34dde302e70698abf1586f7f902595

SHA256
3af6b48fade70cb47832f0cebefa7857dc20b7ac805f71b641dc8b5314c5dd38

SHA512
a5b09e51e7c4f0d6e914254465318f91bbffdeca3b0137feb94572d2d5721fb842a01be38e09ebbd6e4e7bd08572444c170c7bee5cb607ce9d8a990a5ced7ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
528c30e1d1347c2c01395b83924933d2

SHA1
ee5ee048d7fb597ec6f4701c6b25d8f41b72f9e6

SHA256
1063c0da8c861b66cd38ce1dc85a635ee3501874f248a43db4344d6b64c321c3

SHA512
b8db265a4f5b18175d9480df93694c9fcc719c7c9cbaf6b0b5dffce2048ba18c73677b26e204056894c6b67d5b61779991fd829291cef71ba832370003a4a4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
892fc721f259562a132c096eb807acee

SHA1
053f445ce0266cac3842cf1d2edfd31ebd554d1c

SHA256
1b6cf228db17f10b050a366f90e459971abc28d969ca13d72d14f182da8e6584

SHA512
ece5b6c5c650057a76baadf5bdee0e38e95e7ddccf7b40f3bc34bb13fcc354c53ff4dd6a0ade4ee483aac1e6a418a02c8732e00a1ced6ed880a0bd54289adda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
2164c33f7f6444950cc38d14cf10970e

SHA1
016b85aeaaa5dfe13c69e10851bf85463c82c798

SHA256
070aaa5312339c0c1baa2dd6a7dcdb73919bb29cc920ebb47687572b4b0e59cd

SHA512
58bbca70ea1fe14e009451e1a450bf9b0341728cc0890cd910d9c803b77aafd65cc7fc5f432844d312ff75d5ca72190455d5acb433dd2529f0467b1bf630a43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
d176f6a5ee75b483ef9461e9754332c5

SHA1
8e2357cc49c50c1f76ad517ff06ce7a23b19d5b0

SHA256
5f74120e3c286d92a6227cb10d297014e254d1de189cefccf19ecf7511b32a33

SHA512
120b8a7546109c01d840a9946ea1d9c0671edc58dffb74a4aee7fffb026535f8e8087c6eef8595be357fd630d3f9ad4461b64920962f0013940a5364689e968f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
2fc581dd4d9a0e74a1468ac56646e634

SHA1
6d4f81ba3d6fff834815c344561e50139afc02cc

SHA256
298708be31ed1228cc8899e777e1c0f5cc0bf59226853ee591e30f713ea80fc1

SHA512
6aa28222f52b18b4b978cc0caf2dd6a25e5d3a1fe1adbfd46a51ce11778e094c68fcdffbdc1300555577ad8e2a8a9c1b742c50612ab18cecc9e2aacc74f75183

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
25bf3b84b377874470022c402048eb88

SHA1
286e2f4deb80587ea42eda4ba62db61e03597308

SHA256
bab2f4d2c10b50f3fe361e715f7773cc2c5ce234da53128d802336fa51043b4b

SHA512
078dfd1dc8e43d3636495600adf7843d93106e1fb7f0858cc30e24ed9aab6b8eba61fa63ae2ee8c757e183b70479ea73121ad05e7c564169efac9f91193c1496

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
ce2749b0c218bd1567d02f953e611854

SHA1
11f0f324d7a5fb2fd96cd9d833e72e97b81db436

SHA256
ba89dd609a99c8b19f70d79af1fae06e13c6b1b9e653c32855f8d304afb40361

SHA512
b038839b3a2bba223fb09c4d1087f8190669fa3c26d262b3e4a565bcaecd2908b509556ec66f1511f1f63c45910525d5eaaea672d8df56c17792fb181c6cdd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B

MD5
f4bd459d494100e139361f9968059a63

SHA1
f157b3e4efddada4d730232713a092e2cecc7b36

SHA256
b19d9e5212d35e0ba4618ee79d24b32180f6642add507848431794b37e69b637

SHA512
4acde9e47f22377a137b92f839273a20de1cf3bf6b2cd08186f76178a85b9970ada9275d90044e7d9c158180bc5338ef344c55d0ffc5bf9c18312af57288b2e5

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
301KB

MD5
fd60ad05941f2bee3dfd05c976bc2eff

SHA1
eae3af05983d5e47ebb3f228f98517f9a3806376

SHA256
2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7

SHA512
b16dbd2bb8c169bb5e772469f2bd98947e74dd7c30a1899b3416da6b2c967c6644baf97f138192b725e343233ec10c4b2516c889b7f0e302f0161392052c522b

Download Submit
memory/1152-68-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1152-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1152-4-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1152-64-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1152-575-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1152-62-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1152-67-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1388-390-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1388-388-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4404-65-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4404-59-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download

description	pid	process	target process
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
PID 4404 wrote to memory of 1152	4404	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe	fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe