Analysis Overview
SHA256
69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42
Threat Level: Known bad
The file 0081117561dbbe476ca7c53d931272eb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Loads dropped DLL
Checks computer location settings
UPX packed file
Uses the VBS compiler for execution
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Analysis: static1
Detonation Overview
Reported
2024-06-22 00:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 00:50
Reported
2024-06-22 00:52
Platform
win7-20240508-en
Max time kernel
150s
Max time network
147s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\windows\system.exe | N/A |
Loads dropped DLL
UPX packed file
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\rOaoWnZdErpjCyVqQVSdgvRSblgKZsMfaPuEFDIslsXkjzEGxX = "C:\\Users\\Admin\\AppData\\Local\\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\windows\system.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows\system.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows\system.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2964 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | "C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1793508553-352905866-2062955186-5258329257991145025581625121570511284606176835" |
| C:\Windows\SysWOW64\windows\system.exe | "C:\Windows\system32\windows\system.exe" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-421556289-82603964123529799315784425791803808245186761579-1484572417-232962919" |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
Files
\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
| MD5 | 0081117561dbbe476ca7c53d931272eb |
| SHA1 | c63c2af8e87297fa66b6fdd8898b50b64a0c2e23 |
| SHA256 | 69bd0504604bb8f94928e0bc4d710639f23d99ddeedd7036c8d6d19d26b6cd42 |
| SHA512 | cee68886a6d82a16e992bd68e33453d23f71c615771a6ab38a3a4ce691d69d16b4e85fb0c0a2d15443f1920ee686e33d19a49ed87422648eba321fd907a27155 |
C:\Users\Admin\AppData\Local\Twain.dll
| MD5 | 2153e2d85da316a0fe302227e0f9af88 |
| SHA1 | 48b334c27d604ce7d89c9c825d211d26427176cf |
| SHA256 | 645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0 |
| SHA512 | 647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac |
C:\Windows\SysWOW64\windows\system.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 6e4f978fe3aec19ca9498551e93678d0 |
| SHA1 | bd74f4186eb34a6ec0bafc64617968c872079bad |
| SHA256 | 81e6cd1275a3df0184b02fcdb5bcb31d27bf56c8f22e7f62bd1d8a2bd1140308 |
| SHA512 | 57448df1f3f494c2f3f1d7840ac2ee766f0ba2295a5a10fafb9c5560f66a3c17646a6bc4e53b928b999d8a00b78a83cb9b09686cc04e0a9df336d036037797f9 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a3a2e3f09fa7ee0330ef356f5d00f5c8 |
| SHA1 | 3d4a2a240bc7a85c5e648a7a10a823af8592a0ff |
| SHA256 | 5df5bbb4ff3e4650ea86ffd53e20eac6be8b3bfad693f2db666a92da7fdccc0a |
| SHA512 | 07bb2a186b8b548535e99cd91d0e5c05ead29e72732184f71045eb380b3c11a3256ed9686f3fb7fbcbaff1b7dab30fdc34a580c82fde0b44c7093be6ac71f352 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6513e10a5d26a4b9af1cc219379d3932 |
| SHA1 | 57774645fe2d760d0759b885328d9572a6acf767 |
| SHA256 | 00d0d445b3534106abf6f2a2ce0f485f523035fa4585d0cc7922c6aec36e61c4 |
| SHA512 | f5e5c5b66145fe3be3d1f03d8a51aa44a3716221c0ecdd596d19849c905be1a9b85359c017bb60d7f1e0aea054785de70929871f9bbb7c4cbc404229ea06956a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3605d3cacab0677c0cf4c8f712beae0d |
| SHA1 | ae1c8b4c5347f9a257ea88574251b169550ecd4a |
| SHA256 | 3eff209ce8462413158b2d643d7daa17cd432d41923cb9fcce4a5201dc6c91bb |
| SHA512 | 945ba0f6e57fd0dc92ded78bc1dadb6030e5c01f9b47c24de5382404e735f89eb55b7660d98b88818cd51f5fb60f83c3f9ca4e004df30019365786b846f69e6b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 394c4c99d33de21667a4362729ec6a45 |
| SHA1 | ae14afaba223202f85f9c0ace3b8d495c2bf0c36 |
| SHA256 | ba9d07f4b2ccbdb5dead4addb899792efbc85284af12d093c0c80a3666ab6aed |
| SHA512 | 622c41b396058a655bf8f8399266b1caf15996b11ee948348b194dce5fff45f8f7286a43e3878dd8380e9cc6b6ca2a95a7115331768da7da066961706fde6415 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | abe16d92b9e6feb2098a22f95747028f |
| SHA1 | da99cbcc0cd0ac7acc5453234d77a00ed24ea7d3 |
| SHA256 | 4d5c5d4702f1347c2411260e9ce9ea43089316071a25545a9c0266cb405763ad |
| SHA512 | a82ea2a7be3a8bb41db8c90660f94e94e2953e762c429c2edacaad60d7ecbe3d6b2e93ce52116f9df887cd6d7e5006a15fc660ee26ba1d912a67e3ac0f6b89bf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b7e9b7c2773d1ba8848d001e6a51446e |
| SHA1 | 37195cdeb982a726582a212843a21e830a21d392 |
| SHA256 | f207f7f2d5249cc1a1f79198fba39907592867d3dca334932bacf5744692f42f |
| SHA512 | 7bd4e9ac9f2820407e4b522c403eb728c67a25d8cfcbee1e139457db60a0d53e080aa6f93396d9393a64c109b37bb1b48870b733f5e9009dee75797595da8dd3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c521edbff8ee66a2c4a13a9b9fd3bf7b |
| SHA1 | 5ee01bf076c6098db51a9eba89fc8d52493ebc54 |
| SHA256 | 7379331c883aacfdbdc436a0bbf37dd8dd4dd66f85e299ad987321d9a042e9fb |
| SHA512 | bf7e6f2460371b82d782a9050f457e7558ac9535fa69df93a6c6d52eea69b920f38e93c1ac3fd16c459ecb82b00048df765505fe47c5b99c6a158612e56f779a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 65a1af38189c50777abc38e95acd0141 |
| SHA1 | 4ea2671bd0ee30647136232b5a3d8fc42a9d2b8b |
| SHA256 | fce96eb675da522eff8d078967bb45522c1dacea353cdc42ee13b934da50cbab |
| SHA512 | c7b891fab45e4e5763d53e35624868a84e5a570734d7177e158de02f913efbeddb1f50b9fd2aa893b236a7aa3f9730a4bf19f6e2fdfd83bcd65d3debd9301c07 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | dfd40db1a5ac4e47f785fee37d988f4b |
| SHA1 | f8e002e340f9ff96d58299deda2a8ee9ebf9d4b8 |
| SHA256 | 68f24c47110fd079e05f1a25f46e2b3445b868076892e0d9a2c6ddf6bad8652b |
| SHA512 | f89a000716aca411f77614b43dc579709870ff32bfde38638e1f255f8a01db211ed783306f1ac83e33f6a246823b5bd705de303e34c04c407c341f1247594264 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 52487f67988b549e9d67c87966c44ad3 |
| SHA1 | d3847e3b32c9dbf4fdbbfbe1f8314680ae8f7faa |
| SHA256 | 59f314dfa2dae8dd5fd3073bcacf2c86401d6ea192811ee1295e3c206d9f1c0c |
| SHA512 | 485f29099743132f3e43a95c85bfb0d908cbb826b3ebdca00ff2e8cecca2d4170540835963d9bc035affc687d31a1f223db7547e221662b7e1f0edc8049489df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 00:50
Reported
2024-06-22 00:52
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4G3XAL46-US40-57D6-Y00B-EGLJYBW6HX58}\StubPath = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\windows\system.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
UPX packed file
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rOaoWnZdErpjCyVqQVSdgvRSblgKZsMfaPuEFDIslsXkjzEGxX = "C:\\Users\\Admin\\AppData\\Local\\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows\\system.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\windows\system.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows\system.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Windows\SysWOW64\windows\system.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3620 set thread context of 2420 | N/A | C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe | "C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe" |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe f911383b43e33a0fa1835ba8709267d9 qmyr5G8v2kOMZjPweHxrtQ.0.1.0.0.0 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\SysWOW64\windows\system.exe | "C:\Windows\system32\windows\system.exe" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding |
| C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 |
| C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
Network
Files
C:\Users\Admin\AppData\Roaming\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe
C:\Users\Admin\AppData\Roaming\Twain.dll
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\0081117561dbbe476ca7c53d931272eb_JaffaCakes118.exe.log
C:\Windows\SysWOW64\windows\system.exe
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
C:\Users\Admin\AppData\Roaming\logs.dat
C:\Users\Admin\AppData\Local\Temp\XxX.xXx