cybergate | b7423f2872345adcdfbd5973e7d12dc270b74300d6ff4d59b1886b23ee418965

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
Size

488KB
MD5

eab7049536d2509bc3b948248ef195c9
SHA1

ef7411a0b453a57b4d25cf9920f6d00ce3be2cf0
SHA256

b7423f2872345adcdfbd5973e7d12dc270b74300d6ff4d59b1886b23ee418965
SHA512

8acb89524da36bcaa3ff5c2f4c45e371b1dd13aca9ac3691335871d2af6120e1bc1b4581fdfd35352f8448fcc9a1edae740541f23b8cf87b7de87d4d240283c8
SSDEEP

6144:TmmWFCUb0HmCjWLqQoZySpPg98D5tLYW5cWQY6ZAF4aSuLx5HLYGLKvMgAI045lf:TmmUbCmJL/jGA3I6SzS2xLdWkgAIV

Score

10^/10

cybergate cyber discovery persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

Epicloot.No-Ip.biz:100

Mutex

Y6OT2PQA5BXKU8

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
There was an unexpected error in the proper
message_box_title
Error
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38E4M5N-MS4D-8X3A-B7S0-1K3TYOB6P24K}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
2392	Svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1048	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1048	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
1576	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\PvQVdTyIIGLipwbnnDHKCapiSzDXzESOxLkkMUgJcIfxXxJDVF = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe"	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3012	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1576	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1576	vbc.exe
Token: SeRestorePrivilege	1576	vbc.exe
Token: SeDebugPrivilege	1576	vbc.exe
Token: SeDebugPrivilege	1576	vbc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2748	DllHost.exe
3012	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2268	1048	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	29
PID 1048 wrote to memory of 2268	1048	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	29
PID 1048 wrote to memory of 2268	1048	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	29
PID 1048 wrote to memory of 2268	1048	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	29
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 2268 wrote to memory of 3012	2268	eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe	31
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20
PID 3012 wrote to memory of 1208	3012	vbc.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\Documents\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe
    "C:\Users\Admin\Documents\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2228
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1684
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
      - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\system32\WinDir\Svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PvQVdTyIIGLipwbnnDHKCapiSzDXzESOxLkkMUgJcIfxXxJDVF\PvQVdTyIIGLipwbnnDHKCapiSzDXzESOxLkkMUgJcIfxXxJDVF\0.0.0.0\Sexy Selfshooter 4Photo 115.jpg

Filesize
24KB

MD5
559c071859d6a57f7522f0306e825880

SHA1
51950388f9e981274bb94bfe22d80ea58b583b3e

SHA256
66d9e1dc1c5d098629fae2cc2ec9b12e592c89d2b44aef2b0e6c864584fb28ee

SHA512
43e5b8a460b88ceb9bebcd82ebfb924dbe45ca44580bd1d99b8b9e3e78163471a63c793a12f8d8b45079c3a5e1124991de7b6a1c0748ec33d18060e85d91912b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
6d7656ce79ceb485c44b7f400b46192d

SHA1
4ce87bf06d443bc3826bc33253b7b2cf31dc232f

SHA256
c76b3a77c3ad2c2a2022835d53f8a7f33030fec908bf26c1433837e37af7c5e4

SHA512
79b1c98c185c49ef552738541057b1d48854fd2fa58f8299c364105724f0bd5970c2aac6085ada4a8ee20b698b4f87d131b1b796c31b5156e1d89516b7859352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
570813e5c601fd3a93b7b65edf16e47e

SHA1
93204caec0999d6fa0595a60f533ebc06395a3c8

SHA256
7e8f571f9a0c32b833a1e62722c5dcf977c7ed52989e7cac4c9712a3d2f24c42

SHA512
89a26084bc3f13a38daf7887ec3d7aa6d47bed85559ec36279369e3acba92d8e6fd8b4ea9bc1cf44014a015581a8892ebf252405190bef2e8e99cb162c382413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b5ee39b2f3c358ec0b43ac7817b1dc14

SHA1
ccde8f96afaee037f5a047615015de31e28f2427

SHA256
065543554a8629e77893c1d8de2b04073a935efef9262cf01a88342bd8571c8e

SHA512
aa9eac9d1a65706b82d5bc8ea48dfc2c091f5994904c453c8cccea903f361ae0edecd646d32be6e45de32f13261525664d2de7e46ef1eb32872d0d60c35acebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2d6532f68b7334405265e4b5e0eb621b

SHA1
12bad4e66fe3783794dfb320fe91b9a21b05008b

SHA256
c307f484fef0f0d63ffdef42053ce9611a1ce09c64cea4545a0195450332edb1

SHA512
946815a528c03fb6f5299d6a39297d7bd6fa6d5018a090aba9e4f748c9960e7db15225dc135304f23f5461432a260774a9d0097af2d2ed5b1eeb48e6ddde73fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
03efedfafa27b84e852643ece2b42d89

SHA1
0bcc94e17e857908a91528a8af128f5a5fd4ce19

SHA256
717a5fb59526863b5e983f5c4f840a9f08823e080d9837c592c0b37cbeff8684

SHA512
fe20f77d0142ba053ad4d2502e94a754e35eb669cbfe61e462c1ca5cf30f894f8fd8a78a25ceb87eab3ad3f85287d9522e2b2127d9b8ac134428fab61e385333

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
50c2c209e9389e8ac4edd9fc8a3beb3e

SHA1
91b6bf0e6365effb98af1bab3ca27ea8d6126272

SHA256
6e942f226d547ca38b1f1bddbb98aa2318973aeab8e770a67bc96120818c0bdc

SHA512
dfbf06ea242ae642ac03e9062ac521e2572bbe43b585682cee69b0986c5180d549656059179c2ec36aeb8b8399a2dcbb9faa1748dd6b93e6a923f5d486ead663

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
43bcd075cbe537eb15f86bc6a855ce62

SHA1
f6177a8851d54ff9c5bb489ebb44823892bb2039

SHA256
ac81bbb7c63fd54534e3dfac4a584b77e5c1ad19e68b9e0df61245122f57f562

SHA512
a75c94082123da5e5f72be30ca1d7990adc6028531f94c4426244842a75cea35448181bc3b8a3fb560997fe6b77df3f632a1f273db4ebe7710eb7d0e67056295

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f2319ec217c2458e294cdd7b0c06aa80

SHA1
a80d4fe7a5ca6b5cb33026d068601eef3c75e30b

SHA256
ae1069f6945fb8af55182ff709203e6b821d89420ac83b1630ad4f6080fffa8e

SHA512
67f104e66381fe3b3cc8272d8920eb43e687de3864d33241052d3954055d816a2bc660d7c3446e445fa44e696341fb6f08b450eb7244e039c758c7e6419ff21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
908d07cb8bba9563110e07edfbb21c74

SHA1
5146ec78f84b6bd5a7ca31430daf0ef43b3080c4

SHA256
a59a9777ff6f81a8ef542421643023f47e4b35de58f900c2c6f283a8bc5a5a0a

SHA512
fbc24d2f2404ff88243eff0155c94af00460c7d819985a8012834c31ecab5c794c9c5b5094896b0339e7ddfcf5725c99cf73f21514d488a15fc46eb133e7ebba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6a4f00e73b367513188aeaf1d607075c

SHA1
454d89e4f96e285e2588560745bc4baffeed84cc

SHA256
d278c00035813acfd7562c7bc23e1ddaa1294bdc0f8d3e7b6a6907ecfc5d6db9

SHA512
5466a2d51f52040f7375af4d163565fa0144e0541a9476dbc05c620b596daebfb7330fa358ee1f41b1b51857aaa2c0a146f578c1cbe9d00c508fb71ac1229477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2fd117e96459a99cc3429cbcecee143b

SHA1
fb909bebbf7a6a1fe14067721603e365aeea64ee

SHA256
46fd3e4326e23afe17f1611ee8d409d43a9aa9bcee1a8efcef57e5197e5e4946

SHA512
4e3a9020a52ef97e3a2e38f1bc200a519e6f18312696c10f403cc0b7abc23282808eda0434b53c2b8000b7eb55a76f730bbdd8c9b5f8505edb69f5afce44021c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
762c64bfa0f889d7e0353398be8f62a2

SHA1
17ca568969861665515a0e67666f891cdd807d48

SHA256
4a3212dfb908fd5ed78c26b4c6dbd999adab2ae1203aa884466f90275f0c2fef

SHA512
8de2a5927c1a41631c0a0f14827f83e244eaf1d4cf11bf027eeff48dabdb13925897ee88544e5c0b36b60e5d55e07b9f4fb0f9f3e195bf409394db5c112b5053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f1c138b666057e02aac168dc9fbfedc5

SHA1
fadc2b6042ed8b775f763b1ee89e3ce0160b1592

SHA256
f91f4d0de15739ab6fa1663ce9379a4b32f15ace15be33d91241d3b661fe65d6

SHA512
daa7c02e7ffc777123848e8636df2be079fc62c0204cd0bfba5d60e04534df3e140cb80e6d44c2f71445b87886eddf90e565b1d26651bf19fd7b258b693b657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
803296a9609a71eba0abe10218a8a45c

SHA1
b5fbc4697bedb5a065f6d78e3be39698ccdd1a85

SHA256
b2a537167af746f0756b8d4ab43e529d50a50b26346381f511ae3d982c4ce26d

SHA512
a901b32a1c0200df875eea6d108b74a7f9013ba274a9aa3a934fb7a86baac5ab8bce76da086acd00834050388b23436afe35050b320935c11bb02b4fb49b42e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b4dc0d88997fec639a9b9ff589356bb8

SHA1
8b32ec0da13cb7c359a4800e4ac7531393d17770

SHA256
12967eb79d7fa8058ae2f52ee1c9d4201deaefbd880223b17d3f0720702373c1

SHA512
46ba1e96a4d9b7b12e19901f3329a20f5e6ff08b50467b430d002dbcfdf08c565e220843e9f8c5a1e4f70ff6f285ac6f917f8e30de5c4518b6959e0517ef9f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f0fe7edbddac938331c388e739b96d5a

SHA1
25e599d082c439fe719364e7a5a46b8ebe4f3e31

SHA256
72a78aef6155832eadd6599941bc6c870e63a0512989f6fc94f5eae88661cc92

SHA512
f3b818e9ae63dedfb5f9c609d1a3b0571adbec4217f7d8b49aad074ae83e95093d05e4d71ed0fed4b1684e5f0c30f13a909a0e3acd596794b3db2ae1ff324384

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
985c040ca7997bf5577e91558b120518

SHA1
82adee786e4a0e22155925c6ccdb75b66bfad94c

SHA256
32a154660bdf0bb97417bc59e6b848d02cfe385e811930a7a84d7aa37bced560

SHA512
dec9fa77e4aae422f1e6b777a43ecd27ca540e9010371f785c743cdde5dee60d30c4b0211d75dccbcf675a5319a44548f6981e51647aa376a3b8fa96d30306ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4f5d353527612fbbb2b68eaa50f31999

SHA1
3755555a18cac51ba4a30f90c705f802b78e83d5

SHA256
6859e4e3778ae0d3a438de908dd61217cb058dcca909430c1b092d4ce11efcf0

SHA512
c1f38dcd2516534adcd23dbbde562decce8e04cdf5db85c2129b0f5fdf2c4d433ed4cf77cd6a9629447085df66c6f3b8590323a8ca8b41beda23431a3a3b956e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
15171ee04feb2b7a636620d3444c8365

SHA1
a9c8fcf624afe4b2ac251cc3c68d61f3ba859ee3

SHA256
52100ab84fbcefb109af2970cb0f7586dc87944b8991b03b763f3cd02f88d748

SHA512
d18dfc89dc5d2fc79775cbd043887acf633ffa4b3e2865683fa8a44214e8a56522459f57f7d3b5d7fbd14ad437ee1d609f7583920eb1fd0a1ae8b6d025693b83

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\aclui.dll

Filesize
17KB

MD5
e99f74ae594c1b373fa0d34193dce208

SHA1
3933f949724a6702e0038295287a39c53592b11e

SHA256
1dbb3b418bd78abb49d583f2b9cea6b20fe9fece0a59c118ddf104a672e29ebd

SHA512
355a2a3955e0f50b0c41a24589b9283892689faa61aea6360a1b762f5f2f58166c579b37dc0b003e716c1dc760f1931b73faf6fa3e2b21f8571dbdf5ee37c030

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\Documents\eab7049536d2509bc3b948248ef195c9_JaffaCakes118.exe

Filesize
488KB

MD5
eab7049536d2509bc3b948248ef195c9

SHA1
ef7411a0b453a57b4d25cf9920f6d00ce3be2cf0

SHA256
b7423f2872345adcdfbd5973e7d12dc270b74300d6ff4d59b1886b23ee418965

SHA512
8acb89524da36bcaa3ff5c2f4c45e371b1dd13aca9ac3691335871d2af6120e1bc1b4581fdfd35352f8448fcc9a1edae740541f23b8cf87b7de87d4d240283c8

Download Submit
memory/1048-0-0x0000000074A91000-0x0000000074A92000-memory.dmp

Filesize
4KB

Download
memory/1048-1-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-2-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-14-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/1208-57-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2268-25-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-15-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/2268-27-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2268-53-0x0000000074A90000-0x000000007503B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-28-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/3012-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-51-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-52-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-48-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-46-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-44-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-42-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-40-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-38-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-35-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download