neshta | 8552021656d465e82680be25a4ae3ab8cf8992381b39688f49fe24193808584e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
Size

550KB
MD5

7a2801b71758aec43059f0083103377e
SHA1

b5dcfb4b2f229d8b50644bb872ac1991550f4cf7
SHA256

8552021656d465e82680be25a4ae3ab8cf8992381b39688f49fe24193808584e
SHA512

80da76e0d8ed6b9f2ab7dddc0b70530afd165735e26fa64a437c1105cec7d0bb41cfd5410222dd5113a984fa32e78780c2cce7071f808ff65f5ab9aa5b82c876
SSDEEP

12288:QP0N8Pu4xHFGx27cGrAbhfTYawhJdxLs4Kr4Tu/:QP0NNWE2zrAbhfD4Vs4n2

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-10.dat	family_neshta
behavioral1/memory/2452-116-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2452-118-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 3 IoCs

pid	Process
1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
2284	Launcher.exe
2720	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Loads dropped DLL 5 IoCs

pid	Process
2452	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
2452	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x001600000001866f-2.dat	nsis_installer_1
behavioral1/files/0x001600000001866f-2.dat	nsis_installer_2

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2720	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2720	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
2720	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1736	2452	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	31
PID 2452 wrote to memory of 1736	2452	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	31
PID 2452 wrote to memory of 1736	2452	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	31
PID 2452 wrote to memory of 1736	2452	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	31
PID 1736 wrote to memory of 2284	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	32
PID 1736 wrote to memory of 2284	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	32
PID 1736 wrote to memory of 2284	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	32
PID 1736 wrote to memory of 2284	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	32
PID 1736 wrote to memory of 2284	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	32
PID 1736 wrote to memory of 2284	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	32
PID 1736 wrote to memory of 2284	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	32
PID 1736 wrote to memory of 2720	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	33
PID 1736 wrote to memory of 2720	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	33
PID 1736 wrote to memory of 2720	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	33
PID 1736 wrote to memory of 2720	1736	JaffaCakes118_7a2801b71758aec43059f0083103377e.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\Launcher.exe
    C:\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\Launcher.exe /in="eJaffaCakes118_7a2801b71758aec43059f0083103377e.exe" /out="JaffaCakes118_7a2801b71758aec43059f0083103377e.exe" /psw="952cbe682fbe401aa537c6a61cf687b8" /typ=dec
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe
    C:\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe /path="C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\eJaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Filesize
380KB

MD5
3a9a176d410d4c6a510af88d2e0a2fa1

SHA1
4893510bde239d2c3bd5f8a57184889b4033710b

SHA256
b9e84b9bf1eb47466678d80109d1d43838bb788d5b82a3c6ab484806e0c4d134

SHA512
310f1f05645ec1ae402940e5dbffe9c3e57022310b1d27e82bb9e37cc14b68b3245696cda7a4a8f4d6d9cda57116e12fc553b7dcc4d2a2047eae36e5bc407b2e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Filesize
510KB

MD5
c70dcb3f025a48bac174c94b986ff958

SHA1
710cfacb6c97915787582188606c2d2f8fa6cba5

SHA256
5437690d33f36b5e6292db3000872462110770dec5db5f006e3a9e1be3869017

SHA512
a89ebc4acc5f18b9602d2357eec072240cc424d4f9b6f1630dd730db879f806db35bb85ad987c3f8fa163e11c6b92cd4f5c81eff539ea6155b2b32e0d82e0af4

Download Submit
\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe

Filesize
380KB

MD5
0b863a091adf59a623070bf14678b0df

SHA1
33fb240ba289b72b2191c8a5d508627ee7239926

SHA256
8686bce4ff8edf25b0f928c197d727063e6e0c17e3ba2ad12d852cf0f502665c

SHA512
c30e705e543a98a8648ec598bc0444b79158632288d141c0720b751f437576a5a0b421948c06035d620d15eb4f3634d9a3d5985f750e3b4571327a99fe0ecd1e

Download Submit
\Users\Admin\AppData\Local\Temp\DM\JaffaCakes118_7a2801b71758aec43059f0083103377e.exe\T4pi3VEnjXXtQqz\Launcher.exe

Filesize
104KB

MD5
59160334f00327274ae72fb674d80f9f

SHA1
adfa4abda4e90321a8ee1acee15b5f6899a2489b

SHA256
7364476ff2ce59a2bb878eb09efe51e0bea948ef0ea7344410777d43feff8a70

SHA512
4a5594903e9ca0e9fcaf55a3a3ddc8895134bcada923dddf4f9d1d47b9bebd75a3e83a5bdcc97dfba19aff11b14c0fac8529bdc71c2f0ccdc2a48e1f31fc749d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD396.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/1736-17-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2452-116-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-37-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download