cybergate | a39b8da727ffc57b6041c0541dd99403b3c0cd9c5ea1e5b9d7f2ff47f13083ba

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Size

441KB
MD5

1fcb1a649415ffb9e1251ae36243edb6
SHA1

b9e54ab8d6ffcf386b35554fa45291e87c0f4f99
SHA256

a39b8da727ffc57b6041c0541dd99403b3c0cd9c5ea1e5b9d7f2ff47f13083ba
SHA512

303863d331ff1ff53b6edb5eca0919f1895c28f839441638e4010332bc6fbbcb36d1cde277612f8b03c49980a564b388cf6aef0c1fe0afbf4cc2a88673833f33
SSDEEP

6144:ZHalw9yxcx8J5uybal9CJig2df73ADCq82yY9+9Qc7OmXwkdPivua4jORLcgCY7B:RpyqxKMybOtwL79vc9Xwsi2rORs3I

Score

10^/10

cybergate zzzzz discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.0

Botnet

zzzzz

esam2at.no-ip.biz:246

Mutex

6332F08D06F2O6

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
iexplore.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234567
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 62 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe Restart"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y8BH438-SFN3-Y20O-SV7A-P7S5FHLS47YW}	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2448-6-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2448-5-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2448-4-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2448-3-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/2448-8-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1708-558-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2448-561-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/1708-566-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2412	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1032	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
572	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1548	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2152	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1968	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
604	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1964	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1744	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2016	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2076	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2484	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2372	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1732	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2392	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2808	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2828	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2708	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2616	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2596	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2160	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2296	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2816	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1820	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
1644	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2844	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2952	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
2344	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
856	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1708	explorer.exe
Token: SeRestorePrivilege	1708	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21
PID 2448 wrote to memory of 1196	2448	JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:572
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:604
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
7c4422ceda2be4843828ad1dc3542be6

SHA1
2fdfe398161871d1a610ba8c57a42e6fe4d7d566

SHA256
89a4532806e101577e01f1fb50c63222883b44d7b486dd220fc480f1f2aaaa87

SHA512
4c57b0454a4fd99b3c401408e60a27d3df78fb1d57ffde6f513e4e23a85dbe3ed0c31fecb338a521caafdd79c19cf1e6a306e5be617747c5c1262f3521464d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
13f68be25a37c8f93e3a97b55cb7acd2

SHA1
d22206a061a12fce73d88a532e532e01245a7365

SHA256
1d86f8a1f9683a10985830ea992a5bb64ea121f80e8e376a4fd1dbbf670ba5e2

SHA512
333ccfb500079c9d9fe73864fd9412e2f3f380f816229fba0a6603172489b991e74d7a934a394614a4a795e303d87105b0558ae71180eed217dbd85392a92493

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
d5724658a8b03473ab6bf3b601fa1e67

SHA1
d7394c76dff3f8e25d956d315b3df10f741b50d6

SHA256
e72eda755732ee8403045a75c7dd504b28adb47a5e6169e4f9be981a41b8406d

SHA512
70dc14bc348374c02a6a9e1e6e707b569589f4d150759da6154bb6a13e6babffa97fd6553ee9787f278cf16b4b23b930f3f2f373da07468a165eca7880ab35a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
b15046fa6d077061732cae4965ce7019

SHA1
de60aa3d9e98ced562e8d846625974f7a74da6d1

SHA256
f3c5251db01b6a9b460ae64dd43645f697feaf5a4e322e1843d9170e21016d39

SHA512
271493508385b408bd9a9008fcf0d756e52e027078921be8afabeb25d60024df0c18b30489081ab1e212dca53eec5590c17f7cc721690da9ef19df690f34198c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
33accb55a1fac10fe2a995cb09d8f769

SHA1
24e0c5ae4c465ee1173fa320487b26b28f2c9e37

SHA256
497f94fa4a5d864c4d016a272945f3a4010182e331ce0c9af184a95f278e7fe0

SHA512
a7bd781e17813f5873fb89c32340437b0d517554647b8b793bf33b8815e8e908c548e66b312420d90f9a6f371f57f469754eb20a6481e31f4e428b000765e8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
e19c325a4c3b925247da41c6d31ad5d1

SHA1
2bbfe2e4f9739b0da53b592115fdb83fa6535719

SHA256
3b6651c0a559f755fc810d81678a8f712e03df356c8f78547d3a4363af30ebff

SHA512
0f27834debff4369195054a58d6e2370955e878e83573b351eca57fe3365dd8f17f4379c223e25a67e41862dbeafa506a9023c0290445650d47e0ab553094d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
72acb91fa8cb7fee566c7c8880192174

SHA1
2f5bb84d01a9cadb14c0c721eda26615c2272884

SHA256
73b5f678795edeff8c8901c1d895e0e8bd0bae07f995ea6c4fcb64fcd1bde8ca

SHA512
25bc15d09465522a9238affed85234fd0e700983ba6dd3682c2c68d092cab7ad8fb847cda9eeed90f5a94c93de84154164a0a09c1fccd1f669578210e8d63b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
f2d323eddd299eada1867574d888930a

SHA1
e134cbc57921efdaa59baa6c1f25c49c592c7916

SHA256
a0860fa99a5222c4880afb288527bc69536b3612361fdace2fe7bec10b1dfe50

SHA512
bbc1419c4b595b88ab0a5436fa9f77a766ff731f7373adec4f320f7812a44a0d4668f4f836f2d2d2ac5317cd15c87144e9faea32c22ee2340b5abd0ec94e36ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
3a499825e7516f669d225ef3bf09f4a3

SHA1
f58af08584bb2780ed92fa98d960de40bc44f6c9

SHA256
57cc1eec5b4ead1bb072b99664fb462c65ffc3bfef623af0f56a9b784b8d1aec

SHA512
e1a0378b2fa255178ff649563bffe1cad2d76085de08b562eb0a7ba40efe69bd04f064c0d20228473774ad6c407728353c81f667216ce7951223e90cb758c298

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
43ad11e15e8765b61eabf234d1996f8c

SHA1
9e3081e71d668a07e7258f17b61f92dd7bb2416f

SHA256
4bd65d8bd8f30c8e4c022ebd68514c2835a74937c86de7a56145ddef3ed62cf9

SHA512
8b56737e29d83b75b9ad34c80f48d28ce4077178c526a407eb38236c71c55e60beab523a0a81c2a030850ab696c1a9a9b5ef67ff48d414f8d055cd6fc4e54953

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
8045510ca36f13de92b150a2bc8fe5b5

SHA1
495a122b8bb6e181f35e292c348fc7e7a5182ad7

SHA256
d0434367329b13abfb91b4f1f9bfa7ee217719c09c138f28578e5cb41444727f

SHA512
4aacfa6576a66678c9e106cb2e350d80db45e94236067d5aca3815456f8e73f90f860432c6150fcafd35511cf1a91491079136d96a6725c1254815bc9c40f7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
c33dc0398b9943a2bfb258b84e41651e

SHA1
a8d7488bf738ccf3bb29844c626dcf44b3dfbd45

SHA256
3ba9c621b48908328128ecd2168d2e69bd0c9b28333624b454fbd1856eb3b444

SHA512
062f2ef2c1c84f0d93694b08fe0525a4694a6923491533d774bb1f9f221fba4785bb5a983b129c85cec79611d894fe9fcb21cbe8154a8c9cb6867a2108441ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
4a5bb735cf3d8116fa06e00927849beb

SHA1
b0823c659151bd7f4f336fbe095b701e633266ef

SHA256
623a44cc8852299f5e381a3d21c3e3393bb9036f6fd21d8a94dc7b8309cde273

SHA512
bd1c052424106048db7fee87088f78203c8dc9b4bcaa2c0daa66159629c7e296aa9178514640d8e27fbc562af8be16206d75aa7dcf90382e7687d078cf1101e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
519e0b4bc068a1aafc4981f5ee4e3297

SHA1
994e6851ba65beec1cf97893837a93329fccb76d

SHA256
eecdaf8b965631544ff030c04f18b0095b6c4d4a1ce8d0e9179f87e07ae141d1

SHA512
96e3e8053c18aa9f7f611ef74c7f182dad901a7e67cfa3ec53d5745b93c49f9c3834022ffeeb9f9c00bdd127befdfd5f9a00db3e6db06a25755aeb6f305a6d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
b9e4cd46e3dfdf8a6a23b16c79c02edd

SHA1
9bd542805549476f799c23907739b0e212a8cf4e

SHA256
1cb9491db80f18382ab853a2084aab645f432fb4835e85229bea33ea09651d86

SHA512
44a235f8d66a3a8a5627a77941f2324f5cb60969f79005ec3f426373bd56c7501f415d6a633ca988e68cea422ed33d07331c50acecf6de80d0cec16a56fa2609

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
9f09982df9f2fd7783beda6dab357ba9

SHA1
fadbfb180047ff4173eb24d799338bfa1fc80aaf

SHA256
2c7b0d0940fb648596cf1edf7da5acc063b1954c5355030ac33e0da1e2f5d254

SHA512
1420a42f5ec4cc2c9e54eb0f00232bdbded57523e704b81744fe954302aa787d2c4c30f0cefb3c531b6ceebdee864d49c60b03bdfbf0e122b01fe78dad5b2b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
3f21bb6c646e5c287f24139de597c3f8

SHA1
060b19c0b2cc29b3395aff869c497409fe9d59cd

SHA256
ba9ae1a494c9af0191e3a41c733cf6e222849b2413ab802dba379d3eda3d5c4f

SHA512
3e20230db9ecbcaebed58cf39fbcd5dd394b428876cfd53afc7ed62d5cfdcc09d8a3a0d3e50f20e10da7354993b29f657779d6996fbc19e07ff34593d69e5315

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
3d19509bf09454bc224df9ef3752a222

SHA1
fda483833f09b529365b0a00b517ff2751f7f631

SHA256
0b5db23415471328609e015755811a121b9e5e7d25ed33f7c997a139d034866f

SHA512
25942ec60b04aa270bea2d36a6cf9636e44fd9ecc792220ea4ed9c4495ae9c5f0b91548d046783266fbf79e90af6eac2244aa1589212b068cf1ad3f7869f7ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
4ff6c9cce70ba91b5a824f644dcafb35

SHA1
54c071265f61b58f5d3a613d6fba31f590ec346c

SHA256
badac4f9b5641132bfec8dbe81ac38c6d7e1211d8fa5e443a77b08c387e3874e

SHA512
5eab9b705eff6c9ec07ad6acd89473964eae3956b2bfb8567f102094dd0c4fd061a7aef173edb2522b966b68a449bbb635d86a643bb161ceb7ad426f6c2a8c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
23365f9975ccbf247fd6da381c9d9ab7

SHA1
e0e87dde262b22aa37b1a70309510357300d5091

SHA256
732f3f81f883da3e1caed0cd9cd406313b2d72452afa49337a629b5c6944d4ce

SHA512
5c6686a4d60cbfb738f3f75a118cdc43e803026cdd2767fba4d8670b76ace3b146e3ef868dff1ee2f6b7e8cbda473717f1d393973b4c924aae4c6e04c9cb448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcb1a649415ffb9e1251ae36243edb6.exe-up.txt

Filesize
542B

MD5
977096560ddde8da1cb4c7713e700f3f

SHA1
e7395e5f3f5b68372bf09a397ae6fbf0217a7c06

SHA256
225c50d962949cb3b7ec8389a71b73d6b4f00ac89cf955a48be8c77dd312a6b1

SHA512
d363ca693fe64d273f467ae3b697cc8d3c3f3366edec640bdd2705ee8a677e8cab3552aa811faa85c3e5207fc25e2006603c99b9fef43581033859c87b2be72e

Download Submit
memory/1196-9-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1708-252-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1708-273-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1708-558-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1708-566-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2448-8-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2448-6-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2448-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2448-4-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2448-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2448-2-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2448-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2448-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2448-561-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download