cybergate | 4d57ba405d4a5cb79e5417dce2f8c384ab9255be860f90c6da3ecd4399b625cc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
Size

444KB
MD5

b2af1ef050522671b1fc06b49e203368
SHA1

7d3819af1ebce6a39afde76ab3c02483651ad921
SHA256

4d57ba405d4a5cb79e5417dce2f8c384ab9255be860f90c6da3ecd4399b625cc
SHA512

4fe7f76c408663f42c36b1fb4d22b94be259b2bdc370d0debc35e3af4b982314129e21b569e834dfb6c97e6a520821938a54ea2dacd3222e83aa4fc7885bb68a
SSDEEP

6144:FUkIZmwJA3mck5QM12zUnuCK2ckP7LbhXIPEw+MUBKLJT8S9m0HLrzq:ekIZmVc5Qu9nuCK21PnbhXaI6JYc

Score

10^/10

cybergate pknetwork discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

PKNetwork

pknetwork.no-ip.org:43594

Mutex

P4I57C123C6J3N

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Habbo.jpg
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Habbo.jpg"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Habbo.jpg"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{T6RX5JJT-0FQ4-48AA-OQ1E-LO3Q834K4IX2}\StubPath = "C:\\Windows\\system32\\WinDir\\Habbo.jpg"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{T6RX5JJT-0FQ4-48AA-OQ1E-LO3Q834K4IX2}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{T6RX5JJT-0FQ4-48AA-OQ1E-LO3Q834K4IX2}\StubPath = "C:\\Windows\\system32\\WinDir\\Habbo.jpg Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{T6RX5JJT-0FQ4-48AA-OQ1E-LO3Q834K4IX2}	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe

Loads dropped DLL 4 IoCs

pid	Process
4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwzDuTibLtvQsxLIqEddFNaCVBZqRqCvOxUEPVRctIQRbytXYF = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe"	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Habbo.jpg"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Habbo.jpg"	vbc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinDir\	vbc.exe
File created	C:\Windows\SysWOW64\WinDir\Habbo.jpg	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Habbo.jpg	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Habbo.jpg	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4272 set thread context of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3552-46-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3552-45-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3552-106-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2316-111-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2316-200-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3552	vbc.exe
3552	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5112	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2316	explorer.exe
Token: SeRestorePrivilege	2316	explorer.exe
Token: SeBackupPrivilege	5112	vbc.exe
Token: SeRestorePrivilege	5112	vbc.exe
Token: SeDebugPrivilege	5112	vbc.exe
Token: SeDebugPrivilege	5112	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3552	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4272	5108	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	83
PID 5108 wrote to memory of 4272	5108	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	83
PID 5108 wrote to memory of 4272	5108	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	83
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 4272 wrote to memory of 3552	4272	JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe	84
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56
PID 3552 wrote to memory of 3520	3552	vbc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\Documents\JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe
    "C:\Users\Admin\Documents\JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1624
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe.log

Filesize
319B

MD5
600936e187ce94453648a9245b2b42a5

SHA1
3349e5da3f713259244a2cbcb4a9dca777f637ed

SHA256
1493eb1dc75a64eb2eb06bc9eb2c864b78fc4a2c674108d5183ac7824013ff2d

SHA512
d41203f93ed77430dc570e82dc713f09d21942d75d1f9c3c84135421550ac2fa3845b7e46df70d2c57fe97d3a88e43c672771bb8b6433c44584c4e64646c1964

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
b71815663a4705316e6d3abd561a5359

SHA1
b59509ec0383bf7a206e251e21c8a9379d5595cb

SHA256
39f0ed94b75baa604998053efc43eb587ee5dce35ef3a71918387ddece9fae3c

SHA512
201495c02373ed8bb4253f691fb670ea8272a7f38b258f944b90c8ae852f2f1c2950c87058591c6698f8df6444833b353a228ab1ef82f17fe0f11dafda9e9c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
acd65a6a546e60bce9e3e21e53002ac1

SHA1
1c942a2304de93166850474cbd9975c4b92059ae

SHA256
9910023e8e90d749326b573a5f7b718fecf16d884b5fb64976d8453b87105629

SHA512
4450548cea2a409962bb40d5bb343446d1e1c9c6bbc1a3b8ec0b7e228e69057ed8b725ac5d6ee1a4cb29e3c5a53190a3ba253080b699e1e2f3c1f56f04b63b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9b65a9a66a8510defaa18a16b7cf0799

SHA1
1ed6ec32d6ff4e5a5109471f26e0ada13f5890d3

SHA256
5e358855d5661defc56d0290332d8834ec1ef4cbde11a0f72a85daa1beafbefc

SHA512
ce8430e5492824e1d195016989d141a783bdc8887a46acc812bc24200cb34e4a2abad52dd38316aefb6c95cd13852496fdffd3f885e15451c62ecebf3db475fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ec6a6d940f1c2ed35219d9013f323c9

SHA1
dbd3e60883824c8c63e47cd520c785bc45b81bc8

SHA256
b3866d3c54bc50ea34159cb0e6775ed6a98b1a74bd3acc94e9ec27c9f6ccd4cf

SHA512
0b8864395d137e391c3ca8984a964889a373e455f3c4b94007b6e9faa4c6318a4fc882fad600ad8f816b1ce8bc3a33ad5d334218f89a221b77ceb1cfeb5ed986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1fc6248d11c4d0bb4f669d9208491325

SHA1
71e6c9f7c07f9b7e639c806f64608d88d1b56608

SHA256
7366795b363ec19596dd3b478b291250432036791fd1c105c8d58ea482bfbeb9

SHA512
e825857266ff584295f07892e48da237e4e655f18298441cd2d17a62ff6b3f35113694a57e46cf619857f9a0f69b82377a5e3cb779df2bd314a3aca63375d9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b38f8506c5138641af430194e70bf1bb

SHA1
33de96f8b29376c6c6579d4feba5a59be3643f66

SHA256
ad1d90e6a2497ffa38c5f121fd4255d7ffb5ad3fc489d68a7838fa7674f5a832

SHA512
c9aa9aa3986f4db7ca0fc1fdcf80b11b5eeb4a48dddfead8455096a5e130d4192eb0947f5a93e7171a666ffde1b0c7e26f8eaba3e6fff6de909ecc8343f97bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
60a0d6fb1dacd06da08c8be0bca428d3

SHA1
a8e315bd48e46f912e0cdeec846ec68a08d2a2ed

SHA256
6b996383185c03a1dd56c83919e99cd45f05b2b3b0052a2e4a87ea2330be0eb1

SHA512
6758863c7a5f61f7c4aaeb09bee982fc024b862028774aa7bd09d3eef7d0e28eefd5e118469913f4be171a849e9be4a0ef65a19da08b5b90b1894b6893e01946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
109b0e054e4238befb73bdba31fca61e

SHA1
59d7ab38567e574e8c5cc33f9a3f405c4e7ca977

SHA256
bc1943f1fb8580f54ce19c9985b6156b388289d67845a708544265bc190f0714

SHA512
a543f0c485cc5b645f7515c2947cddb4d7fb89b790e3b786cc0ec09cf6bde1d27793d10580c9221fee7cde83df8dc3d4b645d5c05fe89357e073ef0f6757fa25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
501cf6ab995af997f041d6059d31f39d

SHA1
43b6261f49c2099373497a9f132a2173ba2c3b47

SHA256
41afa05abc62f5d943bd625a4a7d7d59e4a6f01e83cab167b9769ec7fd2777b4

SHA512
81e9ab543d4b297f65b3f833f330baecb524fcba544baec8aa4d5d446d18abc846697f17aba3ae76ef10ac9fb767464459059e906b93b46265586778fa6da994

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3033d8d5498d44c6d23245f2b8b84fb5

SHA1
48e4cc9d04d534bc732feb639d380545144a2257

SHA256
19ed14c0e9e57904014eb958b5bf2c096ed1a15a086c7559e2ebd320fd253491

SHA512
50ac8c84402c20a442a756cf2a43fc0a1acf8d9952563435ef2908cb04051eb4e9f16425e49393d19371edb9876bd230672524762f1b6276920d37ee3ff18530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7ef41a669c11ab3e17edd103257c0aa1

SHA1
45f77ecd8ba717fe5498917db8ef620c7db03ab4

SHA256
5e3a63fdda0df134dc5f726ed2a3dedb60f9932c3477fa590b5cafa4bc94e08b

SHA512
a10dd4071ccd1002f82dfafea90b4045e650ea63edc5a6b225b32f3be1cbd4946e4a681a7d8aff8289833f68e7116ea446e6fa495459e4adf538efe1d028558e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5d5927d36fdf557bc4b18cc10d514b86

SHA1
32d8da98eaa35f0480903257e8ebcb39b6180a0e

SHA256
7bbc861bfc90bc3d5803b39e7684c336f1c2e9315374582ce65580c0db33cb52

SHA512
faa79a415832e0c3ab4e0dde9f99c8db518bc584988b7290d1c09116739e9c15f5782e70d5937ec29f1946f8c926dd97be6d0773d8f75ff712993345ef9b3222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c7dfc242cbc9f4b75ba451a7f85652d9

SHA1
d756db2348337c6370e65371dfc2ed6240c917cd

SHA256
e7034d5a18c88254d92dfc157bcfb44306cfd9702f150cf8e481c005ca807bed

SHA512
e0e105e8f3eaec2c7452a696e3a0e7ec34acf18172ebf29785c2480f7ecd26f332c6166c43030c19919f0f8ea5a425f64510b8df6f00404fa6e71bb377b17125

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1524aac82e9b6bb71e7fed3f8afdcea3

SHA1
1f8fdf8ca660eed6be87a4d4efe20d192b502b1a

SHA256
27703c7cf772a715d1da52b2eacf73ae44c8cbb044a7bcee4efd389e799ae4e0

SHA512
7ac71c45de3fef992a4feb37da6470440ff4dc9ddbb8575b07a15748aaf65e6889e83d3f448c2be79beca55da7e5485bb94e38213035a168cfee44b5ab142810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d6c2aa071ac4fac0c98d89194040c9c0

SHA1
15adbde48926c0b031816187190dd118c8d87bc5

SHA256
23a4e3ffa1c2dab17067011b8cdb78812fd6c105d5fc30ead35401418a0580d8

SHA512
f3e9335eb7f016f15b07b9142a3bb79de7b4214a451f6b0e586b3540f3ee04dcb20dd85fd8261a72e62292c8ee859ea6d615ac9e3b107d0544b99f5e64212124

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3e71a747d0912ec89e743942940c159a

SHA1
7b5029eb237596921f38c27417e8ee1cdfed2e70

SHA256
6df651339db766cf40f6ab7a72a840a6f7b899fc53a0bfd4a360ea4531b523db

SHA512
4d46270b61b11eaa10119f8315d4da4fea9a5940f7f22dfc2f0648e833ead7d362e9bd5c4df4b3a4ea25349b32bdbdfe80f623939400c80590665064b990f465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0547b91c98179215700dd5e59429de2b

SHA1
ccfc2e08113da092a2e285f48d592cdcd52fc531

SHA256
f85c6b1ebb64179f1a656b3212a8b925a72bb9fc7d5a1d1e1a3dfdc81af17704

SHA512
2af5df741405dfa48ec14d9e094473036324930647b8249b18f717180de36c6648e8bef2f01b8953e87c9f0ea5aecc1314db265c09539b7a86907b768e963c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2ead740d57e3b4d1786400bd488b29e8

SHA1
8f32858999a46d1b551839cc9b1cd9c7b56ae524

SHA256
3fa9c79253a6b81f236913df7f2a0b9183e2f3e3350b746a644e962c5a46a923

SHA512
fa3894977ba7be19a6f242f2bf02cda259f571e88a239224b619de5f9237937f3f52038c57c3f6ec2a65bd0b2715d42f9b9c4b46d5ff9c2d0e9d5bbb7419a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fb0ec386423b9d100c984b89c7b2dce1

SHA1
a8832dddf4c24b67169845adf5c0e2c375130e84

SHA256
95281b41065ed2a62ffcd57f2cfbe4882e7b3e3de8f2b82b7fd3d3673edd18ea

SHA512
1bc6d087f0a3f0749d95947cc1a5a8391fc5a0501847adb99466de2bde2d579e8d1a06e403e22426cde3f09d2795e418d026d4d9296e87e8cd5c9fdce61b333c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0e1d5470e655467fe1061c6962aa7f78

SHA1
0ea6fbcaa1fdc9bd5e36ff38ec76d6dbf68392e8

SHA256
3c9ea71e23474b74ee57eceb2e57ec396c9383b7c83a99e9224c32ee9956b2db

SHA512
a7b63098698f0f82e19688d1b4d3cd6b72233da4358d15250c80a4d7f0680c8db47c788a48ad5c1ed5d0fb8a25cccedf244e207816521e78d5a54cf016f86492

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6aca123edd1f02539aae83c85dc448eb

SHA1
c40f9bb67506d4d1919063c42db02da25eb93ef1

SHA256
1bfad0aa3258ad501fa85bf575ab2495af97e37fecbfce739c5e6db4edeb031b

SHA512
d542e68cc47c48298389deaf7c33d3968782dc5a58257f88ea12eafa8842651baa09ca45ebc29f9a4866ff9282c8c51e61e306849a310d2b0b921991282edfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
98c9b6ca989beecfd1ce0c9029528929

SHA1
42da1d9ddb2fb86e17dce447880bc279478f0335

SHA256
a802ba2bf56a3cac862608db74f01b773ecf78e9b699cc03c7cd8c3bbde400f3

SHA512
abd2a504b563598738eb8726e9af50f3412b01bb01481536260f0315f95e9d2c909f7fd46660c3a5522c67c01c647fb506dc0e1a83911d4641d31402d2878040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
95df8a7bc99611a4f3aa7a7410a03eb6

SHA1
ca687f87637450eeeeeac7877f77cd7c4c1737b7

SHA256
db531643034b912d024f1c78affcef71d7b232b615c0ac1d27e5304439723c60

SHA512
ddf282a74152c38936cb0e2d15608b9e0e5cd18891ad17ef384690f0ecce778f9289c78ac4d01305ff4215c468ba7d2dbea6204c57e9ee97804a4a6ab73127a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f21736ca1254b049f56bfe85e33752bf

SHA1
ff38ca29d0e98dc00ffc4695670a1085cb050531

SHA256
4010c385b6d2b4eb80f55b46acc6b7bcbc0c8d197e51da42ae6d5e0fa9a7921b

SHA512
c563a3cf1386c652e77d42af43cbcc00dc9fc42da91ac9f96932f5359eb4f5796a8e2bbfcf49e29a7468b74fd27bd2bdbebbb9fedb00714bb17ab34982abfde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
997a4d2acdb822185c3906781cc6a33b

SHA1
0941dbc80e647f1383cd4a1702ff8d226c2a5961

SHA256
63776f8de4c1621cdb77848fc8026dac64ebe3742837648cf48d458a344e6efa

SHA512
9ccff6c88351072c7308f7572deb911e58c50ea6bd4de2b9ed67a6d9f077ab07b42f1ab5d92a20b2f9c8aaf15f262d0ecf250c6a4eb60f96ad86c5ea09ccbc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2ee7f0318f2137c90e750c97ada10289

SHA1
af3582d906da936030b920fefb080906acf9d0bd

SHA256
0e43f3cdbeba2f616b3b4e16877b5418e47c5391c929b377abf8a9fa26cc7553

SHA512
81ab261595da1402c22527ea9c795223a7a9734c87ebb2545b0c1bf63419db01fa8a0192bdd981247d2c143eb128970d6fac0e722c966f9b370d3a53afc6fd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
36d481aa4003f268775121c4e6cbde6e

SHA1
831c11f3a3a1a16bc89c8b9812faa2e3338958b2

SHA256
4176309928a2f80b968b09a0622a54ca2e2a053722aad611dbad48f345e77f30

SHA512
8b1c59b58f392d677708983651dc1c0749123095482625c20e4857ab81c30f1900dbdc0b13fbfb339694e025dcaeb6bc7da580776b451856dc71ff51bc167f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f138e931152c4e1f61c39dc39edc17fe

SHA1
d9d7d9e8ba58f0be6b6c0e3116df42995331471f

SHA256
640750704437fe276a7c4c277fdb188828dea4b2b7ff59c97fdd73ccc0bca986

SHA512
2356414cf7dd44892da27fc22049d5768ee594956177e21eafef5b3421eb4a171c5f42e50bbc8acb1b49a03a48ff66f286044119595a5dd1152d723b4715277e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9a953c284d71146d33889b4977ebe31f

SHA1
b042e1174f67b6cf0dd969903476816f25fceba6

SHA256
b60181d9935cd34c8cd03cf3a7ddd1d9537f8497b1c06d7a5f57d1318ad4305c

SHA512
cdd7d3c30dbd8d0d7256b29be87d6ccdb66581d9d401294f3a837a267a0890869300275b0643488f9d0d02005a6f775a08ed57c6713871d0ecd499854e218156

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c89dcda874e53e05db2412e985913510

SHA1
a8328e9192466a2a4d75940633077fb4f8730924

SHA256
7795784b4505a5788f21c8dd4bda61221a1336b2ceded4129e47f2183d2bf920

SHA512
1ccbc69ac26d00106eb15f06ea52287723aa581e65a919baf6606d5d438efc36e0308c5c16816d6892ef0fe87802272fb6ba5a07f4b7e2e5365dc3279d1724a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0476617c6235587ab1d9a74ce5db7ffa

SHA1
3e63584a3d13485e2c927690c6fcf1e8dff3faeb

SHA256
a54ae1d51a1e6d57c1ca7eb73b1b45793d44bb914957a3ebea1b75a67b18813a

SHA512
0edc41b64160502cb1345864ca11e690b4cfa74c39ac5bc58bf685ec5a495b99aee26f2a85ec50d4e197598a76ffdae5bbb2098aad8d43f4d5de844605f2682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f5183bed252c9701477e9f70a52d8c46

SHA1
64a3502bc30cad5d02f2b14aa28a0f2f7c5030ad

SHA256
6a481a0b51ba759bf2664936c540c1108cb9397f4949b0c073a7ef4adff7cae0

SHA512
bf93a215dbe0970036b4a9601c2620dea569bd64fda4d308a56b1e075c773af29046f4af6601797162c7ba06a89c733fda6dd0d925110a40a65f8471be7257a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
904605716317521b383240b58955fa19

SHA1
97e9d7ef980d269d133396b9ab51922a8808c0f8

SHA256
25538adb079ed8554053041a50ff0afd54669427ff5f4096c9c487af3d47006a

SHA512
ef65d8f3b6238d6e5bd08d56d5871705131f968a45520eb097f2e9be5c6dccbed10fa1fe902b125eb351b616325f54688983f82c02bce02a329300c5896be0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c7ad9fb68f9ee0a991cac12cb3aa4a85

SHA1
6a88332f345844f6f50d4b0df8a252d5a7361c02

SHA256
0c0493f300369875ecde6f996eb855dacd7712984f0eda4e5d44e07587d7ecb9

SHA512
7d60d6871a180088391e07f09175ccf4c8df87ea0b976a82e54208ec59b7ae9c876488afa6227c6bde886351776d4e7417b321f49adc72938036075f6da84866

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
28fc3af1fbfe717e1e49881ca72b86f0

SHA1
846b7d5cf157ff15c1d02eda74e1cdbc63de3688

SHA256
b32d475e903569e6e3cc6fa3f2a253c1f586174dc62d1a61a15483a0ab091de5

SHA512
78316dcd1aa900881b4573c46b4c1945f4db8181bb6705d000db56688904381d1eda96afcdb23920f001499ef21e2af6ae512482e535465b555e7b15c561969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9cc391cbf08a319bf12da635e1780527

SHA1
81151e1206770f728f70f64750ff25a3622cb13e

SHA256
38642499f3770cf2044324a0595af9418dc2ab33353e779476d8b490435b58d4

SHA512
51714c74dddaf142d8f8752f6a9e7274eb45540cf20c27927093080ab61b2aa7ff809819ecd3f3df77306d049c129cd3236711fdaf92293c54606d0e54abff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
42d27b88970b9def185c48b1dcfa716c

SHA1
7a396ef77accff2c8447e5e86539ca68fa40cc5f

SHA256
32dcb8a2a2762ed0b78e9dc3a670897acfb78946521079113f042ac16b8bd1b3

SHA512
2f0d97ddbe7e6f6c9ea90f5d78e566502db825ff0e3002c5ca73c9482230eacafb90e4fee177cf7d53f5d6b141b80e1322bde359ab14e09dc62d3511022d0c82

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\Documents\JaffaCakes118_b2af1ef050522671b1fc06b49e203368.exe

Filesize
444KB

MD5
b2af1ef050522671b1fc06b49e203368

SHA1
7d3819af1ebce6a39afde76ab3c02483651ad921

SHA256
4d57ba405d4a5cb79e5417dce2f8c384ab9255be860f90c6da3ecd4399b625cc

SHA512
4fe7f76c408663f42c36b1fb4d22b94be259b2bdc370d0debc35e3af4b982314129e21b569e834dfb6c97e6a520821938a54ea2dacd3222e83aa4fc7885bb68a

Download Submit
C:\Users\Admin\Documents\aclui.dll

Filesize
17KB

MD5
e99f74ae594c1b373fa0d34193dce208

SHA1
3933f949724a6702e0038295287a39c53592b11e

SHA256
1dbb3b418bd78abb49d583f2b9cea6b20fe9fece0a59c118ddf104a672e29ebd

SHA512
355a2a3955e0f50b0c41a24589b9283892689faa61aea6360a1b762f5f2f58166c579b37dc0b003e716c1dc760f1931b73faf6fa3e2b21f8571dbdf5ee37c030

Download Submit
C:\Windows\SysWOW64\WinDir\Habbo.jpg

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/2316-50-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2316-111-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2316-200-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2316-51-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/3552-37-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3552-38-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3552-41-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3552-40-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3552-46-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3552-45-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3552-181-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3552-106-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4272-42-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/4272-16-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/4272-18-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-0-0x0000000074992000-0x0000000074993000-memory.dmp

Filesize
4KB

Download
memory/5108-1-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-2-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-17-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download