cybergate | 15719cbcea92389bc979dbd679015c5c5c90b9d2c056dd66a6298eeb7820adf4

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Size

460KB
MD5

ee75c900a53c9f6fc2f20d3fcf3d7dbf
SHA1

0b6c81e3fa50f65576fd61bfa0184c0009fe7cc7
SHA256

15719cbcea92389bc979dbd679015c5c5c90b9d2c056dd66a6298eeb7820adf4
SHA512

8bd8dab60c0f71f5565148e7ad10ef8cf76c49a2439f6f781fa88431d4caea3b7417df557895eae81c9c6dbb42c81a3c4da8d03b489e16ad54db7a1beaf6136e
SSDEEP

6144:E6Mmkxv1C/EAU0tUKjLIxdIqWI7yFH5VCYhFN/BIbinx/0OyZuS4r3c/SyYPpr4f:Bav1C/EA/mjO0Z6/0LZV43ypCns

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

Cyber

testingman123.zapto.org:400

Mutex

66342XR86Q27N5

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
Java
install_file
java.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
hahaha
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Executes dropped EXE 3 IoCs

pid	Process
2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
3060	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
4108	java.exe

Loads dropped DLL 4 IoCs

pid	Process
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\Java\\java.exe"	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2816-24-0x0000000024010000-0x0000000024071000-memory.dmp	upx
behavioral2/memory/2816-28-0x0000000024080000-0x00000000240E1000-memory.dmp	upx
behavioral2/memory/2816-25-0x0000000024010000-0x0000000024071000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\java.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Program Files (x86)\Java\java.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Program Files (x86)\Java\java.exe	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
File opened for modification	C:\Program Files (x86)\Java\	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Token: SeDebugPrivilege	3060	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
Token: SeDebugPrivilege	3060	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4108	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 1316 wrote to memory of 2816	1316	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	83
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87
PID 2816 wrote to memory of 5108	2816	JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:5108
- - C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe
    "C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
  - - C:\Program Files (x86)\Java\java.exe
      "C:\Program Files (x86)\Java\java.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetProcAddress.dll

Filesize
13KB

MD5
d0c1a1acb3c657b797fce8cffc9b5f63

SHA1
005f864733bb63d5088353b19caa32dd866ecd14

SHA256
56be4e8a1c29a65357c5605086846d509c8334e98e222e9bd2c67c8f9b366a77

SHA512
dcdd37665d67e5df572c769c6ff5b9b398ba09edbb72d6760fdd9a1ad20602f458bb087cc8ebb34c1ebe197c9c0108ee9bc3f2a46de6848f163e8d414b12632a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
221KB

MD5
355ee876c7d5656b5edeca118ba2ad96

SHA1
2a6a77ebea22d63d8d4fce9c909214eeb33c5ee2

SHA256
9c3345d9b61434ce79d5639cab5da5028c67764b8f1df76d0eaff7ba765a2047

SHA512
f98342e038b9d5629d99d756847abd4a9d01b12e8663fe90418d15542f108a640add8e80704b8e647738fbf97f7f28c1a46b127b25fb86fcb3ef77e2fa237910

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77e8b406f3d2a545e1c5e4bfdf60f3fe

SHA1
21d966d1eafef9b54d182fa8531628fa97ffc61c

SHA256
97a1045e808c8b08a3d4c5a2d5c7cef926060bf12bcda4390d64a04452c39ba9

SHA512
04ecf4a094d4d583f7977bc624424def51f040977626ac5d87e3466282c08621bc58d83438e6b3bd4fbc0255d376c6b6051f88cbbe4113393ad322341c000cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
12fa6e21bd06a9c72b948f3937ed03da

SHA1
6d85224ea6674ce7ab070d21148cd19a27c370d4

SHA256
f9cc9d81fdc7f627e49f542adfea5e5d965b6feb48cf67446819450fa6f5c1b7

SHA512
0278af9ff2fd03adffd3afa1d4559c1a66aaa504ec82601ec3e4a13679efcfb470e4b92bfc59365b5278e01e18edda68c8b13f8ddffe5c4a2d15928b9b957466

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0e8fc956e5b2dd5ee935aca62e5414ef

SHA1
92587d31df830cb8595c4c55cb6efe58a6dd08bd

SHA256
6f099f3d84facbed841eee819c322b65315efd4847e115bb55004c16062913f4

SHA512
08c4f79fbb194ff5eee266903c7a7f332ed98203a1512a2c1e76703979d4a3ddd778a64d7e0f34c01568f5b43831ad904be6cd9ae2da25510d2f34053631ce1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
79608b714f15bcfaa21c3ccceeda610f

SHA1
819a46ac0d399804773b613b9e5685cdb77394c2

SHA256
51c98dd83ad30e4510a0522cda682da3f50c86315d1984a5dc632925e930b374

SHA512
af0955b821ee328cc2bbb877158063a9da8ed92a6069cfbd95c00856ab05dd8e88d41162709520312b46af608d308b17f5be15437e0d95c00a95e248f246537d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fab260324088ec4f9a253b2f5d915ff7

SHA1
b3995472af05373a1320b4b683b2d896db1ebd4a

SHA256
d94cecf3573992bbd25af1db17d7b551d752745990ac7cab197531bf49e79edd

SHA512
728bfef612da1b3c776cf0d7ac8a215482e9cdc82613d79d6a31a15219537063dba2be1c6d1da3cf3e519dacb4530557cb7ebe72dc9a5504cc24217c36c66cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8accedc301dc5e531620cf19304312d5

SHA1
4951f7d067777ef3c86c754580dded22023a4d6c

SHA256
3a809eaf0eee342d5966f91a1fb695e8e6ce77e10cf00a4e17b1111e71e47650

SHA512
bfa2ee477b1e3c793ec71b8f7e5af7d78ca6703bb01677fb2ebaa1827d94134944f816913a49ff30875a9bae3977d40392c51147ff562195e081553dc2974509

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fa96ef295fcaca1c9b6ae310b79222f2

SHA1
7019222acea47e4e189a0dc712fb2bb88fefac9a

SHA256
eb1f4283dd86589ce86cf1d879697870598947cac54d89a286e99b5422d83320

SHA512
e2c407d439aaf4ac651593d713017de623e6f8461808029dc0fc9effaddbb5cf202a3f2b522ce20392447afd6eaf9f29aeb0468184b2c4bd6e8befa172755554

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
17f7b716ecad7d08c7cc0097e6445ab1

SHA1
41cfbb6ff697c2c996164d88c3d88654edd87406

SHA256
33267f45ca6ee5e487dabd86922acd1920476578ab816fc1a623e3c07bdc24ae

SHA512
e6db5faf9ef6e88a5ef707c3bf9828162be213bf0793d968fd4115e0336c6ab71fe749cbc10657686cfce8999015b3f70df29d07b6b8821ecb3d6d24ce3e6307

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4bbbdadf4b636b449784fcc1138e1253

SHA1
ce8437211642c8ef7cd3d9161881ea42fa0f2eeb

SHA256
0b5d4c73d6caf3eb3bfc6c3c8ac77e035190aa1ea106c4eef2e81e7854352df7

SHA512
044a9e30e29e521ce508e705009b575e1155b08173c02e86affea4fdc1113d8424a00295157b30256767a86449eb53a18410bf44236fb10d8bc7c7ece978aa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c71c14fca8bc048fea16cc9dcad18201

SHA1
d77a588e650d4ba090270a4275ff21746bb56399

SHA256
afd71ca866c3d2e8277407c1d2dd892ffa89411cbe1a2e09f1b7da731eeb9525

SHA512
21d4d6130a7a363d7e74903398cb3f3ca950d34dc98d8b3c80c2e36a2c55c321b88ccca985ff28a66d0c35b15a4bf5250702d44b27b34f0e43d7c9fc35f1fbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
af28868c8afbae7cdf0d9d81fd889e47

SHA1
eb23eb8816d72c49d1b2f3d1377f0209a27a90b6

SHA256
1c3cf13bcbe6ed181d7b934f3039c4f46322970b4ebaf8f07b7d28a65c79a005

SHA512
ee09b7d4c0f175b079d6d20722016a60901627229194805ffc46a6e7b486e08435dd8bc45685c2b743b067446f0d4e5a9bbb73ef4dd852f7e7de581fd5b5771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d06b9c2306561022f46e7b501706c9ef

SHA1
f2d876805358c93a4572c2dff37fe2e532056600

SHA256
cc5389b94f9e823ab2ff275645665031eb0520f7126d3ae88a2de737d19b441b

SHA512
4a8a9e3c2ba63bc13c249be059392731dbb00b5734da21fb4b2c31e78bd14fbe19c656f59f227216233484aa24182ce7fdfb985052a6cf38d13d73136735ade3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b24cb4beed1f28ac591c4639bae42291

SHA1
566082e1ae8e112f1626a9fd3eb5db729441437d

SHA256
f03ff057abbd5be393c4117f56d47727be1c818506dfa2d7c3be8e4f6540d8a3

SHA512
ca368af5ae64f705449f9c4dac0c57d659af42fc78059e36a05514dacc88f484844322ab8bd5d43afd6dbcb0a6b82ecc66034bb7a34a865827dfea5a8cb5c4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
138bf2162810804e85d2aad2acaed216

SHA1
5e3b781f9a9f5d0bc74b34fbf35db033a73dca9d

SHA256
89fa2885a27fb7308ce8d7be9e14e912b2099bc7e4aa98a47af5dbb194ff5ed0

SHA512
9e190e1c218240ae0ea0efe2b0bbb285f89608ccf0de4d8820a08bcb961d44589aa034c2a3458d107c32882fec173fa6e215265e3148657a102738f71e9ca45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
63e196b02aba612b8702d14fe8dffdb4

SHA1
8f949d99794437e55a0cca9e94dec357403bc02a

SHA256
21bea2ed8d3875ea85141502d95174c10d5e4930358142fc7cb9e8d7f0aaed6a

SHA512
b141e4e118764d7246bbae0924beeed01da24a59488cebe203947d28390a9520173523aed5fc3738654fcb23704c31229832fa42a9a99e483deaafb83004a2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c25bcbd24fc8822ea7b52990969b15b9

SHA1
2f56e61fe6b215c989c659b54d3ade0409d0da25

SHA256
2801e3f44f4719575ba685ecaac8040d18d4b82f044b10cf33189ec196f16b89

SHA512
8c3e8fc0aa798acecf2b8c4bea884092f09ce2284d0bc803f8722f311e4f08ba3f249a95aa75615662e8c322325503cc14b8a115a3fa5c68d2c4be00acf0ee5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
52f5051b45098d419c3f2f3ae296c7fd

SHA1
8645c41c5596b01a4d18dd12915b7920f18e55cb

SHA256
b122527da6324d3d8e328e36b6a19f6070a87b8c6607635fe72b3168454c3c64

SHA512
b839ffa9bd0f121131e77801ad91efada519afbecce10646cb3b26e7a510717826636ae55ab6ae57db52ec787e49e645827c28d69add11b7138ba4b0ffb792f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e883727d5feada1b91fce3f333d7cfeb

SHA1
59da19cab461fb592fea9e6f25d9e7d5dcfc5089

SHA256
7c982336e72819b68d9b2c26ba4885f8a7118b396d6adba43578c76a81f58a07

SHA512
8bd846b2c4cb86c86a2cbb552d2c00ffc48b469b266c69cb7ca93dae7e2585ffbb6b66a93a7dea1ea43e94238555b2f2409ab2cad9517c88f8522d6e0f65d2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c24c43f6a0908b16be0540fb8bbd175

SHA1
ef831f449ace82c36b8edd61b856227b934c8389

SHA256
a151de0681257f36e8e950ab334f2d581659f20f4d9112477221e7a82722a384

SHA512
b4bc40e1d943ca64227658272db63c603f242362fda45d7dadd1afe3a40060dd0fec3c9befd9bceeb62038ca54fb0e6e3629f8a6a6c157b5324a3a9d90415f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a975a1edb46958c6fa0f96fe5d40792f

SHA1
a14c757e3c1e094c99a1a38317edc808635a4116

SHA256
b329b388e848075562b71b02a412def7f85055a0f7f800647b8cc761ca028221

SHA512
482e9753310980e52312a03f019e1ff674aa0608dac94d3549d2676c3186ecc009c49d78adf58ceb020de9838d141b6b04e87c0ac24be1167155179ef9feeba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a6a571ed887a6be0f238ea8893a8d8d

SHA1
1808c6e626751dfaeee55543c5bab17b79c9dfeb

SHA256
0d9c9dee25436cfe7ac17c1eba8e27d7de941fdcf046961fdbfc3d867ca2aaa3

SHA512
5e63169d8d2adbf4813a828811188d3144f7093d1dd47bdab1174f5d698ce1942d346ca1275737a396d31e299ea82021f8e5a02cbfb5d3b0e656939162d37eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5ab46f0692cd5623f334f6e385f6aa7b

SHA1
46f6c70580e7e263a102731acf734da3b4136184

SHA256
94c1ae1248592209dc25636fdc83d0e7f6fab99181165a08bac3455778c4659e

SHA512
dbabaddaf6fa639116f39b743334a793eb2b704de28803946a149024cae0dca0179041fea1f20d5c60f4bea57534add4578e27d57d22edf0cb830da1fab43111

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dc19155de3244be2fb5bc1e77ba6f286

SHA1
2589e9fc9fb2e12677b53af857e950ed90e0687a

SHA256
43013cc081ea85f0886753e2f8609a228be196db6ab2cb56537e071e87dd7aec

SHA512
f4e06b770941652fa0d6345e874ab2ad6666c05d572e3fe52b3a3217c8466ed2e5178917c16bbdbb845f208eb0e130a5317e92f3ce180f21b401f98712cf0f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9b786bafcbe3c44e2bfc517877d794db

SHA1
817933ef563da34676cf444a683f691a0b338dbe

SHA256
91702f57a058f93828dffdccec94f0143400cd0c705a89b511f437e93703df19

SHA512
9ee21b7d587276f7ef48cac68db3da34043437e4fe319f40ff8c01dd743cf3eed77974054d86719a5656ee7812e520904f7232e1f3d46a9b744835889901bb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
de0ea1a9dd53b40e2e58e305e8f8eec9

SHA1
65d90226ad9f690acf5380d38cf623c94a4e7e93

SHA256
6661cded19a5065ed9803444fb2c59812dc8adf50c9f2a9b04a7d111dba08e7a

SHA512
576e32a8b373adf608c08698aeb42dd880abfeb8ab7398365c62d0dd73fe2845f437a7cc56bdcfead448694738d3b8b780773cbe41b476396091bb006eb66b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
364d515378491b8a6ee69f3b2305ad8f

SHA1
42321a176c5c561c197ba1cdc6ea04a634650cd5

SHA256
4770dc1959ed903b9cb1431fad6682e8d46f56d22b744e76c54ada9d12e74a7c

SHA512
de8392f98db79365e4b8c69778def3b0d95db7cd1f652f4b8ffdb76363a802f14efcd2c3ef216e8bebb6808812aa3de8dc4fe3fbfab08597de72caf27c5409f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
044810bf16ada628dfa93d8000cfaae6

SHA1
01e7dfea8a92a5d2650e41d0c66d281078c325d8

SHA256
a97a0642607c6783783bd22741d06096de14c0b2e1758c5da0dacd68ddcb2c85

SHA512
7bce45aa86e748174c0d15e8c546c25cdaa4df3cb3c2ae7e64f7f9b5b41b5906c56ec4b53335305d5fea8029872a0e34efa3c3f8c5db4a79f5c372b993acbf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1e9017acbd4be426ec0d05f76d5b3130

SHA1
f886b00f194e3c53ff0e7e047ce4fa7f04430d66

SHA256
41f1691075770cdc8e0a60b1f8c4768d1d19e4be640494a8ef9384a349fadb1b

SHA512
e25dd90b2ef0a9b0182e072eb3c2e0a9ad0a81d4150de363b8c98e142c53a0de34a27591264fba86919a97a97d1b8575eeb42af9a807f0ae12c466d61d483217

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8548260e548fc40102860c1393f6ee85

SHA1
b1a8074e2442e519bbbcf2121f90d4209d08af39

SHA256
a9826b9a9ee3205fb36f93420a41b0b1aa7b9109e46eb78c3bb3897bd6695c35

SHA512
ef6fef86399ac8ffa1c78533c44b641bb2ee9331cd82be622453f04f66be49e587b8baa86190d9f4f41452bb70350241e89ccb9a121f40f6093441a4b203e880

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
94774c66fdb180bf074c797e9d16cae9

SHA1
af98dd0916c98879c5ba7a9b4e6f71b03a4953b2

SHA256
2f294779e2ed6ab8270b62b52ebae42d29fe857abe2d3cf74cac79a50e5597d1

SHA512
162bcdf52cdb0ba00a0633a1947194d1694d324f7836f32bfb505cc29dc96cf6a585e2e52b6b1416b1484981d6a13891bd83515650ed9acc6a5f4adcec38c1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
99860df257e99965673ddf9c89f0d197

SHA1
cc4da0fcbcb68a7054bd6d39f8af64d125dc62c3

SHA256
a7f836912f8aaa8b95677dce81d41709d64fa393e7bd7c3754c6a761c6205913

SHA512
bba58aa9454e4f0e2eb7147e35baba8d344e5f11a68dbbba5da0353a863850db281a14bffc518f08257ee3609d1a04daa6d763b0435063d24fa6dc3db9eb71bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e8c311f1798eda86ab6e8a5525d1a0b5

SHA1
aaeac4b6e80a8e8c59752fb99c3c893ce49f6e6a

SHA256
bfd65f11f14eb057bb6b345cba7e1c4764250baa049db5e89dd9d057b54a470b

SHA512
5d9e9616648f7b78d7324b2f9acbc81412b16518c5021f5d7c67c66fee15e8a52cf3c7146dcd774a8844268fa0fa2eb26d878142e752348d4de85d5e8d447452

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
290847f2949fceb360789dbc4f4b6e9b

SHA1
16d6de005ddb7b2a98fa0d971e251dd6e68bf76c

SHA256
18ccc8884001c304babdb4fb95e7de7bfcad7168807fed142409efb3263774ae

SHA512
82f20841b0fb9203b210004f2dd88a2ab49496a8d1786177822060fdf49be2e1e69758e5412dcb20061ed055cb58f70d4d8c10c2dcd3ab00ecc1911f2afd0fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4a6aade72ff689437fa4b90895011726

SHA1
6498d4c7b36064c3cd4a7775a10b7602dacd54c1

SHA256
a4d574943f2082e1d344df1b15d0e11ee54554a53d9a8a1c21bbae7b666ce351

SHA512
31537535e95be4df5a004cf851c14cb81b5dc655135de2abcac555284ae7fc06c7d2044f9a7eda5522d5bae3966c403ffa73ab7dfc02bedca756db3beff7fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4bcc78d714217321488c5e8e42ffcf20

SHA1
27adff38d8601b790fa7c9701a6cc750fdc36a95

SHA256
52568c128e72f5b879e4a3f08052a5e9876b1316a1230d715e7c7ae5be5e7b9a

SHA512
1e9ff76ce74fdf6967d7d6b650838f3b28d3bd5bff1c5fd5c78be8cf0659c35264cf9182bfead99a2884a5f97e8903ab057bb6c3d8028426ea85c57dc3e0ed6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
10a529287bbf5cf0ab0148de47185fe1

SHA1
976972c267e9ce1c58398b386ecfad415218322f

SHA256
e9553965bb3bb24bc22ca0a22211e47aeaee94a99ace7b3be87ba0f663291458

SHA512
d2a54626cc82ec5a625095a029edc56984bd270cafa7e2701eead1aad9348129d8cef72eb1ada6d9028669938de4421700bb650108677f1454822d924a538b25

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_ee75c900a53c9f6fc2f20d3fcf3d7dbf.exe

Filesize
16KB

MD5
fc22d7b35bedf3c3e772f34e8adf3065

SHA1
2c7bb20b5801ad806fd9c71a46984e8d39a9e22e

SHA256
811d3f67e5086db6a77a37df881d6199c5a601848c87713f41eed373738010aa

SHA512
85dc6e7147968f843540af667f7ccdf815d0b192a1670879cccc74a6fbc3a3e5f32724267b455f0688f912528c1296a8d79ce357645401783478b043ad4e826d

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1316-71-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1316-93-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/1316-0-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/1316-2-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1316-1-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/1316-119-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/2816-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2816-28-0x0000000024080000-0x00000000240E1000-memory.dmp

Filesize
388KB

Download
memory/2816-25-0x0000000024010000-0x0000000024071000-memory.dmp

Filesize
388KB

Download
memory/2816-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2816-20-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2816-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2816-96-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2816-24-0x0000000024010000-0x0000000024071000-memory.dmp

Filesize
388KB

Download
memory/3060-46-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3060-29-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3060-30-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download