cybergate | 69cc9738a57b4b140c699f87a3b5b796ca416a43564a66d9508e1b997d306fe5

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
Size

384KB
MD5

6091eb39413879761629682bf0ebb73d
SHA1

34ce2414b712963b76a6c2e48f0b570a5b54cbce
SHA256

69cc9738a57b4b140c699f87a3b5b796ca416a43564a66d9508e1b997d306fe5
SHA512

f0cca6901b54aeddb0b41013ab0d591acf60dca19a2ed9de7300badbbe6caadba1b1ede0ab5bea94a6040bf6d771eb954406f22c2230b10aaa355c89af28e924
SSDEEP

6144:/aEbTgoTZyxqg9ndExh72oklBUIkwgkFU48/qF9FLAe8dRPdD7lLQT58vHnoeWPe:rzpGC3klBUIQ48m7LAe89lQlWnoeme

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

hackerpool.no-ip.biz:81

Mutex

56AMB166SEB28F

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V2K64IM1-ORI1-228K-E2G7-AV477V1OKQ55}	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V2K64IM1-ORI1-228K-E2G7-AV477V1OKQ55}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V2K64IM1-ORI1-228K-E2G7-AV477V1OKQ55}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V2K64IM1-ORI1-228K-E2G7-AV477V1OKQ55}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Executes dropped EXE 3 IoCs

pid	Process
2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
4936	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
2448	Svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe"	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe"	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2352-33-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2352-37-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1944-103-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1944-202-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1652	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4936	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
Token: SeBackupPrivilege	1944	explorer.exe
Token: SeRestorePrivilege	1944	explorer.exe
Token: SeBackupPrivilege	4936	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Token: SeRestorePrivilege	4936	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Token: SeDebugPrivilege	4936	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
Token: SeDebugPrivilege	4936	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	Svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 1960 wrote to memory of 2352	1960	JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe	89
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55
PID 2352 wrote to memory of 3396	2352	JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6091eb39413879761629682bf0ebb73d.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Roaming\JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
    C:\Users\Admin\AppData\Roaming\JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2812
  - - C:\Users\Admin\AppData\Roaming\JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe
      "C:\Users\Admin\AppData\Roaming\JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4936
    - - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\system32\WinDir\Svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DNS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4944
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /flushdnsipconfig/releaseipconfig/renew
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
cbc38744eb82d9b5a3dc347973eb6e02

SHA1
f998c79cf25142df4e01dec5ac54e7fb91852b3e

SHA256
bf008b6aa09c2ae1a0cc8476affcf4cd12f6db3909edbbd2ce0a62698721e3c3

SHA512
fcb40400acd0168bfc0c8097be03cfe3362fa1a1e86b96d53bca3c42c9cb4fee0b0a585d1732da59d0a4eecd1b8c21ad0c5a9b2955342e10a2d8f22c1ac5e0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d096e4868b6f35c58ba1034fdb675ff7

SHA1
e3a14eebdc599a734c1746cc753cf46216468b9f

SHA256
bb086c8885c1efe0ef1df0ce112751ea7329a55271ade4ba6203f054985955ac

SHA512
7992617208fee906b89955df827ddddc64260b274fb7322c01ad7d547c295d41ab39487e4ed2c19a855f0c6c98c85b362e34a7b1769555031f506f07d89985fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2b98613718d9aaa9032113d3de67a8c8

SHA1
eb55c0025132888c42e311931ef824423311983d

SHA256
c085f6d733b7c7c49c92953608fc24ddab06f44f2a96e07ec0db983bb3b1607e

SHA512
e7c631ea49e8b5ec6c3b37553051d1d0c1399398ded5199e83b9790427bb7981023c612a40b48f3bc4c64567fb4e0c4977b92be77cc56f7740dbcd03d1d035c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
11fc6a1b008a1a107bdc16d28bf14ead

SHA1
9f9333f489becc7bd6ac436becee91469fcb25b4

SHA256
b37638b40583eb05f7e521e592797a74785a1e8ee74a804b5ab80b90eb6e79a0

SHA512
b1b5aea8a8e446e255089d6b4027a90f1626806d438e4f3e8463497fa02adb9bdb1ebea5c9ba1349a0f4b35fa973c3aa0799b6144a186a06bf1ffa0d810f4a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fc996743dbf4c5dbba1816c855269674

SHA1
a0461b02682262717d335d0320746845fc054cc5

SHA256
9616ab74714a0929eca8a6e355389ba4bb91611d4b73507ca93964e8e3fde84a

SHA512
0e1a629838c80ac38bda445dd06cb50dadbf8d45e8892038a1cddbafc4db5200b3f243e2dae4163d78d4d5afdde0d9cf5f0b347ffbc9e113acfc15a5a3522bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2940ee4385c4320a516fe349ca6ddd76

SHA1
ed9bdaa96cf18069b036ec101ba7cf77ac01e64d

SHA256
7342e00d0f321972d270dd6af4598328715a5710b616a5fe3e7e40d089d5d42a

SHA512
c03d586a5a6b72b59920057dd034576db2f7708190f57cb4b062d43f25b1c8fc74a04fa15f526c6411c3fda65e70dd7cde3a6b2f5b72eb43c332f3ce435f8a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3277a3181b5e57846cc341d9a9c15848

SHA1
e68f9d88f1a1ac66afc69dc5779edaa5651fc67a

SHA256
0752a5fbaf1f4f2e9ccfface5a8e99058f4a3696fc4167b5bd29915cf7daae0c

SHA512
b0e9f2a88dcc772762fa2edff87bdc786c4cd376b3b324a6adb1529a5d4a7b663543e631445a8814a4ddffd66b03a5bb414010963337af7cc1c158b260a8b6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8034640b7fc72d399df34e871fba1427

SHA1
339440e986254a1ae210bac1c36a7cc7f84eb0e3

SHA256
6ebb36967b12bceae216e2559af15d2b947c3177272584cc8e6771c38e1df253

SHA512
7f701bc934d64451cd0e7f48f5c242bd31a00f454f191e79e436fba5519913dd5191415f349c909e7677d9c8a5049a4ea12e28e20e31b639a606c9ce7077ed7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4c71c8e31c464167a9e8c2411c295315

SHA1
2d9e3e6c235abc9418613b1af789c0bb050cfe60

SHA256
7dc16b6bd45ecbdf667b7b27ed04584835193207579a5f3fcb5fbe2a4464cef7

SHA512
a0de18704b6d89c2858be9af76db8b399e21bfec5d6b5c3608c7ada0c60ea63bbc9ca53d646e78fd177f71c7edfbf45348361b8ca68a7ae6fa7f35095caa31bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f41f3f85d577eaae299e0b05b6b37bb2

SHA1
7eafee008693d072c562c5433149a1366ff6dc92

SHA256
586827fa4e604401e978e87623742068d5bd58c573b2de99dd1e7281aa0fd104

SHA512
424930cb4e93a18195c4a7080c4ac44e1161fe7a197d986bd01dcb51238ab41cfa1a6793aba6a636dbca8febcd23a2f0913e65131155bcdcb143668959f88252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c013479395649e0602349c222a488f6d

SHA1
7b1833cf7b2cb8067198dd88edb4c30b44c1c574

SHA256
985a87f315d99bc75ec27ba1bff89b98184fcee5db1cb94ce3153c9a92b99bca

SHA512
5d768dca448cbcc1125381f6f156eed806ddcfc851ea73c9a12e3b7f0688c0848ec8cd3695c33bb6e153c3b8c7e26ad1d0a249a02181ca815eb099c9c70b9a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
efd7b40f1a4a0e44bd5e37e352e790ff

SHA1
7b94fb1d0f8a2de47bba47a6f99917c2ae7efab4

SHA256
c733d945b732dca5cfa34f9f32251878e6de434cf7135966df52910487f566d7

SHA512
1ed737c0585912edd223312a220051543bde2fedc542d688c65e53fda5e4f3f0ea48cdfce01ab885011e9030e05f25a40e7c732d443d43bcfdc8f4bf5ec6aed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8c95804c9c8a1096cda641bc25b55e04

SHA1
b72141570056e35315e994745d460bf0eb5f83b5

SHA256
90632ee3d4e03ae690442cf24855d2745c32fbef2e32410bc372b801fb1d93aa

SHA512
6d4d792acef5141d085c81cf17a8a6cd0946f4cc90f171be976e920eb684da0fd4737d7f5fbe7650f3994e2fb248b3ff20046db659b5ac38e70deec99b1ebfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f64eeec4fe613b59bcaf3ae2d4d2bf00

SHA1
6760d3d8d7cfec7b92de10a3dc908196ae4c6b5b

SHA256
780d4dfeb867f1909fd6215c4e35d13acef448aa7de4812c5cc0064f3918828e

SHA512
0f7404de8a25d2401357fdc602d64c872f5cf21056064c1dc45b9fabde6248449a772f237de905a7977d669f4364f17fe1bde9c84aed111bd77eeaf13d22579a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4f48d4221d76695f1d7c46d2287625ca

SHA1
608e7a8bf2cb32e293f0df66de7140e0c6fa3d8f

SHA256
9b06876947d44c40251471ec1c1a90fc632fe43f9f683db58d278bc79f323686

SHA512
1de01baffbeb4096f8566dd2ef8d2a6b88bef1c3416bf7e4a1f312e5a8915ada0e6fdd7430271bbb3d5689066806be729e5d9d3b94f311a3b03052fddc231e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
81f80e062cec12a5a0aee97f1041ddeb

SHA1
dcbb4e73524459b945cbe4c4324171ca29c82eb2

SHA256
ce2742cec93229710f8adfda667be9f8d6098d0ea036e99ac9ec28b4b32371a1

SHA512
55a02504dcbad9f38ca04c5a12af6220aad362eb13e649adfe8454821c35d6014e9171c327b7cff2334933ff450583f7ff2a483709ff870b2495273547beb797

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d56e4d4b8b992be78fd26e94192d6d7f

SHA1
7811f6d3fbbf9d7b87711bbe38babab301fcda5d

SHA256
cdd2213426d44f75f6cf5208a483614ad0319f40acb9affff77a6b30082ca386

SHA512
a474f487eb3d977cefa699b992a216513898ad43c03ccb271f57833b212931d648dc1d495ac90b8b3cc448cbe9a44a5bf3e3d0475ae2238a5e3fb51b366615a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e1119537e7283ed03d35e697440df2bf

SHA1
67e218deb814e68572299eae781056b3c995a71a

SHA256
4d45dbbb2d3ae0f3ba11b2367db374b09a4e66479b5707be603cf8b6a1ba4bdd

SHA512
2481ffbcedaf4421238a94752b7a05722e38a9ee9b5d2da409698f0755d4590d6890de6463abb8c6de97a60fbfe803294f7df657f5a1a8ec4bf992826149daf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1c84e15ea96d2beaf5330769ee01219f

SHA1
a76f913afef55561d40490a39f90f17965b56a38

SHA256
da42b437eb28b14b6a8ef021f841b01b15a9fb94d729ec8a71dad11c5c0801dc

SHA512
bf417c3ac17da087ab91d57d1bbd3983288627c9bb49f5c41f093d992fae8c29e33d63d775e8b9f9e6bae8435219f67793150fbec3c8c19cf9992bb1c93b05a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7d711f0cb49baf67f228f5b60a7d7e0a

SHA1
22b5c71e09e1d5d61921aae328914373b7762d8d

SHA256
fec8d5688709e48b2f9817ca529e3000f45cc33675f1e487662e7c36871633bb

SHA512
08403320e055b5933075b6fb21af78dfb5ee3e927ebbfb9b045373895ec42ee9f223ed4620290f181597d92f8fbb4a86bd7345c84e58840ee60184ae0acc9d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
90baa750e667ada7a313e6d6141d6331

SHA1
97cd190e4aef888ad5feebc818f335e6cf89351a

SHA256
65ec801f12ca1938934385b0ab7bb270fab81ca11744121e0a6f4ec09616d827

SHA512
658139a92cf21321f77923830f32f649db05920f276d254dfbb47be00cdc814b2176fc9a5f30b29e96973751149a8e90097bbc94c3fc283ee467d7c515efdaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
591a1f9a0f7b6a0cd9fea12bc6e5a88d

SHA1
df646af32a5f0a230050ef9e5b01707d3f76bd38

SHA256
e874d6a0536a0253d611f390b3e8a77091f1c8c81c4afd640cc9ac2343ed7391

SHA512
b32d287eff9c64ae3ee8cfd2fd14ec829fa7fbd6e35c99b67fbafbf07b9a5bae3c1c95e240654a396ddcaee804655c666c75222506790bd0600141893a9da764

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6a7955205a97b54d4ba3c34d8c887d3b

SHA1
90573c23f45526305a9b611d7c7d0438941182bb

SHA256
436aa450c28762be67db3bbc60f5ecaf3b215a8f141665bac9c1a8f06de37e41

SHA512
270189212892ccd9d9685a188390f8b9b8f527d47726a20148533f5fd57d7e982abbf0b1b98f89f6283b06621520dcf0a84ca430fe34ed68a3efe8fed2cb35d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4ac5168ad6393301eec74a12d8006cbc

SHA1
013248a98cec536be9667a69b05ce15e857a608b

SHA256
3c052d26b9b51aca555d2c08b410f2c6d6bf14c278281e1f29d5d637cd4d6f39

SHA512
8df037eb98475d63abeeafbecbeca859f8833e9ef5c72237837f0b22dab3d5edbe75840651ee2dfeaf6e6bf6737576f4f573722f0fb67a5a2c1df5510519f518

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3593b8d544891a8bf96c508c5c1bc001

SHA1
0ad5b4a63c768594d050f3517833a6b3b7614f67

SHA256
51a0f8587f371de6be7adf55ddd7213d3e13a6a1ac6886ea574da004d7df325d

SHA512
9c72749bbc04250f62e0e570844f94447abb4035f3fbddac8bcbe493a1453ac638d7bfcd3c562c0b83ff0b5c28c4e7badf296c53b4fbba8d766016b1098811bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6886227e8ee840cb9b0c4d834dbf2ac3

SHA1
6ca5ab14d0c2afaef92db3a82707e91df777050e

SHA256
d77e48d74fc2b4022821558362bb8a684adfa67f0bfc8a4a501b03be7f50a13e

SHA512
78a17629593e0b42ab54068a062454319b185291aabf1fa8921984284fdcaa3afd3e216afd7a3113f62d4646b0c88e2518d1ffedb0d0ba325c3bc4945227c6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c93a19978ab7cea5bc6a23243c7a831

SHA1
4532ec54df22c1518849166d06d5960f53510377

SHA256
a2e5f74d0ab349f03a8fa4d2dcd7d9f7c1439ca3fa26022e130e0c0bc5c1d524

SHA512
36112b4d24150c6a837b1df7883fa5a72eeae4a7460690417bc194eb4db61d310cc12a4d0894630c050457637e0f4c5f424c68ac8f05c48809c5df70278383f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0ea01d08aa496cfcdd1389058b0860e3

SHA1
040f74fd9e090d89f55147329ae90fd931518817

SHA256
603be80cff66d6df85563d869e709cac0c8c57f08f08bf0d82386fee2b229f60

SHA512
3a18e2a6c6318ef464690ea2f7c64c380eb5a447805c0582b80052b3c2322c668aa2b2d46eeee7056c075e9449f55552d067a8f88d80f9d696095470d0eb7f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1c38246c3d49f379d8dfb8d334064e57

SHA1
dd1365b8cdc1377e0712cec065cdc2a53f0efa87

SHA256
560af2d9dc3d2f8250187155fcc63354406c00bcdc381716818ec4b30cb71aed

SHA512
41003209a3b0993107ddd8aa38f5cc0c7a04c2844d96e82633ab145dd4734a38540779b16035d900937c739dabf8aa9f71543b7cc6b98b73b151ee2fe7aeb11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9681237b27bb2d5935ab076afbe0ea25

SHA1
737f58fd8bea3db1e3a14e68b86c06f7e2018cf5

SHA256
d1fc95f212bc94b0fdd1e6fe0ee545c27f58b81755c25eb435c50884cc66923d

SHA512
7a7604c9a575890b32d7bcb426235d737a9ccd2971d63fc4e0a11c9d1ab04f372348871eb0219f6c94743c89fa9a1a3e3f4dc170e6d1856d378de64f3f04ddb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
684091f4ef5c9f44c2623d01f4c9281d

SHA1
9e9b3c6ae631c3a27a1b204996906c5788145f2e

SHA256
f132b4a48d8b02e3edba32bc011a551a14b477d90519a5d8a24b6f72ece831ee

SHA512
b11d9b9c3d25aa98d24a4b96a37d667877f6bc663b554a776d3ba6567eb481e14062faaad2add3ef82a027ae5ca56fa2401f6a8049c31ad6386d5fbb859160aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b5328c8a1db4cf7f1ed259a7b97f2018

SHA1
2e1a5d8c7fd83171fbc306b587c057abbb5c48d0

SHA256
610b15a171970403f2e797588907276ccb7fc4cd0d847425ff1beec2dd9190d2

SHA512
7b21d5d72f9ab8747f5c0a3d2077a3e0439915f9bde8066e3f3f3fad2506095407032439659491ac0af8ff4a805cf5d911300ac638ba1c7fbc3e1874334fbead

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ec9ccc5f3a23e0a67d3aa9d947ac1c9f

SHA1
2394635e09cc4af00f5f1c3547ea2c150e5470d3

SHA256
325fa13511ca2d3903d935afae2be6964417e0fc4cfe03eb3a8a9cdc627c2cce

SHA512
814883f59e54b14ddcda634b19545d2feb4273efe7f622eb7bc009141d889092aeff1cd5c4a2633ce4e781d2d0755cdc08aa85db221a9c4c96c10ca6476ec825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0f58b7f5f14c9e083a7924b2f8ee8fdc

SHA1
f2e76da98d1e5e89404433db867ad4a678581bd1

SHA256
67b57483d8c2405c02fdff7f1d3a38b6bcc045978504d9467b73d8664c0997cb

SHA512
43ac088fc7b3f096f0e108d45b6aab1d02d5baaf7cda75eddbdcb20c19710c450e44b33c1d36afe50ad42a52d8abc663f1ea76195eb7ef21200caca814283a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a4e55dfeac302dc459f74f47bdcf8e51

SHA1
8889bbe58d8d6b6138c2ec1405b1aa8654c3aa70

SHA256
4792c92ca923aaf83ff605dec99d9456f669800b32728de543b76dde4f71f4ec

SHA512
bf2ef3eaf64dbdf01dc4818b730230b8096af542d17dc11a2a50e4844776c9282712506f0d900bc2de82c1ad4fe89adfb21f6371924d6d4b607266940600ca11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
97f7766231315f1d78599f53e28af24c

SHA1
a188348049d0fc0b29b53e91e3c9476c112c216d

SHA256
41332b5d1e5fab8045a4f86648adaf503d462dfe3fa4c0427e6960d56f0b20ab

SHA512
020d9e5a2642f04662212c7ab5a532ec650739c208c571c71489743664f84f20b554f02beb701aabbba12406995e440afcf5483a71577a4684e543aabbeec418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6f9e8ad3ce240d916fe8fc4db2ae1dd7

SHA1
0e3d1dddb5e30cc698ba7a1b2806d3a727d18d85

SHA256
ee02994ded8a6f2f927d094a789f22dc6ea6d20341ae01a8df13c1e2a7aa16fe

SHA512
d8d50b40017324b721511f9db9c33ffca13ee737ccecd56eabf1286089c30b3fdb6ed3c37d8f9cba3c95644691e128f950654c006eff713fa8f14724467185a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNS.bat

Filesize
47B

MD5
4b403bd7ff6fe021fcf3ecdd2c029f87

SHA1
890642fc02dbfffd5d3aef0ec652fa636a48c3ee

SHA256
267c9197388ab6b34c7516e728a3529df2b7aab5029588ffb47540bbe651f654

SHA512
3bdef29cfeab451d45182420bd179f9450a0da5c842992260a420728e212635f90cc1f394687c8ac852ccd8caf529e9bdb4aff24e2d07f6705594931b3ef5e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_6091eb39413879761629682bf0ebb73d..exe

Filesize
16KB

MD5
315f828d5f45724a38f8bc1a031dfaae

SHA1
49392cb5093810c8de4f8c9f0aa5b9fb34e36013

SHA256
7df137fa4574164811ca4a3653af7eaeb614235766eb3bc3496760f45dc1824a

SHA512
97ba0c429b935cf6fcb83f14710eeb7c8fb083af33f5d4ae9ab60a6a6f62cd91844cf9c08797a4bdee5d440f9370563dcebbead25820aca8cd37c69744c13b29

Download Submit
memory/1944-39-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1944-103-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1944-202-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1944-38-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1960-45-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/1960-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-195-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-0-0x0000000075212000-0x0000000075213000-memory.dmp

Filesize
4KB

Download
memory/1960-11-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/1960-56-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-66-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-2-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2352-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2352-10-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2352-37-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2352-8-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2352-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2352-109-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2352-179-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2352-33-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download