cybergate | a7bab2f5ab3b534e3126cf8bdc66d10a1179764f9658377f2575daa4423cbd2d

Analysis

max time kernel
145s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
Size

600KB
MD5

b4943099fe4e83616bbdd720193c38c9
SHA1

10bc9ec59435e1ca2293b6a2cea36d7a73b833f9
SHA256

a7bab2f5ab3b534e3126cf8bdc66d10a1179764f9658377f2575daa4423cbd2d
SHA512

9801dd6e09b8f4b523266fa333553d8314476877a70d10469a06d4afada3f8a34443790780b0e444504f303698eb403e34e3c76bbee4ac43213b6764956ac4db
SSDEEP

6144:VooioLwSD3EEZeJu39lvMC5PQv1xL/YnWYovoRxZmACoyRvJlN2MvJ7Iw84EYQ9R:VDioLnyuNtsaWYlN6R52MFfMYQ9

Score

10^/10

cybergate winshark discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

winshark

winshark.zapto.org:100

winshark.dyndns-home.com:100

winshark.dyndns-mail.com:100

Mutex

257X8071OP128U

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
.//
ftp_interval
30
ftp_password
taoumek
ftp_port
21
ftp_server
ftp.membres.multimania.fr
ftp_username
taoumek
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFO1NUV-T1J8-B81T-XX3H-58Y2V444JQ0W}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFO1NUV-T1J8-B81T-XX3H-58Y2V444JQ0W}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFO1NUV-T1J8-B81T-XX3H-58Y2V444JQ0W}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFO1NUV-T1J8-B81T-XX3H-58Y2V444JQ0W}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFO1NUV-T1J8-B81T-XX3H-58Y2V444JQ0W}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFO1NUV-T1J8-B81T-XX3H-58Y2V444JQ0W}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe

Executes dropped EXE 3 IoCs

pid	Process
1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
1624	server.exe

Loads dropped DLL 6 IoCs

pid	Process
1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JyemnlqcVcGTSimpgGVOxfiDfjxIcqdQqNMoWnZdDdoiBxUqPH = "C:\\Users\\Admin\\AppData\\Local\\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe"	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	vbc.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\install\	vbc.exe
File created	C:\Windows\SysWOW64\install\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	vbc.exe
File created	C:\Windows\SysWOW64\install\server.exe	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 4500 set thread context of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4568-55-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/4568-59-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4948	5488	WerFault.exe	102
3976	5488	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4568	vbc.exe
4568	vbc.exe
4668	vbc.exe
4668	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1472	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	vbc.exe
Token: SeDebugPrivilege	1472	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4568	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1932	208	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	89
PID 208 wrote to memory of 1932	208	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	89
PID 208 wrote to memory of 1932	208	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	89
PID 2692 wrote to memory of 4500	2692	cmd.exe	92
PID 2692 wrote to memory of 4500	2692	cmd.exe	92
PID 2692 wrote to memory of 4500	2692	cmd.exe	92
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 1932 wrote to memory of 4568	1932	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	93
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 4500 wrote to memory of 4668	4500	JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe	94
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56
PID 4568 wrote to memory of 3516	4568	vbc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Roaming\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
    "C:\Users\Admin\AppData\Roaming\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1528
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4280
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
      - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
    C:\Users\Admin\AppData\Local\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4668
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3876
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 976
        6⤵
        Program crash
        
        PID:4948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 980
        6⤵
        Program crash
        
        PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5488 -ip 5488
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5488 -ip 5488
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe.log

Filesize
319B

MD5
600936e187ce94453648a9245b2b42a5

SHA1
3349e5da3f713259244a2cbcb4a9dca777f637ed

SHA256
1493eb1dc75a64eb2eb06bc9eb2c864b78fc4a2c674108d5183ac7824013ff2d

SHA512
d41203f93ed77430dc570e82dc713f09d21942d75d1f9c3c84135421550ac2fa3845b7e46df70d2c57fe97d3a88e43c672771bb8b6433c44584c4e64646c1964

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
2d73427e4010ce4fcf72b5652e5a7c7f

SHA1
12a96ee98c53efb8d572a17ee399979892ebec4f

SHA256
6c969a963a64e29b642cd0e6396c1c66e686698bbb91c61ee5fc88c632472b5a

SHA512
4fa43a96fd4f995ae8dfe23dd39bb44f9fb6a9a837693b0cdb256fabb7a1db31a8d35b6a9b897ed48e08a6d46a621eda0eb1896c2f490404ff422d9e1ce51c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
adec3284f972b6b674e3fa3afdea8dbb

SHA1
3115a8726c5b29ef4b52818da9e78d58c35db90d

SHA256
48867db8ecf3ed8672f7af2edcb693318efee30a4ef5563d798aa0a325508c44

SHA512
48a62b7945954e81fbd90b82aeac13a603cae5136101b31c57ef9f56a2be243f4b7e4050ec08f80aec6c3b5a4beef5f13a46d04aef4db9e3cda678decf939a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d5efc1aa873078196d7ab213eb29e4d8

SHA1
1b7c2ce854416e8300e28f0df2f5e04ee54adfc4

SHA256
1e7ca2a513bd763704634dc4225e48d0599cffa40635692daab40e536f586d1d

SHA512
4dc0fe32b13b783f3db8059b8ef851426fc9af2077eee159c06d00b27900209f8e343cfeed63ea0750cb8be5d099c7fb84782d1212be02974e9e7e7c47e8c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a7608d2546d18e66cead051c044e9759

SHA1
75c2684989c6874ddb5dcb48c13153b21888208c

SHA256
67f31750bb20a7f066079ac7e904e07bca65fe5e9c6509ee1d164cb75d93796a

SHA512
612fc421af7c12c5170a6e834494ebcb0c6fcca1fad3189235cf2bed882aca98bea9ab81b83ccae9ba63a47e1b65319ed13ad197b01c6695012cc3dc7c81430e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9588381f47d11dea52d636b2dc9d05bc

SHA1
018f4992d982e341f8a3c986aee3c2a8f1415050

SHA256
ec534b919ebf19695de70646ea52d801e8924ee0d91e23ad6d76f2764cfb6ceb

SHA512
67664028fca7bc1b7c798fb896993ad5c5917c75fa9edce2fc796895e2d05bdaadbcb9cdd8f0ffc92ef231e20b07bf9600609df24746ca654357cda1724cf59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
592c9fafc3ad0c322114536e0c84fcba

SHA1
2c98585aa4430f9c8d36bb16a82e00cdcc7faaa3

SHA256
7b9dc354503ce4c94e778a14b5749e92443c2b8505d5b752c3ed9ff21123f26b

SHA512
2d05491f5ec32a07efff2fd73beb5cb2e2615151986942dd17b010806596b7438fb844eec65a14a9f62f04213ed72e0dae5f93988d9702234d4e0811fd08a813

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2baf78b9ac957adae2aa5d77d17f59ed

SHA1
00f50c6e14da5b8e1eaa9e7001699a56bc6bb12d

SHA256
5befd3e179097fdc84b1b17ed2a936a0bb38bf54b2176fa3570735913dcc35d0

SHA512
740311440db14b9bcce4cdd117b6bbd177f6466bb6229b89ba82d744871106cf351e851b606e80d37462043bcfb0054b0fba967b0251b1a85cee284e02cb8087

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9e4b45b0b2ec4bf1c4264a4d310a5af6

SHA1
c33b99c25bf8166d54924fbde7faa3b34fc7a44d

SHA256
ffc51fa13920b70f94a9886bdd249b235842b984ecb641376bab3d9360138161

SHA512
07710871e708f7f0be8c4a039efbaa89a16faee340cb2c063118b506c2008075c09fa6c162d85a150e64c3490e0d3eeb40fd00633d47e46f74133eb02da290fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f1c55351e5c4c859353260c8daf42434

SHA1
66a9f13f7efff5fb4c206cb70a52329a5f1e9bf7

SHA256
aa130147b914e07646d3f3f98e601a305e2bbbc0e5498b7845e9e7001d009302

SHA512
1447603c9eec82b3e23b642ab985cfc217612986815e8d4912c2b6906224ad88f75b03be509660464a6342c75b7397a4735bbea03a89db53fedc648d2bd71618

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e34ea1325bb0d37531ee0dbb89a3ebdc

SHA1
c0956bee290def2fefa2b967cd6f0a75bbe9c1d6

SHA256
2028b1457ae0e8a962e6f224c3db625d08b7fc720c0b56c8cbffdc774156793f

SHA512
569688507e2a449610c68d6cacc2c06580b14065f0fb3a429504fb67aa034bbabba6712f9bc8eb01a5fc900c135ec971c366daff2e5d4b95580070e41c828830

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ba66aefc7d0db125fe009330883796e

SHA1
1725272add7b97d49e01591371335387dbdab06a

SHA256
3993db52a18c9b56e93f0dd714826a0b36c8b850b0099c5896cabb92edfe7f79

SHA512
6a3e32e81278a1c19d79d2eac06b8d1f853056cba4e6ea2d6a85f40a06a213215c5bb3dd1810d4e47bdfa1e2ea22aed5bc5d3bb6a58cbed8487584a310c50a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
94fda5e5fe340564e5fb312600b7ed39

SHA1
46e4d05961c5ae98faa3c2fb935de186dae72336

SHA256
f128e1103305b132a6980317fe00c8ec21f22a02084dcde6244daf1bb90a1f42

SHA512
16021f8fbd036be33da78a3eaed35b7d7e4b4b6c5c1c0d6218df02524d522fdeee62ccac6afb6d01fb404b47a904e5d0225eeec4031956f450540c44bacdd012

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9213cea4dff7c611c0b9289d2e649371

SHA1
6036d6944bd5f0cf89b72f6530b34afa395c0ce7

SHA256
35fe5fe88ae7bc9c6a67d2a0fe1588cf5d0d33f979541059add92acc2b0a61c9

SHA512
89e2868c0f13b1850b0b1bbce19fa6aada8deaacd076bbc5cd9c05eed9c020f14fe1f65092c9f65594dbc5b05d2afaafc4e8f0a480178a2a4e7f88e87c7945d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
054bc62ee44336f599231f7e8eafc6f2

SHA1
94a9f88cd1352f7fdba7b12680163503996e8626

SHA256
296f71c4762acba9748375b7d91570cd28ecf85d3e4306f94e4d71e742288ee7

SHA512
5a9592ba7a76750ebb71cf93d5fb4de43f028d275e5ec21bb141e8721cff4581b0cfee2efe04ad2661b99a62792b44a8460483890765fd3880d42ce8977fb152

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0f8d6eddf1b1533ca4b59d76af18acbc

SHA1
142f9a9a19ee27f72bc0d5efd682609841b606b2

SHA256
9294834d45d0a39f9e7b54f97b9f8f4e09cdfd55c0a34726cfa453b75332b195

SHA512
121e6b50cc83aa6077b70c11447a8d0b2625e69fa0bfa82e19430e99d9c80720e89a305e7ba693b602a586f0857e9b71038cd64d0336cd6f429cdeef6efd629f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a7e7984b9d03cc115ff6643842428e28

SHA1
812252c47bd1d4890484bd9b520b6f928536f4b0

SHA256
bc1a6dab25e6c8639571b7d0370d23bfd8d8bd76fdbdb51b2ead84eec171f6a5

SHA512
f6eb0232daf4c25d6a16efa6ead63acb9408c400c96fbc6e9def93cbe44f6e1ad8616e67e15a4508a6290e35f2f95c36fc8cc1fe8e23aaa874f80a5ee3d04304

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ada9344943b6efb942f890e336a28e80

SHA1
575e9039c8d4f3e5710fc5cfaa95000e74ebfd9b

SHA256
819d40e7bb1a063a6697adc0a290eb9f93327550c4b18897a26a81e171e2e896

SHA512
802b3da7b00080086c3747abd675d1eec34425c0992a8aa7827ccc8d8975ecd2298879cb87f52574c77a627d22d211f88f31e1c67bc613cc7a3e767b22d1e755

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_b4943099fe4e83616bbdd720193c38c9.exe

Filesize
600KB

MD5
b4943099fe4e83616bbdd720193c38c9

SHA1
10bc9ec59435e1ca2293b6a2cea36d7a73b833f9

SHA256
a7bab2f5ab3b534e3126cf8bdc66d10a1179764f9658377f2575daa4423cbd2d

SHA512
9801dd6e09b8f4b523266fa333553d8314476877a70d10469a06d4afada3f8a34443790780b0e444504f303698eb403e34e3c76bbee4ac43213b6764956ac4db

Download Submit
C:\Users\Admin\AppData\Roaming\Twain.dll

Filesize
18KB

MD5
2153e2d85da316a0fe302227e0f9af88

SHA1
48b334c27d604ce7d89c9c825d211d26427176cf

SHA256
645b30a3ef5cf05ad0df575fbbdbc05387b5493ce1778935b60d98681fea7bc0

SHA512
647b0b95622c2e9086f072ccf110371b38953619b4cb6697e259165ce12e0dd1854bc6351abb8f693d052d730f8790d72929a8c822a26ac369c372478c1e4fac

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/208-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/208-19-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/208-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/208-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1528-60-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1528-61-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1932-50-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1932-33-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1932-22-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1932-18-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-46-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-75-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-45-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-41-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/4568-197-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4568-59-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4568-55-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/4568-51-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4568-52-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4568-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4568-48-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4668-287-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4668-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download