Malware Analysis Report

2024-09-22 10:12

Sample ID 240418-ftaytaca26
Target f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118
SHA256 66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a
Tags
cybergate ragnar persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a

Threat Level: Known bad

The file f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate ragnar persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-18 05:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 05:09

Reported

2024-04-18 05:12

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6} C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6}\StubPath = "C:\\Windows\\system32\\install\\minijuego.exe Restart" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\minijuego.exe C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\minijuego.exe C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 1064 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
PID 1064 wrote to memory of 2340 (56 events) N/A C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\minijuego.exe

"C:\Windows\system32\install\minijuego.exe"

C:\Windows\SysWOW64\install\minijuego.exe

"C:\Windows\system32\install\minijuego.exe"

C:\Windows\SysWOW64\install\minijuego.exe

C:\Windows\SysWOW64\install\minijuego.exe

C:\Windows\SysWOW64\install\minijuego.exe

C:\Windows\SysWOW64\install\minijuego.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 860 -ip 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 576

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 1e6e103853f388b3f17e694463df6a7a
SHA1 5565bf1249914cc90a4175f9618b7347199554d9
SHA256 e2d34973521f592e924b3039a23c787b5fc9befb60a999e72e444c66043e0852
SHA512 5ec8c7d190a89137a54455951d48b4f97275c518bce1d2bdc794589320ff5ffbba233a6108f24f75b4d7be961fd483b3420b471a798d1bff5386223fcf776e96

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Windows\SysWOW64\install\minijuego.exe

MD5 f753d0e1e3c5b7540a76a27c27b9765a
SHA1 73b6a4020d07f4d0a2a1352b504436bab24c990f
SHA256 66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a
SHA512 acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2

C:\APISETSCHEMA.DLL

MD5 2f03490092c032392fb6ff635222b9b2
SHA1 77e86c4677b8670474bfb2dbc60a47e3b340a679
SHA256 951e57ba594507058366321ae29dc117cde9d3801a0535a704db4c7762690c81
SHA512 f2c0a9cf67ec21fa039f8930c260258dd93066a747c13e8a9d7f6fe947ac9b75d30c8184ff03fb87e23cf717c32d917bc05530763edd3dd645bf12c7b655f81b

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 05:09

Reported

2024-04-18 05:11

Platform

win7-20231129-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6} C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3V5KY680-T4NG-B05C-866G-VUT51D453OY6}\StubPath = "C:\\Windows\\system32\\install\\minijuego.exe Restart" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\minijuego.exe" C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\minijuego.exe C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\minijuego.exe C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\install\minijuego.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe
PID 2552 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f753d0e1e3c5b7540a76a27c27b9765a_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\minijuego.exe

"C:\Windows\system32\install\minijuego.exe"

C:\Windows\SysWOW64\install\minijuego.exe

C:\Windows\SysWOW64\install\minijuego.exe

C:\Windows\SysWOW64\install\minijuego.exe

"C:\Windows\system32\install\minijuego.exe"

C:\Windows\SysWOW64\install\minijuego.exe

C:\Windows\SysWOW64\install\minijuego.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Windows\SysWOW64\install\minijuego.exe

MD5 f753d0e1e3c5b7540a76a27c27b9765a
SHA1 73b6a4020d07f4d0a2a1352b504436bab24c990f
SHA256 66b00c7969870f6f39f15126c654e0859297412ecfdd3481965426cf5b4df70a
SHA512 acbf48633d332c565deca1d4a528119b0547e336bdb56616722db32df2685383ff130b5d50bb4e89eb673cc07b5b663c66335a894c37b6b3245807c3ee158aa2

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 1e6e103853f388b3f17e694463df6a7a
SHA1 5565bf1249914cc90a4175f9618b7347199554d9
SHA256 e2d34973521f592e924b3039a23c787b5fc9befb60a999e72e444c66043e0852
SHA512 5ec8c7d190a89137a54455951d48b4f97275c518bce1d2bdc794589320ff5ffbba233a6108f24f75b4d7be961fd483b3420b471a798d1bff5386223fcf776e96

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\APISETSCHEMA.DLL

MD5 2f03490092c032392fb6ff635222b9b2
SHA1 77e86c4677b8670474bfb2dbc60a47e3b340a679
SHA256 951e57ba594507058366321ae29dc117cde9d3801a0535a704db4c7762690c81
SHA512 f2c0a9cf67ec21fa039f8930c260258dd93066a747c13e8a9d7f6fe947ac9b75d30c8184ff03fb87e23cf717c32d917bc05530763edd3dd645bf12c7b655f81b
