Malware Analysis Report

2024-09-22 09:49

Sample ID 240419-tcahlsgd39
Target faa50433618118a8a0c9374f32dd88c5_JaffaCakes118
SHA256 b353a404e334c48566590d1dc25954f0b7629331351c84198fa546cf7d329e7d
Tags
cybergate bandit persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b353a404e334c48566590d1dc25954f0b7629331351c84198fa546cf7d329e7d

Threat Level: Known bad

The file faa50433618118a8a0c9374f32dd88c5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate bandit persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

Drops file in Drivers directory

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-19 15:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 15:54

Reported

2024-04-19 15:57

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\Drivers\av-SE\install\svchost.exe C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A
File opened for modification (2 identical events collapsed) \??\c:\windows\SysWOW64\Drivers\av-SE\install\svchost.exe C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A

Note: the file lands under SysWOW64 although every registry value in this report points at c:\windows\system32\Drivers\av-SE\install\svchost.exe. The sample runs as a 32-bit process on a 64-bit Windows 7 image, so its write to System32 is redirected by WoW64 to SysWOW64, just as its HKLM writes land under Wow6432Node. When sweeping a host for this sample, check both paths.

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DTDKO27N-BNER-F7JR-7GQB-0R1LJ2O7MGIR} C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DTDKO27N-BNER-F7JR-7GQB-0R1LJ2O7MGIR}\StubPath = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A
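The three persistence signatures above (Policies\Explorer\Run, Active Setup StubPath, Run) all point at the same executable, written in slightly different forms. The following Python is an added example, not part of the sandbox report: it re-parses the report's own five "Set value (str)" indicator rows (embedded below, copied verbatim) into normalized hunt IOCs. It strips the Wow6432Node redirection from the key path, splits the StubPath data into executable and argument, and derives the path a 32-bit writer on 64-bit Windows actually produces (System32 redirected to SysWOW64), which is why the file listed later in the report sits under SysWOW64. The class and function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed input: the indicator text of the five "Set value (str)" rows in
# the report, copied verbatim (the report escapes backslashes in REG_SZ data).
REPORT_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe"',
    r'\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DTDKO27N-BNER-F7JR-7GQB-0R1LJ2O7MGIR}\StubPath = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe Restart"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe"',
    r'\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\windows\\system32\\Drivers\\av-SE\\install\\svchost.exe"',
]

_SYS32 = 'c:\\windows\\system32\\'   # what a 32-bit process asks for ...
_WOW64 = 'c:\\windows\\SysWOW64\\'   # ... and where WoW64 actually puts it


@dataclass(frozen=True)
class AutostartIOC:            # example type, not from the report
    hive: str                  # HKLM or HKU\<SID>
    key: str                   # key path with Wow6432Node removed
    value_name: str
    mechanism: str             # which autostart location is abused
    wow64_view: bool           # True when the write landed in the 32-bit registry view
    exe: str                   # executable path exactly as written into the value
    args: str                  # trailing arguments ("Restart" on the StubPath)
    on_disk: str               # where a 32-bit writer on x64 actually placed the file


def _hive_and_path(full_key):
    machine = '\\REGISTRY\\MACHINE\\'
    if full_key.upper().startswith(machine):
        return 'HKLM', full_key[len(machine):]
    m = re.match(r'\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\(.*)', full_key, re.I)
    if not m:
        raise ValueError('unrecognised hive: ' + full_key)
    return 'HKU\\' + m.group(1), m.group(2)


def _mechanism(key, value_name):
    k = key.lower()
    if k.endswith('\\currentversion\\policies\\explorer\\run'):
        return 'Policies\\Explorer\\Run (policy-managed autostart processed by Explorer at logon)'
    if k.endswith('\\currentversion\\run'):
        return 'Run key (autostart at logon)'
    if value_name.lower() == 'stubpath' and '\\active setup\\installed components\\' in k:
        return 'Active Setup StubPath (runs once per user at logon until the HKCU copy of the component exists)'
    return 'unknown'


def parse_indicator(row):
    """Turn one 'key\\value = "data"' indicator row into an AutostartIOC."""
    target, sep, data = row.partition(' = ')
    if not sep:
        raise ValueError('not a "Set value" indicator: ' + row)
    full_key, _, value_name = target.rpartition('\\')
    hive, path = _hive_and_path(full_key)
    wow64 = '\\wow6432node\\' in path.lower()
    key = re.sub(r'\\Wow6432Node', '', path, flags=re.I)
    # Drop the surrounding quotes and undo the report's backslash escaping.
    data = data.strip('"').replace('\\\\', '\\')
    m = re.match(r'(.*?\.exe)(?:\s+(.*))?$', data, re.I)
    if not m:
        raise ValueError('no executable in value data: ' + data)
    exe, args = m.group(1), m.group(2) or ''
    on_disk = exe
    if exe.lower().startswith(_SYS32):       # WoW64 file-system redirection
        on_disk = _WOW64 + exe[len(_SYS32):]
    return AutostartIOC(hive, key, value_name, _mechanism(key, value_name),
                        wow64, exe, args, on_disk)


def parse_report(rows):
    return [parse_indicator(r) for r in rows]


def hunt_paths(iocs):
    """Both the advertised and the redirected path must be checked on a live host."""
    return {p.lower() for i in iocs for p in (i.exe, i.on_disk)}


def hunt_registry(iocs):
    """Hive, key and value name to query, independent of the registry view."""
    return sorted({(i.hive, i.key, i.value_name) for i in iocs})


if __name__ == '__main__':
    for ioc in parse_report(REPORT_ROWS):
        print(f'{ioc.hive}\\{ioc.key} ! {ioc.value_name}')
        print(f'    {ioc.mechanism}')
        print(f'    exe={ioc.exe} args={ioc.args!r} on_disk={ioc.on_disk}')
    print('paths to check:', *sorted(hunt_paths(parse_report(REPORT_ROWS))), sep='\n  ')
```

The Policies\Explorer\Run location is worth a dedicated check: it is a Group Policy-managed autostart that many baseline "Run key" queries skip, and here it is populated in both HKLM and the user's hive.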

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2536 (12 identical events collapsed) N/A C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe
PID 2536 wrote to memory of 1132 (52 identical events collapsed) N/A C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
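The WriteProcessMemory rows describe a two-hop chain: the sample writes into a second copy of itself (1976 into 2536), and that copy writes into iexplore.exe (2536 into 1132). The Python below is an added example, not part of the report: it reduces those rows to (source pid, target pid, source image, target image) events, collapses the repeats with a count, rebuilds the chain, and applies two triage heuristics an analyst would otherwise eyeball: a write into a fresh copy of the writer's own image (hollowing of a child, which the report's summary pairs with "Suspicious use of SetThreadContext") and a write from a user-writable directory into a trusted binary outside it. The event list is constructed from the report's rows; the function names are this example's own.

```python
from collections import Counter

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe'
IEXPLORE = r'C:\Program Files\Internet Explorer\iexplore.exe'

# Constructed from the report's WriteProcessMemory table:
# 12 rows "1976 wrote to memory of 2536", then 52 rows "2536 wrote to memory of 1132".
WRITE_EVENTS = ([(1976, 2536, SAMPLE, SAMPLE)] * 12
                + [(2536, 1132, SAMPLE, IEXPLORE)] * 52)


def is_user_writable(path):
    """Coarse test for locations a standard user can write to (profile, Temp, AppData)."""
    p = path.lower()
    return p.startswith('c:\\users\\') or '\\temp\\' in p or '\\appdata\\' in p


def summarize_writes(events):
    """Collapse repeated rows: {(src_pid, dst_pid): (count, src_image, dst_image)}."""
    counts = Counter((s, d) for s, d, _, _ in events)
    images = {(s, d): (si, di) for s, d, si, di in events}
    return {k: (n, *images[k]) for k, n in counts.items()}


def injection_chain(events):
    """Follow writer -> target edges starting from the process that is never a target.

    Each writer in this report has a single target, so a plain dict suffices;
    a cycle guard keeps malformed input from looping forever.
    """
    edges = {}
    for s, d, _, _ in events:
        edges.setdefault(s, d)
    targets = set(edges.values())
    roots = [s for s in edges if s not in targets]
    if len(roots) != 1:
        raise ValueError('expected exactly one root writer, found %r' % roots)
    chain = [roots[0]]
    while chain[-1] in edges:
        nxt = edges[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def classify(summary):
    """One finding per (src, dst) pair, ordered by source pid."""
    findings = []
    for (s, d), (n, si, di) in sorted(summary.items()):
        if si.lower() == di.lower():
            findings.append(
                f'{s}->{d}: {n} writes into a fresh copy of its own image '
                f'(hollowing candidate; confirm with SetThreadContext/ResumeThread on {d})')
        elif is_user_writable(si) and not is_user_writable(di):
            findings.append(
                f'{s}->{d}: {n} writes from a user-writable path into {di} '
                f'(injection into a trusted binary)')
        else:
            findings.append(f'{s}->{d}: {n} writes (review manually)')
    return findings


if __name__ == '__main__':
    summary = summarize_writes(WRITE_EVENTS)
    print('chain:', ' -> '.join(map(str, injection_chain(WRITE_EVENTS))))
    for line in classify(summary):
        print(line)
```

Reading the output against the Processes list below: the first hop is the self-spawned copy, the second is the injected browser process, so any network activity should be attributed to iexplore.exe (PID 1132) rather than to the sample's own image when correlating host and network telemetry.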

Processes

C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kompis.no-ip.info udp

The only network event captured in this detonation is a DNS lookup of the dynamic-DNS name kompis.no-ip.info sent to 8.8.8.8; the Country column describes the resolver, not the host behind the name, and no follow-on connection to a resolved address appears in the table.

Files

memory/1976-0-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-6-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-18-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-24-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-22-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-54-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-60-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-62-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-58-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-56-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-52-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-20-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-16-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-14-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-4-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/1976-2-0x0000000000340000-0x00000000003B3000-memory.dmp

memory/2536-57578-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2692-57611-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2692-57612-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2692-57888-0x0000000010490000-0x0000000010502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 374b9272396295d22fb6433fd5f64383
SHA1 8f15cfec5723101ae75deafdcb3aabfa43d9e685
SHA256 e430b0b41c25ddc02a8538b1dc18b2dc38803537146704bf413e8d1d6212fabf
SHA512 431024472e9a27be99f855149cf5d15f857419d6987750533c417fde155cfb3d919ba2be0e743b9e69bb3dcf592d885b33f2b1dc5222b0f3c664f3892a5c3036

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

\??\c:\windows\SysWOW64\Drivers\av-SE\install\svchost.exe

MD5 faa50433618118a8a0c9374f32dd88c5
SHA1 a659a600ed3c95eb5cb22e5a5b48b9566267a454
SHA256 b353a404e334c48566590d1dc25954f0b7629331351c84198fa546cf7d329e7d
SHA512 26389a8c3238ffabaf6a6763ecf3e8bc554573b5c4f3f19ad7c4966c12427343167cbb59abb63bce3acd751a4b0f41dab432911edcd17db3b92f66802be7a3c1

(Same MD5 and SHA256 as the submitted sample: the persisted svchost.exe is a byte-for-byte copy of it, so a hunt on the sample's hash also covers the dropped file.)

memory/2536-57913-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 123c44d774f035c4b5917f66e8d22cb1
SHA1 957d5a17e69f349f90f08b74f5303928822a357c
SHA256 952d1b946cc7f70597fd9b5d910aa5a088de6cd297002d8de38ab60571c4b067
SHA512 d0f05226939e1b131c6f03fdd960f210874ba349e4c222b8f456c087388a9cdaad5666454acf80fcb0b1a6929f52f4921a55f33ee17d4d543f64a1631ef52c6f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5561ecb65b17608ea9020c7e7b11dea9
SHA1 449f404d8e8c319fe428adc0dc2f522d995c81e2
SHA256 38a057259ed299d899abc4d48fcedea235b9d7681991673a9c049cdeb0fc9c07
SHA512 5de17a5adc5cf8fe60782b5c05360d0aac808fa09fb3a35b88cfc8fe08bfc37ba227d44d5f39bf26f7c224a15cbf1412dd9ea723b0974a570b71c3a21db3f271

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3c46e44ee94a2d1b44f915f9e86d8918
SHA1 bd1dfe4f737f693df5cfa6d42aa55d12279344ef
SHA256 dddcce444221ede8fd8d324e8ef5a58e9241ea492b0a05bf0eb6e4f832ecf2a9
SHA512 73f842eed62e232bf0097de88617485699cbaa95a24dd1dd973f3818e366abac75ea7881291de6b97e0a52ddc6ab99e316974d6d6f11aaeab16a657b23fc3d77

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2ace0fabfdf9f5210472219a8e84c514
SHA1 06cc00d816c38371967dc7912da87a7930ab1b1b
SHA256 bddb3e885ff92e67f638b74784c1386dd8dc454c59f89dec620a752976305a3a
SHA512 a4ce16f1bbeac9573ddf764a78288ea08f090ad37019bb30152d35a8f9ab17d1652a6b7334d5fde3a9d1917b2ae100c98b9bb2e50d280ff6f80ccb6a11f78ff8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 517f17fecbd6dd9fd88061f1e5ded48e
SHA1 c7b855a085b1e06f66024b95b84ab633f4941df2
SHA256 5188406434e90b1396057ce3e1aaa2c39b734f434ae1da4a6e993feeed96ed5c
SHA512 dd280c3732aae474c9f7e79d36ae927b125920ea18b6c0a873b6dba9cb3258ad6cdf4fc18cdf76e92c4d49b0a1ef1e691615ce42e0b30f4fbe89c1e224a2f1f3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d578d0d82bc8df8d9cd55b3bcc385f86
SHA1 ca35a98b7dc9c3ffd81a6917a70fd1c27bbcc942
SHA256 9f07fc93538faaee044d17f62c8160329e3e687fe78b1a658279d99312633bd0
SHA512 f557e1b9222c4e97a50a8a0b81df805aa159794b792aaee6b66bd865a3bc6bd127eb2bb4c46b2b9a7f58e7a7d97f896b995152ccb4a6c364316cea728dcfaf23

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 169ad45cf0b5841136366790c8e8f7df
SHA1 5f57153d446885105133c0836838f75a7863b810
SHA256 dc286eb00f47b399d6539158b1bfac54afaf29ab24f31f87f98975f51ea0fc04
SHA512 3d63c45b909744819df1804b95d784d18d3cba57b1bbc39d90132f0d7408accdc95ef71d4799fe3dbe103ff9450436de380428d60dcdb00f7943d7a637aa9804

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3f0abe9e6cbd3e9752c98d63bd79a3a5
SHA1 62cc76bacb74f990f6dc5bf68ee0156f843f52c8
SHA256 b0d8fdff5b566c2d27fbf8ff815e64795e82879f236a32d12882743016b6afdf
SHA512 6ac8fb3f7796ef5956ba91390479c040b9d4404dfc5c5aba3d1ff997d01b5602f09c0e38564028204fa62d4cac7df0fece11626612b55a1ddc405cbef1890820

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d2ff3f801dc8e9864eab5207ab09861e
SHA1 6ae70179e39b59a6f66e991b6e8b7989f6607f83
SHA256 c2cf8696cb523fadc7239499b4150dbc5720039321cfbfa12b75a7ae096bb466
SHA512 3d831e4be48f29e158e9bf758cf21197f745d83028bc640459349f29a645664344cf0b1063032f3c7cacc661d126ab9b1506f6147997196791e6ca75372ee5ec

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3987030c9cf3134ebc5014533c071be4
SHA1 6e541b2e0675ac23d7e122b05b89c8addac55ce2
SHA256 97ce0fb47a61331408e1919b89fb2c769a2759deea314f01647bd2ffcfd55e88
SHA512 9d8337856a9cc0f22318c57688b59d242ca9ffb083856ab13427d3987235b1172052b52de451492eefdbcbf411fad0bf3ba62053b59a89b102802098c2e47557

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 10017a13a30968483e4fa195c2c0c12f
SHA1 4662d26c8b6aecbe4a9a2baf36744338e59e498d
SHA256 6852909fa4ac921b63b5917071ca682c6e229ad3cd55941b084d187e3ae170b6
SHA512 7eb781e2bbf31526140b7817b56ea70b86153bf7fe2c37404bd14741ed1ff6ffb11ef6a54fbd1b1736ec45d93de961510d6b2e7ea83151246fb10cdc24c305ab

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8c41a3cc31d434f5805dc2acea3c034c
SHA1 3471350d01c58fdd2763d442551708f73c78ec58
SHA256 6a14f3f2cc23e2fe968a4eb9d9a6fca700118c98a42f3bba6e4165ae3b6e247a
SHA512 25c519d5894f1380e9e6eec013582534a464bbf88efaa1a9d1e1c1cd48306339d8d6b3a803d5368f34f576fe42e06456544dd0fc4cc6e3bac571be01d74b7831

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c342302c621502c7e7de314ac007e1a8
SHA1 d3a714ce3c0c9d11e228cb43ecfe69c0695e75d8
SHA256 715d81659816db75547c4ea007cd279e3170711d43ef3936677034276c805a28
SHA512 9f558e5152e52c7863b261fc8546040527c7a12733db33ae314ae3b6c8414409ee9ae4e132c2e6784374c875fc47823837b8c052f12e5a83673bd13a8aef8027

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0e3e1ee54de2fd4019a233ae7f73b41f
SHA1 b47d4d058dd8eedccd7ff5d561b9d66577627715
SHA256 20200181e4b118e55b96ee3e6ad229b8de92e4378d8ed0f29eea37865f832dfc
SHA512 fb52ec66bcc9f483dc4a9dddab09a8f647832153fdc55d16307e2384af7f766706dd76bb13a23767df72991bcd26345846688dda5b497a3a4f84894cb33b2234

memory/2692-58778-0x0000000010490000-0x0000000010502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ff00f2e78b1af897249c49ea562a4616
SHA1 5849f5ecb454d632882d2872c02189e875baa81e
SHA256 6c7497e01d3863386f2fbe8a80403ceca30fcb3bb06dde0e49aa4d1fb8bd8928
SHA512 76b8b5dd242889cd39294acacbff05bf4f9052bb52d451f1cdcde25fcebece25b1f02bef638fe9187976546e047d16b147ba04f2f3b4612e79d4dbbae3c67f20

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1c6fe4f6341e869bf44c4a850581e017
SHA1 033f32f25ff325e1a3108c53186132dd4b2490a2
SHA256 4915bb7287938044b732c78272aacd44bda30fcde782d82a80a6f0606ea8749a
SHA512 5a0cb51729aee268b5b6637ee839cd92d04966e17f8026e0859cd813838992a3f8474f4eba1a9a64d44110178f162509869eb05b80b03c7eeb1337cf397607d2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9641d5e35dc58bebeb588793368926f8
SHA1 62d2ad2349e945d56ca509dbcc79aead86fe1421
SHA256 cdbbd2f92d321e331524efb023078ba48580ddc86cbebd17fe9554099b3e1483
SHA512 811922478190b8da6170c978ea43834bcf775f860687c2192ed3726a8e1f403ef61b1683412799ff51928e5f890fd87d849d2a9b4b02883d7b80fc49cfab1231

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7d9c4ca9e0ea3f5f7ccbaca3e81ce745
SHA1 380b7ace562a1ee66be38065ad6cbb95f441cc7e
SHA256 c6ab94a8968851dda2bba3444918fededa5ee0a0188bed9e7a9d591f05c3d066
SHA512 5a18cb781187c47a77bd7b37d0f5e856e0eeebe7eafecd32866c303df6cbdc624d1b3ede3318e074e1d0f38d81e99272599a99f2211e0ec0533d0607ce8470a4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dcd49e0f781c8aee1bce32733c6e134e
SHA1 6be2de93f64f4891d98f246918354b5c33e9dc39
SHA256 40dccedf0697fbf83c6171aefbdbdf7c17f9197944959f7159a2b072a5b5a885
SHA512 03e59c11354a574306d5ed0badfe3fdda4c300d580a5ad45ea64bfe8ab00657570ed97d5f32d92c05beec1858e82c6adf412959355b035d9e7837b9de7e6880b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 222ee1427703af39a53d8080ac2ad6cb
SHA1 8b9f37d959bd2076ea317d7197d4d4c7bec6acdd
SHA256 458a5ea3365344b211c083a703439664b147140365d2b665e3197a60e1451e91
SHA512 955c4af9903ff957f3bbac1dbaa3b6389c0a5681d82731088fbeeeca56789ef4c4ce2906413d55d130e471f96829eb54f6283b8b2fc4fc09c1b0bb6d6543b83a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cf1823a954839d5a3483f56dc8d46af3
SHA1 6e3a0cb113be976b9b6a266759cc5a9f7ca72d1d
SHA256 dc2ea9453f295aa76348ee982ae177b0e6cb6a7f2bf8b458f4061bb1db2f6ed1
SHA512 4605dec87b50acad9be195b83d932f5ad94083d8370ab95785573fcbe7f2a1d32c72c9fe079287c3cb16fdd166ef47f1c1e6e9e39bdcd491e709d74b27cbea0a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 77075dffa01a9510983c2ec772a4df75
SHA1 552cd9156a8f91aafc99fb22706c9f4c247eb8b9
SHA256 cd69d9c1910744fa5453334d72bd150395d243e7e0d8414be633b88cc58ea922
SHA512 269048599db6d864f7e934f9e1f49f95dac7e198089bfc662b7c6175a5d9ccaa3f6d1839eef413cd40c71050e956db54ca768c30e64ef2d978a6ada458c6ea77

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8dd0fac1ee2ddc560d309b66d8433844
SHA1 d65af717d452e5a4ca6f61e1206a35c03e411755
SHA256 9d83c9b4da2ffbff81a12db13f17c582f1f7a09bcda95acee59541b218152db4
SHA512 042be1702cd6fe33652a1e143b39830f5f7ee2092d3f6229b5749ee4a2a48876c4a7525d099487615440d6860a5a8012dbc387711b53ab99af11686c9d051928

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4e1dc318a62fe53de904c60c437bb70e
SHA1 018ac883380bde712176ba1b37824190e2fe65fb
SHA256 fbcda71d422164f21ed8cdf5c66df10639fc5764689b1694863fe8f6d54506e7
SHA512 290cfe9a7c09b7418ddcc168d2c3cda9b68138f3357399179e5afea1945bc788656db1b49ee75a0650f0dcfbc7e9d987c36a0af155c1400bd2e1ef2aa64bf206

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ee1a4894ac764509fbc62f70e7000e67
SHA1 0eb9b2d0abc32db44d8f1d51abc5bc9f267af87d
SHA256 69aec20084cf1669d5e544a82da90b8ab1f860c6aff498c56c7cfe0f334d5343
SHA512 05bcd8c2e19f4dfed6def4eb28887403aa15babc89a3734d707b9e439f5e2a61834bfc665df9527b24ec815aafdcc18aee4a422f2e73ea1692baf84c75190251

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 eebdf5d8e4ba03da4a811f0140b30cd1
SHA1 d394ae453199224de7a6554b1623c654e4d3ca36
SHA256 c8950167bc7e8c09fd13b9f96dde2a9a330be4ab40592aec0b0995357f99a2f0
SHA512 9033cbf9e428c4753441358d16942cd485bbbe4666a0271f2cd4d7dc3d215ee32c15d7c61ecab327dd39cc72a51003e2f3f068c7da92a035a67d9b95076cdf96

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e03a1c706c50a41ea60f171ee647d45c
SHA1 614b22ed57ee760463f2ba35f647b3a2cc863f0c
SHA256 5adca166b54e6b0b74419370fd58698076a92bf2bb58f7131f709cd5d7417aa4
SHA512 a92f3ccd6c945ed0679680d35d8997e4449024b69f089d7f2c8f12688858dcfb0b0edb2dbacad11e5c079635490a254df041f61ea2e33ae45094405e9c10f939

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 788cb2b5b1cd9496da6ae2d85af8f851
SHA1 d31d2fe3b970b99363119e9a8fe071d6007882b9
SHA256 8aae15c171edd867639a1b169ada473ab17fa4b5bb9b58ec9eb819bac9667401
SHA512 19f74b232992d77fe3f4081df6ac2f3c711d61733432ee1e657f292bf132e08eb1dbbe9ba57b1fb4b0e034c0664df1b48b4029cb37bc34703091414d02216810

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 63ad278a9f55958f98ea1db5ee0b85ef
SHA1 d5534dddfbcd0ceb77990f86888988dfc677b16e
SHA256 46b4759a4f31b0e644f9e8f16742109e5f4a34090bf88d62813128769ed99d26
SHA512 4f769919971a47573f372c9be513c56f7a221366293a0cc85027480f881ab0a1711990fcf0699fc6080696cfbf1df0b30ea4b2032cd1ec4c636acf79323bfa20

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dc60e8e519ec2b393052fda4d866f331
SHA1 d01c292de467bdc92cbc9b210711125c8bb39bdb
SHA256 4797299a10f8584968b420ce75359002dc827026b86742eb752f336efa2f8e7c
SHA512 d062fe38b2bc9c25a345818c528b6df625045bd5cf0a4e38d1a701bba7b9d10a5943821a9df068654aa4190075e93da958b8e78dbaf3d310243e951fbd702928

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d6113fe03dc7662622c907245dedec18
SHA1 e34d6c908dedb8a16893e112c964fcb0af22dcab
SHA256 46d3e231f91a971f67477847ab45dc1446379b2d241621805130f94e3397e4fa
SHA512 d7998cb4d4fe096c73d83b98ffbe1232f5afe1a18038261db8ce735c64158a2837b02515d97a4996fd046334d992fe446434dabfa51f832583fa80ac8a68edb8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 feaa2ead1377b210e514c5236fd73afe
SHA1 542aee1a8fac583b4c981b958a1edab6af3737d8
Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 15:54

Reported

2024-04-19 15:57

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\faa50433618118a8a0c9374f32dd88c5_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network


Files

memory/3080-0-0x0000000000400000-0x000000000042F000-memory.dmp