Malware Analysis Report

2024-09-22 09:37

Sample ID 240619-x63yssserp
Target 00250311304ad33d540e7a77e434d861_JaffaCakes118
SHA256 7ffa743e4091ee4dbcc8232b89e5a60350f99c391dc2effb9a2082eb3ecda66d
Tags
cybergate vítima persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

7ffa743e4091ee4dbcc8232b89e5a60350f99c391dc2effb9a2082eb3ecda66d

Threat Level: Known bad

The file 00250311304ad33d540e7a77e434d861_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

UPX packed file

Deletes itself

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:28

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:28

Reported

2024-06-19 19:31

Platform

win7-20240508-en

Max time kernel

149s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system32 = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system32 = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH}\StubPath = "C:\\Windows\\system32\\explorer..exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH} C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH}\StubPath = "C:\\Windows\\system32\\explorer..exe Restart" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sistemawindows = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\sistemawindows = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\explorer..exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer..exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer..exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1068 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1660 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 spy7100.no-ip.info udp

Files

memory/1660-0-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-2-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-4-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1660-8-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-10-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-11-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-13-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-14-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1660-12-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1184-18-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/1660-17-0x0000000024010000-0x0000000024052000-memory.dmp

memory/1752-221-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1752-266-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 36a4b8b6d4397ddd2e5e69bb4c85d335
SHA1 1558a5ba1df42f06f796576388c655c88c5d774a
SHA256 e3ef93117ee7c303dbdf2ffb65ba9e4804a4407370aa3720516bd3078767223c
SHA512 44c6b5bd915dd4bfc963de681a0b4914cb919f29bb36f0c9e1abc9986f53410184f8684e2cfef3b38a9600f9c035682a761b8988d6913c887dfc458580db2a5c

memory/1752-445-0x0000000024060000-0x00000000240A2000-memory.dmp

C:\Windows\SysWOW64\explorer..exe

MD5 00250311304ad33d540e7a77e434d861
SHA1 8bf361b1764c2ede5d723d284e4c868369fbe5f6
SHA256 7ffa743e4091ee4dbcc8232b89e5a60350f99c391dc2effb9a2082eb3ecda66d
SHA512 868f276b9a2ac38be81dd3404a187e0d29115b3ab9de8b9483ec3aedd67ea8a9dba7142043a3e5c641cfbb4a743efa5c8773d84ea0d0a9c443c8ff84d58a9169

memory/1660-714-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2724-717-0x00000000240B0000-0x00000000240F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 4362e21af8686f5ebba224768d292a5b
SHA1 504510a4d10e230dcd1605ab3342525b38a10933
SHA256 b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3
SHA512 f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

memory/2724-752-0x00000000240B0000-0x00000000240F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:28

Reported

2024-06-19 19:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system32 = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system32 = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH}\StubPath = "C:\\Windows\\system32\\explorer..exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH} C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH}\StubPath = "C:\\Windows\\system32\\explorer..exe Restart" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I3XL52YB-5AK7-1RD6-KU7N-D75B57WAT5RH} C:\Windows\SysWOW64\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sistemawindows = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sistemawindows = "C:\\Windows\\system32\\explorer..exe" C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\explorer..exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer..exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer..exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 948 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 948 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 948 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 948 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 948 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 948 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

Process Command Line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\00250311304ad33d540e7a77e434d861_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Windows\SysWOW64\explorer.exe explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp
US 8.8.8.8:53 spy7100.no-ip.info udp

Files

memory/3104-0-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3104-2-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3104-3-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3104-4-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3104-8-0x0000000024010000-0x0000000024052000-memory.dmp

memory/544-13-0x0000000001330000-0x0000000001331000-memory.dmp

memory/544-12-0x0000000001270000-0x0000000001271000-memory.dmp

memory/3104-11-0x0000000024060000-0x00000000240A2000-memory.dmp

memory/544-62-0x0000000003B30000-0x0000000003B31000-memory.dmp

memory/3104-59-0x0000000024060000-0x00000000240A2000-memory.dmp

memory/544-63-0x0000000024060000-0x00000000240A2000-memory.dmp

C:\Windows\SysWOW64\explorer..exe

MD5 00250311304ad33d540e7a77e434d861
SHA1 8bf361b1764c2ede5d723d284e4c868369fbe5f6
SHA256 7ffa743e4091ee4dbcc8232b89e5a60350f99c391dc2effb9a2082eb3ecda66d
SHA512 868f276b9a2ac38be81dd3404a187e0d29115b3ab9de8b9483ec3aedd67ea8a9dba7142043a3e5c641cfbb4a743efa5c8773d84ea0d0a9c443c8ff84d58a9169

memory/544-66-0x0000000024060000-0x00000000240A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 36a4b8b6d4397ddd2e5e69bb4c85d335
SHA1 1558a5ba1df42f06f796576388c655c88c5d774a
SHA256 e3ef93117ee7c303dbdf2ffb65ba9e4804a4407370aa3720516bd3078767223c
SHA512 44c6b5bd915dd4bfc963de681a0b4914cb919f29bb36f0c9e1abc9986f53410184f8684e2cfef3b38a9600f9c035682a761b8988d6913c887dfc458580db2a5c

memory/3104-67-0x00000000240B0000-0x00000000240F2000-memory.dmp

memory/3104-122-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 4362e21af8686f5ebba224768d292a5b
SHA1 504510a4d10e230dcd1605ab3342525b38a10933
SHA256 b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3
SHA512 f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

memory/1796-125-0x00000000240B0000-0x00000000240F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

MD5 7961aa44b77e4af4dc41a54a9dd52330
SHA1 54cf8c8da28e5fc35793e579130451316636edc4
SHA256 e8361817d3a179b11f7f2bd18762ad2cecb35f0997d6627c3d0a0fde812c1fea
SHA512 aa943e100c6aba2a82198d348193f7dea0e29549dca4fc0381b38a65da3f2faf45f0d592e108d43e4f04eaeb810b940fca1c386d1a5cfe4f39f23dff5df19b65

memory/1796-166-0x00000000240B0000-0x00000000240F2000-memory.dmp