Malware Analysis Report

2025-01-02 13:06

Sample ID 240702-2v8gcstgpg
Target 1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118
SHA256 f7a49efc8138abf52ac7b067e40e9813bc4ee4b7fb02adf4004f0c755e073f0e
Tags
cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f7a49efc8138abf52ac7b067e40e9813bc4ee4b7fb02adf4004f0c755e073f0e

Threat Level: Known bad

The file 1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-02 22:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 22:55

Reported

2024-07-02 22:57

Platform

win7-20240508-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S} | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S}\StubPath = "C:\\Windows\\system32\\install\\microsoft.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S}\StubPath = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Note on this entry: Active Setup runs a component's StubPath at logon for every user profile that does not yet carry the same component id under HKCU\Software\Microsoft\Active Setup\Installed Components, so this machine-wide entry re-launches the payload for each new user until the HKLM key is removed. The component id {BT8802P2-81C5-MX74-O168-J11XFGQ21W1S} is not a syntactically valid GUID (it contains letters outside 0-9A-F), which makes it a cheap hunting signal on its own. The second pair of rows, written from the injected 32-bit explorer.exe, rewrites StubPath without the "Restart" argument.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\install\microsoft.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\microsoft.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\install\microsoft.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\install\microsoft.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\microsoft.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Note on the path: every registry value above points at C:\Windows\system32\install\microsoft.exe, but the file is created under C:\Windows\SysWOW64\install\. The sample is a 32-bit process (its keys land under Wow6432Node and it injects into SysWOW64\explorer.exe), so file-system redirection silently maps its "system32" writes to SysWOW64 on 64-bit Windows. When hunting, check both directories; the dropped copy is byte-identical to the original sample (same SHA256, see Files below).
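The persistence artifacts listed in behavioral1 and behavioral2 (Run and Policies\Explorer\Run values, the Active Setup StubPath, and the dropped binary) are the parts of this report that survive a reboot, so they are what a responder sweeps for on other hosts. The script below is an added example written for this page, not something produced by the sandbox or by the sample; the registry paths, value data, component id and SHA256 are taken from the report, while the finding-object layout and the malformed-GUID check are my own. It assumes an elevated 64-bit PowerShell session so that both the native and WOW64 registry views are visible.

```powershell
# Added example: hunt a Windows host for the autostart artifacts this CyberGate
# sample wrote. IOCs below are copied from the sandbox report; everything else
# (function names, output shape) is illustrative.

$DropName   = 'install\microsoft.exe'   # dropped payload; 32-bit writes to "system32" land in SysWOW64
$DropSha256 = 'F7A49EFC8138ABF52AC7B067E40E9813BC4EE4B7FB02ADF4004F0C755E073F0E'
$AsId       = '{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S}'   # Active Setup component id from the report

# Autostart keys the sample touched, in both registry views.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Where, $What, $Value) {
    $findings.Add([pscustomobject]@{ Location = $Where; Indicator = $What; Value = $Value })
}

# 1. Run / Policies\Explorer\Run values that reference the dropped binary.
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match [regex]::Escape($DropName)) {
            Add-Finding $key "Run value '$name'" $data
        }
    }
}

# 2. Active Setup StubPath entries. The sample's component id is not a real
#    GUID (letters outside 0-9A-F), so a malformed id is flagged as well as any
#    StubPath that points at the dropped binary or matches the reported id.
$GuidShape = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
foreach ($root in $ActiveSetupRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($comp in Get-ChildItem -LiteralPath $root) {
        $stub      = [string]$comp.GetValue('StubPath')
        $malformed = $comp.PSChildName -notmatch $GuidShape
        if ($malformed -or $comp.PSChildName -eq $AsId -or $stub -match [regex]::Escape($DropName)) {
            Add-Finding $comp.PSPath "Active Setup StubPath (malformed id: $malformed)" $stub
        }
    }
}

# 3. The dropped file. Check SysWOW64 (where redirection puts a 32-bit
#    sample's "system32" writes) and the real System32.
foreach ($dir in @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")) {
    $path = Join-Path $dir $DropName
    if (Test-Path -LiteralPath $path) {
        $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $state = if ($hash -eq $DropSha256) { 'hash matches report' } else { 'same path, different build' }
        Add-Finding $path "Dropped payload ($state)" $hash
    }
}

if ($findings.Count -eq 0) { 'No CyberGate persistence artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hash mismatch on a file at the reported path is still a finding: the path and the Active Setup id are builder-level choices, so other builds of the same RAT configuration will reuse them with a different binary. The hostname in the Network section (www.server.com) is a generic placeholder-style name and should not be relied on as a standalone indicator.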

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\microsoft.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2960 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | 11
PID 3068 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | C:\Windows\Explorer.EXE | 53

(The sandbox emitted one identical row per WriteProcessMemory call; the rows are collapsed here with a count.) The chain is two stages: the original process (PID 2960) writes into a second copy of itself (PID 3068), and together with the "Suspicious use of SetThreadContext" signature in the summary this is consistent with process hollowing. The memory dumps in Files support that reading: PID 2960's image spans 0x400000-0x601000 while PID 3068's spans 0x400000-0x57F000, i.e. the child's image was replaced with a differently sized one. The hollowed copy then writes into the desktop Explorer.EXE (PID 1204), which is where the persistence writes attributed to explorer.exe above originate.

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe"
C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\install\microsoft.exe | "C:\Windows\system32\install\microsoft.exe"
C:\Windows\SysWOW64\install\microsoft.exe | C:\Windows\SysWOW64\install\microsoft.exe

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | www.server.com | udp | 1
US | 52.8.126.80:80 | www.server.com | tcp | 13

(The 13 identical TCP rows emitted by the sandbox are collapsed here with a count.)

Files

memory/3068-0-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-4-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-12-0x0000000000400000-0x000000000057F000-memory.dmp

memory/2960-15-0x0000000000400000-0x0000000000601000-memory.dmp

memory/3068-14-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-10-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-17-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-8-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-6-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-18-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-2-0x0000000000400000-0x000000000057F000-memory.dmp

memory/3068-16-0x0000000000400000-0x000000000057F000-memory.dmp

memory/1204-22-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/624-265-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/624-327-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/624-560-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\install\microsoft.exe

MD5 1dc2b5caa7e8df4e8532ea3e2f593ac6
SHA1 93acd3c37d5b4b4ec8e420d3b810ff1b08698890
SHA256 f7a49efc8138abf52ac7b067e40e9813bc4ee4b7fb02adf4004f0c755e073f0e
SHA512 4af46cf8b0cfba311bf180539ed807da1ece11ff3e2770a86564d9c815888acf575c27709c2ba78a3a97b7f3a6c46cb6961996827a4eb4242609a8a3f449c7c8

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 909af5f86c3fe13c7d3d831e8dd00b27
SHA1 c28adcf0eaa8b394ed2c20f03689aa184c58a967
SHA256 f3066033cd1a18c9c5afcf654f00307c741cecfabe6f85524ac58f32c81a1fc2
SHA512 f8882eeac259b7f66d58974b370de8ddb5cab97981fdfc2ed19e108aef15985d7284dfa4bcff832d03607e28eedbdee787b934d5d9c1b5f4906d911e2356fdc7

memory/3068-892-0x0000000000400000-0x000000000057F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\îêñàíà 537.jpg

MD5 244941811abee398ad6e228b7f06279e
SHA1 62102f4d6eb86215cfea365d78f41fdbf5f65cc4
SHA256 73d029ce6881763aee60c1fb2365a1bdecffb4ded835ef2d77cd5be4618625ef
SHA512 eadefbfadfad51bedb758fb1c3b0624d703972d792bf01047ea431f1f38664410d60e305ec7c120d8c27c16fb2388e1369b3cf9fe365cbeb97c4c9b24a540003

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a58712108337d7ae6039dd3ccb32cbac
SHA1 8a7d434c270d13f7167cfc574df1481902d59e54
SHA256 cebf22be4426716deb2df8eaa442da9a42d1c913d3da5dd66ae67280b6df974c
SHA512 265408cc1bf443087bc9a0411c4ec23119cd401dcc7e0b9d7b7dc3e3d18b2033c3bc51753263c0559acde79190fef6f6e03214a5e86592ef24ad63bb38271fbb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 38adec4176886420f9b19e4431f012e0
SHA1 5fcf4511046908d7db4fac75cb82af4b90ae6381
SHA256 bc87074a245b39213884a3a3368290c68baef9beee9121266e25438f53eec975
SHA512 4e7620377fd6467b6f90a9f6d84f5f9c9c0c4d02b70b1f4414b9df2b3f69f513a32647ef7ae1073309e10c2f1af0b4d1074cea0b32cec96271bdc39a24229559

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7ee7471623775628af15cc67090de684
SHA1 8455e496339615f56c4ed0d7b3ab5fd1fe85de2b
SHA256 7b9dc6e36351bbe550b868a623fcbe2f6e952ef6d3c854c58cd7121f03af8212
SHA512 b3140c3d651b8a14e2429d1b2745b920c08d9923701954da2c8338ef8249975fac7e9e04a228161f72995feee568225954146368923e0ba787bbbc70b434a683

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e420ca4c055092fa399c597686b608c1
SHA1 018ac1fd3a1ab386575dbb7a0ba59fc4460fbc59
SHA256 c71614992626b35ff016e7eb57a6fea29b9ec5fdfad3438c6ecfab4a21a12ab9
SHA512 21adf72cb573567afc51585a6f524b7d5adfe86817a9b2243e32f3f505183cd3c98091d2029d38180371520eb8205f53dfe76f10fc708c1f0f7dcd053c6fcd82

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1d3b1971d25ca20c3a665caaee55065d
SHA1 d0a7cbe0525997abe0b240497af2d9948687b7ce
SHA256 8c4630c7501c8a2fe231f367cdfde641142da56ab05a6b9b2debb03b83a48a43
SHA512 150482aaf0f4f1eeb2635e5bb6249fdd387a72c185b0c23ff0211e2aca03ded1b9ee5b67ae518ba9084768e40e8aab79c52230e4e5e4a9e92a46a2e59bfa843f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 889708888c362006dde7cb4d8635a655
SHA1 3815d091ad5e5ec79a55f2e59272d39f2f42f3f7
SHA256 b46905b0029f7d7d431c9c9353cda6910c05c9f3804e253ab93e718edcaf131a
SHA512 7358af6101e280caa507ccccb2a742dafe7ea5947d92308f76378bdf3ec20759b67c05073d1de3b717b63f4e65891c4d1437b8ce46edac9969320d44322469b9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 19ad9d53fb6f07f9572a54663b339301
SHA1 1e46e6a78ab0ad91ae9fba6758cee961783199de
SHA256 0753d6b0af481b98b5eadb628db9eafb7e30602b6ed600eac692baff563ef77f
SHA512 f6a96eb46259c95190236be46d75683f69210409b3112cfbfc0ac2f7823b7f3446f2a86283a66f213ecb8116d93d0e2d03db5967a3f88a038bfd75f9f0fc0ebb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5e8f19979c38c59918b057d833c5bac6
SHA1 14fd88df77e2c811c5a3c9dfcfd663698f00ef42
SHA256 7971d34b24f6c8f027e0d976e9e2184ef8e0f3ce3ef4e7fe7e7291b6096017b2
SHA512 9c55e6294eb27acabec351c2c2d952a4f13e6a7bc70a0a4792cf09198cf0f858d4712f0c57a1b6739de5cf64335028264aa52e13ed5c9d90ecb23bf52aa9ac98

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2f6c9b3181d564bba2c1faf64e7569c1
SHA1 954f5cef1b115cc8872fd6a37abf5ecc5f084116
SHA256 b0650898f3f57ad04206250edcb492858b41f92dec3300a9dffa58a40071ba58
SHA512 25136864d76a27e5e4ce6283624f181bf8f36efce41020c7945df4284aa58a95f8b857518fdcc550001e5ed58fbe454d51feda7c6b479abfdec295aa63ec86be

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3b4864673665b3a5666384582e027046
SHA1 ed2b0298eb2ac64e10117d4870eb597323d04acb
SHA256 99c8b4195d55de8cffed596d160482f1a0eff01d02c5859b747e24779b9f91b4
SHA512 d440c7b9e70f540f92cba41229e6db00e41f3da5879c75f901b7e99cc2e100752088c1e322570556b92de1c59d6be043b8cc3b04b04623a6cc7aa8145e461bb0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 84bc5fe2445e95b58581022684ee46e1
SHA1 c1082f73302eba6e35bb447ea79b6138796da805
SHA256 bdc39b7c44ac4cc8811fece87e3c0807fbbd07e8d035a69c11972ff9dc01d3ed
SHA512 fff9a8c534dea445722b99f5c024bdbd88e5a3a4eabde8ddd0d382306e84f601c44662914c57997be43918900be3fa508853d0b9da6294803054173e35c8d050

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fc1685ca991f3f693c3ecd7693d5b0e2
SHA1 2542d54b7602c29a0b93689ba110b321f8497876
SHA256 63d76dc3fd45deec7490fcca692702edf23a556ec657fccfcbd12d85afb7deaa
SHA512 18f50e44c98d25b8827d016d20f75dea93a108525d3a613167e4243bf00cf03d8049ccefa3865b99950f56e777fff69d5f08940d7f37619d3151d2c9387cdfe5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5cfbbd015dfa6e1a24f826f54df94d1b
SHA1 9f11a2056758355d31acdcc92c16df2a04ccc660
SHA256 f3f87e720bf6b0de97ea3c3f2c3a146c411129231679fdd4e82c99ed4f749037
SHA512 4e20e8a3ea63177cf610a8297cf398f44405ef99f27208aa103c44b881e695edbbbb7a57b6b784578e6766de911234e2ed6bf02aaf9d5208592a82aee8256e79

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e852d87d0690163278a2a495c1e33eab
SHA1 bb3ddcbc2284690a88cbf177e1894444dbf6e155
SHA256 e658cae64e767a1d1a59a4c31fa50895ca2a2dbc154ce7b4a35b3493278b60e2
SHA512 e4a8da0fe103eb1a000e7d76022a84a1f0310f5fda8d6d7e2030ba8022ac811bb0793f803b3b4da830fbf47622192ae4013abbee3619d0e5b076361b315de6c9

memory/624-1728-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 081218aae367d8786d9b8bbb75bde031
SHA1 c3a80b20b331216a5953181997e94dc7d28c7e5e
SHA256 244265bb4fa62671027dae8498361189c5940d781235cea81e2e285aa8561023
SHA512 e6a4065866cd691a1d14cd6a46f89ab93c8382e04eb4c0ee0f152f00b7ac7acc2e5df2dcc91460e3f526864a740bb84be986126bf7f63f8ac374b6c7e68720fe

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b8f77d4953929a480e1129edcc04880a
SHA1 9a4c58c110883d18e6ec28348a2716c271a3ce43
SHA256 f98bae1611989ca7724a5e5e6c7f43cb26b45f10ee300b0b712991e5aa9ab403
SHA512 cff873dd51d40f60b9d66a841770435179adec9f62d8dc2d4af34972007c75f85e591827c91fa58ce9d51d224c044e202e1e267b410d02e653beb0dc0a68c8a6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e60d82e27ac0c064719999d12a39baf6
SHA1 cbcfaf7700f79b6235923ab3e6a54d9eee2f4d8e
SHA256 15ced2ce4c96cda631368b9f72c49d7093954b987cd23e4b7161988916018b1a
SHA512 66c1b9e4fa4012578c980bb1953bd0a043be424d6c150ab4a77f7e9c4f38f250b697e0178df7ac8c06995d81e87e52d7e6abc7a3bafddab79dfee6a60cb172c2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3ef87c7fb03e495224c949fb56ed50ce
SHA1 98ce3262ca6290eee6e2fe2a8f594ba102bda23b
SHA256 24b09f3b08d38533abd0e94175344ea2452e33c25730308a4399ccc2fa1f0403
SHA512 842c688acf542fecb0f3f68448603a357486f0466da0c87d850f72f4ef89e244a1723ca356a51b8d06a3b7054427a0db590a84b5f729176eda93ce856b95d80b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 394de820d0b60a03fc5ca353fe86863d
SHA1 2db4321405aa32f697bb56ca1b66a3dbebb8cfa1
SHA256 9efd3893567b76c7ba9dd1385b54b48fd3a383dcab76cdd82eea756da211e2dd
SHA512 f8666f93d41b573b20d71e8f47a42f4897d26846bbd6740def290060e68f3152144652651ec32d5c5b82a33ef8ecbe45520132921d3b658f6505b7c5dd450c90

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 22:55

Reported

2024-07-02 22:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S} | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S}\StubPath = "C:\\Windows\\system32\\install\\microsoft.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BT8802P2-81C5-MX74-O168-J11XFGQ21W1S}\StubPath = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\install\microsoft.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\microsoft.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\install\microsoft.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\microsoft.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\microsoft.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 5044 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe | 12

(The 12 identical rows emitted by the sandbox are collapsed here with a count; as in behavioral1, the sample writes into a second copy of itself.)
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1796 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1dc2b5caa7e8df4e8532ea3e2f593ac6_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\microsoft.exe

"C:\Windows\system32\install\microsoft.exe"

C:\Windows\SysWOW64\install\microsoft.exe

C:\Windows\SysWOW64\install\microsoft.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/1796-0-0x0000000000400000-0x000000000057F000-memory.dmp

memory/1796-1-0x0000000000400000-0x000000000057F000-memory.dmp

memory/1796-3-0x0000000000400000-0x000000000057F000-memory.dmp

memory/5044-2-0x0000000000400000-0x0000000000601000-memory.dmp

memory/1796-4-0x0000000000400000-0x000000000057F000-memory.dmp

memory/1796-8-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3828-13-0x0000000000520000-0x0000000000521000-memory.dmp

memory/3828-12-0x0000000000460000-0x0000000000461000-memory.dmp

memory/1796-11-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3828-73-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 909af5f86c3fe13c7d3d831e8dd00b27
SHA1 c28adcf0eaa8b394ed2c20f03689aa184c58a967
SHA256 f3066033cd1a18c9c5afcf654f00307c741cecfabe6f85524ac58f32c81a1fc2
SHA512 f8882eeac259b7f66d58974b370de8ddb5cab97981fdfc2ed19e108aef15985d7284dfa4bcff832d03607e28eedbdee787b934d5d9c1b5f4906d911e2356fdc7

C:\Windows\SysWOW64\install\microsoft.exe

MD5 1dc2b5caa7e8df4e8532ea3e2f593ac6
SHA1 93acd3c37d5b4b4ec8e420d3b810ff1b08698890
SHA256 f7a49efc8138abf52ac7b067e40e9813bc4ee4b7fb02adf4004f0c755e073f0e
SHA512 4af46cf8b0cfba311bf180539ed807da1ece11ff3e2770a86564d9c815888acf575c27709c2ba78a3a97b7f3a6c46cb6961996827a4eb4242609a8a3f449c7c8

memory/1012-145-0x0000000010560000-0x00000000105C5000-memory.dmp

memory/1796-144-0x0000000000400000-0x000000000057F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 38adec4176886420f9b19e4431f012e0
SHA1 5fcf4511046908d7db4fac75cb82af4b90ae6381
SHA256 bc87074a245b39213884a3a3368290c68baef9beee9121266e25438f53eec975
SHA512 4e7620377fd6467b6f90a9f6d84f5f9c9c0c4d02b70b1f4414b9df2b3f69f513a32647ef7ae1073309e10c2f1af0b4d1074cea0b32cec96271bdc39a24229559

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7ee7471623775628af15cc67090de684
SHA1 8455e496339615f56c4ed0d7b3ab5fd1fe85de2b
SHA256 7b9dc6e36351bbe550b868a623fcbe2f6e952ef6d3c854c58cd7121f03af8212
SHA512 b3140c3d651b8a14e2429d1b2745b920c08d9923701954da2c8338ef8249975fac7e9e04a228161f72995feee568225954146368923e0ba787bbbc70b434a683

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e420ca4c055092fa399c597686b608c1
SHA1 018ac1fd3a1ab386575dbb7a0ba59fc4460fbc59
SHA256 c71614992626b35ff016e7eb57a6fea29b9ec5fdfad3438c6ecfab4a21a12ab9
SHA512 21adf72cb573567afc51585a6f524b7d5adfe86817a9b2243e32f3f505183cd3c98091d2029d38180371520eb8205f53dfe76f10fc708c1f0f7dcd053c6fcd82

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1d3b1971d25ca20c3a665caaee55065d
SHA1 d0a7cbe0525997abe0b240497af2d9948687b7ce
SHA256 8c4630c7501c8a2fe231f367cdfde641142da56ab05a6b9b2debb03b83a48a43
SHA512 150482aaf0f4f1eeb2635e5bb6249fdd387a72c185b0c23ff0211e2aca03ded1b9ee5b67ae518ba9084768e40e8aab79c52230e4e5e4a9e92a46a2e59bfa843f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 889708888c362006dde7cb4d8635a655
SHA1 3815d091ad5e5ec79a55f2e59272d39f2f42f3f7
SHA256 b46905b0029f7d7d431c9c9353cda6910c05c9f3804e253ab93e718edcaf131a
SHA512 7358af6101e280caa507ccccb2a742dafe7ea5947d92308f76378bdf3ec20759b67c05073d1de3b717b63f4e65891c4d1437b8ce46edac9969320d44322469b9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 19ad9d53fb6f07f9572a54663b339301
SHA1 1e46e6a78ab0ad91ae9fba6758cee961783199de
SHA256 0753d6b0af481b98b5eadb628db9eafb7e30602b6ed600eac692baff563ef77f
SHA512 f6a96eb46259c95190236be46d75683f69210409b3112cfbfc0ac2f7823b7f3446f2a86283a66f213ecb8116d93d0e2d03db5967a3f88a038bfd75f9f0fc0ebb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5e8f19979c38c59918b057d833c5bac6
SHA1 14fd88df77e2c811c5a3c9dfcfd663698f00ef42
SHA256 7971d34b24f6c8f027e0d976e9e2184ef8e0f3ce3ef4e7fe7e7291b6096017b2
SHA512 9c55e6294eb27acabec351c2c2d952a4f13e6a7bc70a0a4792cf09198cf0f858d4712f0c57a1b6739de5cf64335028264aa52e13ed5c9d90ecb23bf52aa9ac98

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2f6c9b3181d564bba2c1faf64e7569c1
SHA1 954f5cef1b115cc8872fd6a37abf5ecc5f084116
SHA256 b0650898f3f57ad04206250edcb492858b41f92dec3300a9dffa58a40071ba58
SHA512 25136864d76a27e5e4ce6283624f181bf8f36efce41020c7945df4284aa58a95f8b857518fdcc550001e5ed58fbe454d51feda7c6b479abfdec295aa63ec86be

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3b4864673665b3a5666384582e027046
SHA1 ed2b0298eb2ac64e10117d4870eb597323d04acb
SHA256 99c8b4195d55de8cffed596d160482f1a0eff01d02c5859b747e24779b9f91b4
SHA512 d440c7b9e70f540f92cba41229e6db00e41f3da5879c75f901b7e99cc2e100752088c1e322570556b92de1c59d6be043b8cc3b04b04623a6cc7aa8145e461bb0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 84bc5fe2445e95b58581022684ee46e1
SHA1 c1082f73302eba6e35bb447ea79b6138796da805
SHA256 bdc39b7c44ac4cc8811fece87e3c0807fbbd07e8d035a69c11972ff9dc01d3ed
SHA512 fff9a8c534dea445722b99f5c024bdbd88e5a3a4eabde8ddd0d382306e84f601c44662914c57997be43918900be3fa508853d0b9da6294803054173e35c8d050

memory/3828-1020-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fc1685ca991f3f693c3ecd7693d5b0e2
SHA1 2542d54b7602c29a0b93689ba110b321f8497876
SHA256 63d76dc3fd45deec7490fcca692702edf23a556ec657fccfcbd12d85afb7deaa
SHA512 18f50e44c98d25b8827d016d20f75dea93a108525d3a613167e4243bf00cf03d8049ccefa3865b99950f56e777fff69d5f08940d7f37619d3151d2c9387cdfe5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5cfbbd015dfa6e1a24f826f54df94d1b
SHA1 9f11a2056758355d31acdcc92c16df2a04ccc660
SHA256 f3f87e720bf6b0de97ea3c3f2c3a146c411129231679fdd4e82c99ed4f749037
SHA512 4e20e8a3ea63177cf610a8297cf398f44405ef99f27208aa103c44b881e695edbbbb7a57b6b784578e6766de911234e2ed6bf02aaf9d5208592a82aee8256e79

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e852d87d0690163278a2a495c1e33eab
SHA1 bb3ddcbc2284690a88cbf177e1894444dbf6e155
SHA256 e658cae64e767a1d1a59a4c31fa50895ca2a2dbc154ce7b4a35b3493278b60e2
SHA512 e4a8da0fe103eb1a000e7d76022a84a1f0310f5fda8d6d7e2030ba8022ac811bb0793f803b3b4da830fbf47622192ae4013abbee3619d0e5b076361b315de6c9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 081218aae367d8786d9b8bbb75bde031
SHA1 c3a80b20b331216a5953181997e94dc7d28c7e5e
SHA256 244265bb4fa62671027dae8498361189c5940d781235cea81e2e285aa8561023
SHA512 e6a4065866cd691a1d14cd6a46f89ab93c8382e04eb4c0ee0f152f00b7ac7acc2e5df2dcc91460e3f526864a740bb84be986126bf7f63f8ac374b6c7e68720fe

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b8f77d4953929a480e1129edcc04880a
SHA1 9a4c58c110883d18e6ec28348a2716c271a3ce43
SHA256 f98bae1611989ca7724a5e5e6c7f43cb26b45f10ee300b0b712991e5aa9ab403
SHA512 cff873dd51d40f60b9d66a841770435179adec9f62d8dc2d4af34972007c75f85e591827c91fa58ce9d51d224c044e202e1e267b410d02e653beb0dc0a68c8a6

memory/1012-1475-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e60d82e27ac0c064719999d12a39baf6
SHA1 cbcfaf7700f79b6235923ab3e6a54d9eee2f4d8e
SHA256 15ced2ce4c96cda631368b9f72c49d7093954b987cd23e4b7161988916018b1a
SHA512 66c1b9e4fa4012578c980bb1953bd0a043be424d6c150ab4a77f7e9c4f38f250b697e0178df7ac8c06995d81e87e52d7e6abc7a3bafddab79dfee6a60cb172c2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3ef87c7fb03e495224c949fb56ed50ce
SHA1 98ce3262ca6290eee6e2fe2a8f594ba102bda23b
SHA256 24b09f3b08d38533abd0e94175344ea2452e33c25730308a4399ccc2fa1f0403
SHA512 842c688acf542fecb0f3f68448603a357486f0466da0c87d850f72f4ef89e244a1723ca356a51b8d06a3b7054427a0db590a84b5f729176eda93ce856b95d80b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 394de820d0b60a03fc5ca353fe86863d
SHA1 2db4321405aa32f697bb56ca1b66a3dbebb8cfa1
SHA256 9efd3893567b76c7ba9dd1385b54b48fd3a383dcab76cdd82eea756da211e2dd
SHA512 f8666f93d41b573b20d71e8f47a42f4897d26846bbd6740def290060e68f3152144652651ec32d5c5b82a33ef8ecbe45520132921d3b658f6505b7c5dd450c90