Malware Analysis Report

2025-01-02 12:36

Sample ID 240703-hawghs1fkc
Target 21650967f198dfcdd32c6b4387d75a51_JaffaCakes118
SHA256 2ed7b7d258601438a2f188ebebcd406d9d43748c3c79279038e62bb61c4334e4
Tags
cybergate 1kax persistence stealer trojan upx
score
10/10


Analysis Overview


Threat Level: Known bad

The file 21650967f198dfcdd32c6b4387d75a51_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate 1kax persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-03 06:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 06:32

Reported

2024-07-03 06:35

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2} C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
PID 5076 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
PID 1740 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

MD5 21650967f198dfcdd32c6b4387d75a51
SHA1 7860833d961ed8e68bb506d5f6ef5bb854b387b1
SHA256 2ed7b7d258601438a2f188ebebcd406d9d43748c3c79279038e62bb61c4334e4
SHA512 dccb305ea7d5115d256d4170f35c77ad0f3c37caf09db3813606385db506fd528bb6c2a9b0c38cca0493d6e67ef6abe51bad643eb5eb0553155fcb4271d84fd5


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 06:32

Reported

2024-07-03 06:35

Platform

win7-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2} C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GGN24612-6M52-74T1-V1L1-21QW4R07S6O2}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Windows\SysWOW64\install\server.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2940 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
PID 2940 wrote to memory of 2168 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe
PID 2168 wrote to memory of 1200 (47 events) N/A C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe C:\Windows\Explorer.EXE
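Read as a graph, the WriteProcessMemory rows describe a three-hop chain: the submitted sample (PID 2944) writes into a second copy of its own image (2940), that copy writes into a third (2168), and the third writes into the already running Explorer.EXE (PID 1200), which is why Explorer.EXE appears under Command Line for this run and why the summary also lists "Suspicious use of SetThreadContext". The Python script below is an added illustration, not part of the sandbox report: it parses the report's "PID a wrote to memory of b N/A <process> <target>" cells (that layout, and the absence of spaces in the image paths, are assumptions about this report), collapses the repeated events into counts, follows the writer-to-target edges from the root process, and separates writes into the writer's own image from writes into a foreign process, the latter being the injection an analyst would chase first.

```python
"""Rebuild the process-injection chain from the WriteProcessMemory rows.

Added illustration; not part of the sandbox report or of the sample. The
rows are constructed from the report's own three distinct events with
their counts; parsing assumes the 'PID a wrote to memory of b N/A
<process> <target>' cell layout and that image paths contain no spaces.
"""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe'
EXPLORER = r'C:\Windows\Explorer.EXE'

# Constructed from the report: one string per recorded event.
WPM_ROWS = (
    [f'PID 2944 wrote to memory of 2940 N/A {SAMPLE} {SAMPLE}'] * 9
    + [f'PID 2940 wrote to memory of 2168 N/A {SAMPLE} {SAMPLE}'] * 8
    + [f'PID 2168 wrote to memory of 1200 N/A {SAMPLE} {EXPLORER}'] * 47
)

_ROW = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')

Edge = Tuple[int, int, str, str]   # (writer pid, target pid, writer image, target image)


def parse_row(row: str) -> Edge:
    """Extract writer/target PIDs and image paths from one report cell."""
    m = _ROW.match(row)
    if not m:
        raise ValueError(f'not a WriteProcessMemory row: {row!r}')
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def collapse(rows: List[str]) -> 'OrderedDict[Edge, int]':
    """Count identical events, keeping first-seen order."""
    counts: 'OrderedDict[Edge, int]' = OrderedDict()
    for row in rows:
        edge = parse_row(row)
        counts[edge] = counts.get(edge, 0) + 1
    return counts


def root_pids(edges: Dict[Edge, int]) -> List[int]:
    """Writers that were never written to: where the chain starts."""
    writers = {src for (src, _, _, _) in edges}
    targets = {dst for (_, dst, _, _) in edges}
    return sorted(writers - targets)


def chain(edges: Dict[Edge, int], root: int) -> List[int]:
    """Follow writer -> target edges from root; stop at a leaf or a cycle."""
    by_writer = {src: dst for (src, dst, _, _) in edges}
    path = [root]
    while path[-1] in by_writer and by_writer[path[-1]] not in path:
        path.append(by_writer[path[-1]])
    return path


def classify(edges: Dict[Edge, int]) -> List[Dict[str, object]]:
    """Label each edge by whether the target runs the writer's own image."""
    out = []
    for (src, dst, simg, dimg), n in edges.items():
        same = simg.lower() == dimg.lower()
        out.append({'writer': src, 'target': dst, 'events': n,
                    'target_image': dimg,
                    'kind': 'same image as writer' if same else 'different image'})
    return out


def injection_targets(edges: Dict[Edge, int]) -> List[str]:
    """Foreign images written to: the processes hosting injected code."""
    return sorted({dimg for (_, _, simg, dimg) in edges if simg.lower() != dimg.lower()})


if __name__ == '__main__':
    edges = collapse(WPM_ROWS)
    for root in root_pids(edges):
        print('chain:', ' -> '.join(map(str, chain(edges, root))))
    for entry in classify(edges):
        print(entry)
    print('injected into:', injection_targets(edges))
```

The same parsing works on the Process and Command Line sections of other runs of this family: the interesting edge is always the one whose target image differs from the writer's, because that is the process whose memory (and, with SetThreadContext, whose thread) now belongs to the RAT, and it is the process name that outbound-connection telemetry for the C2 will show.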

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (11 connections)

Files

memory/2940-2-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2940-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2940-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2168-9-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21650967f198dfcdd32c6b4387d75a51_JaffaCakes118.exe

MD5 21650967f198dfcdd32c6b4387d75a51
SHA1 7860833d961ed8e68bb506d5f6ef5bb854b387b1
SHA256 2ed7b7d258601438a2f188ebebcd406d9d43748c3c79279038e62bb61c4334e4
SHA512 dccb305ea7d5115d256d4170f35c77ad0f3c37caf09db3813606385db506fd528bb6c2a9b0c38cca0493d6e67ef6abe51bad643eb5eb0553155fcb4271d84fd5

memory/2168-23-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-17-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-13-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-11-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-24-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-26-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-27-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2168-25-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1200-31-0x0000000002190000-0x0000000002191000-memory.dmp

memory/2416-274-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2416-324-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2416-552-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 fb097ef39ee3397e4726029cbfa33c28
SHA1 7a9dc73f7945f3ee9f9c934af2fb0d4fe2128827
SHA256 9784ae7985cadb8249ae6b51d50e42362473053da454d2a82ad4443acd1a8b7f
SHA512 532863117d67e179118e09e74bb03f85b15f23c078372d92ff0735994e77af49fe1daf0fba9d418f7ab6d83d4c1e9e895acd443a4e1fc310853e7480d32f4370

memory/2168-885-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2092-887-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1011eb0bee3404f6605aaf4eb353295e
SHA1 23c88b61e7ecb5d79614b3960f29bbd27e7c6d8a
SHA256 cb98b72601b1826ed2ddf262fdc3e42a89c4a585c3b19891b6258440dfd3db43
SHA512 bab4acbd80741daeac8b3d5a0f0bb84345b3149faf43355af330860fbb807dbce7b856cf475c368f8b3e34f6f220e0daf9cb4ab9ff50c0610f51b47df5d8e377

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 adc848bf41fcb6d60b80be2b20b4f8bd
SHA1 3d7694b9d33b962a6a1f5575333760a8e7937157
SHA256 ddd1f0df5c618b549e68136e09ea679a80cf2b335eb75ed39b3262679b82e408
SHA512 3ed9ab55a607804c389ac858ac95d8d706b1fb7b576b7c4c8e910750507c02c7c1d2d4de98a45e85bd1e5ecff4ef9628f4baee13a644c1b9eec34e49d541155a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f5d0b3b61b467d7b07cff1b07b7f1cf6
SHA1 fb1b65ce2a230348b0f447c6d56085b5d2291548
SHA256 19438404eef36770d1b8f924b4264b487994fb4481df23c3a3d0e5ee0bf0d624
SHA512 c20af9803bba6aab408e375249041aed756ba09fdc34ba3fdce7ca335f5ffc66f05450dbcb53b72273fa59eb2350e6ff8cd6500bd6654c473d600cb9726740c7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ed25bc9d4b9142dc154e5d3b44e0a646
SHA1 a23eb3ecb5a57410d8511acfd1faa0548f52fd61
SHA256 8f3d1fc9566fa68fba9a3cefd3f9f5e7b9750009c35fbf060216066b67c0bc52
SHA512 72b90185f64a3d21e5ccf31177d8b964c25487ec39f91d0c749de55c2e3eaf5c5840d41e125cabead9c1050eee312cf2ed37f7ed80dec2c83983befd7a590261

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e5f0e07656c56300cd1ac9c045a81bae
SHA1 f9353ee3ac1a82f1abda9743f2bacaa0fee7a331
SHA256 50e791de56f4c97fc68ba1d79d2f4ae3880dc892b702b47a832e0285b652c652
SHA512 b769217f9eb2447a14f43762a31b16e2bc59d35483106d3c0bef99cbdaa0ef42f309bfc2fe717de137675a938d305d7c12e615c894763b8f0e378c14f19b0583

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1bf16f8fd43f88ff434cb3c3b7975e0c
SHA1 58914f6131fc5aefef3ca402601ee11f1fc2ae95
SHA256 6fa3269d54c12f828f569913217b46d288c7ab4690d7b8fb9ecf0d311605368e
SHA512 c469abb491da2d39b1955b059b9b69cd492330dbcc70d01e7fc6cc71d60928d8c0505e60614ef24d5131222d1b712c7b14455b3c3e7a265fca1255c5468249b5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 09a238ab1a1fa15b363fe84016737cff
SHA1 c98b9ca9723471457100a319b383afc04393543c
SHA256 47ce9eaa364d7a882279fe4181c94e5db25bd0aa08a840c2c94986ce63523fb2
SHA512 436f4929262d7ba8948a0b853b88a1dd566f9bf015927f6d81704ed11eab24d58836955c339e7faa370b61576e72f63ee73cf5b9e4b1a5468c284a02fbff4b29

memory/2520-1360-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f385d6298a3c5d7f4013745c9be0da9e
SHA1 6cf9979dde39fc8682753f641f6dbfb9b315adcb
SHA256 7dc689f6dffc88220474b5de5647b8e4fca8c3a12561876ee3a6fd4fa9c3aae7
SHA512 77dc9acac2c660881e1747f254247551f2c52fc54b53f281b7324bbee3f9a26013f3580b205e1a4fb15f466020d92c23eafb5302d3f1780074b58443c1e5fe60

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1addaee59a010815f1930316650a1ab1
SHA1 b7ae8546777ccd209ee5f520bd48da5dead2d313
SHA256 bf1339b21b41639ec9f3a75fb1296d6110bced31d9a2d5d06c8a6fb53558cdcc
SHA512 999e7f8c131a83af48cf8830e9a4e91e8c3b8febe361d7317da0dc4f0f6955715310b9259048b84e1cc90c6ac20119cfc5a46c18475124f8fbde65728b99e49a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fabfdc27b3aea547efcae8aad8661a9a
SHA1 dd1094c0c3c0c9898c3ed2e9c5e8c77e1611f614
SHA256 b1f47a10dda668317b89609dcaff23f0a641749d0fd45986cd247ee0d9e9d687
SHA512 9788dc3b0a5d665e782696fb5562ca9e989ca671b539491f2c62146c53428075646b7e58e05cd56e08bdaf95c7eefed3e8abe5dad51efdb6be358ccd2fc49510

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0893e81d0fac229f6cb55e3cf714e73b
SHA1 243eefc8efa9d2c3e7370b199e152392974b6696
SHA256 a9fe8a15502f3446161abe7e4f4db56fd13d5639c45e5ec860c1990ba564de85
SHA512 706e23ea61de907979acf3765638709d8265ecee5f7b60929c7dafff36f87ee3a187e33210d19c502d9f0d2ca0abdbe15fb509277428746f1207c95c876b025c

memory/2520-1618-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d2617c543acbd8b88b1b73e628ee25fd
SHA1 1cf75e0bd0f70b2ff59887d67f4ffce5cd754ac9
SHA256 504ec191d54fbe2adaebe9a2418e292bee4a67823d35a6528a5f494285820144
SHA512 ba0137e74fcdeae335b2842b9c88f2fdc5c95ff4cb89607a714830812948b6b9f94333144f93bb91ee23f6e0f708037f546040c7e0ee316b5501aefd52f7ba09

memory/2416-1654-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 169cb7198d7e2822c25d65c011da59a5
SHA1 f48706ec2779bede3476296dfa08e6e9c0d4b783
SHA256 2b52df05f3b1bc8e7d242144464662a9c36aed0ae6766311405eb07c318b8b66
SHA512 df57268a78bdeb5f772ed520f6ce0b94b0910cd9abfd6a5126c58538a73533cd81dfc92acf5446b6811152b4274e9721cfa2e3a3deeb8244eed024a766c49608

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 efd9fe096de716b1725b06651fd86f5a
SHA1 b3384e23fd08d4f365d80893b98486721ab14220
SHA256 accb52605dffa08acd51a1f9e983c1ca95b680a55c776bef0e75bec436f8bd47
SHA512 97244ce184dfad380d0cbc1d126b34c40071c4e6f80247422f879ce19bb70a1b6b01b0da76f572ae5361263af88f29eb732fb146fb51a4ba3a022df2447c2cfd

memory/2092-1796-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 50dd1afeb488431d9e26da6c1138dd41
SHA1 379e901aece1a4700b10fd7591dde524405ed75e
SHA256 fc5412eabd49d7d289031b649ac8739d524d2c400e0c60b8837930d44951a6b6
SHA512 d30f650cc684148f9332e34df96200740ee9691a05dbf41d106f7e5e5ab98639eecb922847cf172685b7378ccfc2ab496d06f0079b7f194fe56e0e3b05c3b6f8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e2074a6332543f5e74a270ee6aad6d77
SHA1 e28ee6505dd6b1954bf641df648b589827f83b6e
SHA256 9607426904ed03cf1ecc7aa392008d92d2af10100552842e4756e0308d471e10
SHA512 963dea0f15deb86eb804db92fa7dc1b124364ad59a5848714af7487a5bd6927688b346ef3f7be7ca96ce14cb9c61b0f05b1e4735e4a45c241d6b4b9b8f68afdc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8618755f0351fed6fdca1cef0d6dd5b7
SHA1 0a36a34b318d29db08446cd5615bd38a508bff7a
SHA256 49ee05cad6396ac55b0163d4e6933b4665fb2a41953d11a7702e9ee486b76812
SHA512 9a6468c59fc7b7a59bce3c084b8aeed04741a737a513b555c92649719993be2c1f2d71fcefd65f89dbb7db515d045d76b86a040294aacb51b0e2b84bc28ac5fb