Malware Analysis Report

2024-09-22 09:04

Sample ID 240725-1r1fxazeqe
Target 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118
SHA256 b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6
Tags
upx cyber cybergate discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6

Threat Level: Known bad

The file 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx cyber cybergate discovery persistence stealer trojan

CyberGate, Rebhip

Cybergate family

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-25 21:53

Signatures

Cybergate family

cybergate

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 21:53

Reported

2024-07-25 22:00

Platform

win7-20240704-en

Max time kernel

147s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (identical row repeated 9 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE (identical row repeated 64 times)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\server.exe

"C:\Windows\system32\WinDir\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (identical row repeated 13 times)

Files

memory/2312-0-0x0000000000400000-0x000000000052E000-memory.dmp

memory/1196-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/2312-3-0x0000000010410000-0x0000000010475000-memory.dmp

memory/2784-247-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2784-260-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2784-534-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\WinDir\server.exe

MD5 7162f99c0ceefc19c88816af9e8dde09
SHA1 8cefb5d035e2f31de72c227217d180356e1e9b55
SHA256 b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6
SHA512 ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 6524fca5b80b5de75d75b92a1a092cc3
SHA1 95e3fdf049f8633a07d9f3f28d5b73ce2fd709dc
SHA256 8c3713637e0f6671a910a4162de97fb2b4aa0b5c05690e42d45957fbfb4cb53e
SHA512 467a8d5bb5e388c8b7d8a1c8fe8a32e9156b133859d40fc0d0ecfb92242d50239cf7db8dc78f19d22925d5873ae0de1728c93ce37c00d465501a9b48a58486a6

memory/2312-558-0x0000000001F00000-0x000000000202E000-memory.dmp

memory/1348-559-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2312-866-0x0000000000400000-0x000000000052E000-memory.dmp

memory/1348-886-0x0000000007100000-0x000000000722E000-memory.dmp

memory/1348-889-0x0000000007100000-0x000000000722E000-memory.dmp

memory/2552-890-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 40f506e7ce59ca438339bad7b5ce88f1
SHA1 d5eb89da786448164a5addc9ae68ad850e18b87f
SHA256 8f1958d84ee094b8616a530dc906190aef8593cc5ec06abe3892c2d32f631e7d
SHA512 31a71daa9cffe7ee44d808deddd525b629ab2873c084f0cafad9a3d5dfe4bd22cbfcbe4786f6acc6ace924c04d2ee0be8887a7a1db2e96cf4c17fbf98fecc406

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 db458e4172f2b2ba19fcf2e1265e314b
SHA1 5fdf21ea18545649a57f33f5d2f9f0fa0691928a
SHA256 da1f6041f96d43655538850ee9edaf09b633cb9e092d1644f7082d7926121f5d
SHA512 a160aefa0082c822d42236d4e4cf6a41a8dba14005e99da0c8a914817a75412fb013cfa1090a34779fee7e5dd9121ed3932bea895d8a1320963082f34726102b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 44c7120057cef1c8abf2665833f55d9b
SHA1 385f662a68a58cb47100a6c45c02038a9978a1b9
SHA256 a126869c1d2e3a8da406417ce5a8c9648e46f30002442619c6feec026be95798
SHA512 5a67f1cf758a5a0065af5c66becc7fa39350922aa40f4ca8d929f837e0edded4b55710f8ea2f3fb01f82bed4557bb1d2173544755649fc03e4bf5dccade22962

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f616a84e5c2a0e3fe52b6a6f7167a9f6
SHA1 4e8b65374bbb87a496817bbc584b6e54ac7b8461
SHA256 c85d918dad4c7e664d44926ef2728e1c96197a7ba425e63761981615a2985c11
SHA512 c460d6b0ca9f7f353f0f5ad7cb3e0f10384ab56f82fc39acb3f4eb81d2ef80e5c4c527ee252872e505980642c5f9d3d5d7e8cca431cbf2285efea09ce72b3f8c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bfd3ad42e1261e182d9316641b38c00b
SHA1 f19312a2960b19380f98e2f072e7267846e650b6
SHA256 c60b15513049ad49236598563d4a6795a9c8bf00e1b8f56b293811831e607ad4
SHA512 df07780e70889927a89daa21f056580b950d0fb6c964be9152fb90f758f01c0cae661fddffe92ca722031a969ec249965f63e40928bcd71e375a9d3bbe420ca7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 838668465d21ab41bb7c7d1bb254c0e1
SHA1 7e7fce7f736a9771debc7e484d9443e10e7d5456
SHA256 e05723a73dd0b741b71e866f277e0ff712f597c5acb8b1276c5a24e9f382a7b5
SHA512 33fa4b1d2f83162b16826c4bd97bca32369aae84f3edcd0fb728921da7f50aa73c2a7079e8809a699a33c9838d419e88fed3d88bb43afb08855dd7605f1232b7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2ccb9597929ef690ec885522e78d7233
SHA1 23df45c074311f61570b432beb6e8839e14c5537
SHA256 4a36f00676e25e4f67a8a65637d43241c34cdab0d115626232f234e4f9702c4c
SHA512 b3083a5c2fbf52f6c7e6e70068495663c9a5baaf6ccf3669afe1a76b6c7c2a7a930e84c66cd1afe6e342cc4eee80133f7989442260afbde91074a6e627604c51

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 16d86ef1995919c5678f4e0f01fc2235
SHA1 d327649643f7ec606c37125b6f57e8178eca52b9
SHA256 605a21f244b900fa76d58af5bb045be4182a9692b4b7fd62ab6e32272f7d373a
SHA512 d8cd8494edcfa7119ea4dc81b6534229d705d19ae7324b21c58f5c8906c2277d74ec26da756c70a6d9d3389e8f2c83de2c8fb9903cddddb855bb8f4226ec5737

memory/2784-1452-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ec54e6f99ec3cdb86e6bcb71ae068b08
SHA1 10003b8499f0e6c69e6548fd81053dea7d57de45
SHA256 56d3b3ac8bba1254ab75c19d4ea6869fbd4e73fca9d2fe0aacf9c262ebc4ced9
SHA512 a2da045f4ce2e35588620b40db827f7d84c6a4b5dce5030f208a0e02070ec2542c104c5eebf77e21707c752ce6f87ad14fff6ee692ba1d2ccfaa1a93a7f8599c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 382f59def667d4ca86f9ae5057acacee
SHA1 31e95d034baa2bc5a6b79ff227a2ac93c42c0c08
SHA256 10c24ce50e0bb56391be7267aaa025e3eaa921ae9b73651c08d3b632c10623b9
SHA512 735ca899b605beeb99502b2b6250df8a006ff9032d534d007ed25d660eb04e2385f74ca60064a67c6822a553f08efadf70571c429646e8acca15c27040972a42

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0046745063100bd31bf915a9c0c3bc40
SHA1 feb995853e106f298fa57c9bdd54f7bd145cbb1b
SHA256 37aca4eb14b0debd9dfd5454191ca759e0fa6e5e8418ebd3dd46e943764231dc
SHA512 6b6837c9b4e108b81e70b6d253006aede2b8529075d5892fa2e7a77fb30a1fc912b5cf3dcd092c8990a44a280132ccc21c9484e175b431e2c0d27c0cf7fd3777

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4a364a0523d9f3869e00902d860e598b
SHA1 76d7da1582b953b92340614f07dd19901869fa97
SHA256 a3a9cbef0977cbb93c382e61da0011b0c1b20c05b01a596a8b9a543809108dd2
SHA512 038b704b76c648aa485ca2d9f725bfb764b55fdea54c53f021c16970d50305488ae43503e018b83c4a4354c75009a41764a6f66ddb4c8957ddfae09bf4d165f4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 14b9f4e7cf9fa4024bf8d57c410db595
SHA1 a7a8bf59e439ed83179e33ad3463c93d1f093f90
SHA256 3e9fc31b3e977486665b40aa454c3fe3043a577eaffbb7d754a15d1cae83a0d8
SHA512 b8ec84461317c9b52fe5e916e3934dc33a1c60ade806e086e2c3d65edb41aade04ecc2fa0112b3e778681a3bf4bed5d73613acc239f001d5453877de4c97be7a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d32978ca54948369ddcea653fcd183ca
SHA1 bc5fcf4595b8ef8071a1be69abb5404437218f94
SHA256 c2db9e9db96947f0b3fd4a447e1470abbd56ec163ee59c17c96a26cdec20f521
SHA512 6f8a8ba957d6cc5ec9a4d38f9e3abaf908fd60ac623eceb23eae52da6b36a55b3e1b53266718dcb9b5094eb1e79d56ee100f98201728de103e8ad0675f61c998

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8908ad11a84cc33c9e0913c6560ebcc2
SHA1 905eb6eacf19b4d1a6c1cf286c91103a31001c97
SHA256 5600c12621a494b8d5728bb52bab2e59c7cad8284f77327f93c1304706dd25e1
SHA512 78b6ce07a2125f5b7d517293bd14198401529f7049bb2a9b0bab470cf97fa450ffe199bfa6c3aefb4f4a4f0ea5a6b9fad9c9927edf1a06d1068e25febbb00214

memory/1348-2026-0x0000000007100000-0x000000000722E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f8b6a6871b77727fa1a0d72f08b71cd4
SHA1 aa5b5925180e4c68b8a63216a9c5033c07e2d1c5
SHA256 0d948dca2f8affa24b9debd3a4d7377e93eda73caa0e94d77181212fb832baf9
SHA512 f95f418372ff21e138cee22e3af8ae5c513599fbef727626fb4d9bd9cdc4fede46bdea90e43c963d721ee2203b073e9d907dd79c5052758cb1f971bbb6c490e7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 baf1f5e7a8663446b6da715d2312edea
SHA1 842e3ff0c0b5ff356dc5a750e05a0eae03f02285
SHA256 e72ed236c4aa947d400e69678e06f91fbba2172f11df4eb949dbca7eed2d77c2
SHA512 ed0c7b1575cb5c7f1258cb0738f40f266ca9077c7ce6b7423352e9e9518ac6ba52442458a5049bb453d2c5b13d149cee004e8be306572baff2b7d00f1c5ad321

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e94d1b2383458caf3b4b31e0b62a7b26
SHA1 a26c093e9276798f40255f68395746ce44502dab
SHA256 fa3cc5e41d38fe7dcddb31951f05b4bf61587cc48c5d685f6f325575bb05bf15
SHA512 6500b3796af9d8a5a4310af04a90a84ae951861487d3f01191845606dfe8c6af29d83c2a25c48a29256df348d7e90cdbbe530a6259518810a29ea0858147ab68

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0fe4dfcf31bbc0bc2e53a74d6270ef25
SHA1 27d41a031f37d5f202ce77c48f4f7e3ac8a498a1
SHA256 d160b186213132d4b75441049eae69841cc7dbf2c6684697fd569e5fcbddd4a4
SHA512 8d4f4454b00646239c271a9f9cbaa5893e504cb6dc9c44cc020fae6cf3b54ceb26efc37413fcafbe509e621742660345ee8de504df7845b591257d1cb44c5dc1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 771c5a17eb00ab5d591814e6db300a49
SHA1 36bd7487fcb12a9f18a9a9a5dabd3b7087b89f5d
SHA256 cb8d91ffdf53a089fc893ff2270a3be3ed33a37dfcee1a8678ebc1044d4f59d5
SHA512 ee948c440d3a2f3342f97fe0dcd459cc4a79de21f43e3f766c92209a4815e685fc34bcba3deac9fa495b55f0234bcfd6b98340bb976660d4ccbdf18480c1a598

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a22ffc3c84f98e28499783b78abe2703
SHA1 8cd37dd9f7ced78a9b2294d01e8cc5bade4e2f03
SHA256 4fd9322a359b0aa25038f279ebc6cf79099e6295023d633834be4ce2feda4985
SHA512 45cf07923ae0063a1aba2cb743c700be9121b3469c83baf37393c7faaf73b27e0babaf8b23384c85765a12a7b7827be06ce0114f47f102c6021819e8ff60b6b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 21:53

Reported

2024-07-25 21:59

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (identical row repeated 11 times)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\server.exe C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WinDir\server.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\server.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 908 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\server.exe

"C:\Windows\system32\WinDir\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 336 -ip 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 580

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/908-0-0x0000000000400000-0x000000000052E000-memory.dmp

memory/908-3-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3584-8-0x0000000000650000-0x0000000000651000-memory.dmp

memory/3584-9-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/3584-69-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3584-67-0x0000000003840000-0x0000000003841000-memory.dmp

memory/908-64-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 6524fca5b80b5de75d75b92a1a092cc3
SHA1 95e3fdf049f8633a07d9f3f28d5b73ce2fd709dc
SHA256 8c3713637e0f6671a910a4162de97fb2b4aa0b5c05690e42d45957fbfb4cb53e
SHA512 467a8d5bb5e388c8b7d8a1c8fe8a32e9156b133859d40fc0d0ecfb92242d50239cf7db8dc78f19d22925d5873ae0de1728c93ce37c00d465501a9b48a58486a6

C:\Windows\SysWOW64\WinDir\server.exe

MD5 7162f99c0ceefc19c88816af9e8dde09
SHA1 8cefb5d035e2f31de72c227217d180356e1e9b55
SHA256 b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6
SHA512 ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703

memory/3132-90-0x0000000000400000-0x000000000052E000-memory.dmp

memory/908-139-0x0000000000400000-0x000000000052E000-memory.dmp

memory/3132-140-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/336-159-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0c37b884998b4f2680618bb9e02b6e8c
SHA1 f671f62189576ce2d23673e9464a38925647646f
SHA256 c369b7fee9c4905fbb4e017fe37e61d8552f21464ccb2e143fed27fadd1a4ccb
SHA512 2c6406fea40268e2340367de0df6b1cc96a76e7fd3305c87fe12ee2ed953bef19957890d687380c581ed9b40501fd40e536dc80f3040f6ae84fe5c73fcf1d17c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3fe4dc1b01d3a515ee04e5840867c380
SHA1 4a0ebe4fbf737162870800514ce85f42630927e5
SHA256 41b59bc94ceb900be9c925248dc50cf3112d1f1f9563abc1c856ee1674765c6a
SHA512 67bd13c2ae79f1e68c909305954ef570102567c32cfc6a31328e924fe74850ca17e73a6e2ca0f8f53474a3223eb3ca155c8e79686d82b4bb1261268716b8d60d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8f2b8f46959a0fc5a7409d7041c700bb
SHA1 7f37376a8ab0e522c846ee9603befb886957582a
SHA256 b35324aa5cb112dcbc5feedb49101437f08f8501e8e78f705d316de95073c2e7
SHA512 71e5073adcaa6c33872433413295a0d0bb306ed8abdb7d3b0176eae4f45659ebd63b5a2fefb83addbc7468b5d995a73dc851533a01c16c81352951725fda1a7d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8b3f49f4ed73809338ad084d8347573a
SHA1 29a6f2624e7924d13d44ced908e02659f937c470
SHA256 67ac0f3addaef9a9a02d944a81dea35766c6d3349d26e08a00edf15df624e5f4
SHA512 9b121de67559e97e596d9596265a2bb5c3acdfc00c82fbc97cc0224b933575dad7f08802c627e30d258be1210b588ad5e5e3ae8b685763fbfabbd72688aaba11

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fcd5f81ebd2680ee2fcadc3902ff52f6
SHA1 fba7758ca010548a149fe7f21bd8fd1ef4360424
SHA256 da15662bcc474eba53d66e10e3eb6b45fbf50b373d35de36b589d2b08a849ecf
SHA512 c5fa2ab95ff78d7c58830cf8c9d4f0c6a01c3275541a376ae340a5b7043dfe33ad6bfa0361b5e23a6859a7b1469460855497dd70c1928f2b1c5a8249681768fa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fb56e7595dbfb6522ccc0223103b5014
SHA1 3173e52033964c0dbb20dec2a7b46bbc7cdaf409
SHA256 f05b6182964815ed8fb91f1dc1cc384074f5475ca9c17bd9e73f58acd4159474
SHA512 62726206ef090bcaf792466fdccb34c3aa978373305316295dfed583b1fb6e22db0f1fd3be6deb79c90264516fc338803554c758fbb8c842006c9ed6918a48d3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4a4a966a0e796455ae8a4f68ea51fff8
SHA1 b5de545a78005054ef82cf07215519cf8f241d2f
SHA256 1ba82f4e30343e7c6169e46e868b9f88ab822ff4b0b38e53914bf3fea0d62667
SHA512 eabe111b0bb1469716ebd66409c93dfe15a7f68995517a77a934b5b5d35469ddc630447075577b06e23d210280c35d88907f710437c3f9a68bc24d1705013ee9

memory/3584-802-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 cfaf3499d220322bb2b98757fd465345
SHA1 dac7520577e090a280ee02de4db27ecb3e4e5553
SHA256 d2a0a2fe606e100b5b054a362ebe0afbc99f1d8523a398225633dc50f3b404f8
SHA512 6e6cfdb3552011120bb3786bf0ab75ef2088f4f6d052b12bf5cb712f3590e54754a8d7532d94b855ce62b0ef5cec0be57d69b8429e9b4431a254976b85bd5f5d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 470df2065e75242b2f47860d24da4154
SHA1 8fff7f55dc75adfc57c4e55e50f2f0c628548702
SHA256 b5598c201925e63b323d8341bf06ffa6d19f6fb0674c2bc294f4da743309a83e
SHA512 70470d488d0f584f56d2b50549b868d0d62996283b4cf053d00b055f967b2560dcac4aabe01edb13ddace3734263a966c0d2eb4988c110690008d28e39bf3336

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a7b96efffff719e5071e85b841e59817
SHA1 c2bf5fe32f5c8071ea698b8f45c1b977999faa93
SHA256 e6d97f9fa3ab10fb6b487cc18805217dcf13267458cd79e8b7e3401295426ded
SHA512 b3374de212b182c4bcfb923ba8a429af6070559e51ac0eed80775d679b9f5f2fcbdc847a41745d0627e11a0cc9f7eb8d3421df772973970d2dcd93110a4def18

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 00fa157213063c051d123991413fd266
SHA1 5607462969483b16af54931f3cb1e25d4c07ffd9
SHA256 8cf244f9dd379d76659333b0311ae7c83455fad5de7b6da835d7fd6ab717f4f2
SHA512 e152f5294715782a1be10f3acfd48fbf80f6009e7695aaab985745ee70e799416e1dd2ece011f2ea2ba13f9b233837f5bd0c25741de558b453dfaf673bc834ef

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5a7365d6492ff6a81e3b603a2bb38bdb
SHA1 1dbc141f3a3b56e6f75084407be88daa33c1dad9
SHA256 8b59fcb1347e838e1d727e3fd88e0a4a01faab67ca6715fb423126a2e6bb7fb8
SHA512 1361b743a3edc37889a41d5845aa1c3dd110212e1bddb3ece1311b9bc0ecbef4ad2d912cffb0eba486fe828708151cf68227e68437d26dff0e0e5e8026b5669f

memory/3132-1256-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b6ceae1698a04082f8f1128d07e45b8d
SHA1 84add7fb9afcb9f378c4885577d974ead4d468aa
SHA256 062f402b1a06585ac49dc2fcd7451e511ccc57581f0c36ec7d7d09cbb9057998
SHA512 5d9cb3767a13f3ea76465042c173f2c3fe9225973df0d095fdf3246fd865dbc9166dfa04ba92ab3850b80832bbdcfcad23af035a60165395316e88b8c840f8af

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ae40f691de87e781b1a342ff6d410ab4
SHA1 4adcd7a605fc681186f0058b15907069350facbd
SHA256 231d2746b08abb99f4bb82f7993e3ca7ff29b7ac4d04692ac39fa67e2a8091ae
SHA512 ef13b209a621c7f2cc66e45721ad180af6a5b35190e7f702bc8d29b301b5576270024325cd66ebd2740719dca67373cf4dc45448510547d87bb72a58f3a42125

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e5df670854fdf57fe8f36f545e98da30
SHA1 e38acb2fd8eeddb7cc88f2db306c32de9596a12a
SHA256 10e8fc2d7d0024d93069134577256b20b8521f4ca13ed97bc4f6da2ffbd26392
SHA512 b81d78e6442afa7183ad16419b4ec0ae9d9bfafb70a7283d83cb97b37519e2fcbf3add3bf458e7d73a8e1852844b2e1f82120eba80ec37230831ab7f0dc28602

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b2b9b05a72d812925a09cdc9da51a04e
SHA1 61bf4e8ecfe5fb5f2d7971891abed41ea38f0770
SHA256 3897791dd8e56b3b3c2875dbae24d8eb8779c1d00a49015ade4567ffe462ef4e
SHA512 bfc95f6c29dcc9e640944cc22c237b2b08824bc148c874294b5c6bcf9cefe177e4a8c90535c867ad3c165df58d3355ac6dc816e9ba6a5280cc3eb4b5a21bba76

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f9ce5a5b87d55727edceca3c9c7a3185
SHA1 03c807473f28445a0ae1b6f97ba54f3789161f08
SHA256 38eb3e5342b3278f95aeeccf70639ac3a948b0e5899de2cdb23700a0523ea4a1
SHA512 1dc1165f222739982c095f9aa200f54e7e3b664e92dee677cd8f1356fe437a2ed910e65676ded9f91219ca1b28052b0e55e81563ae3c7e6507e28d5fe3d2cf41

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5f6e5734a7ddd91f0705dc0e83346e28
SHA1 0c50d08b8916124c049f4ca105a6973e3a144874
SHA256 9bc6c1457e8709f6d7eb9f8bcd86165686d282b627b41d5c050814660d3506e5
SHA512 ddceec376c17ba8fdc9a946a3c49a67444e3057e75642ba2c188eb8570d1f7c0803cac52205c18b2f8d0165b5710a8770987f083d21c63efe661884cb9bd658a