Malware Analysis Report

2024-09-22 09:05

Sample ID 240725-mlxwyatdrm
Target 6f3836931b74da275c0da23ba896c234_JaffaCakes118
SHA256 f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156
Tags
cybergate cyber discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156

Threat Level: Known bad

The file 6f3836931b74da275c0da23ba896c234_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-25 10:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 10:33

Reported

2024-07-25 10:43

Platform

win7-20240708-en

Max time kernel

147s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3} C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (2 matches)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
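A triage pass over the persistence indicators above, as an added example (not part of the sandbox report). It takes the Indicator column of the "Set value (str)" rows as input, constructed here from the tables above plus one constructed benign control row, and flags what an analyst would flag by hand: an Active Setup component whose key name is not a well-formed GUID (the {GM0H1P4I-...} key above contains letters outside 0-9/A-F, which no real GUID does), a value that starts a file called Svchost.exe from anywhere other than the System32 or SysWOW64 root, a Policies\Explorer\Run entry, and Run value names that imitate hive names (HKLM, HKCU). One caveat the rows themselves show: the registry data says system32\WinDir\Svchost.exe while the "Drops file in System32 directory" rows show the file landing in SysWOW64\WinDir, because the 32-bit dropper's writes to System32 are redirected by WOW64 file-system redirection; a hunt that only checks the literal path from the registry value will miss the file, so check both directories. The rule names, the control row and its GUID are my own.

```python
import ntpath
import re

# Rows constructed from the Indicator column of the 'Set value (str)' entries
# above (behavioral1). The last row is a constructed benign control with a
# well-formed (made-up) GUID and a stub in the System32 root.
SAMPLE_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"',
    r'\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\StubPath = "C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"',
]

# The only two directories a real svchost.exe lives in. Anything else,
# including a sub-folder of System32 such as WinDir, is a lookalike.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\\{([^}]*)\}", re.I)
# First .exe token of a command string, quoted or not, arguments ignored.
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.I)


def parse_row(row):
    """Split 'KEY\\Name = "data"' into (key, value name, unescaped data)."""
    lhs, _, rhs = row.partition(' = "')
    key, _, name = lhs.rpartition("\\")
    data = rhs.rstrip('"').replace("\\\\", "\\")   # report doubles backslashes
    return key, name, data


def executable_of(data):
    m = EXE_RE.match(data)
    return m.group(1) if m else None


def triage(rows):
    """Return one dict per row with the list of rules it tripped."""
    results = []
    for row in rows:
        key, name, data = parse_row(row)
        findings = []
        m = ACTIVE_SETUP_RE.search(key)
        if m and not GUID_RE.match(m.group(1)):
            findings.append("invalid-active-setup-guid")
        if re.search(r"\\Policies\\Explorer\\Run$", key, re.I):
            findings.append("policies-explorer-run")
        if name.upper() in {"HKLM", "HKCU"}:
            findings.append("hive-lookalike-value-name")
        exe = executable_of(data)
        if exe and ntpath.basename(exe).lower() == "svchost.exe" \
                and ntpath.dirname(exe).lower() not in SYSTEM_DIRS:
            findings.append("svchost-outside-system-dir")
        results.append({"key": key, "name": name, "exe": exe, "findings": findings})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        print(f"{r['name']:<10} {r['exe']}  {r['findings'] or 'clean'}")
```

Every row from the report trips at least two rules; the control row trips none. The GUID check alone is cheap enough to run fleet-wide over HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and its Wow6432Node twin.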

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2992 (12 identical events) N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
PID 2992 wrote to memory of 1228 (52 identical events) N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe C:\Windows\Explorer.EXE
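The WriteProcessMemory rows above read as a chain rather than as isolated events: PID 2332 (the submitted sample) writes into PID 2992, a second instance of its own image, and that instance then writes into PID 1228, Explorer.EXE. The first hop is the pattern the "Suspicious use of SetThreadContext" signature in the overview describes (a child of the same image being overwritten), and the memory dumps listed under Files for PID 2992 all cover 0x400000-0x451000, the child's image region, which is consistent with that. The script below, an added example and not part of the report, rebuilds that chain from rows of the report's layout; the input is constructed to match the table above (12 writes from 2332 into 2992, 52 from 2992 into 1228), and the edge labels are my own wording.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Rows constructed to match the 'Suspicious use of WriteProcessMemory' table
# above. Columns as in the report: Description, Indicator (N/A), Process, Target.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
SHELL_IMAGE = r"C:\Windows\Explorer.EXE"
SAMPLE_ROWS = (
    [f"PID 2332 wrote to memory of 2992 N/A {SAMPLE_IMAGE} {SAMPLE_IMAGE}"] * 12
    + [f"PID 2992 wrote to memory of 1228 N/A {SAMPLE_IMAGE} {SHELL_IMAGE}"] * 52
)

# The two image columns are only space-separated; the non-greedy first group
# stops at the first ".exe " so the split is unambiguous for these paths.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+)$", re.I)


def parse_rows(rows):
    """Aggregate events into {(src_pid, dst_pid): count} plus a pid -> image map."""
    edges = Counter()
    image = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        image[int(src)] = src_img
        image[int(dst)] = dst_img
    return edges, image


def chains(edges):
    """Follow write edges from roots (pids nobody wrote into) down to leaves."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    out = []

    def walk(pid, path):
        path = path + [pid]
        nxt = [c for c in children.get(pid, []) if c not in path]  # no cycles
        if not nxt:
            out.append(path)
        for c in nxt:
            walk(c, path)

    for root in sorted(p for p in children if p not in targets):
        walk(root, [])
    return out


def label_edges(edges, image):
    """Read each edge the way an analyst would; returns {(src, dst): (count, label)}."""
    labels = {}
    for (src, dst), n in edges.items():
        if image[src].lower() == image[dst].lower():
            what = "write into a second instance of its own image (hollowing/SetThreadContext pattern)"
        elif ntpath.basename(image[dst]).lower() == "explorer.exe":
            what = "injection into the shell (explorer.exe)"
        else:
            what = "cross-process write"
        labels[(src, dst)] = (n, what)
    return labels


if __name__ == "__main__":
    edges, image = parse_rows(SAMPLE_ROWS)
    for chain in chains(edges):
        print(" -> ".join(f"{p} ({ntpath.basename(image[p])})" for p in chain))
    for (s, d), (n, what) in label_edges(edges, image).items():
        print(f"{s} -> {d}: {n} events, {what}")
```

On the report's rows this yields the single chain 2332 -> 2992 -> 1228. The practical consequence for response is that the code worth dumping is not in the file on disk but in the hollowed second instance and in Explorer.EXE, which is why the Files section lists memory dumps for 2992 and 1228 rather than only the dropped executable.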

Processes

Image Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe "C:\Windows\system32\WinDir\Svchost.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe "C:\Windows\SysWOW64\WinDir\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (12 connections)

Files

memory/2992-0-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-9-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-10-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2992-6-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-5-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-3-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-2-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-1-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-11-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-12-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2992-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1228-16-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/1308-265-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1308-263-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1308-546-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 4ad25343faad756fedcbde96eb9e07bd
SHA1 6a0a20811193fbfda51e22a1f5c7419b05f9d336
SHA256 bf9e5d321132f7544f0a078038a556255c30bc96e03f474d2c36ce781c439a8f
SHA512 4bd8f0244c7d1bae3c5fbe65bb3225fd8a628a6dc96ad8bc9012245d1e5cbd66328967acdb23ed680bca61a35a6993d2437a7b04cc209c656226c642c4055e28

C:\Windows\SysWOW64\WinDir\Svchost.exe

MD5 6f3836931b74da275c0da23ba896c234
SHA1 c92bb5b72e557d6da806321ec9b02adaa7fdad8f
SHA256 f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156
SHA512 abc5c087429f8872c889ceeb615e3df4439dfafd8a53b5c60d245aaf21692a5ec084d0836ffa4b067cf2993d0fe74ccfc016a6ecb9c2815d69f6c6f59d31da80

memory/2992-876-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ed91ed0c991a291e3fc22fbc68bca9e7
SHA1 9bec6b60749deeb77658c1ebb7a4b7cbd332da3a
SHA256 70b97550ebe688938767182f1e1e74f62f70c36f43b22271d262521715f63ce9
SHA512 ef91375f46200a26710984e3b75d3f6e1575f74e7d120d79405fe7a776cdfda9d75b1a04c84fc63a6ed8c3fc0c4063c0dc4a9a3ac753191343d8f8fbca6f13ed

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0cb6a74cde8a9d9a88aa838b082d30cf
SHA1 cd947281aa6a273d918f92e85188d1a740b1118d
SHA256 7798dbf2f0ae5d47e769ac63337fa32d6a15d08eb90657bbe039a493f1125e95
SHA512 d363a6a2dcfd6ac3681f45a66aa73bcd8ed01721c79998ce4cb7fbbe9dd8eefc6d98cca00f050a08ebea81d9809bdd2727a0faf34139da883684e3c045d502a1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 45914403cc303387f919f3ef255142e6
SHA1 2d90e0b0afded36ab6b814533b70b4eb6da17924
SHA256 52eceba7991be47e636d3d3adfe030e0ec50a3df6b6b8f4919e928fdf8ad8cf4
SHA512 267a96cecdba8b51279a007dff63bf69a9f8b1c8ba736707cf27af04175b84dfdbb7303a2590a6507baf62942aa59880788f0dffb1e662dc87e14e03da099ccf

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fe16f783aff60ed6941665f28e7478c6
SHA1 69fdb5bc3a32f75a5b3e484d69e27cb218180c63
SHA256 aabe9f609eb335de67e543db351a71ac8f8dc0ef26cf1b295e31138d4213a5eb
SHA512 b6a845d86698f85214a8a008ae967e9626ca7eb1e1e7ed848f3c57bf5196846c03a24e9db99ebd870e2a35c90e97f625ebc14cd8728a6b54f7c393a6c64c946e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 45bc754a263581ff8c4ee99fa6c0a9f1
SHA1 cd68423f0507b7d06ff35fd77abd913c7d38a093
SHA256 953a8c1f33dcaa65e260b73b131ce48877b8adcc024bfadc1d26c16819928f23
SHA512 3c69ac1b5ed4c40d7326c998c5744eae68e559a4490e1c6b96f57ca8b3d0897a80108e48e1c05691d169a9035983e6f3d577f67c0459eeea232aa51381cfc389

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 937e0d045f79c6ff540b9d41387ced77
SHA1 c6b697171c9b1959b5df524cec78e1af3fab1171
SHA256 4b7b57f2cb16d5a70ff5894e779beb3d1b2769835e6f6c002e2e4f1a28a43ca2
SHA512 eeacd723ba180391406a5348095c88fc15b4bf119adb625d561e215c1af6c07f31cd25abfae6532cd839ab93af54b4bb4e7fa452d27a4d4d559c67f62b3d032f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 74b43dd320eac9d1c4ca725a4203cd9c
SHA1 1f519027f25556ce477a9f7f161eefc0bbf0286e
SHA256 739aedaed13eb3d993f87225837c13b8dd9d6182377c57fd892300e03f3e01f8
SHA512 23a2d706085db9dd2a381e5fe12c218556ea97258719f5923995c7accd533674b3fec33b4f87224f037af3943ef0f5c2d271b2842505c56f49498102591afe6a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 200d99b3439f620937b446f067e247ce
SHA1 b265f5e6ccee538d1b1e12811275a485b851345a
SHA256 f28b7aa05408485ff72a6840d35c62d052c3b2d25eee472e2fe5a6a48ae43932
SHA512 f2512079394e262e663d7115e29eb671c8738fbca193eb7c009ea2e0e26dd07477b793a0183bea675e1609fad8992bb272a9424658693bc7a55844de2bd95185

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3772ea5b9fd4bd602fff440f00f146c3
SHA1 bfd8f277175468d2c2366c0b8a3929d25c085a5f
SHA256 602d16e820943123907f9fe83629f9a32b09db4952192899700c7cdf277d4b14
SHA512 36201339a309023b80cef303765207c3a2a251a2ba42ad6cca2ad8a0ba8131c53dcc8cd67ecd058a0d32e8a07b505be5b0692f5986972e31e89fca04cc25fb6a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 602221439ebf56dbf880c824f9ca76b0
SHA1 8d09c65cec4f0b24dc7e238478b608ef8f208256
SHA256 a8daa187ebcc793aa6fe986099c07c43d5256a910c961c55aec7a13a93e656cd
SHA512 f5a73d68a56251f8b50dabee89dbd7017e51b6ced2701d459102b414a831de5078ce10e186a7f158beea1c7c9ed38e4329465e46ef46b42691b029f86d1591a0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a44cea083e82b47c5979ff8d4c453ab2
SHA1 fb8063ce01df61ebb41f7676d4ce4a880bf071d6
SHA256 d02a4ccc8a351301445f8b24dfc4a8c356cb9845693dfe063e13de17af2e6860
SHA512 66cc15e8cd525f0e560e6ba474cdb1d6f0501c6560309b2aa772829c0b3b1a97005f6a6632261dcee0576f8b7acffa67d3178ae86ca3f7fc14f6c95683e5efe5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d8791e7098ccb9a21718067f6b1a4036
SHA1 1d944af9024a172fe4f7e8ad5fb2712b80ebbb1e
SHA256 e8889491706a1f4c765f13a8a13b85bc31601fddd8dead96385d049a2535e65c
SHA512 928cef228302bd8ec4b2b3ed18241a06e7730a1d9c0fa77c9d2ffc2acd14ea3b16ba4977791b0cd13fcde288b41d1a3ebb2df4de476e4e2a7c3767db016de6a2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3008a029921e405098b55882234e4965
SHA1 f471edbac44f200b97b8f7fd733c894de2082dd1
SHA256 8cb2ae1c62ebaeb9d12771b4b2c3d0e06da60fd3118f42463f6bc4648a4f5eac
SHA512 f5a0d0a96531ca832412291e33924ad7df5746a5edfe59bec761c3f82a66baf5ed55a37556502c620f3663aa4a4a648a38b1db87a9199fb704298170c9152fd8

memory/1308-1529-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a0393d01a6d37a5165d723f94a7f35a5
SHA1 1ef6f75a8bd818f7288a7cd4388135ef9d8b00b9
SHA256 50568d4a9323acecab96e692a9bf01e4a6507adaa03f4fb9766dbbad6c6031a2
SHA512 6217d99692e5bb2a58fbc27e7ebc8e182cd8d0dfa46a879259856a25c36673c7e23248193cc6d6c696ae1dfbaa42611ee914c85721296d9fe6889b0ea58564e2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9a6212e54a4597871c1700d1ec7ee9ef
SHA1 f7af5f6d93bff9f29a51924dcd98c7b42839a30d
SHA256 c9e0ef635282359d3953405c9f7ff1affa1868d72abe77c7308712a86321e247
SHA512 1333a153bb2071d51848238a7b06bfee72ca40f00ad49d0db4a3483e88cc3637998c17b1c8a959f0b8638e3b700c95468ad597205fda6de88a059472e323ec02

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7619702aeefec1a2135f7e72b44cc87b
SHA1 0fc8aface0ba62ffb5b232fb97ce6423bd4de85d
SHA256 4706a9ea57c9774554e65a63f77b8c831cb87f10b57adf5ef1c88fe84d25d6d7
SHA512 02137d4bd484855c0029f2d51eb4cb1c970a32b4383f273d8a72b05e3905741faad684071d085e6f9dd92cd8a280a5fce54ae2a5d313608f05dbd6cfb36df006

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 95b382184fd7bdb4e8059bcca7f1db60
SHA1 550e921244cb9659f783d9a9cd3dd3e5c35c74cd
SHA256 91b144208c8f063b44f88fb057466660a8a6337dd28c66c1c61bbc257c985205
SHA512 0d06fa81a15ff2319aebc969351f4fe6aa6c5b1847c2ae0d024cdd1b2c4122a6e61c116bebfe78aac104be10ce576747e0d09dc882ba4074b8711c4ffaa89eac

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 66431af0c7928e9ef5e6166fd8b1b1f8
SHA1 802455eff9ce809d0f44c56110869c0b63500caf
SHA256 5ab3a9790b330638dc2a6999c8691662374a547fc656b953d676493508d69b1b
SHA512 142253813e6b06d75d113f993e2773f1e4729c62ec519f7a4a302336586ac1533737e0fb17e933f44da6d42cee1b0e76cd52d0212970a1bead0e283cb49a43de

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 99f99464cd72ab411285f6a50479b6d7
SHA1 ee623fcca68e5f33278241f919cdcbb704ec820e
SHA256 da4e334e2f9d5b5f4a1ad7b1d70cf23307c828dd497f55d0a19d2f2a7274ea03
SHA512 18588ff94d36941c6a738bda0ea6c4474d54d63d5f8236384cbdba67b5c623c5a6e7f81f1e7fbc94a52b83b0fdc5b7318ea56929b5d1197d2baea296790c943d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2b15b8c8357f9d9ca8c3e81302a79d6f
SHA1 51cbcb5ae3d971bea1af297373848588e52e38d5
SHA256 d03f674dc142b94189b885ffe2eb01e4d92479e0906b96cb254d5877f8532b0a
SHA512 6297115aa81230badddd1cda656d9b0a39fcd2ad74de517911e1c927d85206a072f8bff9ea4fc92b2013a036c4799adaa6bc594a380577cb3e126c6124b00fa3
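Two things in the Files list above are worth checking mechanically rather than by eye. The dropped C:\Windows\SysWOW64\WinDir\Svchost.exe has the same SHA256 as the submitted sample (f6c4965c...), so it is a byte-identical self-copy and the sample's hash already covers it; there is no second-stage payload on disk. And C:\Users\Admin\AppData\Local\Temp\Admin7 appears twenty times with twenty different hashes, which is what a file that keeps being written to during the run looks like, in keeping with the stealer tag. The script below, an added example and not part of the report, parses the section's path-then-hash-lines layout and answers both questions; the input is a constructed excerpt of the section above (SHA1 and SHA512 lines dropped for brevity, three of the Admin7 snapshots kept).

```python
import re
from collections import defaultdict

# From the report header.
SUBMITTED_SHA256 = "f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156"

# Constructed excerpt of the Files section above: one memory dump, the two
# log files, the dropped Svchost.exe and three of the twenty Admin7 entries.
FILES_TEXT = r"""
memory/2992-0-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 4ad25343faad756fedcbde96eb9e07bd
SHA256 bf9e5d321132f7544f0a078038a556255c30bc96e03f474d2c36ce781c439a8f

C:\Windows\SysWOW64\WinDir\Svchost.exe

MD5 6f3836931b74da275c0da23ba896c234
SHA256 f6c4965c3db1a15fed240f6e9aa0373ab93cf55c0447968e9027b600feda1156

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ed91ed0c991a291e3fc22fbc68bca9e7
SHA256 70b97550ebe688938767182f1e1e74f62f70c36f43b22271d262521715f63ce9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0cb6a74cde8a9d9a88aa838b082d30cf
SHA256 7798dbf2f0ae5d47e769ac63337fa32d6a15d08eb90657bbe039a493f1125e95

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 45914403cc303387f919f3ef255142e6
SHA256 52eceba7991be47e636d3d3adfe030e0ec50a3df6b6b8f4919e928fdf8ad8cf4
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Path line starts a record; following 'ALGO hex' lines attach to it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and records:
            records[-1]["hashes"][m.group(1)] = m.group(2)
        elif not m:
            records.append({"path": line, "hashes": {}})
    return records


def self_copies(records, sha256):
    """Dropped files byte-identical to the submitted sample."""
    return [r["path"] for r in records if r["hashes"].get("SHA256") == sha256]


def rewrite_summary(records):
    """Per on-disk path: (snapshots listed, distinct contents seen)."""
    seen = defaultdict(list)
    for r in records:
        if r["hashes"]:                      # memory dumps carry no hashes
            seen[r["path"]].append(r["hashes"].get("SHA256"))
    return {p: (len(h), len(set(h))) for p, h in seen.items()}


if __name__ == "__main__":
    recs = parse_files(FILES_TEXT)
    print("self-copies:", self_copies(recs, SUBMITTED_SHA256))
    for path, (n, distinct) in rewrite_summary(recs).items():
        print(f"{n:>2} snapshots, {distinct:>2} distinct: {path}")
```

Run on the full section the Admin7 line reads 20 snapshots, 20 distinct. Blocking on the Svchost.exe hash is therefore the same as blocking on the sample itself, while the Admin7 and Adminlog.dat paths, not their hashes, are the stable indicators.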

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 10:33

Reported

2024-07-25 10:42

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3} C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GM0H1P4I-ESRW-DC58-AD5A-FX61EDR83PS3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1324 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe
PID 2816 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6f3836931b74da275c0da23ba896c234_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\SysWOW64\WinDir\Svchost.exe"

Network


Files
