Malware Analysis Report

2024-09-22 09:07

Sample ID 240726-mlh3sa1hrp
Target 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118
SHA256 c22c1fa3026533b54721a281740553b94949bfc3f57e5d79baa87cb7b2aa7428
Tags
cybergate cyber discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c22c1fa3026533b54721a281740553b94949bfc3f57e5d79baa87cb7b2aa7428

Threat Level: Known bad

The file 73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 10:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 10:33

Reported

2024-07-26 10:35

Platform

win7-20240708-en

Max time kernel

148s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3}\StubPath = "C:\\Windows\\system32\\Windir\\svchost.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3} C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3}\StubPath = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\Windir\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windir\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3032 set thread context of 3048 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windir\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3048 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3048 wrote to memory of 1196 (52 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\SysWOW64\Windir\svchost.exe

"C:\Windows\system32\Windir\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (13 connections)

Files

memory/3032-0-0x0000000074C21000-0x0000000074C22000-memory.dmp

memory/3032-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

memory/3032-2-0x0000000074C20000-0x00000000751CB000-memory.dmp

memory/3048-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-6-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-21-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-20-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3048-16-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-14-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-12-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-10-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-22-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3048-24-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3032-23-0x0000000074C20000-0x00000000751CB000-memory.dmp

memory/3048-8-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1628-277-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/1628-276-0x0000000000090000-0x0000000000091000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\explorer.exe

MD5 73aedd41e459b29f23cc8d2fa37aa5ec
SHA1 7fb95ab8cbb422f0b2fb21cbc0f8e4b604320db2
SHA256 c22c1fa3026533b54721a281740553b94949bfc3f57e5d79baa87cb7b2aa7428
SHA512 375ca3fdd017252f5127cc5a2826031b7c3bb631f6c7a36c2004e9bd32f3d41c1f27c7494dda979b6a47febbddeb7a44188114549120f4d809d929db432f785f

memory/1196-28-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/3048-27-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1628-568-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\Windir\svchost.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 0796ecd84a279dd9736e29b468b06640
SHA1 bdedfa9d8de20669beb6d77d45350a0b9ade33e0
SHA256 1462060ec0e74ddc2f951921b1e7c22cba22cf5ea4721da856ea4dda40ef9e2d
SHA512 0c0ce807a982f3b3dbf921f1c55f7bcbe141d873b4fa967addf10e89bcde85741e6d40c74210690de242eeb71eecbc06848b5edb9a1b0fe7f2d87535a456dabb

memory/3048-900-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 093783f4762996aad2832b95a882dc4d
SHA1 db8719232169a897e483997cc3d8475d8b178860
SHA256 2584328369b7e907b7606bbebb7fb0b6558c7a43649cdb6452e71b0076a0f79f
SHA512 0b4bf9e453d09ae8fd31c792e57d25d3df1bb5d4f5a28b794ced56e2b088fbf9bd1c8a16768b85b64f179b32486c0ac44669f3e57ed218e58ff6342763c61217

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 77568e9c7215d27ca542c1ad329c4305
SHA1 923cac74876bbebf239c6d047435ffdec0e1eca9
SHA256 2ea4b1f2053c3e3a2e3fffccf26ee784bcb204affb1d52fe9ee69b91884823af
SHA512 5ce44f2b6421f239f139b3d2020b63f96f08536247be9f752eb772836c011df12981498cbbc375e9d7044f653c473ec885fb1db5e9639ad308626c6572150f21

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 38463a623cfb4f0e57690fb3c7220912
SHA1 ba981fdc7f5a11f581fb90613cb796c05a011a00
SHA256 5f5cc8b1ae74a1d25503e5a49042511b744a4b0b16017fd773cdb4a1fa3c1763
SHA512 6804e148607d970bf8bf33b41bc184c9be308de063076548c5d2b2ac14ece74a4d2a65551effacf3de4e32916eaeab288507af41b8122ee61c9dc5d5c955ed09

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bde3a94aea69e5611e163ad15f0cad02
SHA1 3413daa99b2b3e09ed532db6ebdea0bca1f1bceb
SHA256 fab4e62c2978bb4d2f924d3e1147903d91f0b987a69c5995735aac3f3d39cffd
SHA512 17a08d0bbb6daa8f05ec60c111e4488f4cb1260d281267744c98a7567e04705f7c6a23f6e4a3d0fc9a6e809694f7fcb3ebeb21d71fc26cdf1769c78015145454

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e76e235488b7bcafa677e22b380694bb
SHA1 233efb35b356047a33f0aba83abbf12a4ff80222
SHA256 948f9d9a01778c82c6f8487f5cea1b7897f228f0f3c84a5ce862f9c46fee2a7d
SHA512 3ce982c270d6abd22bef91e49efaea7b79e6d73d2a83ae8b24ec3c2979efa93ea54223327bd2d3182a4add211ba13463cbe3325b3d0365ba33c901bbdf8fb783

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f20f5f68dca6acc2f9ec7cc8631b72db
SHA1 71e8489c58406eddc3e297f631d5cb31ff2b8868
SHA256 7ef5651b372b856d3d6dc9c5778885f8f823014ddfb2250948f3404ea1c13ac2
SHA512 e4248e76b4e4641eb88779f76e848947b1c73a5d2ca38f0847016fc7585f2b47988bbf1596bd6b336665303ed191135a2d888ad1fc3b202eebe0b73ba6b0b5ea

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 36df706d0576b429b1a99ff0b86fa3c2
SHA1 2518429e4c54e85a9677982cf6a0c98391c06e56
SHA256 fc9c0fe705c764ce3df67ef18834c8884d2623efae6c558d8a98d2abd6770549
SHA512 d22f3f94cf7d0512db94f4c400ee828b603f77f474fb1b941a166719889abb4153111e5b73e491cb13acf06b04bfeaa54994efcc11ffa5d61a2bd32d6cbf05b5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 94a06f2c637325779220a85adf824a6d
SHA1 1351f65f322da0cc9cbf2307bfa150ee7c30a350
SHA256 c82550ffbab7f470738d793e198618a5fc0ecf546c3059d7c5d2dd4eb1adf7a6
SHA512 05ace48fabe5ded80fb6417c7150bcf282195b9d88bd9e1832aaa2d3c69821f68156e37e2d5dfdcdd77f74d4c9586c6fc855b93e56e8a8c1b9bd6c5a6c560b9c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 84f0d8fe7a1f0705695365c5092fb278
SHA1 753c8f9617c116a499271abdf0ed94114fc46f0f
SHA256 4f7f7b4e73bb63d1cd4f414f74a9936b7dc9ca7373db11b8c1c835022656db0c
SHA512 fdad2f23bbdecd522be507a34e52e51e6c79a8a0751259c40f57535b7d96cdadb6dbd908f37ae0193a8ebec9a60d7254520603820e2e05f140f369c266973996

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6780323fa1e94911d6dabbe560f98fd6
SHA1 5f99a28b3368d57d1594c61d4e384874b56f9e46
SHA256 8ce56b5c034c94d2fdb831d862708606a4ac0ed94d8b8ccdb5fd5118bfaf4154
SHA512 5a26ab57307aad4aea497af7b92a3b8e117d8fe9f1cee4e8247241d8c5044de97f1f78950887f2cbe570258e51bb1c4b97a5d329833ee229d8a177a667cf602c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f91614edff4ba3436d80be8ff70bc021
SHA1 6e477db4c7db54cf2b14f6651dec8e3d285da1c1
SHA256 61f73d2683e05da23c52395dec85c96635df423f6dc1520fb225fae1a2979bcd
SHA512 0a7c3b6cdca6c9285f88f5f1ed237e776fc67cafe53879d2e20319c0f05eaef025fbd7055366e336f43bb1a5e3bea00128bf86cc508df898a7e3416d04659907

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 661e0c00cf06c8e69c73b97b1b311dbf
SHA1 9f7520fc80323645b2687f3940727ff9f0fa0640
SHA256 c99e6710a4c9fe12211765c2a0b612e02a924c09dd8cd9d80221ffcda343a3d5
SHA512 4ce593ad33f2a10f7e2cbce7e0477b0ffa80e4cc023058dfd067a8735474c793f9563b9e81fe1b354911a86c5a74ed9fb93f53b34b5fa844c87f6ce58310c92b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 97cbc3f6d2f0787875f12e6310477571
SHA1 d1ad0b2483b4d7896e545ab2fbbdc66ecefd29a0
SHA256 c77fe6003c277da521af7db13dc3fb519a4dce7c9727c6dd51c0d61d90b8a44d
SHA512 8cafc05254f1fc65361038e6667b2919eeeae960791b4a848b8f052d15230b1cbde0a00f68259b732451c0860f1265fe372e632baff7856dc84417f9b7d699a8

memory/1628-1745-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d404473349b33b0deed01c49f9757866
SHA1 04c545800a534e3fa6932ea88e444298351f9f72
SHA256 9e3e2f13d355ef4f998e4d060165525017349610b5f604ead655ab7bb2f0a803
SHA512 b3a6dd9d2087ca3bc5c0958598c92500d1ff94784ed6af2b8ab6e194092cb415a6c93f0a5d786ae6d6dcc3fa21b77d1f2491974a4f54e74239da4abd651fa249

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c58d222fe011dcf0c8c23ee3361dc327
SHA1 10a2c379d04012256d0d13732cad190eb1b4441c
SHA256 6f6b3f48a935c405371e763abc84568b43101f64b0b36c04804818d25b454b9b
SHA512 6753ab086d19e5648471995572a0c9cf2ae7333c85bc574ceaa96861e3e9bcbf4ae01cb97fd0000e158353570fd1df1db6e2f2c68825b0f840101ffadc949a74

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2d505e97058587ef2db0cb2caa1c4983
SHA1 62af549e9276702caa13a9d2961e85a6d14deaaf
SHA256 5fdc33d5803d03a75be5e03ec2d06c8e40aa7d169e5a8513f5aed868ae8aee3e
SHA512 3e1b45149d75b76480af20cae76e88f18732405772f9e1720180bb0e77972c178b262096c510860dc8e80ef6b51a02aefb4557e611ee00143132982c15c5a426

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ccb3ab5aaa3634e5976ab3d440e04519
SHA1 55eee6d065fd12f0f9d4e08041892b701541b0cb
SHA256 d88f4c14ba8fc6b751d733c18f80ede82b9516e1318a53d1e1d00b24d9f7d4a1
SHA512 f4111717e9db8a05caf42da744b04fc859f01950760d8d1610720df9f7c7c52e8871a64589b2f6433783bbc32bcc6aaa7ea68a9c363e2f061fa80b8986fb9ef3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5c37b54c289f41ecdce61545f339514e
SHA1 1b6badf18ba557cb8782e6dd8a5c4a892af79e55
SHA256 f465c870971cd67e7509635cdc11311896afdf54836ee760a30511932cc87f44
SHA512 f5661cf34fd6b0f18d7f4a0785038919c0665f8c6c8ec582b50c20c5a09d9148befbdf3af5977468853a7c196c7696dded6819752db1c04109f99027863be9d7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3b4c5e93fecfde76f5549f77a058785d
SHA1 fe4f3b130dfcbb14b3cabdce97625866c9df0ec3
SHA256 a09e280c6ed5be31f747a8717b5e80bc88041fdf27564b96232bbf52bab851a0
SHA512 a226338dabe94f564cf55a7a5a6e166ba4cd5fa6045cebcabe1d8f4d80b5e2889a4e05698ad182b00a91fc57c57dfd7381d3795a9d524f74e37c82d9c35c26a8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e0895176df31d3708e3856d84137b8f8
SHA1 b6a0f8265a11a2e21fd12b5430ffdf12a31192f5
SHA256 5d4a98dc98afb4f7f8ca506bea75c018ef71462f44c14c6d9db9bd798d1fb102
SHA512 f46deba763980de0d048062d1f5ae70aa70d1b54f014b00f3357b3aceca05e56492a0839d80404afe2ae9a1bad9fcc1e5c33b7cfe7eb0e6246dbf85ef38607dc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 65e95752951503add2ab198da010e80f
SHA1 6fa9171602959dca1ccd8c8c20ca87a8ad7e6063
SHA256 923a71350676aecf74ac669ee0824d62d29925022b10724c19e80d67b8678ebc
SHA512 874fb98e0d8c6460b52c799290d3d32f7ab11b7f5dac15fe084bcad3f46d865fae1bf3457b19af87f7248e1c71baabcde8048b15a506a8a0dd3a032abaef7c83

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 10:33

Reported

2024-07-26 10:35

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3}\StubPath = "C:\\Windows\\system32\\Windir\\svchost.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3} C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S11KD7Y5-1Y81-LPYL-348L-IYIHXUEW8RX3}\StubPath = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windir\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Windir\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windir\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Windir\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4888 set thread context of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windir\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4888 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE
PID 3608 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73aedd41e459b29f23cc8d2fa37aa5ec_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\SysWOW64\Windir\svchost.exe

"C:\Windows\system32\Windir\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/4888-0-0x00000000748D2000-0x00000000748D3000-memory.dmp

memory/4888-1-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4888-2-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/3608-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3608-6-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3608-5-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3608-8-0x0000000000400000-0x0000000000451000-memory.dmp

memory/4888-9-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/3608-12-0x0000000010410000-0x0000000010475000-memory.dmp

memory/628-19-0x0000000000900000-0x0000000000901000-memory.dmp

memory/628-18-0x0000000000780000-0x0000000000781000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\explorer.exe

MD5 73aedd41e459b29f23cc8d2fa37aa5ec
SHA1 7fb95ab8cbb422f0b2fb21cbc0f8e4b604320db2
SHA256 c22c1fa3026533b54721a281740553b94949bfc3f57e5d79baa87cb7b2aa7428
SHA512 375ca3fdd017252f5127cc5a2826031b7c3bb631f6c7a36c2004e9bd32f3d41c1f27c7494dda979b6a47febbddeb7a44188114549120f4d809d929db432f785f

memory/3608-17-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/628-81-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 0796ecd84a279dd9736e29b468b06640
SHA1 bdedfa9d8de20669beb6d77d45350a0b9ade33e0
SHA256 1462060ec0e74ddc2f951921b1e7c22cba22cf5ea4721da856ea4dda40ef9e2d
SHA512 0c0ce807a982f3b3dbf921f1c55f7bcbe141d873b4fa967addf10e89bcde85741e6d40c74210690de242eeb71eecbc06848b5edb9a1b0fe7f2d87535a456dabb

C:\Windows\SysWOW64\Windir\svchost.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

memory/3608-151-0x0000000000400000-0x0000000000451000-memory.dmp

memory/4456-153-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 38463a623cfb4f0e57690fb3c7220912
SHA1 ba981fdc7f5a11f581fb90613cb796c05a011a00
SHA256 5f5cc8b1ae74a1d25503e5a49042511b744a4b0b16017fd773cdb4a1fa3c1763
SHA512 6804e148607d970bf8bf33b41bc184c9be308de063076548c5d2b2ac14ece74a4d2a65551effacf3de4e32916eaeab288507af41b8122ee61c9dc5d5c955ed09

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bde3a94aea69e5611e163ad15f0cad02
SHA1 3413daa99b2b3e09ed532db6ebdea0bca1f1bceb
SHA256 fab4e62c2978bb4d2f924d3e1147903d91f0b987a69c5995735aac3f3d39cffd
SHA512 17a08d0bbb6daa8f05ec60c111e4488f4cb1260d281267744c98a7567e04705f7c6a23f6e4a3d0fc9a6e809694f7fcb3ebeb21d71fc26cdf1769c78015145454

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e76e235488b7bcafa677e22b380694bb
SHA1 233efb35b356047a33f0aba83abbf12a4ff80222
SHA256 948f9d9a01778c82c6f8487f5cea1b7897f228f0f3c84a5ce862f9c46fee2a7d
SHA512 3ce982c270d6abd22bef91e49efaea7b79e6d73d2a83ae8b24ec3c2979efa93ea54223327bd2d3182a4add211ba13463cbe3325b3d0365ba33c901bbdf8fb783

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f20f5f68dca6acc2f9ec7cc8631b72db
SHA1 71e8489c58406eddc3e297f631d5cb31ff2b8868
SHA256 7ef5651b372b856d3d6dc9c5778885f8f823014ddfb2250948f3404ea1c13ac2
SHA512 e4248e76b4e4641eb88779f76e848947b1c73a5d2ca38f0847016fc7585f2b47988bbf1596bd6b336665303ed191135a2d888ad1fc3b202eebe0b73ba6b0b5ea

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 36df706d0576b429b1a99ff0b86fa3c2
SHA1 2518429e4c54e85a9677982cf6a0c98391c06e56
SHA256 fc9c0fe705c764ce3df67ef18834c8884d2623efae6c558d8a98d2abd6770549
SHA512 d22f3f94cf7d0512db94f4c400ee828b603f77f474fb1b941a166719889abb4153111e5b73e491cb13acf06b04bfeaa54994efcc11ffa5d61a2bd32d6cbf05b5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 94a06f2c637325779220a85adf824a6d
SHA1 1351f65f322da0cc9cbf2307bfa150ee7c30a350
SHA256 c82550ffbab7f470738d793e198618a5fc0ecf546c3059d7c5d2dd4eb1adf7a6
SHA512 05ace48fabe5ded80fb6417c7150bcf282195b9d88bd9e1832aaa2d3c69821f68156e37e2d5dfdcdd77f74d4c9586c6fc855b93e56e8a8c1b9bd6c5a6c560b9c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 84f0d8fe7a1f0705695365c5092fb278
SHA1 753c8f9617c116a499271abdf0ed94114fc46f0f
SHA256 4f7f7b4e73bb63d1cd4f414f74a9936b7dc9ca7373db11b8c1c835022656db0c
SHA512 fdad2f23bbdecd522be507a34e52e51e6c79a8a0751259c40f57535b7d96cdadb6dbd908f37ae0193a8ebec9a60d7254520603820e2e05f140f369c266973996

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6780323fa1e94911d6dabbe560f98fd6
SHA1 5f99a28b3368d57d1594c61d4e384874b56f9e46
SHA256 8ce56b5c034c94d2fdb831d862708606a4ac0ed94d8b8ccdb5fd5118bfaf4154
SHA512 5a26ab57307aad4aea497af7b92a3b8e117d8fe9f1cee4e8247241d8c5044de97f1f78950887f2cbe570258e51bb1c4b97a5d329833ee229d8a177a667cf602c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f91614edff4ba3436d80be8ff70bc021
SHA1 6e477db4c7db54cf2b14f6651dec8e3d285da1c1
SHA256 61f73d2683e05da23c52395dec85c96635df423f6dc1520fb225fae1a2979bcd
SHA512 0a7c3b6cdca6c9285f88f5f1ed237e776fc67cafe53879d2e20319c0f05eaef025fbd7055366e336f43bb1a5e3bea00128bf86cc508df898a7e3416d04659907

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 661e0c00cf06c8e69c73b97b1b311dbf
SHA1 9f7520fc80323645b2687f3940727ff9f0fa0640
SHA256 c99e6710a4c9fe12211765c2a0b612e02a924c09dd8cd9d80221ffcda343a3d5
SHA512 4ce593ad33f2a10f7e2cbce7e0477b0ffa80e4cc023058dfd067a8735474c793f9563b9e81fe1b354911a86c5a74ed9fb93f53b34b5fa844c87f6ce58310c92b

memory/628-979-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 97cbc3f6d2f0787875f12e6310477571
SHA1 d1ad0b2483b4d7896e545ab2fbbdc66ecefd29a0
SHA256 c77fe6003c277da521af7db13dc3fb519a4dce7c9727c6dd51c0d61d90b8a44d
SHA512 8cafc05254f1fc65361038e6667b2919eeeae960791b4a848b8f052d15230b1cbde0a00f68259b732451c0860f1265fe372e632baff7856dc84417f9b7d699a8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d404473349b33b0deed01c49f9757866
SHA1 04c545800a534e3fa6932ea88e444298351f9f72
SHA256 9e3e2f13d355ef4f998e4d060165525017349610b5f604ead655ab7bb2f0a803
SHA512 b3a6dd9d2087ca3bc5c0958598c92500d1ff94784ed6af2b8ab6e194092cb415a6c93f0a5d786ae6d6dcc3fa21b77d1f2491974a4f54e74239da4abd651fa249

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c58d222fe011dcf0c8c23ee3361dc327
SHA1 10a2c379d04012256d0d13732cad190eb1b4441c
SHA256 6f6b3f48a935c405371e763abc84568b43101f64b0b36c04804818d25b454b9b
SHA512 6753ab086d19e5648471995572a0c9cf2ae7333c85bc574ceaa96861e3e9bcbf4ae01cb97fd0000e158353570fd1df1db6e2f2c68825b0f840101ffadc949a74

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2d505e97058587ef2db0cb2caa1c4983
SHA1 62af549e9276702caa13a9d2961e85a6d14deaaf
SHA256 5fdc33d5803d03a75be5e03ec2d06c8e40aa7d169e5a8513f5aed868ae8aee3e
SHA512 3e1b45149d75b76480af20cae76e88f18732405772f9e1720180bb0e77972c178b262096c510860dc8e80ef6b51a02aefb4557e611ee00143132982c15c5a426

memory/4456-1433-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ccb3ab5aaa3634e5976ab3d440e04519
SHA1 55eee6d065fd12f0f9d4e08041892b701541b0cb
SHA256 d88f4c14ba8fc6b751d733c18f80ede82b9516e1318a53d1e1d00b24d9f7d4a1
SHA512 f4111717e9db8a05caf42da744b04fc859f01950760d8d1610720df9f7c7c52e8871a64589b2f6433783bbc32bcc6aaa7ea68a9c363e2f061fa80b8986fb9ef3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5c37b54c289f41ecdce61545f339514e
SHA1 1b6badf18ba557cb8782e6dd8a5c4a892af79e55
SHA256 f465c870971cd67e7509635cdc11311896afdf54836ee760a30511932cc87f44
SHA512 f5661cf34fd6b0f18d7f4a0785038919c0665f8c6c8ec582b50c20c5a09d9148befbdf3af5977468853a7c196c7696dded6819752db1c04109f99027863be9d7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3b4c5e93fecfde76f5549f77a058785d
SHA1 fe4f3b130dfcbb14b3cabdce97625866c9df0ec3
SHA256 a09e280c6ed5be31f747a8717b5e80bc88041fdf27564b96232bbf52bab851a0
SHA512 a226338dabe94f564cf55a7a5a6e166ba4cd5fa6045cebcabe1d8f4d80b5e2889a4e05698ad182b00a91fc57c57dfd7381d3795a9d524f74e37c82d9c35c26a8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e0895176df31d3708e3856d84137b8f8
SHA1 b6a0f8265a11a2e21fd12b5430ffdf12a31192f5
SHA256 5d4a98dc98afb4f7f8ca506bea75c018ef71462f44c14c6d9db9bd798d1fb102
SHA512 f46deba763980de0d048062d1f5ae70aa70d1b54f014b00f3357b3aceca05e56492a0839d80404afe2ae9a1bad9fcc1e5c33b7cfe7eb0e6246dbf85ef38607dc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 65e95752951503add2ab198da010e80f
SHA1 6fa9171602959dca1ccd8c8c20ca87a8ad7e6063
SHA256 923a71350676aecf74ac669ee0824d62d29925022b10724c19e80d67b8678ebc
SHA512 874fb98e0d8c6460b52c799290d3d32f7ab11b7f5dac15fe084bcad3f46d865fae1bf3457b19af87f7248e1c71baabcde8048b15a506a8a0dd3a032abaef7c83