Malware Analysis Report

2024-09-22 09:08

Sample ID 240801-tz19vatdmc
Target 8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118
SHA256 0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b
Tags
cyber cybergate discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b

Threat Level: Known bad

The file 8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cyber cybergate discovery persistence stealer trojan upx

CyberGate, Rebhip

Cybergate family

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-08-01 16:30

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 16:30

Reported

2024-08-01 16:33

Platform

win7-20240708-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 UPX matches; no indicator, process or target recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

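The three persistence tables above all point at one payload path written to three autostart locations, and every value records the same masquerading trick: a file named Svchost.exe launched from a WinDir subfolder rather than from System32 itself. The following script is an added example for this report, not part of the sandbox output or of the sample; it parses indicator lines in the report's own "Set value" format, normalizes the kernel hive prefix to the HKLM/HKU form an administrator queries, maps each autostart location to an ATT&CK sub-technique, and flags a well-known binary name running from a directory where the genuine binary does not live. The input lines are copied from the tables above; the technique mapping and the expected-directory table are this example's own assumptions.

```python
"""Turn the sandbox's registry 'Set value' indicators into persistence IOCs.

Added example for the report above, not part of the sandbox's own code or
output. The indicator lines in INDICATORS are copied from the behavioral1
signature tables; the ATT&CK mapping and EXPECTED_DIRS are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed input: indicator lines copied from the report's behavioral1 tables
# (the sandbox doubles backslashes inside the quoted value data).
INDICATORS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language',
]

# Report line shape: Set value (<type>) <key>\<name> = "<data>"
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)
HIVE_RE = re.compile(r'^\\REGISTRY\\(MACHINE|USER)\\(.*)$', re.I)
# First token of the value data is the executable; anything after it is arguments.
CMDLINE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.I)

# Autostart key locations -> ATT&CK sub-technique (assumed mapping; the sandbox
# tags above only name the technique category).
AUTOSTART_LOCATIONS = (
    (re.compile(r'\\CurrentVersion\\Policies\\Explorer\\Run$', re.I), 'T1547.001', 'Policies Explorer Run key'),
    (re.compile(r'\\CurrentVersion\\Run$', re.I), 'T1547.001', 'Run key'),
    (re.compile(r'\\Active Setup\\Installed Components\\\{[^\\]+\}$', re.I), 'T1547.014', 'Active Setup StubPath'),
)

# Directories where the genuine binary of that name lives on 64-bit Windows (assumption).
EXPECTED_DIRS = {
    'svchost.exe': {r'c:\windows\system32', r'c:\windows\syswow64'},
}


@dataclass(frozen=True)
class PersistenceIOC:
    key: str          # HKLM\... or HKU\<SID>\...
    value_name: str   # e.g. Policies, HKLM, StubPath
    command: str      # unescaped value data
    executable: str   # first token of the command
    technique: str    # ATT&CK sub-technique ID
    description: str
    masquerading: bool


def normalize_key(key: str) -> str:
    """Map the kernel object path (\\REGISTRY\\MACHINE, \\REGISTRY\\USER) to HKLM / HKU."""
    m = HIVE_RE.match(key)
    if not m:
        return key
    hive = 'HKLM' if m.group(1).upper() == 'MACHINE' else 'HKU'
    return f'{hive}\\{m.group(2)}'


def classify(key: str):
    """Return (technique, description) if the key is a known autostart location."""
    for pattern, technique, description in AUTOSTART_LOCATIONS:
        if pattern.search(key):
            return technique, description
    return None


def is_masquerading(exe: str) -> bool:
    """True when a well-known system binary name runs from an unexpected directory."""
    expected = EXPECTED_DIRS.get(ntpath.basename(exe).lower())
    if expected is None:
        return False
    return ntpath.dirname(exe).lower() not in expected


def extract_persistence(lines) -> list:
    """Parse 'Set value' indicator lines and keep only autostart writes."""
    iocs = []
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        hit = classify(m['key'])
        if hit is None:
            continue
        technique, description = hit
        command = m['data'].replace('\\\\', '\\')  # undo the sandbox's escaping
        cm = CMDLINE_RE.match(command)
        exe = cm['exe'] if cm else command
        iocs.append(PersistenceIOC(
            key=normalize_key(m['key']), value_name=m['name'], command=command,
            executable=exe, technique=technique, description=description,
            masquerading=is_masquerading(exe),
        ))
    return iocs


if __name__ == '__main__':
    for ioc in extract_persistence(INDICATORS):
        flag = ' [MASQUERADING]' if ioc.masquerading else ''
        print(f'{ioc.technique} {ioc.description}: {ioc.key}\\{ioc.value_name} -> {ioc.command}{flag}')
```

Two details of the tables above are worth reading together with this output. The registry values name C:\Windows\system32\WinDir\Svchost.exe while the "Drops file in System32 directory" table shows the file created under C:\Windows\SysWOW64\WinDir\: the sample is a 32-bit process on 64-bit Windows, so WOW64 file-system redirection sends its System32 write to SysWOW64, and both the registry value and the SysWOW64 path belong on a hunt list. The Files section further down records the dropped Svchost.exe with MD5 8136ac6572c5e8e6f6f85bcf92274bf7 and SHA256 0303198253d9...b65d5c5b, identical to the submitted sample, so the "dropped EXE" is a self-copy rather than a second-stage payload.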
Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe C:\Windows\Explorer.EXE
(64 identical WriteProcessMemory events from PID 1000 into Explorer.EXE, PID 1188; collapsed into one row here)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (13 identical TCP connections; collapsed into one row here)

Files

memory/1188-3-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/3004-278-0x0000000000160000-0x0000000000161000-memory.dmp

memory/3004-299-0x0000000000720000-0x0000000000721000-memory.dmp

memory/3004-527-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 30ef56f1e8fabb47b170358d9c79ae46
SHA1 4d036a2bc18f68c4b841e7bad0f4dc6ea99f9712
SHA256 a620d8cfdf8e42c18c11f245470048d7bb297fa8358032675256edc1ab08c75e
SHA512 269c564171da5a0768cadcf8d16b04cb8586768754d5e32d6e7c5eef37d481d22490f514dfd70496051c6fc7735cd02d62091a7420ae53f4915f3d045433d696

C:\Windows\SysWOW64\WinDir\Svchost.exe

MD5 8136ac6572c5e8e6f6f85bcf92274bf7
SHA1 a34fd043c3f3370f1619c89614c44fc256024c79
SHA256 0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b
SHA512 c309fc0f95e49a790e924f234d310cd68aa89bf5fd390cf7c108e8629104ac5ab83294496703b316b5bb49d1f6eb81c3cdcc2810eae3f68e0f45c42431f668fa

memory/1624-857-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4437a23e1ae32ab467d3b8d24d6845c6
SHA1 5ebc0c1e0d5dc76b86cb7aca42fd714b342cacd1
SHA256 ac9c0f0abd61ed28c8f0e8247ffa77bbcedef156ca41fc0a4cb364e8c60643c9
SHA512 0c2e629d07379f38270a6287749e8f1fe6b4c211b18fbf2098c49a5bfd2f67589bad0ddc9dafdd0bda3d73e4ba4fe3bda0479cae1ff855bdf789b3393037b0b1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b7b51eca6dced9a02dfeb26e0172823e
SHA1 9f0feb4cda74add4056ad2d2f02591998e370caa
SHA256 be20ef279bb935da81ba018483f33a57b70d460827ce281686c409de89f47f79
SHA512 927157829fbd0fd535c2f2e5c71ad5ed0da2396f5d106231239510ad1f990ebd6e88dd54ef254b541974c45cf06637782ced5080920fe2985c21132245abd464

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a342fe2d75cc0f0ebdbc44a3803ba87f
SHA1 5130f89abf2fa6de40f8b96364de15215261489a
SHA256 f38cdb256f2ccc8840b1d5dc8a24e44ef11549030a8fb95ddbad48dc9be26296
SHA512 ef5568e623b7f02c27b0c3447a2fa3d8840cb13f3ffc55173ccfa86cb08380ca9d45379738ff7d86698a7a81232dbc65d97c2ec6c662f6ac8800314e4808d76d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 adefe05a088283e7e6ec31d0d9253c6e
SHA1 403165a438ff1662279f57b9cba0bdb49689b48f
SHA256 37f27a032fcd1fe44f158065963279eeb40a3be191741ce0e9cdab4541f0a691
SHA512 b90f387c84a46e210f6faa1d5bb584200653147fd44c8c8c463031447f5656e4c7505f0475b5624bd0dfd9ec43288720bb2941b3911ec27042c20c674f81d3a9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b05dddbeaf6da4f15194038212ad84f2
SHA1 22eec39cf1a37458953cc8a6785d8cabfae3a8e7
SHA256 8af4120849f6ff52fadd489ec23c297dcde9bfd4f138e34711af60e553f2c127
SHA512 5fe9b9fa420603a899042d6e2c01f1b48ed552001d54a98f78a6ae36e02625573b39daacc629eaf4479f6dbff4d978d191e2c7cc1b469901427d94bc0480f5c0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8ce48817c6854d02abc6cad8ac089703
SHA1 e2fad68a5934bc016b068d9092c205a87e4f7660
SHA256 4d3348133188468f1ab7c706421854802aa9185aa9e7e76a976eaeff4b90449a
SHA512 2f82260ac33efdc5a1086674e008905ead41dfe2d92307ed42da39768581d0e47ce6f08b99d8205a88315409681d0c5a3575e8c87ff5900ccf91887c64cfa52c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 79b0a686413be35243fd0ed931c6bf31
SHA1 6bd81d514f35c085b4271f062c64e6d4f72983c2
SHA256 0ca08b74bbf98bcd93d9a827666d26e8662f5ffdfd5423e2459664a2205c9282
SHA512 4a679520293c8f479eb547757f0c50177f4659836b5510363adda518f43e7ea4bd3822842705f6f20a0498470ed2ad0d85763ec9591c48bb4564e4e59952b668

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1546315285d0b0c8841aab60f567787f
SHA1 b084284bbff07a7b2799c24b9b4f0fff48f5c6c1
SHA256 b52c2f258e78c1c31066ce1728c9b0cc3e739930e65df479671871d1055d887d
SHA512 844419bc12ba59ad33a986d2299e46d7df1f0346d623a3576c78542496ddecad5c530257bbd72ae24db384368ae441609c44e569a532df632aa3ce33d727eafb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 86f70b5f6429d23e8247af645bb13f09
SHA1 7b8add361850870feda854a6db71d4cd5ba7e337
SHA256 ed3a2e19370499877da0b400dac35d9ca5f8dfb909a72ea192d80732d92ad59e
SHA512 bfcefd46b998a5f7f10424bf35e3dbb63f02d9956e0e9f5eddd05ce270ad0e019d4d6da6f594cb962676018cb45b024cc8c4148277abef4c72e4d3e4d44d50d9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 132c5c7e4f19cfa216adbd37fa1123d1
SHA1 34981955a3e8f584b5ef0f57d880702eb9cb48de
SHA256 460834d36bc5c976e2fb3048adaeb2cb5aeb12acf1ef0db4f38b84cd32364abd
SHA512 0696a8be0918b8213132d91d25da84f77b4a054c45c7439486e81ded4f4630da1163565aa29c89290da1c691ad6305200801ce510a7597136e69f75ef2289684

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 573390e8bbc8f969a41b6a4dfacd35b8
SHA1 a2738062800234a66c1c8c500a2a9fec89126c52
SHA256 daf020011d03f4ce6bf6de5161965ff5bffa7703a1114f13401967b946634230
SHA512 24c3967652dc8e0eb4aca3fbdd3c945798ab3c35acfe405af816f23ed14ea0b6493382b8c861af13253b5e9351c6114169877e3bd1ad69daa87de70a59b6726c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 475a5f692959acb40325f491386813b8
SHA1 35a7acc8e41ea683cba554b89c7d338f69fa456e
SHA256 2d7aa6bb8ba30f1e94394db9d650505ecee207c05c35ecf2666526b09d4271ab
SHA512 997354a146f6f498f282323d6d9f171e597acb6bb5a2064795e8da004713ba5cd165ae02f348c3349b1480dd1a946f76acdb907cacad9350b0f94c9090d1cc05

memory/3004-1652-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 09fe816e228d82bef96ec60d304adb57
SHA1 3e209c33045ed21dc1c6bbcab0130a45e47fca1e
SHA256 f2752d67cc91b8087c7c89144fa74c19590c0cc4c5be7aeb42e24c720a7dc245
SHA512 59fc744b271a77ad31592609ee7e09a8a6b4a457bac7f3f743fd63bbd0ef40a2ca92bbf3f16dbdc625dd5088648263cda168296758a2e2a4d80b0f5cfe315d0c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 97b50583b7f07b7e4c4e9bb36357729b
SHA1 a1958d209988ccf7c61d90d086451ace66a27cda
SHA256 9ae17e5affc7acd9b46b8fcd4ef29f92eb4cd9443017f2e08a55a10ccb9a587c
SHA512 79ec096cbe64debba10cecf93be1e0362c1f323134927650e5b5f9c9f7ae609a17befcc35062947219570ea9355c83855aa5b478bf006ac1757e51a7fb036961

memory/1624-1811-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bfd4c7b8d9980f5ed6f9be8eca4551aa
SHA1 80ce3ed7c9b3b094eee5e538fed04bcf1c56f216
SHA256 7279e7b6790c64968600c85e6bfefeeee4908c2777d88fa2b9909b42abaa4717
SHA512 e76749eb7ca6db3b0ab2bb712c4f0aa87c079573db3e678b8c7c2a4d7c01b78acb94ee71cf46900b707eacbb19e258493892c43932293ae8d94a3a455db3546b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 88b80dc7973c80607bbb0085adc62405
SHA1 38805b7f789c99d3a8496f5fc73e59ecd1e58413
SHA256 4c28648e66213e45adf42a073743fc97cc89a04730014d639a7f94335ffc1e70
SHA512 8554f44c410592ef22afa7d90ee9699a683056acf75cc48375e2c4c39b5be8b88a10f71ec2d68957eea356dcbdf7b139383ac025991d6e718837fecf02d13a26

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d99c1bcea6018746338142bb88c87cd8
SHA1 5471c3b03c53018de050a0556aed79b6026e0d1f
SHA256 9a0f52f5fbbd3ff1b0e586a8e61d0b99be04cbe0916f084c7dff371fb6d31b9f
SHA512 56efc8b3c322e00a54b47ef8c3090e115b23d35a37e4eb380f170766ee039ed46eaadce05fcb15affaa468e44fd03d7fee723d4be14199728be51616e7604042

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4ae05efbc9922e6f53e2ba6ae7378ce2
SHA1 c9fa3eb5e826d1bbcec75ac7a39a886f5cfc098c
SHA256 69172561a8f9043aaf0a44b755304508ca7d70091ef0c0fe85db22997dd92c6a
SHA512 c8f62667181f8f6b12e1fd966ab0f3f7541e49a5553dfdcae86aa2407e191cbdf0bc480ce3ad37a9d18f63719a2e4d95600aff00ff77cabc1514a3246139f02b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 08ae8ff51e6314940c4625aebe68fe0b
SHA1 d3a242430c2a87d28bdaddd33a4e9752a5c4e7e3
SHA256 5ade2f846116775ca12eb89b22f3690ef19f425f7645f6774905b2fdc82591a5
SHA512 125531e3a33b3325820c0c313e7ea362d4eb10fbb0e68c6659e314b8940dba7fd983f7693519ee2f78d552e00ae87f0ea1e9a0df220db7c788620a4fcabc0dbc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8c5ec02bfde96846dcb09f69cf1d992e
SHA1 5b6c5e84be3188099e47d956e1d91d9dfec31e92
SHA256 1e937708353cc0a9d3c55ee2d37d701f8d911953434db1bb125a55a3e422433d
SHA512 096128a47e81cbd447f53d9ea5aa7daf1e04a6361406baead14b4e4a89a0a2efc424eeb04a80ec8327d7932b2317006980e36b3da74394cb10e751a44552b229

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3083d31c60d668de994727573d50c28a
SHA1 b3b1be29b727b6b32162e64f03af3b02409693ce
SHA256 b761fd51c66625d970bf86c10260cbcf4f664903e6127b9d64eb09c25b9c1f2a
SHA512 743e6c28cba17f51a267b718523262f0bace47bd45a15ea5d1ddeb9b0f449d3e72a9c036216afd21b1a4005fbb6e213087fb87e094041d87a268166bef0f8540

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 16:30

Reported

2024-08-01 16:33

Platform

win10v2004-20240730-en

Max time kernel

148s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (7 UPX matches; no indicator, process or target recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WinDir\Svchost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe C:\Windows\Explorer.EXE
(This row appears 64 times in the report, one per WriteProcessMemory call from the sample (PID 5096) into Explorer.EXE (PID 3448); the identical repeats are collapsed here.)
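The signature tables above are raw event rows: the same registry key is opened by several processes, and the cross-process write from the sample (PID 5096) into Explorer.EXE (PID 3448) is logged 64 times. The following script, added here as an example and not part of the sandbox report, collapses such rows into one finding per technique, process and target with a repeat count, and extracts the injection edges between PIDs. The rows embedded in it are copied from this report; the mapping of row wording to ATT&CK technique IDs is the editor's own and is an assumption the report does not state.

```python
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
CLSID_KEY = ("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID"
             "\\{1f3427c8-5c10-4210-aa03-2ee45287d668}\\Instance\\")

# Signature rows copied from the report above as (description, indicator, process, target).
# The WriteProcessMemory row is repeated 64 times in the report, so it is repeated 64 times here.
ROWS = [
    ("Key opened", NLS_KEY, SAMPLE, "N/A"),
    ("Key opened", NLS_KEY, r"C:\Windows\SysWOW64\explorer.exe", "N/A"),
    ("Key opened", NLS_KEY, SAMPLE, "N/A"),
    ("Key opened", NLS_KEY, r"C:\Windows\SysWOW64\WinDir\Svchost.exe", "N/A"),
    ("Key created", CLSID_KEY, SAMPLE, "N/A"),
] + [("PID 5096 wrote to memory of 3448", "N/A", SAMPLE, r"C:\Windows\Explorer.EXE")] * 64

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def classify(description, indicator):
    """Map a signature row to an ATT&CK technique.

    The mapping is the editor's assumption, not something the report states.
    """
    if WPM_RE.match(description):
        return "T1055", "Process Injection (cross-process memory write)"
    if description == "Key opened" and indicator.endswith("\\NLS\\Language"):
        return "T1614.001", "System Location Discovery: System Language Discovery"
    if description == "Key created" and "\\Classes\\" in indicator:
        return "T1112", "Modify Registry (CLSID under HKLM\\SOFTWARE\\Classes)"
    return None


def injection_edges(rows):
    """Count cross-process writes per (source PID, target PID) pair."""
    edges = Counter()
    for description, _, _, _ in rows:
        m = WPM_RE.match(description)
        if m:
            edges[(m.group(1), m.group(2))] += 1
    return edges


def summarize(rows):
    """Collapse repeated rows into one finding per technique/process/target with a count."""
    counts = Counter()
    names = {}
    for description, indicator, process, target in rows:
        hit = classify(description, indicator)
        if hit is None:
            continue
        technique, name = hit
        m = WPM_RE.match(description)
        pids = (m.group(1), m.group(2)) if m else None
        counts[(technique, process, target, pids)] += 1
        names[technique] = name
    return [
        {"technique": technique, "name": names[technique], "process": process,
         "target": target, "pids": pids, "count": count}
        for (technique, process, target, pids), count in counts.items()
    ]


if __name__ == "__main__":
    for finding in summarize(ROWS):
        print(f"{finding['technique']:10} x{finding['count']:<3} "
              f"{finding['process']} -> {finding['target']}")
    print("injection edges:", dict(injection_edges(ROWS)))
```

Run stand-alone, the script reduces the 69 rows to five findings: one T1055 finding with a count of 64 on the single (5096, 3448) edge, three T1614.001 findings (the sample opens the NLS\Language key twice, the dropped Svchost.exe and the SysWOW64 explorer.exe once each), and one T1112 finding. The count on the injection edge is the number worth keeping for a detection rule: a single WriteProcessMemory into the shell is common for legitimate software, dozens in a row from a file in %TEMP% is not.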

Processes

Image C:\Windows\Explorer.EXE
Command line C:\Windows\Explorer.EXE

Image C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
Command line "C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"

Image C:\Windows\SysWOW64\explorer.exe
Command line explorer.exe

Image C:\Program Files\Internet Explorer\iexplore.exe
Command line "C:\Program Files\Internet Explorer\iexplore.exe"

Image C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
Command line "C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"

Image C:\Windows\SysWOW64\WinDir\Svchost.exe
Command line "C:\Windows\system32\WinDir\Svchost.exe"

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4408 -ip 4408

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 580

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/5096-3-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3544-8-0x0000000000550000-0x0000000000551000-memory.dmp

memory/3544-7-0x0000000000490000-0x0000000000491000-memory.dmp

memory/3544-66-0x0000000003480000-0x0000000003481000-memory.dmp

memory/3544-68-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3544-67-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/5096-63-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\WinDir\Svchost.exe

MD5 8136ac6572c5e8e6f6f85bcf92274bf7
SHA1 a34fd043c3f3370f1619c89614c44fc256024c79
SHA256 0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b
SHA512 c309fc0f95e49a790e924f234d310cd68aa89bf5fd390cf7c108e8629104ac5ab83294496703b316b5bb49d1f6eb81c3cdcc2810eae3f68e0f45c42431f668fa

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 30ef56f1e8fabb47b170358d9c79ae46
SHA1 4d036a2bc18f68c4b841e7bad0f4dc6ea99f9712
SHA256 a620d8cfdf8e42c18c11f245470048d7bb297fa8358032675256edc1ab08c75e
SHA512 269c564171da5a0768cadcf8d16b04cb8586768754d5e32d6e7c5eef37d481d22490f514dfd70496051c6fc7735cd02d62091a7420ae53f4915f3d045433d696

memory/2340-138-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b7b51eca6dced9a02dfeb26e0172823e
SHA1 9f0feb4cda74add4056ad2d2f02591998e370caa
SHA256 be20ef279bb935da81ba018483f33a57b70d460827ce281686c409de89f47f79
SHA512 927157829fbd0fd535c2f2e5c71ad5ed0da2396f5d106231239510ad1f990ebd6e88dd54ef254b541974c45cf06637782ced5080920fe2985c21132245abd464

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a342fe2d75cc0f0ebdbc44a3803ba87f
SHA1 5130f89abf2fa6de40f8b96364de15215261489a
SHA256 f38cdb256f2ccc8840b1d5dc8a24e44ef11549030a8fb95ddbad48dc9be26296
SHA512 ef5568e623b7f02c27b0c3447a2fa3d8840cb13f3ffc55173ccfa86cb08380ca9d45379738ff7d86698a7a81232dbc65d97c2ec6c662f6ac8800314e4808d76d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 adefe05a088283e7e6ec31d0d9253c6e
SHA1 403165a438ff1662279f57b9cba0bdb49689b48f
SHA256 37f27a032fcd1fe44f158065963279eeb40a3be191741ce0e9cdab4541f0a691
SHA512 b90f387c84a46e210f6faa1d5bb584200653147fd44c8c8c463031447f5656e4c7505f0475b5624bd0dfd9ec43288720bb2941b3911ec27042c20c674f81d3a9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b05dddbeaf6da4f15194038212ad84f2
SHA1 22eec39cf1a37458953cc8a6785d8cabfae3a8e7
SHA256 8af4120849f6ff52fadd489ec23c297dcde9bfd4f138e34711af60e553f2c127
SHA512 5fe9b9fa420603a899042d6e2c01f1b48ed552001d54a98f78a6ae36e02625573b39daacc629eaf4479f6dbff4d978d191e2c7cc1b469901427d94bc0480f5c0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8ce48817c6854d02abc6cad8ac089703
SHA1 e2fad68a5934bc016b068d9092c205a87e4f7660
SHA256 4d3348133188468f1ab7c706421854802aa9185aa9e7e76a976eaeff4b90449a
SHA512 2f82260ac33efdc5a1086674e008905ead41dfe2d92307ed42da39768581d0e47ce6f08b99d8205a88315409681d0c5a3575e8c87ff5900ccf91887c64cfa52c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 79b0a686413be35243fd0ed931c6bf31
SHA1 6bd81d514f35c085b4271f062c64e6d4f72983c2
SHA256 0ca08b74bbf98bcd93d9a827666d26e8662f5ffdfd5423e2459664a2205c9282
SHA512 4a679520293c8f479eb547757f0c50177f4659836b5510363adda518f43e7ea4bd3822842705f6f20a0498470ed2ad0d85763ec9591c48bb4564e4e59952b668

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1546315285d0b0c8841aab60f567787f
SHA1 b084284bbff07a7b2799c24b9b4f0fff48f5c6c1
SHA256 b52c2f258e78c1c31066ce1728c9b0cc3e739930e65df479671871d1055d887d
SHA512 844419bc12ba59ad33a986d2299e46d7df1f0346d623a3576c78542496ddecad5c530257bbd72ae24db384368ae441609c44e569a532df632aa3ce33d727eafb

memory/3544-759-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 86f70b5f6429d23e8247af645bb13f09
SHA1 7b8add361850870feda854a6db71d4cd5ba7e337
SHA256 ed3a2e19370499877da0b400dac35d9ca5f8dfb909a72ea192d80732d92ad59e
SHA512 bfcefd46b998a5f7f10424bf35e3dbb63f02d9956e0e9f5eddd05ce270ad0e019d4d6da6f594cb962676018cb45b024cc8c4148277abef4c72e4d3e4d44d50d9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 132c5c7e4f19cfa216adbd37fa1123d1
SHA1 34981955a3e8f584b5ef0f57d880702eb9cb48de
SHA256 460834d36bc5c976e2fb3048adaeb2cb5aeb12acf1ef0db4f38b84cd32364abd
SHA512 0696a8be0918b8213132d91d25da84f77b4a054c45c7439486e81ded4f4630da1163565aa29c89290da1c691ad6305200801ce510a7597136e69f75ef2289684

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 573390e8bbc8f969a41b6a4dfacd35b8
SHA1 a2738062800234a66c1c8c500a2a9fec89126c52
SHA256 daf020011d03f4ce6bf6de5161965ff5bffa7703a1114f13401967b946634230
SHA512 24c3967652dc8e0eb4aca3fbdd3c945798ab3c35acfe405af816f23ed14ea0b6493382b8c861af13253b5e9351c6114169877e3bd1ad69daa87de70a59b6726c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 475a5f692959acb40325f491386813b8
SHA1 35a7acc8e41ea683cba554b89c7d338f69fa456e
SHA256 2d7aa6bb8ba30f1e94394db9d650505ecee207c05c35ecf2666526b09d4271ab
SHA512 997354a146f6f498f282323d6d9f171e597acb6bb5a2064795e8da004713ba5cd165ae02f348c3349b1480dd1a946f76acdb907cacad9350b0f94c9090d1cc05

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 09fe816e228d82bef96ec60d304adb57
SHA1 3e209c33045ed21dc1c6bbcab0130a45e47fca1e
SHA256 f2752d67cc91b8087c7c89144fa74c19590c0cc4c5be7aeb42e24c720a7dc245
SHA512 59fc744b271a77ad31592609ee7e09a8a6b4a457bac7f3f743fd63bbd0ef40a2ca92bbf3f16dbdc625dd5088648263cda168296758a2e2a4d80b0f5cfe315d0c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 97b50583b7f07b7e4c4e9bb36357729b
SHA1 a1958d209988ccf7c61d90d086451ace66a27cda
SHA256 9ae17e5affc7acd9b46b8fcd4ef29f92eb4cd9443017f2e08a55a10ccb9a587c
SHA512 79ec096cbe64debba10cecf93be1e0362c1f323134927650e5b5f9c9f7ae609a17befcc35062947219570ea9355c83855aa5b478bf006ac1757e51a7fb036961

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bfd4c7b8d9980f5ed6f9be8eca4551aa
SHA1 80ce3ed7c9b3b094eee5e538fed04bcf1c56f216
SHA256 7279e7b6790c64968600c85e6bfefeeee4908c2777d88fa2b9909b42abaa4717
SHA512 e76749eb7ca6db3b0ab2bb712c4f0aa87c079573db3e678b8c7c2a4d7c01b78acb94ee71cf46900b707eacbb19e258493892c43932293ae8d94a3a455db3546b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 88b80dc7973c80607bbb0085adc62405
SHA1 38805b7f789c99d3a8496f5fc73e59ecd1e58413
SHA256 4c28648e66213e45adf42a073743fc97cc89a04730014d639a7f94335ffc1e70
SHA512 8554f44c410592ef22afa7d90ee9699a683056acf75cc48375e2c4c39b5be8b88a10f71ec2d68957eea356dcbdf7b139383ac025991d6e718837fecf02d13a26

memory/2340-1439-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d99c1bcea6018746338142bb88c87cd8
SHA1 5471c3b03c53018de050a0556aed79b6026e0d1f
SHA256 9a0f52f5fbbd3ff1b0e586a8e61d0b99be04cbe0916f084c7dff371fb6d31b9f
SHA512 56efc8b3c322e00a54b47ef8c3090e115b23d35a37e4eb380f170766ee039ed46eaadce05fcb15affaa468e44fd03d7fee723d4be14199728be51616e7604042

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4ae05efbc9922e6f53e2ba6ae7378ce2
SHA1 c9fa3eb5e826d1bbcec75ac7a39a886f5cfc098c
SHA256 69172561a8f9043aaf0a44b755304508ca7d70091ef0c0fe85db22997dd92c6a
SHA512 c8f62667181f8f6b12e1fd966ab0f3f7541e49a5553dfdcae86aa2407e191cbdf0bc480ce3ad37a9d18f63719a2e4d95600aff00ff77cabc1514a3246139f02b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 08ae8ff51e6314940c4625aebe68fe0b
SHA1 d3a242430c2a87d28bdaddd33a4e9752a5c4e7e3
SHA256 5ade2f846116775ca12eb89b22f3690ef19f425f7645f6774905b2fdc82591a5
SHA512 125531e3a33b3325820c0c313e7ea362d4eb10fbb0e68c6659e314b8940dba7fd983f7693519ee2f78d552e00ae87f0ea1e9a0df220db7c788620a4fcabc0dbc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8c5ec02bfde96846dcb09f69cf1d992e
SHA1 5b6c5e84be3188099e47d956e1d91d9dfec31e92
SHA256 1e937708353cc0a9d3c55ee2d37d701f8d911953434db1bb125a55a3e422433d
SHA512 096128a47e81cbd447f53d9ea5aa7daf1e04a6361406baead14b4e4a89a0a2efc424eeb04a80ec8327d7932b2317006980e36b3da74394cb10e751a44552b229
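Two things in the Files section deserve a second look: the dropped C:\Windows\SysWOW64\WinDir\Svchost.exe carries exactly the MD5, SHA1 and SHA256 of the submitted sample, so it is the sample copying itself into a directory named WinDir under SysWOW64 with a system-binary file name; and C:\Users\Admin\AppData\Local\Temp\Admin7 is captured many times with a different hash each time, i.e. a file the malware keeps rewriting. The script below, added here as an example and not part of the sandbox report, runs those three checks over the dropped-file records. The records and hashes embedded in it are copied from this report (only three of the Admin7 versions are included); the table of directories where svchost.exe and explorer.exe legitimately live is the editor's assumption.

```python
import ntpath
from collections import defaultdict

# SHA256 of the submitted sample, copied from the report header.
SAMPLE_SHA256 = "0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b"

# (path, md5, sha256) records copied from the Files section of the report; only three
# of the many Admin7 versions are included.
DROPPED = [
    ("C:\\Windows\\SysWOW64\\WinDir\\Svchost.exe",
     "8136ac6572c5e8e6f6f85bcf92274bf7",
     "0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin2.txt",
     "30ef56f1e8fabb47b170358d9c79ae46",
     "a620d8cfdf8e42c18c11f245470048d7bb297fa8358032675256edc1ab08c75e"),
    ("C:\\Users\\Admin\\AppData\\Roaming\\Adminlog.dat",
     "bf3dba41023802cf6d3f8c5fd683a0c7",
     "4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin7",
     "b7b51eca6dced9a02dfeb26e0172823e",
     "be20ef279bb935da81ba018483f33a57b70d460827ce281686c409de89f47f79"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin7",
     "a342fe2d75cc0f0ebdbc44a3803ba87f",
     "f38cdb256f2ccc8840b1d5dc8a24e44ef11549030a8fb95ddbad48dc9be26296"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin7",
     "adefe05a088283e7e6ec31d0d9253c6e",
     "37f27a032fcd1fe44f158065963279eeb40a3be191741ce0e9cdab4541f0a691"),
]

# Directories where these Windows binaries legitimately live. This is the editor's
# assumption, not something the report states; the same file name anywhere else is
# treated as masquerading.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
}


def masquerades(path):
    """True when a well-known system binary name sits outside its legitimate directory."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    allowed = SYSTEM_BINARY_DIRS.get(name)
    return allowed is not None and parent not in allowed


def self_copies(records, sample_sha256):
    """Dropped files whose content is byte-identical to the submitted sample."""
    return [path for path, _, sha256 in records if sha256.lower() == sample_sha256.lower()]


def versions_per_path(records):
    """Number of distinct contents the sandbox captured for each path."""
    hashes = defaultdict(set)
    for path, _, sha256 in records:
        hashes[path].add(sha256.lower())
    return {path: len(seen) for path, seen in hashes.items()}


def triage(records, sample_sha256):
    """Return [(path, [reasons])] for every path that deserves analyst attention."""
    copies = set(self_copies(records, sample_sha256))
    versions = versions_per_path(records)
    flagged = []
    for path, n in versions.items():
        reasons = []
        if path in copies:
            reasons.append("byte-identical copy of the sample (persistence copy)")
        if masquerades(path):
            reasons.append("system binary name outside its real directory")
        if n > 1:
            reasons.append(f"{n} different versions captured (continuously rewritten file)")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(DROPPED, SAMPLE_SHA256):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On these records the script flags Svchost.exe twice (self-copy and masquerading) and Admin7 once (three versions), and leaves Admin2.txt and Adminlog.dat alone because a single capture of a data file says nothing by itself. The masquerade check compares the parent directory only, so the WOW64 redirection visible in the process list (a command line under system32 running from SysWOW64) does not produce a false positive.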