Malware Analysis Report

2025-01-02 14:01

Sample ID 240831-rapteaxbmq
Target ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118
SHA256 5f31f2824fe304f40be12dfdab2fd88ea0e2cc8f42acd04718c6e6ab71685528
Tags
cybergate remote discovery persistence stealer trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 13:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 13:59

Reported

2024-08-31 14:02

Platform

win7-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G} C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
PID 2304 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

\Windows\SysWOW64\install\server.exe

MD5 ccee4af16376dfd1fbae0f422e982c3a
SHA1 32725d0610612c2782c84755ea3057ef3f621c08
SHA256 5f31f2824fe304f40be12dfdab2fd88ea0e2cc8f42acd04718c6e6ab71685528
SHA512 c9bdd5a79281f44e0241d246351589eb14b25a826fcef76e844a025c321daf476f15c18aedecb4dfead02a23f7301cef3db865e33b98f044b7928ab01fc12542

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 31caa896442d4993e8ea0a4eda6b45f9
SHA1 3f5c9fab1dde7debc09117491b523c256b640213
SHA256 b39f7e3a3285dde53e72bb05221819f4532fb8000c70147cb70a7e93e3689c3b
SHA512 258ec1775580c7d32ed9dec2a132674e96f995f11ad39d3af7c0961b06e8780cc8c18ead410db1b9e2ee73e35dd0e64812d27ef3feb433684dc2a90d4d48ca92

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bcba3ca029d59046554b22c21e565090
SHA1 1416d069f9f2f30fc3523d6f334c6943e8d966e4
SHA256 db4ac5b8345c25ba8c7c79082cc2876a3f6c17e1864bb6b51c20662a2325e2dc
SHA512 f169c55642cceb92c74de83f7991ba0f4f86f95d5d1177c6aa04af0a7a40ad9ad7fc3363509b20d80dee26cdc5f7563a980af21ab7c1564bfc40b16076a241f3

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-31 13:59

Reported

2024-08-31 14:02

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G} C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4960 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 548

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
IE 52.111.236.23:443 tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/4960-2-0x0000000000400000-0x0000000000451000-memory.dmp

memory/4960-3-0x0000000000400000-0x0000000000451000-memory.dmp

memory/4960-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/4960-8-0x0000000010410000-0x0000000010475000-memory.dmp

memory/800-13-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/800-12-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4960-11-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/4960-68-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/800-73-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 31caa896442d4993e8ea0a4eda6b45f9
SHA1 3f5c9fab1dde7debc09117491b523c256b640213
SHA256 b39f7e3a3285dde53e72bb05221819f4532fb8000c70147cb70a7e93e3689c3b
SHA512 258ec1775580c7d32ed9dec2a132674e96f995f11ad39d3af7c0961b06e8780cc8c18ead410db1b9e2ee73e35dd0e64812d27ef3feb433684dc2a90d4d48ca92

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Windows\SysWOW64\install\server.exe

MD5 ccee4af16376dfd1fbae0f422e982c3a
SHA1 32725d0610612c2782c84755ea3057ef3f621c08
SHA256 5f31f2824fe304f40be12dfdab2fd88ea0e2cc8f42acd04718c6e6ab71685528
SHA512 c9bdd5a79281f44e0241d246351589eb14b25a826fcef76e844a025c321daf476f15c18aedecb4dfead02a23f7301cef3db865e33b98f044b7928ab01fc12542

memory/800-119-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fdaaeb8412e87f8ba8e66771ee76ac9a
SHA1 ef325c5bd23e9ba6354a206ca24146f3a983d0a3
SHA256 3d8b51bcc0d233119f61d5b0e8e864ffe80f3b34bb290df405ec972ae0788ad6
SHA512 e2c635b8c97602109898ea13d54149b2901aa90509fe2b8951b3383c84ba9c8607cc2ccc6803f13725499cbac518d6581d866fc12ad50692c63f2d33500a4767

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 55127b140b850f0e944b1ab53857a537
SHA1 503a47a86ccde136f237dc4ab2125972e8ce9020
SHA256 6c71006052d562635fb316118a24555e316eb42998713cbfb7697dd757d0ff21
SHA512 01fe31d31ebf594dc3181112c8112e923ec5dbfad9baadf56505408fbefd1c0c5922e07ef5e95aaf39106fb5f20917c2d1b128de377141653f47e96a8a15a5b9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d5fee50055953c4e23ba3057006f0292
SHA1 6cd1919e04a0707396388392fff654e62ed777aa
SHA256 873c5aaee8fc5aab4a1bcaa4ce68a942ab2c622776184bc4b39b2d39e0923c6d
SHA512 6e7f831e94c2b8116141bebc699db5c62bdfcce0b50e2dc27973cb88a6bca106919ac6c610551e32bb8cd4eb05f52dbf00c7a0faafcf8304066963fc7f11b8f5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b1d99a75907d9f6ef22ba1047a7fe364
SHA1 a8b7afc7d4034b09ad8c8406371f4e4bb8b459f4
SHA256 4bb4514f600f31f5490350e53c52410df96ca8aea940724a86247657b8f52da3
SHA512 946fe7b706411e447508998ea23e2b2d77056609c9c9450c1a9cf249ace94df407754f9455786d8b0211bb5ca5fa3edaa42ee10cd3d9b794f73e90cf8a6521db

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 faa8a9a9b96a4969369953cd695800f0
SHA1 265b30e4d8c21b8d11163dde4b365eb7f25f2b1c
SHA256 2ac474ffc325e1bfabdb405c151b24960066e15e1da8ef81d44d108fce583139
SHA512 d7c689c3bc9681611954b94b5a1f5189e9b3f253f5eb1e1ce91c73a64f5df31a16016542c283adda979105c6e2fdc29db3536ccd7fb2c83b5a636b87e61836ae

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fb6bc6e93a9614d7a0a105d36fdcd759
SHA1 0e5e27407ed4f8412fd18cfafe1f96d9b28c523c
SHA256 29df028ab16b14ef69f858863863fb98729841f8bb38da7ed6b1e9a4a6b78ed0
SHA512 53bd11ea2eee30a386bebe546c1c4201715f6b3ce682fb15565f3bd5bc7898c3a0603ecb6a30a2e6248f226cba3604c05b1d5a2eef87bd92f507cab95d9d73af

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 afae8cc8e76456ef2c73ce8227df1bce
SHA1 8a21176e1f83cd3cb345b546a664a843b85fa22a
SHA256 f0a4bb5c4bc8935f85418234828467562d266e392ecc1c77606acec738593dc2
SHA512 5d747049042a451ee53db39087083e8a2c0ef53f0803396c98ff38298cf52044d808c5dd209525aacbc6c1058a1f8715a6b1834e3264e025e116382ec03279f5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 caaded6d1b474e1eca4c6092e6164831
SHA1 18745a9d5c395a546b71d3ed53aa8bf6169d797f
SHA256 9c474376d81beab7156cc9d2b2825c4c1559cb1ce8e27f7988cf0443bcb3a5eb
SHA512 790a076c0c3a1fae05a55f09de12537bfd11d8aa8b306394feccb0d635a4f098a32326045471b3ca4baea6c09b30350754ea53de7468ab99214720469281f31d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2fc887b88164286ebd7909a9b7a8c9fb
SHA1 335419971bd36b3eed7c79546e5498c507871281
SHA256 1d30a6e306bc628a092a5d5b6585823cf0cdcf4d82ece2e8c6a4af4c7b932b04
SHA512 4db03e18af10bd1d6e06b8eda73e1612c12297d92175469ba54ff125d329aa6167a6fb86be61e49167ee296ae15f06b576974454e8391bccbc804ac20ac0c1a4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ac208a6f4d8548701d57ef29c1ffc11b
SHA1 d95b2662003661d309ca98d1f99af15e2605adb6
SHA256 7e91e2c67f69cc1d296918c36e55807ba03167232b4eeb9cf9a9930b2220519f
SHA512 6df9340ea3872a8be759fd94dff7f0863450a9dd724fb6a8d95b54c2592929e17e3da1ffa0b3db26d501234bd8b655f6ab5b02a14fe56a868f33c04864f3d6d3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 daeb91fdc3b820b3b7af934ac0484b0a
SHA1 a701330a1f87b5a1d627540af2f77c9bee6f36ef
SHA256 852cf0bcf3d68b18da6a1c6ae4d23c66426c19f678dfdc8f17be886abde6fd2b
SHA512 2ba8024c671c1a48fd2d9881f43536a6fa4187680fb0f4ac17b57cd557fe0b448cfe9cbc62e727662404222d080fdfeae52d99844e110f46094a2365de7165b9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4ad291246d27110518578221f1cec6b8
SHA1 3acab1f76db750bb8d4f70fd827f9030fedb15ab
SHA256 b71fffbd78afd4b6111f639cf5a9487ea5b8df98ae333595e24185003e1f0ce7
SHA512 c5e92ccad0f61a46911f772715c00561524dd3a84498d68031a2ec9fcf55c0cd5bdba9e35152a448a66f7eaa13e70395eac841b0f0de330dceff42620fcf06ed

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7e5442d535ce4b50e13591dc9f1ccc43
SHA1 96e477059e6600e16c4deb3b65843c01bf682e51
SHA256 e40fc0fb963d2cf34c663f2717d0d8c993d41166c53aec9d351fb888d556d138
SHA512 a7250894b95930a8f5b6899b84ca4f349c4699962426ad840a0018c0ae738d36ba207ff532518709f0a51489e2700845b2f672864a2823ceec3286de18b0f624

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 16733b69e4218f4b5c477c586dde4e26
SHA1 547b65e3b30ad1df53a38147ebe99e2d13f70a66
SHA256 dbb03facfee68eaa281e59ec20cb04017163e79e091e1d7f9ec03e5c408b06e6
SHA512 06361a8763c8d196312bc605161748a96c409fb1d28b3dfb7122f876f5c5a3130521f91d1e0c4fec1d2979e1f6956a76ccdf2f865e4958d9f9aee0331d53665b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 64ffed629c5038e6af1c21c03550ed81
SHA1 430bc379315e26b531e0e849da172ec3306efb86
SHA256 9730bbb00d113cb9c7541098bfbfe4a0f21733d0c93fe3aa934b80f92520b314
SHA512 9150ac1f611ce5f0fa835f2ab512fa919997a5686bd2468fc35f3b1b0a069d934531fe8ed2c9c94a166dd7c9e38322220aa2f01d5a4d6ef8de112a268c68160a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f8197343040486e5283f7b81b3a29af0
SHA1 c831bb5d84cf95dd32abad0fae7f2a08fe4ecfc5
SHA256 da9c73e37f46e8dd2e2eca8cc6973a1b8fde1aea9addcdff99f3316f52c5f222
SHA512 d623b60ecf9087727c22358c9778638a5dbf359c8b554a667f95bdee91ba8a8b11dc78ef792fbeb8ce614d8ed1ca6a5d7ccbdeee471136bc01cd766e1c768052

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 06873e79aece2a0a3841a5be071c0705
SHA1 5429eae59296e44a92b0702d61a5b220863fd500
SHA256 8d824370208d7370a6500b8a6cd04a9d542c5c7f0d320616be412651db4614f8
SHA512 98cb4b0642eac70c774adf4ef76248069ef5e682526e26af7e3418e961a97ac51d2a3a063ba95537925963e93f8f89de5030778f381b7890ed853a287434e07c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 84b112700ee9d639962619c4adb84040
SHA1 49c9d29941fbfbf5ef3f17c46efd86a8f49113a3
SHA256 c44b69de79422606c5751ffe3deea1919e67668660bb91988e7fd8d0eb44f400
SHA512 d16e9721026ca1da8054c87dbdbd4a8eb552b343740ab1551deaba5d98a3c3a25f396be483f9978be00e4791394248ecac5aa4b705b251c7dcb400ef48663028