Malware Analysis Report

2025-01-02 14:04

Sample ID 240910-kbddfawbnh
Target d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118
SHA256 b41ba7121c306936cf7ef9a834b0d81d8432e8ce6d43e406dff381142965ac4b
Tags
cybergate remote bootkit discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b41ba7121c306936cf7ef9a834b0d81d8432e8ce6d43e406dff381142965ac4b

Threat Level: Known bad

The file d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate remote bootkit discovery persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 08:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 08:25

Reported

2024-09-10 08:27

Platform

win7-20240729-en

Max time kernel

147s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\install\server.exe | N/A
N/A | N/A | C:\install\server.exe | N/A
N/A | N/A | C:\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\install\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\install\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
N/A | N/A | C:\install\server.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1072 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | 9
PID 2740 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | 12
PID 2792 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | C:\Windows\Explorer.EXE | 43

Processes

Path | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe | explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"
C:\install\server.exe | "C:\install\server.exe"
C:\install\server.exe | "C:\install\server.exe"
C:\install\server.exe | "C:\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2740-2-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2740-6-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2740-14-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2740-12-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2740-4-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2740-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2792-17-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-21-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-19-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-39-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-38-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2740-37-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2792-33-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-29-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-27-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-34-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-25-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2792-23-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1260-43-0x0000000002640000-0x0000000002641000-memory.dmp

memory/2792-42-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3016-286-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/3016-288-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2792-339-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3016-572-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\install\server.exe

MD5 d7e1163e330ad9205fc1da6476656dd0
SHA1 895d3dda522229f5647c091438b5962901a312da
SHA256 b41ba7121c306936cf7ef9a834b0d81d8432e8ce6d43e406dff381142965ac4b
SHA512 425598727453113486eec90457e7a3794c3ce047639a7416feaeb52d37ec309dbc0a0470b6646fa2c6d5012e32d34c4f2650471b19b39382fe84487147b8c368

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 ae296e84f8e2e76638c47510a66ed83a
SHA1 01ff91cc1720f47dc69ceb765aee2374d996290a
SHA256 1aaa0ebf50b648ee7871ebfdf63e780dfb899db9625002eaf0c6c2fe6ce77736
SHA512 4d674b41c05b4bd818a4d68971bad7f9685e4aa1600804bcc08977b23b5765ea6f21ccd5253e84fa361738376cec077820016729c5b82027483fae500b4cb2d7

memory/2792-904-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/3016-947-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 debd4e848fab920e926ffd81e58794d4
SHA1 907a4f79b13af595e3e820fbeb7ff7ac3695a7be
SHA256 e5d5fd8aa8ff3dc6a568f723394ac3159f9d7ad4bfb11d536825c42b15ee411f
SHA512 2b0e5e483e5c69cf169e71ff43fa657a1873da515880a64e3ee4d84ff090e6b0b4aaafe4e34b966944de7c37999bc542f917a241cfd98924ebb8d394e079abf4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7bed1a39a403800f981a6170eb497ec0
SHA1 e9f84d85e818f3d006e7ddf9129e32c217a553d6
SHA256 ad5c0bc40bd6c58a4fe1c3f5fda8b53ad603ac797b617242f9a35c3ed6970a1f
SHA512 32544f996fd404cba3e223f7962e901ab9b498926a0c15f29acdb24c2f9fb40a5eaf7e1e9c1cac5189e4631f13bf9e3f8db3af5d6010a55eeb056fb51c8b76aa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b5afd4a21c561f856e58d9c28a053ce
SHA1 ecd55a53f35b0275c6c6e8ba6bbabab7c3b87dbe
SHA256 b46306b8f5422ad0f29cd802bf53d9af30f4e716a514a3d4538bc914764cd105
SHA512 f26e53c5fe9f122ff015bc2e16800d2c09da1b21affbf831a84594b6995c83cb1224ea55bb473a65df7b9190f93509a21ad99d07ad5c58edfa65f39a35a2800a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f5af4c94998a71a0b16aae9f9a2274ce
SHA1 6680dbcac83af7aae2326d9548a4c44f5f22488a
SHA256 a920a979be55fd22842ac2fb13fe336a35f137cbe8fefe842604990f784de4be
SHA512 ad969a9488e3c4391c0fbe474dbedaf59956f3b12114ef4d5172c890b456f66589f740af4cef0c97140fcfe9039a2ad44f0959191bdd1866d01d921310ea19c2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f839e424b0855a2623db46a87b5f7b48
SHA1 ccffee4bc0db3ebf0e5aa53cd48e74e605efb8cc
SHA256 39d8f475dd62eef94012fb4be3077379f23de7369149f7c737987db7fbf909c5
SHA512 d3422f44a7bc620b16ac9f60a9b45ee1ec3f31fb8e3567c47a8736d9d705ee453f0f730960368b59d34d9fc9c3eb51ed11789ebf7ba3569832d4671b7ca4cd14

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6368663095c7491df91f0dfe48f6c16f
SHA1 97e3fbac059f9b2404ad074d5bcb970a5676b68e
SHA256 1e95adffd54d728fd94d2072c1e1a9503b7cb34c21ff0049a525eb7346377172
SHA512 12d12349c3b9fbac6adb19514c4503200034246c9520c61b2952a686a411f59d997c2fcbfb252a9f7aa3db840a0b008867424e6f2b0ec082ed7e280ffedfaf8a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 05d0535788c1d8d62cbd9dbe4709cb33
SHA1 344f2ee9420d094ee3525fcf2a6ab28260f811e3
SHA256 2cf93f6c1a8e3bfae024dfea58624192baf7d38af0419f8df860dd0ee94d73d8
SHA512 58016bd6e5e3f4b5f66c9f4c2adac05ed9e73ca01f41489de027d2c070b6c080d2ee8311eb1dfb0a04767bbe8c73d5e91c3799b88e3263cf83e28d8d905ed51c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3d7bb69ef11e776049ef343c3ceb846b
SHA1 64714c1bf3bcf1eee573dbe94d87dedd2ca1fd3a
SHA256 01f98469cf15b5fa50507c765a5280c27c08585c3c1a290e75c89c482d2c4c28
SHA512 18a2198c6f5ab116bccc4f95788dc90d7adddaa63b34e27773637a65814a0c1855d8e148b7d1d7e6c468a6a6ecc46fc11bd69377e045c9aff57b1d02a5e517ef

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6d9b0fc1aff2dd1d3c7b96fca4bc497c
SHA1 7602a4ff5846461095a028b039a237bc4f13ab70
SHA256 553eae0cd0e4ce2075d8484715a3b0273d7f728eb3bace8ebd344f624388f08f
SHA512 5134d9a9690063ca6c32b5956366f12883b020a1686316675e174f7fe3eb43f9aa64be6a93b628d9ce28ac2572e5312c24e2a2cab76e800ee1023c04e450df63

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ed25fb6416456d7dc19b71b6cbcb0d14
SHA1 c65509564d2e600e38f0a2a77679f102c41c8968
SHA256 b045528ec2fb0e66c8e5100937d4d919400d1e377aa48eb19e3bf288944d7e05
SHA512 e1324c44a613bacf07c01b75f8c7fb32596ed31f4f904aa580f79f9dd1b8492b173e440d5943cb5084fcd43760545980a5a8c7615cef4e79aeb70e5325d7e244

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0b80680e809e4903afcd838fc2bc5b49
SHA1 adf2b6d454e7d9d1adf6c517f4737cd2a6e686b9
SHA256 4549bdf420c9f64bbbdb013c48ffad1e20fd928689e17e6d2c59b8ff4ff424d0
SHA512 987a63eb7ce241f69137e529d3668522ec76191f64370d6a9539826a9fc58317cf5dd1ab703735383562f3c0cacac47c6a8b4a3f961c220077b14dbe85a145de

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a1f38e65bb7dd4e40a6d143f269bdef5
SHA1 200601593f6f73ee90e405ae5fd4ea57d10bf05f
SHA256 894dea2e0e0d84ac0bbe04ffb97a7e1045e721d1d9c21592fa86fa95d1b9f4a7
SHA512 a64c76b791f412fe42d5013fa7880b9bcf9269a6e50efe3517f37b53dbf9d7580c1a92c35636bbe670ac31a56855524ff5af8bfe5d1e6ccfc41c2f1c7e7abee2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 756bf00593547db8e336a2e8708cec2a
SHA1 821533ab23fba6155895f34d27cfd2f0896f8cad
SHA256 e329dba899bdaf5e5fa1e87706c3cc22a77aae13954d70e50e4aaf95be1f275d
SHA512 19e67b03241822f46cfbf2a7f38343f0ec1dd10ea31c1cf8236d94c8f7c79a219e77ea0c1c6ded2fc2c304d95538accb441b7c35186f13ece102f8749a6fbdc9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e0b471dcc364db215729728c7155cbeb
SHA1 0eb88da716b6c3c68ebe079cf39d3c7421e63776
SHA256 2c08053134fc15eb7f13137236c30fc2169de895ef06e4c934529df6714b50cc
SHA512 568ed1bd542f668e10ef560308d09e5d271047239a716d7a1856cb98642d3eb2dcbc1acf8f01d5b057c09c88c38c27f3ab6a430f2ec5a7f68f2305f70f34bfeb

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 56d3c409090cf77440dc5e2285459a26
SHA1 ddd3622c47cf1f48bebf6dc5db98a87af22f0dd5
SHA256 f3c96dfe078f5ba2a8db1f8373da47af77aa60d2dba088b3f1cced3eaefd4219
SHA512 f20153994f3f550daf9b597e5b1319d117d621dcb1465f01d1905f47d34a5ad1257183a91824eb85c8d41fac91b6777af11707e0685e960b06424caa744905aa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4bf9a7f6f7603724e4cd0eb15ff032e0
SHA1 3278bb35c0c1009248493821297290bb82c4caae
SHA256 b604989438fff4e9987004f84dba5f6a7b6807e05930fee7b83348a87edf636f
SHA512 cbd57a20d7ef6252e2ad61140896f9c75be4db100faccd65223e56b4b322c579c2d4f6c0e8b5b4100e291cff1d07ffce31478122e0a0df1161b27d32caaf83b3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5122e72535e5021ea297609a47f9e9e1
SHA1 94440daf93b57f9fc2eaafff40699404b02d5aa8
SHA256 438698489461ab0c3b3de22492ec227beb4108a8212ff2f51d77dec803b1f3bb
SHA512 154e3f219478c55bbb82a353ef0ee4bd9b77a70ebc1f7a5fd3a0c958c2458e94b673418c783cc52a84b568a3d61e4b945d6b020bd22f260780371ebc6c8e0467

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 08:25

Reported

2024-09-10 08:27

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30RH53AS-CW87-J647-518N-474H5F04006C}\StubPath = "C:\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\install\server.exe | N/A
N/A | N/A | C:\install\server.exe | N/A
N/A | N/A | C:\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\install\server.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\install\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\install\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe | N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe
PID 3044 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe
PID 1052 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d7e1163e330ad9205fc1da6476656dd0_JaffaCakes118.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\install\server.exe

"C:\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files


C:\install\server.exe

MD5 d7e1163e330ad9205fc1da6476656dd0
SHA1 895d3dda522229f5647c091438b5962901a312da
SHA256 b41ba7121c306936cf7ef9a834b0d81d8432e8ce6d43e406dff381142965ac4b
SHA512 425598727453113486eec90457e7a3794c3ce047639a7416feaeb52d37ec309dbc0a0470b6646fa2c6d5012e32d34c4f2650471b19b39382fe84487147b8c368

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 ae296e84f8e2e76638c47510a66ed83a
SHA1 01ff91cc1720f47dc69ceb765aee2374d996290a
SHA256 1aaa0ebf50b648ee7871ebfdf63e780dfb899db9625002eaf0c6c2fe6ce77736
SHA512 4d674b41c05b4bd818a4d68971bad7f9685e4aa1600804bcc08977b23b5765ea6f21ccd5253e84fa361738376cec077820016729c5b82027483fae500b4cb2d7

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 debd4e848fab920e926ffd81e58794d4
SHA1 907a4f79b13af595e3e820fbeb7ff7ac3695a7be
SHA256 e5d5fd8aa8ff3dc6a568f723394ac3159f9d7ad4bfb11d536825c42b15ee411f
SHA512 2b0e5e483e5c69cf169e71ff43fa657a1873da515880a64e3ee4d84ff090e6b0b4aaafe4e34b966944de7c37999bc542f917a241cfd98924ebb8d394e079abf4
