Malware Analysis Report

2025-01-02 14:03

Sample ID 240911-j9j37s1bkn
Target d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118
SHA256 d9faf6bdd1e24143662056d75b3e13539825fc9e62bf29ade39dd1747f1d4ddf
Tags
cybergate remote discovery persistence stealer trojan upx
score
10/10


Analysis Overview


SHA256

d9faf6bdd1e24143662056d75b3e13539825fc9e62bf29ade39dd1747f1d4ddf

Threat Level: Known bad

The file d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate remote discovery persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-11 08:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-11 08:22

Reported

2024-09-11 08:24

Platform

win7-20240708-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785} C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785}\StubPath = "C:\\Windows\\system32\\appdata\\explorer.exe Restart" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785}\StubPath = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\appdata\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\appdata\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\appdata\explorer.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\appdata\explorer.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\appdata\explorer.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\appdata\ C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\appdata\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe
PID 2508 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"

C:\Windows\SysWOW64\appdata\explorer.exe

"C:\Windows\system32\appdata\explorer.exe"

C:\Windows\SysWOW64\appdata\explorer.exe

"C:\Windows\SysWOW64\appdata\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files


C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 026df7c729126df7a7b706386ca92eab
SHA1 777abedfd66330964f1bba9789fa23f02aa84855
SHA256 2edaf62d38f5e7a8022df47bb055a4346e275296426e571c4749ce26157ecf99
SHA512 16ccda88a3742995ae03522556303e356a20e14f847e7a05c0350f8856565aa82c812f711c26fd776780f76f3af24fd8ddcd2b2640ad2a4f7a0fde562fd3705e

C:\Windows\SysWOW64\appdata\explorer.exe

MD5 d9f3a19b955bdabcd81903883dec4dc3
SHA1 2b38c3f09ea23445a4dcc33453a2ce22f5110590
SHA256 d9faf6bdd1e24143662056d75b3e13539825fc9e62bf29ade39dd1747f1d4ddf
SHA512 0ebdad522b07c3b9038fc229ec0fec5497f7666851dbadfb3188ebd69f91cc34853e14796c9364fa21af4dcc1b7b8aeaabd98e01ee60b5f4714da3c13ec244f6

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-11 08:22

Reported

2024-09-11 08:24

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785} C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785}\StubPath = "C:\\Windows\\system32\\appdata\\explorer.exe Restart" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F56Y487-PN07-XXPF-7O4Q-MFXD03JN7785}\StubPath = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\appdata\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\appdata\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\appdata\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\appdata\ C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\appdata\explorer.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\appdata\explorer.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\appdata\explorer.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\appdata\explorer.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\appdata\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe
PID 2444 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d9f3a19b955bdabcd81903883dec4dc3_JaffaCakes118.exe"

C:\Windows\SysWOW64\appdata\explorer.exe

"C:\Windows\system32\appdata\explorer.exe"

C:\Windows\SysWOW64\appdata\explorer.exe

"C:\Windows\SysWOW64\appdata\explorer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 572

Network


Files

C:\Users\Admin\AppData\Local\Temp\Admin2.txt


C:\Windows\SysWOW64\appdata\explorer.exe


C:\Users\Admin\AppData\Roaming\Adminlog.dat


C:\Users\Admin\AppData\Local\Temp\Admin7

