Malware Analysis Report

2025-01-02 12:25

Sample ID 241126-kfdj1azkfk
Target a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118
SHA256 ebd767714eaeb627c430dd1f29f7e3e54ce99fc1697dbc90f34404ab002ceb45
Tags
cybergate cyber discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ebd767714eaeb627c430dd1f29f7e3e54ce99fc1697dbc90f34404ab002ceb45

Threat Level: Known bad

The file a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

CyberGate, Rebhip

Cybergate family

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 08:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 08:32

Reported

2024-11-26 08:34

Platform

win7-20240708-en

Max time kernel

30s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3} C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 1240 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe
PID 1240 wrote to memory of 2780 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe
PID 2780 wrote to memory of 2816 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe
PID 2816 wrote to memory of 1204 (54 times) N/A C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (13 connections)

Files

memory/1452-0-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9AF8.tmp.exe

memory/1452-7-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9B46.tmp.exe

memory/1240-12-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

memory/1240-16-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

memory/1240-13-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe

memory/1204-26-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/2816-25-0x0000000010410000-0x0000000010475000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

C:\Users\Admin\AppData\Roaming\Adminlog.dat

memory/1452-969-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7 (captured 21 times, each with different contents)

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 08:32

Reported

2024-11-26 08:34

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3} C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34N46BCA-P311-2144-8GI1-I31RX7IT4QH3}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WinDir\Svchost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4872 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe 2
PID 1820 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe 2
PID 2376 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe 3
PID 3920 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe C:\Windows\Explorer.EXE 57

Count is the number of identical rows the sandbox recorded for that writer/target pair.
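The WriteProcessMemory and AdjustPrivilegeToken tables above describe a four-stage chain (dropper, tmp8618, tmp8750, tmp885A) that ends with the last stage writing into Explorer.EXE after enabling SeDebugPrivilege. The script below is an added example, not part of the report or the sandbox's own tooling: it parses rows in the report's row format (rebuilt here from the two tables, with each row repeated as often as it appears), reconstructs the chain by following writer PID to target PID, and flags any edge where a binary under a user-writable Temp directory writes into a process running from the Windows directory, attaching the privileges that writer enabled. The path constants, the Temp-directory and Windows-directory heuristics and the first-child-only chain walk are this example's assumptions.

```python
"""Rebuild the process chain recorded in a sandbox report's WriteProcessMemory
table and flag cross-process writes that look like injection: a binary running
from a user-writable directory writing into a process under the Windows
directory. Privileges come from the AdjustPrivilegeToken table."""
import re
from collections import Counter

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
PRIV_RE = re.compile(r"Token: (\S+) N/A (\S+) N/A")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe"
STAGE1 = TEMP + r"\tmp8618.tmp.exe"
STAGE2 = TEMP + r"\tmp8750.tmp.exe"
STAGE3 = TEMP + r"\tmp885A.tmp.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Sample input rebuilt from the report's WriteProcessMemory table: each row
# string repeated as many times as the report lists it.
SAMPLE_WPM = (
    [f"PID 4872 wrote to memory of 1820 N/A {DROPPER} {STAGE1}"] * 2
    + [f"PID 1820 wrote to memory of 2376 N/A {STAGE1} {STAGE2}"] * 2
    + [f"PID 2376 wrote to memory of 3920 N/A {STAGE2} {STAGE3}"] * 3
    + [f"PID 3920 wrote to memory of 3544 N/A {STAGE3} {EXPLORER}"] * 57
)
# Sample input rebuilt from the report's AdjustPrivilegeToken table.
SAMPLE_PRIV = [
    f"Token: SeDebugPrivilege N/A {DROPPER} N/A",
    f"Token: SeDebugPrivilege N/A {STAGE1} N/A",
    f"Token: SeDebugPrivilege N/A {STAGE2} N/A",
    r"Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A",
    r"Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A",
    f"Token: SeBackupPrivilege N/A {STAGE3} N/A",
    f"Token: SeRestorePrivilege N/A {STAGE3} N/A",
    f"Token: SeDebugPrivilege N/A {STAGE3} N/A",
    f"Token: SeDebugPrivilege N/A {STAGE3} N/A",
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_wpm(lines):
    """One (writer_pid, target_pid, writer_path, target_path) tuple per row."""
    events = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def parse_privileges(lines):
    """Map each process path to the set of privileges it enabled."""
    privs = {}
    for line in lines:
        m = PRIV_RE.match(line.strip())
        if m:
            privs.setdefault(m.group(2), set()).add(m.group(1))
    return privs


def process_chain(events):
    """Follow writer -> target PIDs starting from a PID that is never a target."""
    names, children, targets = {}, {}, set()
    for src, dst, src_path, dst_path in events:
        names[src], names[dst] = src_path, dst_path
        children.setdefault(src, set()).add(dst)
        targets.add(dst)
    roots = sorted(pid for pid in children if pid not in targets)
    chain, seen, pid = [], set(), (roots[0] if roots else None)
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, basename(names[pid])))
        nxt = sorted(children.get(pid, ()))
        pid = nxt[0] if nxt else None  # first child only: enough for a linear chain
    return chain


def user_writable(path):
    # Assumption: anything under the user's Temp directory is attacker-writable.
    return "\\appdata\\local\\temp\\" in path.lower()


def system_binary(path):
    return path.lower().startswith("c:\\windows\\")


def find_injections(events, privileges):
    """Edges where a Temp-resident binary writes into a Windows-directory
    process, with the number of writes and the writer's enabled privileges."""
    findings = []
    for (src, dst, src_path, dst_path), n in sorted(Counter(events).items()):
        if user_writable(src_path) and system_binary(dst_path):
            findings.append({
                "source_pid": src, "source": basename(src_path),
                "target_pid": dst, "target": basename(dst_path),
                "writes": n,
                "source_privileges": sorted(privileges.get(src_path, ())),
            })
    return findings


if __name__ == "__main__":
    events = parse_wpm(SAMPLE_WPM)
    privs = parse_privileges(SAMPLE_PRIV)
    print(" -> ".join(f"{pid}:{name}" for pid, name in process_chain(events)))
    for finding in find_injections(events, privs):
        print(finding)
```

On this report's rows the chain resolves to 4872 -> 1820 -> 2376 -> 3920 -> 3544 and the single flagged edge is tmp885A.tmp.exe writing 57 times into Explorer.EXE with SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege enabled; the two SysWOW64\explorer.exe rows are left out because that process never appears as a writer in the table.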

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\a0dffd0a644a6454364b5a466c99ab14_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe "C:\Windows\system32\WinDir\Svchost.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1872 -ip 1872
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 596

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp 1
US 8.8.8.8:53 www.server.com udp 1
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp 1
US 52.8.126.80:80 www.server.com tcp 13
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp 1
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp 1

Count is the number of identical rows the sandbox recorded; the 13 TCP connections to 52.8.126.80:80 were interleaved with the reverse lookups over the run.
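The network table mixes three things: reverse (PTR) lookups the guest makes for addresses it talked to, one forward lookup of www.server.com, and repeated TCP connections to 52.8.126.80:80. The script below is an added example, not part of the report or the sandbox's tooling: it parses rows in the report's Country/Destination/Domain/Proto format (rebuilt here from the table above, with the 13 identical TCP rows grouped), separates PTR noise from forward lookups and connections, counts connections per destination to surface a check-in loop, and emits the domains and hosts worth blocking. The beacon threshold and the treatment of PTR lookups as background noise are this example's assumptions.

```python
"""Triage the Network table of a sandbox report: split the guest's reverse-DNS
(PTR) lookups from forward lookups and real connections, count repeated
connections per destination, and collect the network IOCs that remain."""
import re
from collections import Counter

NET_RE = re.compile(r"(\w{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)")

# Sample input rebuilt from the report's Network table; the 13 identical TCP
# rows are written once and repeated.
SAMPLE_NET = (
    ["US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp",
     "US 8.8.8.8:53 www.server.com udp",
     "US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp"]
    + ["US 52.8.126.80:80 www.server.com tcp"] * 13
    + ["US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
       "US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp",
       "US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp",
       "US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp",
       "US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp",
       "US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp"]
)


def parse_network(lines):
    rows = []
    for line in lines:
        m = NET_RE.match(line.strip())
        if m:
            rows.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                         "domain": m.group(4), "proto": m.group(5)})
    return rows


def classify(row):
    """ptr: reverse lookup of an address the guest talked to (assumed to be the
    OS's own background traffic); dns: forward lookup; conn: anything else."""
    if row["domain"].endswith((".in-addr.arpa", ".ip6.arpa")):
        return "ptr"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    return "conn"


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58' (IPv4 only; others returned as-is)."""
    if not name.endswith(".in-addr.arpa"):
        return name
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def summarize(rows):
    """Count rows per (kind, ip, port, domain, proto)."""
    return Counter((classify(r), r["ip"], r["port"], r["domain"], r["proto"]) for r in rows)


def beacon_candidates(rows, min_connections=5):
    """Destinations connected to repeatedly in one run; a RAT's check-in loop
    shows up as many short connections to the same host:port."""
    hits = Counter((r["ip"], r["port"], r["domain"]) for r in rows if classify(r) == "conn")
    return [(ip, port, dom, n) for (ip, port, dom), n in sorted(hits.items())
            if n >= min_connections]


def iocs(rows):
    """Domains looked up or connected to and hosts connected to, minus the
    resolver itself; the PTR-derived addresses are returned separately for review."""
    domains, hosts, ptr_ips = set(), set(), set()
    for r in rows:
        kind = classify(r)
        if kind == "dns":
            domains.add(r["domain"])
        elif kind == "conn":
            domains.add(r["domain"])
            hosts.add(f"{r['ip']}:{r['port']}")
        else:
            ptr_ips.add(ptr_to_ip(r["domain"]))
    return {"domains": sorted(domains), "hosts": sorted(hosts), "ptr_ips": sorted(ptr_ips)}


if __name__ == "__main__":
    rows = parse_network(SAMPLE_NET)
    for key, n in summarize(rows).items():
        print(n, *key)
    print("beacon candidates:", beacon_candidates(rows))
    print("iocs:", iocs(rows))
```

For this run the only beacon candidate is 52.8.126.80:80 (www.server.com, 13 connections) and the block list reduces to that host and domain; the eight PTR-derived addresses are kept apart so they can be checked against the sandbox's own baseline rather than pushed out as C2 indicators.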

Files

memory/4872-0-0x00007FFC18E05000-0x00007FFC18E06000-memory.dmp

memory/4872-1-0x000000001BF40000-0x000000001BFE6000-memory.dmp

memory/4872-2-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

memory/4872-4-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe

MD5 70b587b81f55269db181349a1b0a4dd2
SHA1 f75cc3c1352d5acd35de436969a7ca134913cc67
SHA256 5e7f8b8cf274709e45b0c26cbbbf899668659a49747ca29a9411de97cba68215
SHA512 1b0a66f79a36392494937f917048045034a9e16981a2c2c43e5b68a93d9ad7c0c66d4029864095076cba5584b43bd63148ad055a5c501b94bc911267ce35d3a5

memory/1820-17-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

memory/4872-16-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

memory/1820-19-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

memory/1820-20-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe

MD5 b9eb469e1255121c399e785e0bb4fa42
SHA1 281035db917e25c4fdb54df26bc407857459ce08
SHA256 56cead34c53a980d0daeb27bd30125a0c1589626aeeac735c3724eb9b1a19ed0
SHA512 bc7cb3d907f2027c6d76e20dd7aa5c22e63c33a23c37871da51eb88a73d7c298c24d2e947e79ae9ea201744276188a81be54e324b1513cddcffda41939afa21b

memory/2376-33-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

memory/1820-32-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.exe

MD5 63976084b4c862f2b33edb5fc277b4cd
SHA1 b544ffd189a5bd28eed2f75e18ade9c1fbdce8c1
SHA256 4b5b33efa246df31b7e853667d943faed66ba15de74f0ed4f95584383fca16e5
SHA512 fd83abd932683e52e7b076acfaa485100a0c0dfa3843337fadfd4a9cb54de4938f26d0036562ad6c6439585b880b60bca0dc0c145657505eb3b6ba528a54168f

memory/2376-43-0x00007FFC18B50000-0x00007FFC194F1000-memory.dmp

memory/3920-46-0x0000000010410000-0x0000000010475000-memory.dmp

memory/1776-51-0x0000000000890000-0x0000000000891000-memory.dmp

memory/1776-52-0x0000000000950000-0x0000000000951000-memory.dmp

memory/3920-108-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/1776-110-0x0000000003880000-0x0000000003881000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 e95d4f45fbb330d68c8d1a22c1fd2fea
SHA1 7b7c6ef23d205f34880efc0604181dd95443bd0a
SHA256 3947444521740b0e8686451c5b722257f1438b8ecf9b49c69844591c432ad9a1
SHA512 c225ad6f017f053ea90fe8fa4fa460d9f446fa1b829b839ab052e4bf97747e68fa83ac8a4b0fa3540c52872dcdebda0f6d38daacaf0200522768673a2ec45f57

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 19f5c030f9998620a2e5c33aa96224a4
SHA1 f5b2366ff6547a02d42135c37458f9de52dcb79f
SHA256 986e18e358cc13083c28ffae59cce9d3554001c12d829560ea18b930a4ba5f43
SHA512 06f618ea69dd7c87fec972cbd6eb9501984cd09fe1c4d102077d4c99bb8d4f884e85036069f94af5f3033a6d808ae5e8db8363be5d50b06ed95f200c879646a7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e777c711988d6f62bd60f551cdac8468
SHA1 55c08babd9a3c7a292218828b56ad45fbb59f2f5
SHA256 d2825d4d8787585cec6e35b2b7e475f1401738da5a106044512f772d3d65c018
SHA512 f7028d1d12c3538ee782959c739d39ba45a900889c41d66eb1071f15e9bb2725efe9030438c9ba5808a5162af611158d1ac5e71445298ebf03b6a79967ff75a7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 27eb6fac00c445b0e618f62d4df2e21a
SHA1 c067a12bbd202be1ed69ea7ff0fcb890546c8675
SHA256 97bd5bb9a614faae463eb829b8b676c6b82cdbd1526d85ae7b273ba71213388d
SHA512 c6a16a4362e886b38fed7ae9b8cee4738089651bf2099e4fbfc1f67ea229a3f475e552e7a909abd2b4ed915dc2b4a963f556bd4c6538e78a0806ee1451b7d4a7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6b3d530295212391bf721f3cfc280fba
SHA1 e0cbd764564d416d990b1266800d24bb4bc53112
SHA256 413c026a92dc0aac348668cf6bbc71f01c5343a0d89ff897a50c6845695bce1b
SHA512 a589cff48030aee8c2b7dc5d90d81a85f780fcb208bcc6fa0a95135b38d59fe3961a3a4a0a0ff980047bf7e3bfa588a1dc24e14a5c536b7e0ac9f01fe10c4fe8

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3dcad518f478fb49722aea0a44ea859e
SHA1 77e17b9d31c5b8adc7ce67a4f639ecec302d51bb
SHA256 031499914a2a591de394e315b183c834cc294f2b2b421f9840e3ed1d86fa8ad2
SHA512 8b664cb667d3a2db075eb2a33e3c92c86b1e98ba02fd3b99be7a9e60abe93014696d32c0d0ee7b2f7eac1afcf7e9649def1618ca6aa91b545948f001e0627792

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8eb9be4a495704f30f9344a8fd1869d1
SHA1 b12ae1c0b376a1e16d1d507b4c13fc24b75de754
SHA256 4405e9a64acda2fc2e5f79620133aca968efdbaaa9b38650aa4d515c95ad8922
SHA512 861685330e39955a117ba42306120b4df607775a2165894f86a269b169f08cc754b59dffd1e6fd4552ef2f5caa7c9c6ef4145b87eac10e87b2c428f0390d1e5a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 baf6052fc8ec19f38fedddf1ff744a4d
SHA1 ed9b36d00e45d4cd41585013413afe2d532ccddd
SHA256 3aacd72fdb7d9645d67992ae5efd28ed90db90e82121094955831ee3ed3949aa
SHA512 c0f651f8c1dff43272e36955edb2f536709a739c5420e0ea489b89cb99a84a81a4b62b1171649ef6a74d2b70646ef52aa14602041227ecf6b404bf1be5e5c34f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 499053571e173878b31edda96d3eee2b
SHA1 2d246336082500f263d35d5f50462f862d9dc87c
SHA256 4454f701e7d8e3a57e73a5dc19626060f36d637c7f42aeb80e757442caae00ce
SHA512 0ddbb307f85a26291a1c9388a5d6e346dc0280c12f26f88f98cc322a8243dbc2dc3cca90120c8444d302c6a43902eb1d61759488947989ac3752dfa886e1f8b3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 51e815e8753da6b0cb58fb1fcbcf13b8
SHA1 3ae7230e823854367d633cea3eadeb123b06e27b
SHA256 6412bcfebaa143d08274ad9918ff6cf0c3fca8ca0d7827550894e5ddc57cc557
SHA512 147eaf91fe832c0c77251fa4e14db8fc98e413c08a31e708d121cda5a9d5e2937b4d8bf76ddab6a2e5719b166fa746189516ac6c89180e9c99c1cc8c66fb037e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 6474a6a477a7fdadd0e54090175a0a74
SHA1 3b5787dd9f4b178c58380528ae2b1a69708c952a
SHA256 55e648e4da2f5ebc78cf0fbd5aa2099726cd9f5f1d2d6fee0a2eccb0543b0339
SHA512 6a14cb6ff8c9b6ba4796ca7b83109c5d3b132cd836766e9e0170083e277a0449977b98f420f7659d1a49c1054c5de56b7503772f84270b2c9b1a088d169e697d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e3e3283de638521c06ba586bb2d9833e
SHA1 46cdc85c76617535799027a837e839c61e22c3bd
SHA256 dd960fc48a6ea2b73fc5a5cc6cd363e2485b0a45ee4e890e7635931f43a04f31
SHA512 8121d3fe8524cab098590ed3adfc005b7f4e17acfc761ccae1e4c98f8e4b8294a01b3f71e6dc7521c1001952891714aed24b4a8392a64c388510459c832f9cea

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 23695b2ba72a55af184b278a4aa1fbf1
SHA1 76844a86fb1f93775227d750280de8f5381ca1ac
SHA256 42f4c3fad6412cb87c29aad6d237ff26ca8cbc2aa3b450997a3e7633863a863b
SHA512 7f54c7c5171722ea514a60ab913ac5d0d5c4c7357edb47cf3fc977967ef347fc7622939538e9d4df45e033f95a2324f3fccb2864d5e9e1852ca8a3299f3bf4c3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 540f39e88eace102879d2fb1ba6a1084
SHA1 da2c2447dd126a85153a1a40c5b7aba3bd07f5f8
SHA256 ad983b1e51325baed2c78b19680f7d2f3d7481670b5f33e943db0e0313e2e8f6
SHA512 a601c4fb0d0bf87d2c5e986acbd4512578013f62a7ca41b94d5b950e43b2fa32b68019d1141b570cbaf134945dfbca1c6a9150ad924921858137b59072e9f754

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9fd1e3af5ecb311a2b38ff6127e7e36b
SHA1 d87ab4010854444f470baed218954c1098564b3f
SHA256 d8a212fc27afc77436c47d0ed52cd164f64e7e43a39d4e01b26038560e0b2dbd
SHA512 6b31216d9fbe186988960b74ffcc295e2154de2fd3d60048b7c498ce74923677bc6b12c532fc864b2ae298459e1e5f97c5dde5c60d9ce955d09586290663ebee

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5e7901b2a37d50dce13a0bfc2430882f
SHA1 4894b51407c7bd7fbb0c631eb5c07f47d7e88772
SHA256 f8bd2c7d6f4a537e478dc88c349f4d201ca8a164c017527b40c5d604a95ab184
SHA512 7f7b0b32199337fc080884e1f54d8f0d28f911496cd42f3ebfb6531b21df45d8e93d2db34c76bdc671e096e00be0c3572a32701edd72b6d20d9152ec2fe90ce4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0294b1a8ab4cc8416595922e8a778e91
SHA1 e440575d28e070b2e228e92005a3d5146ef91734
SHA256 2b5d608e8658d481bc950064c246095a9f0686548847a9a120312551be5acb94
SHA512 83e3b97db29f8b6b9d19e2e09a003ed48494b7a15b90a705e0404c046ce846dc9f5220c61e8b3e61c165a1547607bc35398f8e33984871cd448e74ac5e1df6e0

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e55148520f9bf8df9a58742dd5ee694a
SHA1 db8f02bbe7f1af6d06a8e38fa1fdb72feab4908a
SHA256 98b42ae797c05e55882a3f53375242bc392820f168bbe134ff116341f165cddc
SHA512 dc0e9672fa5d1e4f063c1193180e12040f86ae51cedb7b267f8384014e0b26f321c9e6e0cb33a70ed11dff821c318a6b705a2989c627a0c7fff534d0ac22b96d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 289f35be665528403c7a60994e8061a4
SHA1 76d7f543f236cee8d7d4f673c1a7ba6c565dd262
SHA256 acf33fe1ac658b318e06094d4ef2db95f848719c0f1cea7b0d0c5158d70633a8
SHA512 a9a163c40e70f866dd90a5ee5440265e61dc0483cef5c147916365fa710f097df82bb05309e180c0c9f094cc0bfca187bbebab0b4f098053d2c72b391fe88aa4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0bd96f53027b0f129ac0132dc8e4a88d
SHA1 10e149384734494b121cc65ff3dc58d05e08492a
SHA256 6edf4bdcd26dfd6c500b9621afa1f29dd1c1ec9a1d65ff826157c6681cbdcaca
SHA512 f9f7644e8063dc911cbca9d1bbba7a6342edf8466ff79f78ab0bda42294b528e049ce809cd0a09247b8a9b162be2d93e76f6f9b6a097fd3db6f106423263ba2e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f09624b46c1212381108adb9e4bac7e9
SHA1 2cb1e567dff3631cd621b5e2b949dfc631a7c3bd
SHA256 eeb1c950cc7041c1f8e8ffb1aa818db41dcdfcfe3d5d3a5b27eb7c57db932aa3
SHA512 8a070018115fcdbfecfd11b5a03a2ecbfe73a3b93acd3e208d9a470dd6f84613b340dc244df7decb4467fa9f733971fe45c8f8ca7a326b8cfc2e583b490ed961
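The Files section lists C:\Users\Admin\AppData\Local\Temp\Admin7 twenty times with a different hash each time: the sandbox snapshots the file every time it changes, so those are versions of one file being rewritten during the run, not twenty drops. The script below is an added example, not part of the report or the sandbox's tooling: it parses a constructed excerpt of the section (hash values copied from the entries above) into dropped-file entries and memory-dump regions, validates each digest's length for its algorithm, groups entries by path so a rewritten file stands out, and collects the SHA256 set. The excerpt, the decoding of the memory/PID-index-start-end naming and the two-version threshold are this example's assumptions.

```python
"""Parse the Files section of a sandbox report into dropped-file entries (path
plus MD5/SHA1/SHA256/SHA512) and memory-dump regions, then group by path so a
file that was rewritten during the run stands out from a one-shot drop."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
HASH_RE = re.compile(r"(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed excerpt of the report's Files section: three memory dumps, the
# first dropped stage and two of the twenty Admin7 entries, values as listed there.
SAMPLE_FILES = r"""
memory/4872-0-0x00007FFC18E05000-0x00007FFC18E06000-memory.dmp

memory/4872-1-0x000000001BF40000-0x000000001BFE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8618.tmp.exe

MD5 70b587b81f55269db181349a1b0a4dd2
SHA1 f75cc3c1352d5acd35de436969a7ca134913cc67
SHA256 5e7f8b8cf274709e45b0c26cbbbf899668659a49747ca29a9411de97cba68215
SHA512 1b0a66f79a36392494937f917048045034a9e16981a2c2c43e5b68a93d9ad7c0c66d4029864095076cba5584b43bd63148ad055a5c501b94bc911267ce35d3a5

memory/3920-46-0x0000000010410000-0x0000000010475000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 19f5c030f9998620a2e5c33aa96224a4
SHA1 f5b2366ff6547a02d42135c37458f9de52dcb79f
SHA256 986e18e358cc13083c28ffae59cce9d3554001c12d829560ea18b930a4ba5f43
SHA512 06f618ea69dd7c87fec972cbd6eb9501984cd09fe1c4d102077d4c99bb8d4f884e85036069f94af5f3033a6d808ae5e8db8363be5d50b06ed95f200c879646a7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e777c711988d6f62bd60f551cdac8468
SHA1 55c08babd9a3c7a292218828b56ad45fbb59f2f5
SHA256 d2825d4d8787585cec6e35b2b7e475f1401738da5a106044512f772d3d65c018
SHA512 f7028d1d12c3538ee782959c739d39ba45a900889c41d66eb1071f15e9bb2725efe9030438c9ba5808a5162af611158d1ac5e71445298ebf03b6a79967ff75a7
"""


def is_valid_digest(algo, digest):
    return HASH_RE.fullmatch(f"{algo} {digest}") is not None and len(digest) == HASH_LEN[algo]


def parse_files(text):
    """A memory/... line is a dump; a hash line belongs to the most recent file
    entry; any other non-empty line opens a new file entry."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.fullmatch(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": int(m.group(1)), "index": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.fullmatch(line)
        if m:
            algo, digest = m.group(1), m.group(2)
            if current is None:
                raise ValueError(f"{algo} line without a preceding file path")
            if not is_valid_digest(algo, digest):
                raise ValueError(f"bad {algo} digest for {current['path']}")
            current["hashes"][algo] = digest
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def rewritten_paths(files, min_versions=2):
    """Paths listed with several distinct SHA256 values: the file changed
    during the run, so each listing is a snapshot, not a separate drop."""
    versions = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            versions[f["path"]].add(f["hashes"]["SHA256"])
    return {p: sorted(v) for p, v in versions.items() if len(v) >= min_versions}


def dumps_by_pid(dumps):
    """(start, end, size) of every dumped region, keyed by PID."""
    out = defaultdict(list)
    for d in dumps:
        out[d["pid"]].append((hex(d["start"]), hex(d["end"]), d["size"]))
    return dict(out)


def sha256_iocs(files):
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


if __name__ == "__main__":
    files, dumps = parse_files(SAMPLE_FILES)
    print("rewritten:", rewritten_paths(files))
    print("dumps:", dumps_by_pid(dumps))
    print("sha256:", sha256_iocs(files))
```

Run against the full section, the Admin7 path is the only one that comes back from rewritten_paths, which is the signal to treat it as a log the implant keeps appending to (and to hash its content by version) rather than as twenty separate indicators; the two dumps of PID 3920 at 0x10410000 and 0x10480000 are the regions to pull for the unpacked payload.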