Malware Analysis Report

2025-01-02 12:25

Sample ID 241126-pnhwxaxmgm
Target a1eee904abb3c639915572bec0dc29fe_JaffaCakes118
SHA256 f5a962180342c44e0aa8bef3a9b608e41f55bb5a8dc9360e9b8d1510705304fd
Tags
cybergate cyber discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5a962180342c44e0aa8bef3a9b608e41f55bb5a8dc9360e9b8d1510705304fd

Threat Level: Known bad

The file a1eee904abb3c639915572bec0dc29fe_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

Cybergate family

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 12:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 12:28

Reported

2024-11-26 12:31

Platform

win7-20240903-en

Max time kernel

146s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y} C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y} C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Java\jre-07\bin\UF C:\Users\Admin\AppData\Local\Temp\tmpUI.exe N/A
File created C:\Program Files (x86)\Java\jre-07\bin\jusched.exe C:\Users\Admin\AppData\Local\Temp\tmpUI.exe N/A
File created C:\Program Files (x86)\Java\jre-07\bin\UF C:\Users\Admin\AppData\Local\Temp\tmpUI.exe N/A
File opened for modification C:\Program Files (x86)\Java\jre-07\bin\jusched.exe C:\Users\Admin\AppData\Local\Temp\tmpUI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 880 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe
PID 880 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmpUI.exe
PID 2256 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\tmpUI.exe

"C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

C:\Windows\SysWOW64\WinDir\Svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmpUI.exe

"C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 12:28

Reported

2024-11-26 12:31

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Cybergate family

cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y} C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TI1065O6-6AM8-V0VK-8W4N-0IH06W17325Y}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe N/A

UPX packed file

upx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Java\jre-07\bin\UF | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Java\jre-07\bin\jusched.exe | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Java\jre-07\bin\UF | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe | N/A |
| File created | C:\Program Files (x86)\Java\jre-07\bin\jusched.exe | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe | N/A |

Enumerates physical storage devices

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\Svchost.exe |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe |
| PID 4432 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe |
| PID 4432 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe |
| PID 4432 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmpUI.exe |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |
| PID 3704 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe | C:\Windows\Explorer.EXE |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\tmpUI.exe

"C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1eee904abb3c639915572bec0dc29fe_JaffaCakes118.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

C:\Windows\SysWOW64\WinDir\Svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 876 -ip 876

C:\Users\Admin\AppData\Local\Temp\tmpUI.exe

"C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 584

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | | udp |

Files

memory/4432-0-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3704-1-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3704-2-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3704-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3704-5-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpUI.exe

MD5 f83c617b55a53db1fc9bd68c9c732192
SHA1 464d5d47ee7e2218a89ffda0c71efcc86b9b6e74
SHA256 68f4238b31a205b4c2a5f4df6bba4cde5a4f77fa3c627ac03d5dda82d202457a
SHA512 fb777ce76c6793b440ba633a6867d44b19fda5cfde566be53c83e445668badb5c56a72062ba5152dfb602415bb1e39d27db1c4ff5ace6e9e6fda7986cbab04de

memory/4432-13-0x0000000000400000-0x000000000048C000-memory.dmp

memory/3704-17-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3712-22-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/3712-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/3704-37-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3704-78-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\WinDir\Svchost.exe

MD5 a1eee904abb3c639915572bec0dc29fe
SHA1 1d61e03327d1d2826afa57f1b134bab18095494a
SHA256 f5a962180342c44e0aa8bef3a9b608e41f55bb5a8dc9360e9b8d1510705304fd
SHA512 b8493a6c8869ed1c7f41d39ada905c4453ea4bdeb63885224450e09d5f97ae77c01b356eb0af1ec2503e6e6b047494676f10be7daff76e6366ef6ee261662f1a

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 9c0acb2153ed3e449ad4fd18bf927667
SHA1 37bc0c2badda44d9fc72404cdc1f4f31ff734cff
SHA256 fdc97112acff02b458e82bbe2df068dec21a5e1707f271509a9e1dbeafd5593c
SHA512 8a4783067881ea27169526bb2ada11fbaacb5862100e5982730eb3959dfa2ab17a691a5cc534393eca365fac9ca7d22a025b15860bf1dbcef766b4598d64bfa6

memory/3704-153-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Program Files (x86)\Java\jre-07\bin\UF

MD5 f253efe302d32ab264a76e0ce65be769
SHA1 768685ca582abd0af2fbb57ca37752aa98c9372b
SHA256 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
SHA512 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

memory/3712-193-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a4fd972947b8bc84a63d8e996cf0de21
SHA1 fb5c1b34cac6db5a5b602ddebfbd07f3860f9130
SHA256 76a377ee7af2ca5fcf8dd9d46cb9c076942b13f70bbd8a20bad97935b5289a2b
SHA512 7bdea1efdfa5326d88c339d52d6ce3c87670da1727ecdc89ebd2d565ff468a6849f6452b04ff54b7c827af97b5a8bad3e8d9798978724f582f400fef44861477

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8c08a8fcb5c1880d232ab095a5ff96aa
SHA1 b8a050e636c1fdd3b08e7cb52b7bb6249fefa137
SHA256 ec3e4dd8e55dee5fc21985d80adf454109602dc70c8b070594e8d1c1c7a0cd2a
SHA512 77778aa08bef6add78532bca594b5152f1fdb96990a539c87da8f1e97033cc3679af415d3802cf9f8281ec687c981d361b440463385e2a31b68bb4264bf7fd7b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a1b1180d67a622287ad34f593bfd4722
SHA1 eebed9fd1a0f1453de4ded8f6e251b166862d8a9
SHA256 ff8d16a701692036e2cd590e8524a0effc2200f4fa0ee41380aac35d9b5e59a2
SHA512 887d99a324f3336de1d8cb6e626cc91c3aec584c08268402819b54d3619bb63836c34b1b3538435bd53f1ddf42a2811d8cd29a6c7cc7a9239a5fcd1653a7742b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 02f388db46b8681f51f60d7cad712d64
SHA1 554934ff606038b1937fb26fd46d06376bde4815
SHA256 74eeae13fc4ab3464211f1c340ef6b05b36e904566e0d565d25e9d42d92a242a
SHA512 67a16febf4eb87f47bb13c500db8efbaf0049189929291ef4da334258c28d02f0cbc7d71009f7de3209dfefd075527046f732fddeab925d9fd7e40b1cb942d97

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 daf1801391812d0c321d218e4535e28b
SHA1 c9776ccc26fa412014b70ca3cd2698dd94a6b93b
SHA256 ba7226e8cab001e919c4e3b746dca8af6660e1dddece27ea2703e83f0b85c1ee
SHA512 3f65f25acb27ef2f9ae17fb164a7c7ff2ad151eaa2b761fa76c8ea70adf65cd84c4fdd79212c565ae1f5029cc320432112a46a474ddccc5cba052bc041fc2efc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5b0d9a8feeb0694e0c1454e7ebd2a3df
SHA1 e3e5627508a96a23de99f16dea5e9ac07be28c25
SHA256 3167596025bcf9f5f7c2529bbc1d537113011164396f7046c938f96a39f21552
SHA512 4e84e9ef614f5a672e8a0cbc4d959838a69967185e06b3990f44c829f593a5c57bc9b6ce14770e073c198561786fc5a0c006f679f8f9ef28287d5859b422668f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b3812988c0b3ff4b75d5f40ac25e9ae1
SHA1 01262d9e8b2e99fd47dbbdf9702d2083715c4808
SHA256 5f00ae5e42a4c35d1a7aaa0a02297adef88ff9bb2d826e3ec5ca3d083cfa6d5d
SHA512 304554b3a809ea385ca3ae3621b8b45644633a22e01f3f2279e31b0ff0f1cf001d43ba61de13e78fdaf24ed955c63bd8f62aea522944255edb66c65636c6c5ee

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ff1b47228a25c41f87b65263703d945f
SHA1 5f79699929c4bbbd51684e29dc30c559245826ce
SHA256 3ad246759822a900c7ede91f5e9cff84019713fea0d9cff62cdfc379ef0018d2
SHA512 c9b62633ee17b546cbe5ff237f84eebe0db7acce89b03bde84c60aa73d9386305f8c5547d232765ff086adcb26a09f1cc377fc70fe0e10e2865d1d8cf6397b79

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 34cf9d30c6cf66eda90f985126530386
SHA1 4e5774f4a55b2242ed20020f1afeebd12e2e1d43
SHA256 daa8933dd743abe5a82ec6e7acf0fbfa451e67b2ab2c028c2756daf1640f38ef
SHA512 681fb524068ca666850b637d9290a6f208777d4ee7980080b5b62b6a1600830edabc79c04ab32a88dd08a741da85e540a3662da744b83aa0757ffcacf5f3110e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e137d0d657fc794cd6b41053dcc60398
SHA1 5e1505f50640198c14065e7ff08c3153a3688a6f
SHA256 de9e4933fda3deb7a977ca3a4bcc0d4829c712306d7ee76b9ab567d7d43e546d
SHA512 bcf863f524eec2c0567f7a22cdc1ecb98c9c572d97c1ac4420ca526b05e3cdb933ec6a34b478bf19d426d99634baf8d6433fc1b17a372084db7e4f924f6ad35c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3b764609ebbe504138b2e75e4068605e
SHA1 b58107cf55ea41dcbd6f2b709a8097c2afeeae9b
SHA256 7ac1de1fbc50de4c6b8a777c4e8cb4acd1f27052fbb22317dca052a415d9c46a
SHA512 9b703b1b8b5125cbe144f9044d19bf343601cc2f88ab91e3a32560e1dcfd63af2c65f69ccac9b90864aee2aed3325db0b714201b6d911ac7f67b971dab834c6c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2b29c096df82dc8a5e45befc42a5afdb
SHA1 4de0158455d736eaae610793c998eb4f462455df
SHA256 6cd857658862470f75ca4948bd750fa0b6124c1b9cfe7a73e2d9baa6c0cbcb1d
SHA512 d6355f37304cbe3ad45832ac62d3e2db3365c36b4d91baf80a9aa11de7503cf2fcdce1b86f27b3a71866d06ad03583225c7d54e8e9cd1fbc653986df1c0542aa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9b4a23ca5d356c3391ce4ddd23119de0
SHA1 365852c739880380a10fe5c812c8f3691584d9a5
SHA256 6f11b999b2990bde80ae5b83b99d6ad626435f835ba31cb5c7f4510c265f88bb
SHA512 a1e2e54543c4376e7268af62800ce85e4457139e46171e91b8447902d34de1c7d37c74a54893d5730084f18a5f5dc7d7807cc9517715e733ffd48807e81b4e47

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ea8882d28fe59b2534caf6bf27958089
SHA1 c1b44de7e87bd97ac2a3bb85581d87a11817c1fe
SHA256 e144f4df1a7e5b3d0b589f64a29730f544426ebeb1541606a2e1e8700382e991
SHA512 495e677af037e0ed14f008f6fe0180acdd5364179e1284bcdbfbaaafd2be235efc420a96acba6d4c20c7ddb6c779bfc3b8cf72ba743b73923c70f6d59241efd7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b3ce60513144e0bf19389d04e64be2ec
SHA1 b06842cbc6d9b77e93308bc051bf7c175485ede6
SHA256 ec6bc1ffd4a68e1e149d9e3e5e73919f2fe22f511020173f8780bcf328593237
SHA512 bf642eb7999bf985ec4eb260aa626bd2a9f62d44bf71e3c474bca9096527c577c2d275423fdbb919a1566b09dc850e4d21e46bead38b4db40aea6161cbca0b95

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 546872e261ce628060f528ed2bab31f1
SHA1 591f594f564b6659a062f514395ca3a6585b7d4d
SHA256 a279fade5581c46b378047125e8f10d455c87ba61b857e382a80f2d932da27bf
SHA512 583e2fd70bfe17c6455f818750bba878f4a21efaf47ab4b9f929636dfa7e910e7f0a26baacf43933f7a8e60072bc3fb217c44f41b6fb7102c6f3e15a3bd7a3ec

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 47771ddc7eb2d50853a6bf5c4ab81c69
SHA1 9aae4f7058892a35bd9d4d6dae0a009e6e79dd7c
SHA256 9a58637d62ebe9025c5b5fe7148d79a067a41183adfd2efbc6659b911ee18b81
SHA512 972d068c84ebc190e6249fbbda5b5cd19027a4d0a5aaef93b70a05033fd484cfdc97911efc8e8fe5f24016a8d5e762de1d53fb5bb4428dbc10efa8c1bee4c403

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d98ca861713ec5612c6b7bbe5d565e53
SHA1 7fb2b96917b3878aa278497fbe44a65249b958bd
SHA256 bb0c93f271385e7f9fb171e535cac67e9f05da66810361d0533ba485d0a5fa1b
SHA512 9695755e73ba440b0adf57a88019a45e0a9c772cecc2455140099bf2660a0f9a2cbfc59ebc0c2d627ecd6ab921bc426a5c70f9d92668a73f1703c3d661e038a2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4d11d707610bca8953df41e2188b4c84
SHA1 450df516bdb73071227246ae8b00f9d7e7bddec3
SHA256 5212a42d1ba85b6bced289404f905e8433c46315967658de39b32c27f6f15db4
SHA512 b82765ccc6f8e7b7411244817a7baa06652730ce1dfc4a74f1026395ca167ad5000ade9878f0f5d03a1fe2333382703ea2c5461e4088a1a703850ac66d758b11