Analysis Overview
SHA256
2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7
Threat Level: Known bad
The file fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Adds policy Run key to start application
Modifies Installed Components in the registry
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-20 18:36
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-20 18:36
Reported
2024-04-20 18:39
Platform
win7-20240215-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68} | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/3040-3-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/3040-6-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/3040-15-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/3040-298-0x0000000024010000-0x0000000024072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 40bf045a90c5af86f363d052477f951e |
| SHA1 | ff32c907dca090c8e3cba347708964cf213bc4a9 |
| SHA256 | bf3afb0a67cadfa0f7cd76d91da74b80bfee530c5a5ac266c41a7ccde4a77104 |
| SHA512 | 2518a062a9141a6cd9e7216217f89f496cecb81688939664dda7067dfb52ee92fa8e0bc6f956f32c2542a10cbb2a2a374999d4ac551cffe8e7f3a43cb2291c58 |
C:\Windows\SysWOW64\install\server.exe
| MD5 | fd60ad05941f2bee3dfd05c976bc2eff |
| SHA1 | eae3af05983d5e47ebb3f228f98517f9a3806376 |
| SHA256 | 2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7 |
| SHA512 | b16dbd2bb8c169bb5e772469f2bd98947e74dd7c30a1899b3416da6b2c967c6644baf97f138192b725e343233ec10c4b2516c889b7f0e302f0161392052c522b |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/2336-2032-0x00000000004E0000-0x00000000004E1000-memory.dmp
memory/2336-2031-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2336-2088-0x00000000318E0000-0x00000000318ED000-memory.dmp
memory/2336-2166-0x00000000318E0000-0x00000000318ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 33915267c1ef3bbd0550b143f8d2bc68 |
| SHA1 | 7d11951b5ece4e421ddc56d040533e2b6cbdea54 |
| SHA256 | cf3f5d41a232ad7c422f1e05dc345f9b895a847698ae4b2a8e4e9499c6eac999 |
| SHA512 | c66d4abf6163c8122c867ba71dd0dc68904d58322c87ea4fadfb5664adaee3641c19790e57251d6945fadb4bd476d486cc4f0b943eebbb4807210991319aa2c6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d850110327de35422695a8525226f0ec |
| SHA1 | 7802b0c220afa550f682182501d0e9b5d1af89c4 |
| SHA256 | b4761afcbcd7bd7fc678890c2eadded5bd74496c1e15b6cc68cd9d0dcec39062 |
| SHA512 | 7124c9e609d373370e4beee4372fb2ccca45836e46658b9256985520048c797298c4be5bc2e3d28761d7e84e0a6479d46114870dfc21b5811afe51f08cc3088b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 132d20c4b9bcef08badb2e3b8853a17a |
| SHA1 | c98d4f1b2e09f9c65206595d61fcfca4c5c283ac |
| SHA256 | eb414e8319e117f94582fc14fdb8ae075df1a64ffce74d248931cb2e77bee3fa |
| SHA512 | 35c2a57583655c3f13199e6b9f2cbf7f8de5b36aef0da067e3a7b161da007e0e01e35c5e67eccd5dab5c04fb0601946f33eefbcd64e730ae6bfce46e481392fb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6306f1c8dd43d49c356faf4e80074318 |
| SHA1 | 75b79d031e1bdbc0f126d12df14370b1f7d83b91 |
| SHA256 | 64db5087f21e4431c5fc4c2fc49ac89020b390ced14b0ccba3258991b5302b7a |
| SHA512 | d353920c33c3e363065aa38abca40449a70e6fe57333770f5fd7898dfc913764212a29e053296edcd4ef06968fb8578f23a9ed98932928b9ef7ee8607055b51c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 96c41ea474b5255d400a4be3a23ccef2 |
| SHA1 | 54d36e91e748763e8816c3ccbcfa444928c141bc |
| SHA256 | 984e52144e570e23ca939c4bb771766aa7bb92bfb6aa1bb08dd4f7cb27c0d90c |
| SHA512 | b61ef7db9dc8d61cd66f7d3bb4bd6c7bc589970df239f62d1c044466a28a68cf6cff12c104a73f1264d061a78e9400ac02c5033884db3da51c240a427f0a2ebf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6ad93990f1ee39cb9a312a8d3e847424 |
| SHA1 | d3411ba661d91739ae9a41e4533992416fe24ff6 |
| SHA256 | cc963f9b2e0d2f002caa6a7438ddd9f0341518ddf518713a05438d8b401a0259 |
| SHA512 | 102d384bb013f8fc556e4223a39896924a35a40bbc9219e4f09b8be2bd8780e42eaba5f5d5d7824c8b621a2651770f59f5940b89062170e69bd4e658fe121e66 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 528c30e1d1347c2c01395b83924933d2 |
| SHA1 | ee5ee048d7fb597ec6f4701c6b25d8f41b72f9e6 |
| SHA256 | 1063c0da8c861b66cd38ce1dc85a635ee3501874f248a43db4344d6b64c321c3 |
| SHA512 | b8db265a4f5b18175d9480df93694c9fcc719c7c9cbaf6b0b5dffce2048ba18c73677b26e204056894c6b67d5b61779991fd829291cef71ba832370003a4a4d0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2164c33f7f6444950cc38d14cf10970e |
| SHA1 | 016b85aeaaa5dfe13c69e10851bf85463c82c798 |
| SHA256 | 070aaa5312339c0c1baa2dd6a7dcdb73919bb29cc920ebb47687572b4b0e59cd |
| SHA512 | 58bbca70ea1fe14e009451e1a450bf9b0341728cc0890cd910d9c803b77aafd65cc7fc5f432844d312ff75d5ca72190455d5acb433dd2529f0467b1bf630a43d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2fc581dd4d9a0e74a1468ac56646e634 |
| SHA1 | 6d4f81ba3d6fff834815c344561e50139afc02cc |
| SHA256 | 298708be31ed1228cc8899e777e1c0f5cc0bf59226853ee591e30f713ea80fc1 |
| SHA512 | 6aa28222f52b18b4b978cc0caf2dd6a25e5d3a1fe1adbfd46a51ce11778e094c68fcdffbdc1300555577ad8e2a8a9c1b742c50612ab18cecc9e2aacc74f75183 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1023e0ffca3c554bce8a5006dfaf16ab |
| SHA1 | 71b6c29e88a7417d3993ad9ae6ac47455edc9d46 |
| SHA256 | 487cea35d8e94e078fcd8500afb382dedfd2e2b97fa94f2858fc50bc05601aff |
| SHA512 | 3607f0a4efd88f0b36adfac63c42f0f7d3b9c59010f73f41e83a338480eb70b087fe4cec0a41ce3b7b3e69f8ebbb8fa6aa10f19bc0ef8b531ab20f00dc891f9b |
memory/3040-2798-0x0000000024010000-0x0000000024072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6c23a8299977a34533d12840c875e9a1 |
| SHA1 | d09f3336add89da7d21775d1f9161beabaefcbc2 |
| SHA256 | c1d98d505911d64982e3fa57c935168d84438a7bed1316d943514d5304a97a3d |
| SHA512 | 7afdd12b36ede4be3891dcbb197226b61d2d68e7fd97e5302a4752e82de898f9f6514bace7fe74b552daa62986cc6ad17a9bb5c813fad55fdc45587bb0d8fa92 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 351e07048840ac5ca6cf00d5ce52dd6f |
| SHA1 | 2d1f973b185a058e2ed626bc4f5b27b7bedabe7e |
| SHA256 | 8a7abeb475285b0d4b21b79017dafd55f0b94a3c5e8ec406183ca0414a7b8fcb |
| SHA512 | c0680d49da57f3a1d926f9811287d98f28955a2ae9112c8a6e963dca7774234207a3d7bab42d93a61834334b15bb4c5570ee0d0967b02d5a19e03dfea57d7391 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | db0f22a8ea8ce5955c1755ffebae74a8 |
| SHA1 | d17e343970edf1494b64f04bb69e945ad51267d3 |
| SHA256 | b429b9d7c686c11b5d8a301da753792a5d748a732da363fef65ce33d2c4e9544 |
| SHA512 | 2eda830c1cf5de435885393542777d134b69f440f2a774ad6e7a966aebe2e436dc0f8259298e4b9ffbb69baf820d85c44ca6aef9c8654179b090e9997ebb6602 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 892fc721f259562a132c096eb807acee |
| SHA1 | 053f445ce0266cac3842cf1d2edfd31ebd554d1c |
| SHA256 | 1b6cf228db17f10b050a366f90e459971abc28d969ca13d72d14f182da8e6584 |
| SHA512 | ece5b6c5c650057a76baadf5bdee0e38e95e7ddccf7b40f3bc34bb13fcc354c53ff4dd6a0ade4ee483aac1e6a418a02c8732e00a1ced6ed880a0bd54289adda6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d176f6a5ee75b483ef9461e9754332c5 |
| SHA1 | 8e2357cc49c50c1f76ad517ff06ce7a23b19d5b0 |
| SHA256 | 5f74120e3c286d92a6227cb10d297014e254d1de189cefccf19ecf7511b32a33 |
| SHA512 | 120b8a7546109c01d840a9946ea1d9c0671edc58dffb74a4aee7fffb026535f8e8087c6eef8595be357fd630d3f9ad4461b64920962f0013940a5364689e968f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 016e5104945f67769a62c15ac5b3d867 |
| SHA1 | 0ab3167bcd34dde302e70698abf1586f7f902595 |
| SHA256 | 3af6b48fade70cb47832f0cebefa7857dc20b7ac805f71b641dc8b5314c5dd38 |
| SHA512 | a5b09e51e7c4f0d6e914254465318f91bbffdeca3b0137feb94572d2d5721fb842a01be38e09ebbd6e4e7bd08572444c170c7bee5cb607ce9d8a990a5ced7ab3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 25bf3b84b377874470022c402048eb88 |
| SHA1 | 286e2f4deb80587ea42eda4ba62db61e03597308 |
| SHA256 | bab2f4d2c10b50f3fe361e715f7773cc2c5ce234da53128d802336fa51043b4b |
| SHA512 | 078dfd1dc8e43d3636495600adf7843d93106e1fb7f0858cc30e24ed9aab6b8eba61fa63ae2ee8c757e183b70479ea73121ad05e7c564169efac9f91193c1496 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ce2749b0c218bd1567d02f953e611854 |
| SHA1 | 11f0f324d7a5fb2fd96cd9d833e72e97b81db436 |
| SHA256 | ba89dd609a99c8b19f70d79af1fae06e13c6b1b9e653c32855f8d304afb40361 |
| SHA512 | b038839b3a2bba223fb09c4d1087f8190669fa3c26d262b3e4a565bcaecd2908b509556ec66f1511f1f63c45910525d5eaaea672d8df56c17792fb181c6cdd1e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-20 18:36
Reported
2024-04-20 18:39
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68} | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5VA86RD0-3W22-6R73-7QS8-ODE408423R68}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd60ad05941f2bee3dfd05c976bc2eff_JaffaCakes118.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1388 -ip 1388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 564
C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 681302964ebf453e8e0d779b1c5642fd QkEPcMDFf0i7ac2/CIzsAQ.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.90.14.23.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1152-4-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/1152-3-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/4404-59-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1152-62-0x0000000003CB0000-0x0000000003CB1000-memory.dmp
memory/4404-65-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1152-64-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1152-67-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1152-68-0x0000000024010000-0x0000000024072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 40bf045a90c5af86f363d052477f951e |
| SHA1 | ff32c907dca090c8e3cba347708964cf213bc4a9 |
| SHA256 | bf3afb0a67cadfa0f7cd76d91da74b80bfee530c5a5ac266c41a7ccde4a77104 |
| SHA512 | 2518a062a9141a6cd9e7216217f89f496cecb81688939664dda7067dfb52ee92fa8e0bc6f956f32c2542a10cbb2a2a374999d4ac551cffe8e7f3a43cb2291c58 |
C:\Windows\SysWOW64\install\server.exe
| MD5 | fd60ad05941f2bee3dfd05c976bc2eff |
| SHA1 | eae3af05983d5e47ebb3f228f98517f9a3806376 |
| SHA256 | 2753c8b0d7cc891d9f9665e82cefcdc085064810ec8c0cb1988c36bbc0938bc7 |
| SHA512 | b16dbd2bb8c169bb5e772469f2bd98947e74dd7c30a1899b3416da6b2c967c6644baf97f138192b725e343233ec10c4b2516c889b7f0e302f0161392052c522b |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
memory/1388-388-0x0000000002430000-0x0000000002431000-memory.dmp
memory/1388-390-0x00000000025B0000-0x00000000025B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d850110327de35422695a8525226f0ec |
| SHA1 | 7802b0c220afa550f682182501d0e9b5d1af89c4 |
| SHA256 | b4761afcbcd7bd7fc678890c2eadded5bd74496c1e15b6cc68cd9d0dcec39062 |
| SHA512 | 7124c9e609d373370e4beee4372fb2ccca45836e46658b9256985520048c797298c4be5bc2e3d28761d7e84e0a6479d46114870dfc21b5811afe51f08cc3088b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 132d20c4b9bcef08badb2e3b8853a17a |
| SHA1 | c98d4f1b2e09f9c65206595d61fcfca4c5c283ac |
| SHA256 | eb414e8319e117f94582fc14fdb8ae075df1a64ffce74d248931cb2e77bee3fa |
| SHA512 | 35c2a57583655c3f13199e6b9f2cbf7f8de5b36aef0da067e3a7b161da007e0e01e35c5e67eccd5dab5c04fb0601946f33eefbcd64e730ae6bfce46e481392fb |
memory/1152-575-0x0000000024010000-0x0000000024072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6306f1c8dd43d49c356faf4e80074318 |
| SHA1 | 75b79d031e1bdbc0f126d12df14370b1f7d83b91 |
| SHA256 | 64db5087f21e4431c5fc4c2fc49ac89020b390ced14b0ccba3258991b5302b7a |
| SHA512 | d353920c33c3e363065aa38abca40449a70e6fe57333770f5fd7898dfc913764212a29e053296edcd4ef06968fb8578f23a9ed98932928b9ef7ee8607055b51c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 96c41ea474b5255d400a4be3a23ccef2 |
| SHA1 | 54d36e91e748763e8816c3ccbcfa444928c141bc |
| SHA256 | 984e52144e570e23ca939c4bb771766aa7bb92bfb6aa1bb08dd4f7cb27c0d90c |
| SHA512 | b61ef7db9dc8d61cd66f7d3bb4bd6c7bc589970df239f62d1c044466a28a68cf6cff12c104a73f1264d061a78e9400ac02c5033884db3da51c240a427f0a2ebf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6ad93990f1ee39cb9a312a8d3e847424 |
| SHA1 | d3411ba661d91739ae9a41e4533992416fe24ff6 |
| SHA256 | cc963f9b2e0d2f002caa6a7438ddd9f0341518ddf518713a05438d8b401a0259 |
| SHA512 | 102d384bb013f8fc556e4223a39896924a35a40bbc9219e4f09b8be2bd8780e42eaba5f5d5d7824c8b621a2651770f59f5940b89062170e69bd4e658fe121e66 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 528c30e1d1347c2c01395b83924933d2 |
| SHA1 | ee5ee048d7fb597ec6f4701c6b25d8f41b72f9e6 |
| SHA256 | 1063c0da8c861b66cd38ce1dc85a635ee3501874f248a43db4344d6b64c321c3 |
| SHA512 | b8db265a4f5b18175d9480df93694c9fcc719c7c9cbaf6b0b5dffce2048ba18c73677b26e204056894c6b67d5b61779991fd829291cef71ba832370003a4a4d0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2164c33f7f6444950cc38d14cf10970e |
| SHA1 | 016b85aeaaa5dfe13c69e10851bf85463c82c798 |
| SHA256 | 070aaa5312339c0c1baa2dd6a7dcdb73919bb29cc920ebb47687572b4b0e59cd |
| SHA512 | 58bbca70ea1fe14e009451e1a450bf9b0341728cc0890cd910d9c803b77aafd65cc7fc5f432844d312ff75d5ca72190455d5acb433dd2529f0467b1bf630a43d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2fc581dd4d9a0e74a1468ac56646e634 |
| SHA1 | 6d4f81ba3d6fff834815c344561e50139afc02cc |
| SHA256 | 298708be31ed1228cc8899e777e1c0f5cc0bf59226853ee591e30f713ea80fc1 |
| SHA512 | 6aa28222f52b18b4b978cc0caf2dd6a25e5d3a1fe1adbfd46a51ce11778e094c68fcdffbdc1300555577ad8e2a8a9c1b742c50612ab18cecc9e2aacc74f75183 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1023e0ffca3c554bce8a5006dfaf16ab |
| SHA1 | 71b6c29e88a7417d3993ad9ae6ac47455edc9d46 |
| SHA256 | 487cea35d8e94e078fcd8500afb382dedfd2e2b97fa94f2858fc50bc05601aff |
| SHA512 | 3607f0a4efd88f0b36adfac63c42f0f7d3b9c59010f73f41e83a338480eb70b087fe4cec0a41ce3b7b3e69f8ebbb8fa6aa10f19bc0ef8b531ab20f00dc891f9b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6c23a8299977a34533d12840c875e9a1 |
| SHA1 | d09f3336add89da7d21775d1f9161beabaefcbc2 |
| SHA256 | c1d98d505911d64982e3fa57c935168d84438a7bed1316d943514d5304a97a3d |
| SHA512 | 7afdd12b36ede4be3891dcbb197226b61d2d68e7fd97e5302a4752e82de898f9f6514bace7fe74b552daa62986cc6ad17a9bb5c813fad55fdc45587bb0d8fa92 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 351e07048840ac5ca6cf00d5ce52dd6f |
| SHA1 | 2d1f973b185a058e2ed626bc4f5b27b7bedabe7e |
| SHA256 | 8a7abeb475285b0d4b21b79017dafd55f0b94a3c5e8ec406183ca0414a7b8fcb |
| SHA512 | c0680d49da57f3a1d926f9811287d98f28955a2ae9112c8a6e963dca7774234207a3d7bab42d93a61834334b15bb4c5570ee0d0967b02d5a19e03dfea57d7391 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | db0f22a8ea8ce5955c1755ffebae74a8 |
| SHA1 | d17e343970edf1494b64f04bb69e945ad51267d3 |
| SHA256 | b429b9d7c686c11b5d8a301da753792a5d748a732da363fef65ce33d2c4e9544 |
| SHA512 | 2eda830c1cf5de435885393542777d134b69f440f2a774ad6e7a966aebe2e436dc0f8259298e4b9ffbb69baf820d85c44ca6aef9c8654179b090e9997ebb6602 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 892fc721f259562a132c096eb807acee |
| SHA1 | 053f445ce0266cac3842cf1d2edfd31ebd554d1c |
| SHA256 | 1b6cf228db17f10b050a366f90e459971abc28d969ca13d72d14f182da8e6584 |
| SHA512 | ece5b6c5c650057a76baadf5bdee0e38e95e7ddccf7b40f3bc34bb13fcc354c53ff4dd6a0ade4ee483aac1e6a418a02c8732e00a1ced6ed880a0bd54289adda6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d176f6a5ee75b483ef9461e9754332c5 |
| SHA1 | 8e2357cc49c50c1f76ad517ff06ce7a23b19d5b0 |
| SHA256 | 5f74120e3c286d92a6227cb10d297014e254d1de189cefccf19ecf7511b32a33 |
| SHA512 | 120b8a7546109c01d840a9946ea1d9c0671edc58dffb74a4aee7fffb026535f8e8087c6eef8595be357fd630d3f9ad4461b64920962f0013940a5364689e968f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 016e5104945f67769a62c15ac5b3d867 |
| SHA1 | 0ab3167bcd34dde302e70698abf1586f7f902595 |
| SHA256 | 3af6b48fade70cb47832f0cebefa7857dc20b7ac805f71b641dc8b5314c5dd38 |
| SHA512 | a5b09e51e7c4f0d6e914254465318f91bbffdeca3b0137feb94572d2d5721fb842a01be38e09ebbd6e4e7bd08572444c170c7bee5cb607ce9d8a990a5ced7ab3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 25bf3b84b377874470022c402048eb88 |
| SHA1 | 286e2f4deb80587ea42eda4ba62db61e03597308 |
| SHA256 | bab2f4d2c10b50f3fe361e715f7773cc2c5ce234da53128d802336fa51043b4b |
| SHA512 | 078dfd1dc8e43d3636495600adf7843d93106e1fb7f0858cc30e24ed9aab6b8eba61fa63ae2ee8c757e183b70479ea73121ad05e7c564169efac9f91193c1496 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ce2749b0c218bd1567d02f953e611854 |
| SHA1 | 11f0f324d7a5fb2fd96cd9d833e72e97b81db436 |
| SHA256 | ba89dd609a99c8b19f70d79af1fae06e13c6b1b9e653c32855f8d304afb40361 |
| SHA512 | b038839b3a2bba223fb09c4d1087f8190669fa3c26d262b3e4a565bcaecd2908b509556ec66f1511f1f63c45910525d5eaaea672d8df56c17792fb181c6cdd1e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f4bd459d494100e139361f9968059a63 |
| SHA1 | f157b3e4efddada4d730232713a092e2cecc7b36 |
| SHA256 | b19d9e5212d35e0ba4618ee79d24b32180f6642add507848431794b37e69b637 |
| SHA512 | 4acde9e47f22377a137b92f839273a20de1cf3bf6b2cd08186f76178a85b9970ada9275d90044e7d9c158180bc5338ef344c55d0ffc5bf9c18312af57288b2e5 |