Malware Analysis Report

2024-09-22 09:16

Sample ID 240621-qtgfpswanp
Target 0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118
SHA256 632ead31eb6616726169f1978681c9d70083d356fddea6810aff8bb585063891
Tags
cybergate vítima persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

632ead31eb6616726169f1978681c9d70083d356fddea6810aff8bb585063891

Threat Level: Known bad

The file 0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate vítima persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-21 13:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 13:32

Reported

2024-06-21 13:35

Platform

win7-20240611-en

Max time kernel

146s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT} C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT}\StubPath = "C:\\Windows\\system32\\spynet\\svchosts.exe Restart" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT}\StubPath = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\spynet\svchosts.exe N/A
N/A N/A C:\Windows\SysWOW64\spynet\svchosts.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\spynet\svchosts.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\svchosts.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\svchosts.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\ C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\svchosts.exe C:\Windows\SysWOW64\spynet\svchosts.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
PID 1680 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"

C:\Windows\SysWOW64\spynet\svchosts.exe

"C:\Windows\system32\spynet\svchosts.exe"

C:\Windows\SysWOW64\spynet\svchosts.exe

"C:\Windows\SysWOW64\spynet\svchosts.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Windows\SysWOW64\spynet\svchosts.exe

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 13:32

Reported

2024-06-21 13:35

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT} C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT}\StubPath = "C:\\Windows\\system32\\spynet\\svchosts.exe Restart" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L321QCH8-T844-352U-35LK-53D56L03ISWT}\StubPath = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\spynet\svchosts.exe N/A
N/A N/A C:\Windows\SysWOW64\spynet\svchosts.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\svchosts.exe" C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\spynet\svchosts.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\svchosts.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\svchosts.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\ C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\svchosts.exe C:\Windows\SysWOW64\spynet\svchosts.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\spynet\svchosts.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe
PID 4968 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0be5ab0b82e33f33c5d17f5eb30a9f53_JaffaCakes118.exe"

C:\Windows\SysWOW64\spynet\svchosts.exe

"C:\Windows\system32\spynet\svchosts.exe"

C:\Windows\SysWOW64\spynet\svchosts.exe

"C:\Windows\SysWOW64\spynet\svchosts.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 564

Network


Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Windows\SysWOW64\spynet\svchosts.exe

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx