Malware Analysis Report

2024-09-22 09:17

Sample ID 240622-dwq2pszarp
Target 010eed353174269e5671afbc7a18210b_JaffaCakes118
SHA256 5bc30db63db6b4957befabc80f89f1f253e681f3d87179fa2c3efd2199fe02c8
Tags
cybergate cyber persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5bc30db63db6b4957befabc80f89f1f253e681f3d87179fa2c3efd2199fe02c8

Threat Level: Known bad

The file 010eed353174269e5671afbc7a18210b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-22 03:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 03:21

Reported

2024-06-22 03:24

Platform

win7-20240508-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe Restart" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
File opened for modification C:\Windows\SysWOW64\dashboard\ C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
File created C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
File opened for modification C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 492 wrote to memory of 1664 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\file1.exe
PID 1664 wrote to memory of 1188 (60 identical events) N/A C:\Users\Admin\AppData\Local\Temp\file1.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\file1.exe

"C:\Users\Admin\AppData\Local\Temp\file1.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\file1.exe

"C:\Users\Admin\AppData\Local\Temp\file1.exe"

C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe

"C:\Windows\system32\dashboard\2.0.14699.0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp (10 identical DNS queries)

Files

memory/492-0-0x0000000073FF1000-0x0000000073FF2000-memory.dmp

memory/492-1-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/492-2-0x0000000073FF0000-0x000000007459B000-memory.dmp

\Users\Admin\AppData\Local\Temp\file1.exe

MD5 8bcae1ee41d559ccba43a52e2d556264
SHA1 fa517415422ffe8180a1898dd9693e1d829dd207
SHA256 188bc912de9ba7a40183e69dfe79c3261cbada4afaeb8ece3b37559f59c49e8e
SHA512 ba800eef6e781ea95906cae47970b42100d8256210712fce958220bdc62bf566d650202b864b2a528558d88dc4f8e1f3181e0c3a51b3eeff24fe764b4156e751

memory/492-13-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/1188-18-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/1664-17-0x0000000024010000-0x000000002406F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 f660b1b97987bf6df5b65f73ae5b207d
SHA1 b7803c5b7354f9ec37234a4bca4a29b99fb09310
SHA256 56effe538a98d2f6b199eb4b6c8f152934bc6cbff17ddae3835506858a45250a
SHA512 39e6b93f996d3301c4d957a8fb4bb8c7ae502331680519e7457024f54048c0b03acb81feccffccc30a692106fb335f28002a649685d6bd116868db9a6012156d

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 00f2b181135cb806f0a946214298cfad
SHA1 0c9dbb4a1ccd11c77c5dbceaf4ac4a7b06a2e6d0
SHA256 68cda15e3242c18a9aad6e3c7b9cd40ff959ce432f3e6c6f605d1a065f33308f
SHA512 1cdf7cb9b118d69b63297dd21de10acf5a6b36f5dcbc93001f638bc17fbd6b73c508a06d033f87cdb8da5fa6065505e0ccd38924fa8e1d0729e9dbc70c6d2710

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 686f61cb9d5558afe0bca5dd37103847
SHA1 ef9c71c4364f8a1ab5d4dee87b0e0dbdbb8473a7
SHA256 3ebc07d6ba03a54f9e2c7661ac1a43cc85835a30f9329db703e3db0e4518e49a
SHA512 3cff83a9573296ca8c092b6f99f02d4eadb63cdad8a5472f15e512a03a7aa20cfe97dfbdc351398a4d3d9c5bde543c20fd851d52484f73cd36cdb70753b740e0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cf9de356f990d34476c04dee62743bfd
SHA1 bca83fcc7bb39ed5481e1c40d0eea637c40c438b
SHA256 b08dd4d310119b97183a650258d5b3a9a336625d84570110cf1b815f2adc34cd
SHA512 d9e28d2e6c3e743cc46de1b65737886d9f99016f38b754862c8c057c17d39e798d959b926484baf9f86cc96a53d3276ebb9e217d856846daeb5f2cc7929320db

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 942b579d51ed5fb7d28659e716bb02b0
SHA1 411a0a57c865525540c3225a8d8dd7096bafb231
SHA256 54444326882a9ecde6e2312190e1c825ae9fb9e370af59dc0db386a5fb89fe3f
SHA512 fc08ca9a612fbecf58228c678eecb81a752dabb507b2afb864842dc9a37416ff6c94920d82c55d72953f021470597b6aef12f626730da58a3c32ce4770615495

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6520286ac73c78088e631be748003784
SHA1 9eec3bdb175828e9d9f13525fe801e4211fec691
SHA256 09212c15b3fc5871fdace3b1522cd3c96e0455d9943fd56ebaf106fdd45e4fb6
SHA512 81d7943d6f9e2131a124676fed104970173649baaa20f1f9b9f741aaecede2381894a3aa3b7a9e41bb6d05a551d0cd42dd05b18fc8ab3dac8bdb9adfa5f79c4d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6ab184769ef96baebcf4e621689493ad
SHA1 bcae751a2c89abd852d3098d7633a24f986ecab3
SHA256 d28c3b08d139566d61754f2022d289b6e217ab45f141cb437ca87a8457effcf6
SHA512 e44b25fbf8d9c40283489163da5f357ace3bdf01cc03edc8feee75a9ccc62902adf935a0a1fb04eba92a315135c1b402c1652b24c433cdbad9e65294074fe8df

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 28db5a56e5396275a238d39130934c75
SHA1 541a40e9228df2fb8bcf875d0751a7a28eb9f246
SHA256 356f14a115db1e971fb779aa31d1c1face19fe72e23a5b108c25fce3ef1572ab
SHA512 d5d9b26857e0876647e2e976897d44fda2266c24a7d61c5a46afe089e7206198ddb60e63ab4082f7dc567273cb3e6cd587f020480424bb9ce7b0b3e07841102d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f3875a8a14e755a2580803600ff2ed95
SHA1 30717780bc90105cec55d8e3ff975736ee50d513
SHA256 701357b5db8dc42e5f753f9c7b9ae2e33963d4491235587fd4bcb41b6bb7dbef
SHA512 c69733635521416170711b0abc21e01875f30e81643cabe47c6ed9ee1e813b5b03d40c7391707f359ac4aae22081977db04fee1770817aa533f849ec53c471a2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 988a0bed8f8723f423529f20202a5aef
SHA1 4c2cfbf36a6241501f7775061d874bf06c36787d
SHA256 70a9a4e5bd0ab1d7a0fe2ef04b8a92ee45b15baf19d6e2b74afe6f6a5960ba72
SHA512 4739b7dc27edbf08ab0d355e6280d36cd15660c57d3124501c42edc54bd39da3cd2f92a3ad289da866adcbdb677a8337f8c18b33e0f8fbbadf2a1932567b0d37

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 23bcf26e7e4e9f3b1d5eadfde1fda594
SHA1 a8871182f943fc86732109d8762d047f9113d3f7
SHA256 0f17af9ceda081ab1e719a163f0496995db9bd19622b7e65c324d49ffc79d3d3
SHA512 701b0c37732739e97b11155c48eed29b60652a632852c093639504da98a784420e0864009f090ea4669cb5130dd1a487efd49c111b7cb53db14af37a2a39d3c0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 69d433d37a8795bbf0aba308ca72e04e
SHA1 bc3be8c11eca640a11bdbf94c5acbba8a219d5f7
SHA256 3d91b4bb1d7b7a527f0035c9a421967876740792cfe9b183960e5a79585bd677
SHA512 d86804648b504911515fa48f2e54e9f160fc972b24843a44771daffd7350e329983067d91a98e01cf292406a18746659902d9b9292886f638956e1ead726c2f1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 03:21

Reported

2024-06-22 03:24

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH}\StubPath = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe Restart" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6PKP4F26-78H1-UAWO-OG10-G8J0M41MMYVH} C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\dashboard\\2.0.14699.0.exe" C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
File opened for modification C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
File opened for modification C:\Windows\SysWOW64\dashboard\ C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
File created C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 1976 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\file1.exe
PID 1976 wrote to memory of 3512 (61 identical events) N/A C:\Users\Admin\AppData\Local\Temp\file1.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\010eed353174269e5671afbc7a18210b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\file1.exe

"C:\Users\Admin\AppData\Local\Temp\file1.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\file1.exe

"C:\Users\Admin\AppData\Local\Temp\file1.exe"

C:\Windows\SysWOW64\dashboard\2.0.14699.0.exe

"C:\Windows\system32\dashboard\2.0.14699.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8

Network


Files

memory/4812-0-0x0000000075542000-0x0000000075543000-memory.dmp

memory/4812-1-0x0000000075540000-0x0000000075AF1000-memory.dmp

memory/4812-2-0x0000000075540000-0x0000000075AF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file1.exe

memory/4812-12-0x0000000075540000-0x0000000075AF1000-memory.dmp

memory/1976-16-0x0000000024010000-0x000000002406F000-memory.dmp

memory/3092-21-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

memory/3092-20-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/1976-19-0x0000000024070000-0x00000000240CF000-memory.dmp

memory/3092-49-0x0000000075460000-0x0000000075A68000-memory.dmp

memory/1976-77-0x0000000024070000-0x00000000240CF000-memory.dmp

memory/3092-80-0x00000000039C0000-0x00000000039C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

memory/3092-84-0x0000000075460000-0x0000000075A68000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
