Analysis Overview
SHA256
4904ab4b745b17310800c36e1af806f95882ef77dbdaff16a047d103fa4b6cd9
Threat Level: Known bad
The file 2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
UPX packed file
Uses the VBS compiler for execution
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-03 04:25
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-03 04:25
Reported
2024-07-03 04:27
Platform
win7-20240508-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
UPX packed file
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Users\\Admin\\AppData\\Roaming\\L3G!T-Labs\\jdvs\\0.0.0.0\\Java Update.exe" | C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3016 set thread context of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14400791231545706166163584775414578438046498913741265369712584705469876341566"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/3016-0-0x0000000074B61000-0x0000000074B62000-memory.dmp
memory/3016-1-0x0000000074B60000-0x000000007510B000-memory.dmp
memory/3016-2-0x0000000074B60000-0x000000007510B000-memory.dmp
memory/1816-9-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-12-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1816-14-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-7-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-5-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-15-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-16-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-19-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3016-18-0x0000000074B60000-0x000000007510B000-memory.dmp
memory/1816-17-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1816-22-0x0000000024010000-0x0000000024072000-memory.dmp
memory/2744-41-0x0000000000360000-0x0000000000361000-memory.dmp
memory/2744-32-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2744-26-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1816-25-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/2744-102-0x0000000000400000-0x000000000051E000-memory.dmp
memory/1816-331-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | cd4b58653ca921636b52a4d8da7f9878 |
| SHA1 | 417d7ebe4d753f3c10402490ef89e52fe73e79db |
| SHA256 | 6a584a572d4c287e4b82018809729a4e04496e427c0566ca0a4e221b69cb70ba |
| SHA512 | e3c9ffbb611548669dba883a5dab610e72897cdbc6711ad2760a26d930e0522a1e58a880707055a0e084e56ee2ceb6d0aa18eeeaf7aa0eef07c8ba26e5b7845d |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e4c9f55178b10f1ddec25ac573a62fcb |
| SHA1 | 663a20268e3905753c2ca58baf58053d8ea9bb0c |
| SHA256 | 61b252a3029cd9bf7e524fd181cb59b50c10f24371316557e8416e4332bf02a4 |
| SHA512 | 684f3af624d0667213a94729dd9abb64a3d53e51d8218b98fdbdf69a70ab6e1d75c03cadebf28ed4abe09cf986ea7dac666b9083b9aa1e195549ebf15a056b03 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9da15d665d0d508669b2c4ef85532aa4 |
| SHA1 | bb4b9602e1afd207c8deeb688bf8c8a057fef88a |
| SHA256 | 7d894286556beabaa008bdf0d786f2b6b3bd2093ed5fdc8281a6f6cf90f2d337 |
| SHA512 | 31497d08052c5938e2062741a56cc37d4851dae86fc934a5d4e71b1bc74e1e3b79439f224ad33549cf76f3609161abc7e4420540cd91f61f5f959c34b78befbf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f50493395828ee9eb30f2d04811321e3 |
| SHA1 | f0ca756a017c7640d1ea1d3aecc319e689031df1 |
| SHA256 | 9a3c64d3024917c67b83e23d73e20f0c7f4cd6457ffcca4d1314b7674ac8edc0 |
| SHA512 | f28716751379962c97573479d3ad067fd50e5a1bad144fbb01ff31e8f4b2442973d11ba3b0aef65a1847c64d94e871d6a75c916131a6754f095f2c76d0425385 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | cf53d88f35994829705f26a0cf396b66 |
| SHA1 | a244b6e918676e06105e097a39eadfd31a99462a |
| SHA256 | daf6051024c6b5019a3e5b760b81dd66105881ad239d9f508bc07c438bb526eb |
| SHA512 | f37e8e057c7908e273ee80071ca299eed9a6737bdd3a27ecb7fce7661fc601601a5fd6d742b19f9daf76f6fab06a2ca4a3d00ac64bf08b79a1753d887cf51b49 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 82fe60625713d0d8414e629ea9e4cff2 |
| SHA1 | 8710a32a38265daf84aad80f2c773e78a1ddc4ba |
| SHA256 | 738df9fd9383c4362953bd83b978d4df23cf4fab5abde1e033ed49b13005a379 |
| SHA512 | 451353e0424fd022f73519163372bf08c19c2a6ce284b75aead111498798258688f40d2e159bb55a9c74e2002d95b2945a4c9eca168cbb84743ce1937914b5bd |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 66742a6d829c0d670cda5342afcbe382 |
| SHA1 | dc347afe13b51d09a0e131dff73d7fb91fdc4abc |
| SHA256 | 7095e1eb729aabca4cb1aa99ab78b9fff8d730a5350572128073003717dfab7e |
| SHA512 | 96d5dcb2b9b3ad078812884d14a3c24f4923bf8aba0071180d92115120e532cce2cc0f3282c39ef4aa82a07f55b3451e1cc313b56fd76921cba73194d719e805 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9dea6404b277d11d6153829ab3694f70 |
| SHA1 | 89a1c6be190151e915e1c25f958c9694468205e9 |
| SHA256 | d64f0a5f578d23a1859881e459688f14d7cd011253ce3e09b84befee286f1434 |
| SHA512 | f07734bd6e2341f7c4090489ba523986919cb8529b13d0249c51f655b2c5a5023df1003a4d990ea95eeda95674e444b9f4dfcba2ff7c8a149087a84f1dac6207 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1fc18a69f489a686ab4fa6bba71f56d0 |
| SHA1 | 3c8625b867bc53db05b7cc804edeff2acb4b235c |
| SHA256 | a7363acc813270cc609494daef58889ed30c03ce04ee316684b00b8147fc8cdd |
| SHA512 | c46abdb445fe2b36b8c61ef0a4cd5c6f453cb9e541eb4cf62237b43ebc3c5554d9f3f68cf25d4405c2c4cc270c3ee130224e7df89200ef028582ae47e97f687f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 376ac6e1bdd07892be18111c885bb1ed |
| SHA1 | 6075e4d44404f2e1bd9dad92934c133cd7bf9f91 |
| SHA256 | ded5203eabe8a896150a95987c30bdf5d57ee1aec90c4958f94ec18c003dcc2f |
| SHA512 | e4a2046f40f8cf5b78007bc1d3f91b616ce1df4de0a15b6e90ca463f5ef4d6d559c066fa94a5a2ac1df0912f83c23fdd5419aae80c066b7a5c1603d48cbd02a6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 04a4535fa0a06890bbbc87fd9605ce10 |
| SHA1 | c8b864a02148e694e3c03496408a364957a545a9 |
| SHA256 | 0d75cc80fdc5861be143bc9a9eba6ad20bdfc571b6feb286e00c3bd05ac9ad19 |
| SHA512 | d691054434a1cec7e08728935637ee353efaa32a1d0b44156cd7f3d407b25534fb98c6872577106b0816863085c82721b7e3cb8205e84646b212d02af674075b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6a504fcf13331ed271d486da084c21dc |
| SHA1 | 72c7aed622a8a860b42ddde59fb08a058aef9d4a |
| SHA256 | b5dd2785b2c2f4437ed6e84c7999677113100a1dc5581bdc1bae50448aabfe79 |
| SHA512 | 0b3885cf71a46e57d7b4f5902a8e738ace0aa82345405af1b10d20f15ee96f1149bb84e15e64a35a55ec1c19a51a35c5837b7d512cfb2275e1f179f69e90ba60 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 31ef32dc1ee507ba086d07e71681c850 |
| SHA1 | bbb846bee9306fa0ba83abd63f42b096d30bee7d |
| SHA256 | ba0f2d645de6a005bfb76ea8b9cf11eba64a7a1ff933d3a98636dc4ff6b6e48c |
| SHA512 | a94fea04854292c3b727aa145b628d935e3bf6e87b70a79b79ff6cfd566afb06f97fb390bc32f6c85a2a4bb026c098ff365b0a6e1dd390e06051ff1e3cf044d5 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ef376208500ef444cc20a07e8847e9f1 |
| SHA1 | 95852f2acb7fd2a677d858b694c58b95bc5363d7 |
| SHA256 | 4a6c8014f32e7741d47fbc90974479cb9559399ed0b5a91706b8d3556827d279 |
| SHA512 | 426e2de757e420aa643538c0bd8cd37b6579570b225716f2f5c561b64e4bbed5723027acbe9d54622881a14c01a48554946738e6e40571f4ddec60ace49f765d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 880fa727f5a0db594afe083b7199414f |
| SHA1 | dce2ba50544aca43b62d98fff18292e04f3e7b07 |
| SHA256 | 76c62bee12631921c8315374e9b7cd7669bda96db2e93d0596cf76e35a31640f |
| SHA512 | d4eb159c590667dc6d8a28a13db1d5553aff0aca9ecdcf738f9799a7350c0265684a5e06b263933d57a356af00447662b49fbfcf210d3f126fee9313c1e3050a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | dc1f74d979886d7ac2ac6cfb4e449feb |
| SHA1 | aa13858079cbd3a1b9c64be6c1e832a5b12f6a84 |
| SHA256 | 16d627a4c38dee0c1c993106d654a6281bbe88e4988f1081ce1d83f071cbd3b5 |
| SHA512 | 153a63163489dbc1152bf8e7ee8d0e3f09834131008d4c98f18808372d5f1a232252e4116c6e32cfa9f49d9193b1583d2c997727d3c6b8b1a355a1df1fa93fc9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5750edb34b8077ca99c7e91226e0bb52 |
| SHA1 | 53ea62a664cc691df17c65f2ccdeeb520a1afbe1 |
| SHA256 | 95e0092a50aec570fdbdb8c609b9741b6a556544fd66ff4bcd54e848ce3114ae |
| SHA512 | d51209a25f669c4017e4f92e671627e518da800c180ce62c7106468b572a2a771a981bab966f151d822d1a29835c29a73201b19fdab1224f094dbe52d3a32a2b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3a4a757dd62dbe87c28fdacfd11a92f7 |
| SHA1 | dba3882d60a936360407c692188fca687f355486 |
| SHA256 | a6bab715e95738d232256ad01d765bb149698f214d28cdc4a28c7a21dc36705c |
| SHA512 | ceba8d5cdd06de846eee630331fd6138cc3dd06a927e8f5a980d9b6199c52da4909723d29c4d9af0d1ce7a79236c8945a5e793c86436621b25f53fe237b4954f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 986d3bd450a7e60517b235166f32ba02 |
| SHA1 | c17baad281a9a0380539f98fde5984c05e97fbac |
| SHA256 | a024382983ddfa1a5db554ad95ef4572af86e8194572c6f1ee0584f169479bda |
| SHA512 | 0fb4c25706c7fd0f548761bc48ace740db89ead4ca84c1482ea20ac9809b50fb6e11be466e3c7f4f169094249b63cc0df6ab31caa50830244a7c3ee79d5d0e3f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-03 04:25
Reported
2024-07-03 04:27
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
UPX packed file
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Users\\Admin\\AppData\\Roaming\\L3G!T-Labs\\jdvs\\0.0.0.0\\Java Update.exe" | C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe | N/A |
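Both detonations (the Win7 table above under behavioral1 and the Win10 table here) record the same two per-user Run values: "Java Update", pointing into a vendor-looking folder under AppData\Roaming, and "rundll32", pointing at a copy of the name of a Windows binary under the user's Temp directory. Two things are easy to miss when reading the rows. First, the sandbox prints the registry data with escaped backslashes, so the literal value behind the second entry contains a doubled separator (Temp\\rundll32.exe); Win32 path handling tolerates that, but no installer writes it, and a signature that matches the exact string must account for it. Second, neither target appears in the Files section of either run, so persistence was configured but the copy the Run entries point at was not observed being written inside the 150 s window. The following Python is an added example, not part of the sandbox output: it parses the indicator lines as printed, undoes the escaping, and attaches the reasons a responder would flag each entry. The list of Windows binary names and the rule set are the author's own assumptions; the indicator strings and dropped-file paths are copied from the report.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the two Run-key indicators from the behavioral1 table,
# copied as the sandbox prints them (backslashes inside the data are escaped).
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Users\\Admin\\AppData\\Roaming\\L3G!T-Labs\\jdvs\\0.0.0.0\\Java Update.exe"',
    r'\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rundll32.exe"',
]

# Paths the behavioral1 detonation actually wrote (Files section of the report).
DROPPED_FILES = {
    r"C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt",
    r"C:\Users\Admin\AppData\Roaming\logs.dat",
    r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx",
}

# Windows binary names that malware reuses for Run values (analyst's list, an assumption).
WINDOWS_BINARY_NAMES = {"rundll32", "svchost", "explorer", "csrss", "lsass", "winlogon"}

_RUN_RE = re.compile(
    r'^(?P<key>.+?\\CurrentVersion\\Run)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<value>.*)"$',
    re.IGNORECASE,
)


@dataclass
class RunEntry:
    key: str
    name: str
    target: str                   # path as the registry really stores it (unescaped)
    scope: str                    # HKCU = per-user autostart, no admin rights needed
    reasons: list = field(default_factory=list)


def parse_run_indicator(line):
    """Split one 'Set value (str)' indicator into key path, value name and data."""
    m = _RUN_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised Run-key indicator: {line}")
    target = m["value"].replace("\\\\", "\\")      # undo the report's escaping
    scope = "HKCU" if m["key"].upper().startswith("\\REGISTRY\\USER\\") else "HKLM"
    return RunEntry(m["key"], m["name"], target, scope)


def assess(entry, dropped_files):
    """Attach the reasons a responder would flag this autostart entry."""
    stem = entry.name.lower()
    stem = stem[:-4] if stem.endswith(".exe") else stem
    if stem in WINDOWS_BINARY_NAMES:
        entry.reasons.append(f"value name impersonates Windows binary {stem}.exe")
    if re.search(r"\\(appdata|temp)\\", entry.target, re.IGNORECASE):
        entry.reasons.append("target lives under a user-writable profile directory")
    if "\\\\" in entry.target:
        entry.reasons.append("doubled path separator in target (Win32 tolerates it; rare in legitimate installs)")
    if entry.target.lower() not in {p.lower() for p in dropped_files}:
        entry.reasons.append("target was not among the files written during detonation")
    return entry


def triage(indicators, dropped_files):
    """Parse and assess every Run-key indicator, preserving report order."""
    return [assess(parse_run_indicator(line), dropped_files) for line in indicators]


if __name__ == "__main__":
    for e in triage(RUN_KEY_INDICATORS, DROPPED_FILES):
        print(f"{e.scope} Run\\{e.name} -> {e.target}")
        for r in e.reasons:
            print("   -", r)
```

The "not among the files written" reason is the one to act on during response: an autostart entry whose target does not exist yet is either a second stage that never arrived in the sandbox or a copy made after the capture window, and either way the host must be checked for the two target paths, not only for the Run values.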
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1820 set thread context of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
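Read together, the signatures in this block describe one technique rather than several. The sample (PID 1820 here, PID 3016 in the Win7 run) starts vbc.exe, the Visual Basic .NET command-line compiler that the sandbox labels "the VBS compiler", with no compiler arguments at all, writes into it, and rewrites the context of one of its threads. From that moment on the sandbox attributes the remaining behaviour to vbc.exe: the process enumeration, the GetForegroundWindow polling, SeDebugPrivilege being enabled twice, and the network traffic below. Under Files, the same target process is dumped again and again at 0x400000-0x459000 (PID 1684 in this run, PID 1816 in behavioral1, the same 0x59000-byte region in both), which is the region to carve for the unpacked CyberGate payload. The following Python is an added example and not part of the sandbox output: it ties the SetThreadContext source/target pair to the region the sandbox kept re-dumping in the target, and checks whether a vbc.exe launch carried any compiler arguments. The dump filenames are copied from behavioral1; the event dictionary is constructed from the SetThreadContext row. The report's WriteProcessMemory section has no detail rows and the token rows give no PID, so the example relies on neither.

```python
import re
from collections import Counter

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe"
VBC_EXE = r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed from the behavioral1 row "PID 3016 set thread context of 1816".
THREAD_CONTEXT_EVENTS = [
    {"src_pid": 3016, "src_image": SAMPLE_EXE, "dst_pid": 1816, "dst_image": VBC_EXE},
]

# Memory dump names exactly as listed under Files for behavioral1.
DUMPS = [
    "memory/3016-0-0x0000000074B61000-0x0000000074B62000-memory.dmp",
    "memory/3016-1-0x0000000074B60000-0x000000007510B000-memory.dmp",
    "memory/3016-2-0x0000000074B60000-0x000000007510B000-memory.dmp",
    "memory/1816-9-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-12-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1816-14-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-7-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-5-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-15-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-16-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-19-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/3016-18-0x0000000074B60000-0x000000007510B000-memory.dmp",
    "memory/1816-17-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/1816-22-0x0000000024010000-0x0000000024072000-memory.dmp",
    "memory/2744-41-0x0000000000360000-0x0000000000361000-memory.dmp",
    "memory/2744-32-0x00000000001E0000-0x00000000001E1000-memory.dmp",
    "memory/2744-26-0x00000000001C0000-0x00000000001C1000-memory.dmp",
    "memory/1816-25-0x0000000024080000-0x00000000240E2000-memory.dmp",
    "memory/2744-102-0x0000000000400000-0x000000000051E000-memory.dmp",
    "memory/1816-331-0x0000000000400000-0x0000000000459000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split a sandbox dump filename into (pid, sequence number, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(dump_names):
    """pid -> Counter{(start, end): how many times that region was dumped}."""
    out = {}
    for name in dump_names:
        pid, _, start, end = parse_dump(name)
        out.setdefault(pid, Counter())[(start, end)] += 1
    return out


def hollowing_candidates(ctx_events, dump_names, min_dumps=2):
    """For each SetThreadContext event, pick the region the sandbox re-dumped most
    often inside the target process. A foreign process rewriting a thread context
    plus one region dumped repeatedly in that target is the region to carve."""
    regions = regions_by_pid(dump_names)
    found = []
    for ev in ctx_events:
        per_region = regions.get(ev["dst_pid"], Counter())
        if not per_region:
            continue
        (start, end), hits = per_region.most_common(1)[0]
        if hits < min_dumps:
            continue
        found.append({
            "src_pid": ev["src_pid"], "dst_pid": ev["dst_pid"], "dst_image": ev["dst_image"],
            "region": (start, end), "size": end - start, "dump_count": hits,
        })
    return found


def vbc_launched_without_args(cmdline):
    """True when vbc.exe was started bare: a real compile passes sources/@response files."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*(?P<args>.*)$', cmdline.strip())
    return m is not None and m["args"].strip() == ""


if __name__ == "__main__":
    for c in hollowing_candidates(THREAD_CONTEXT_EVENTS, DUMPS):
        print(f"PID {c['src_pid']} -> PID {c['dst_pid']} ({c['dst_image']}): carve "
              f"0x{c['region'][0]:X}-0x{c['region'][1]:X} ({c['size']} bytes, {c['dump_count']} dumps)")
```

The bare-launch check is the cheap detection: the process list shows both vbc.exe instances started with nothing but their own path, which a build system never does, and the parent is a file in the user's Temp directory rather than MSBuild or an IDE. PID 2744 also receives dumps but is not named anywhere in the report, so the example leaves it uncorrelated rather than guessing.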
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2111b6b063cb7cd8b63ca663d0b750dd_JaffaCakes118.exe"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 24e333555c7b101943b5fccdc32205a9 8AWSBPcZH0icEJtIpp9MBA.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
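The Win10 table above is harder to read than the Win7 one because it mixes the sample's traffic with the operating system's own: the bing.com and bing.net rows are Windows background activity, and the in-addr.arpa rows are the reverse lookups the sandbox's resolver performs for the addresses it sees, not something the sample asked for. Once that is filtered out, the only destination contacted repeatedly in both runs is 52.8.126.80:80 for www.server.com, 13 TCP connections in each detonation, which is the command-and-control candidate. The Files sections tell a similar two-sided story: XX--XX--XX.txt and logs.dat carry the same SHA256 in both runs and can be shared as file indicators, whereas XxX.xXx is rewritten 18 times in behavioral1 with changing content and is only useful as a path indicator. The following Python is an added example and not part of the sandbox output: it separates background noise from sample traffic, ranks repeated destinations, and classifies dropped files as stable or volatile across runs. The noise allowlist is the author's assumption; the network rows are modelled on the behavioral2 table (the 52.8.126.80:80 row appears 13 times and the tse1.mm.bing.net row 4 times in the report; the reverse-DNS rows are reduced to one representative), and the file hashes are copied from the report with the XxX.xXx series cut to a few versions.

```python
from collections import Counter

# Constructed from the behavioral2 Network table (see lead-in for what was reduced).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.server.com", "udp"),
    ("BE", "2.17.107.105:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
] + [("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")] * 4 \
  + [("US", "52.8.126.80:80", "www.server.com", "tcp")] * 13

# Domains the analysis host generates on its own (analyst's allowlist, an assumption).
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")

XX_TXT = r"C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt"
LOGS_DAT = r"C:\Users\Admin\AppData\Roaming\logs.dat"
XXX_FILE = r"C:\Users\Admin\AppData\Local\Temp\XxX.xXx"

# (run, path, sha256) as listed under Files; XxX.xXx reduced to four versions in run 1, two in run 2.
FILE_EVENTS = [
    ("behavioral1", XX_TXT, "6a584a572d4c287e4b82018809729a4e04496e427c0566ca0a4e221b69cb70ba"),
    ("behavioral1", LOGS_DAT, "51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46"),
    ("behavioral1", XXX_FILE, "61b252a3029cd9bf7e524fd181cb59b50c10f24371316557e8416e4332bf02a4"),
    ("behavioral1", XXX_FILE, "7d894286556beabaa008bdf0d786f2b6b3bd2093ed5fdc8281a6f6cf90f2d337"),
    ("behavioral1", XXX_FILE, "9a3c64d3024917c67b83e23d73e20f0c7f4cd6457ffcca4d1314b7674ac8edc0"),
    ("behavioral1", XXX_FILE, "daf6051024c6b5019a3e5b760b81dd66105881ad239d9f508bc07c438bb526eb"),
    ("behavioral2", XX_TXT, "6a584a572d4c287e4b82018809729a4e04496e427c0566ca0a4e221b69cb70ba"),
    ("behavioral2", LOGS_DAT, "51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46"),
    ("behavioral2", XXX_FILE, "9a3c64d3024917c67b83e23d73e20f0c7f4cd6457ffcca4d1314b7674ac8edc0"),
    ("behavioral2", XXX_FILE, "daf6051024c6b5019a3e5b760b81dd66105881ad239d9f508bc07c438bb526eb"),
]


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def split_noise(rows):
    """Return (rows attributable to the sample, rows from the analysis host itself)."""
    kept = [r for r in rows if not is_noise(r[2])]
    dropped = [r for r in rows if is_noise(r[2])]
    return kept, dropped


def candidate_c2(rows, min_connections=3):
    """Rank non-noise TCP destinations by connection count; repeated ones are beacons."""
    counts = Counter((domain, dest) for _, dest, domain, proto in rows
                     if proto == "tcp" and not is_noise(domain))
    return [(domain, dest, n) for (domain, dest), n in counts.most_common() if n >= min_connections]


def file_profile(events):
    """path -> {'runs': set, 'hashes': set, 'writes': int} across detonations."""
    prof = {}
    for run, path, sha256 in events:
        p = prof.setdefault(path, {"runs": set(), "hashes": set(), "writes": 0})
        p["runs"].add(run)
        p["hashes"].add(sha256)
        p["writes"] += 1
    return prof


def stable_iocs(events):
    """Paths written in every run with one and the same hash: safe to share as hash IOCs."""
    all_runs = {run for run, _, _ in events}
    return {path: next(iter(p["hashes"])) for path, p in file_profile(events).items()
            if p["runs"] == all_runs and len(p["hashes"]) == 1}


def volatile_paths(events):
    """Paths rewritten with changing content: hunt on the path, not the hash."""
    return sorted(path for path, p in file_profile(events).items() if len(p["hashes"]) > 1)


if __name__ == "__main__":
    for domain, dest, n in candidate_c2(NETWORK_ROWS):
        print(f"beacon candidate: {domain} via {dest}, {n} connections")
    print("stable file IOCs:", stable_iocs(FILE_EVENTS))
    print("volatile paths:", volatile_paths(FILE_EVENTS))
```

The allowlist is deliberately short and specific to this analysis host; on a different sandbox the background set differs, and the safe way to build it is from a clean detonation of a benign file on the same image rather than from a guess.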
Files
memory/1820-0-0x0000000074DF2000-0x0000000074DF3000-memory.dmp
memory/1820-1-0x0000000074DF0000-0x00000000753A1000-memory.dmp
memory/1820-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp
memory/1684-5-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1684-7-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1684-9-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1684-10-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1820-11-0x0000000074DF0000-0x00000000753A1000-memory.dmp
memory/1684-13-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1684-14-0x0000000024010000-0x0000000024072000-memory.dmp
memory/4988-19-0x0000000000690000-0x0000000000691000-memory.dmp
memory/1684-17-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/4988-18-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/4988-21-0x0000000000400000-0x000000000051F000-memory.dmp
memory/1684-81-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | cd4b58653ca921636b52a4d8da7f9878 |
| SHA1 | 417d7ebe4d753f3c10402490ef89e52fe73e79db |
| SHA256 | 6a584a572d4c287e4b82018809729a4e04496e427c0566ca0a4e221b69cb70ba |
| SHA512 | e3c9ffbb611548669dba883a5dab610e72897cdbc6711ad2760a26d930e0522a1e58a880707055a0e084e56ee2ceb6d0aa18eeeaf7aa0eef07c8ba26e5b7845d |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx