Malware Analysis Report

2025-01-02 13:06

Sample ID 240703-eq62eawhnf
Target 2107bbb520699b9a545539a76ea9759f_JaffaCakes118
SHA256 ad95fef2ae8da6aaeef23bdaf9640d5c0ca36a586a7b2dcac172555b46f015b0
Tags cybergate seedb0x persistence stealer trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 ad95fef2ae8da6aaeef23bdaf9640d5c0ca36a586a7b2dcac172555b46f015b0

Threat Level: Known bad

The file 2107bbb520699b9a545539a76ea9759f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate seedb0x persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Analysis: static1

Detonation Overview

Reported

2024-07-03 04:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 04:09

Reported

2024-07-03 04:12

Platform

win7-20231129-en

Max time kernel

147s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe Restart" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Win_Updates\updates.exe N/A
N/A N/A C:\Windows\SysWOW64\Win_Updates\updates.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Win_Updates\updates.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win_Updates\ C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Win_Updates\updates.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win_Updates\updates.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe
PID 1884 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe"

C:\Windows\SysWOW64\Win_Updates\updates.exe

"C:\Windows\system32\Win_Updates\updates.exe"

C:\Windows\SysWOW64\Win_Updates\updates.exe

C:\Windows\SysWOW64\Win_Updates\updates.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 04:09

Reported

2024-07-03 04:12

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe Restart" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Win_Updates\updates.exe N/A
N/A N/A C:\Windows\SysWOW64\Win_Updates\updates.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Win_Updates\\updates.exe" C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Win_Updates\updates.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win_Updates\ C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\Win_Updates\updates.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\Win_Updates\updates.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Win_Updates\updates.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe
PID 928 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe"

C:\Windows\SysWOW64\Win_Updates\updates.exe

"C:\Windows\system32\Win_Updates\updates.exe"

C:\Windows\SysWOW64\Win_Updates\updates.exe

C:\Windows\SysWOW64\Win_Updates\updates.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 592 -ip 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 564

Network


Files
