Malware Analysis Report

2025-01-02 12:50

Sample ID 240703-m1247syhlc
Target 221e346418983460f083918f7ae5c8b1_JaffaCakes118
SHA256 fffed4b522cd8effd6914c90b628fdf705862c0954705bd1ad3bc20413de2de5
Tags
cybergate master bootkit persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

fffed4b522cd8effd6914c90b628fdf705862c0954705bd1ad3bc20413de2de5

Threat Level: Known bad

The file 221e346418983460f083918f7ae5c8b1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate master bootkit persistence stealer trojan upx

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-07-03 10:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 10:56

Reported

2024-07-03 10:59

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VK06AHV0-2MIQ-360Y-RXED-QB3DR020WLI4}\StubPath = "C:\\Windows\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{VK06AHV0-2MIQ-360Y-RXED-QB3DR020WLI4} C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\install\server.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
PID 3048 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
PID 3024 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4672 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Windows\install\server.exe

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 10:56

Reported

2024-07-03 10:59

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VK06AHV0-2MIQ-360Y-RXED-QB3DR020WLI4} C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VK06AHV0-2MIQ-360Y-RXED-QB3DR020WLI4}\StubPath = "C:\\Windows\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\install\server.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
File created C:\Windows\install\server.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A
N/A N/A C:\Windows\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
PID 3068 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe
PID 3056 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\221e346418983460f083918f7ae5c8b1_JaffaCakes118.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

C:\Windows\install\server.exe

"C:\Windows\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 f3885c07bb0fca089e7a38c6df0e7776
SHA1 0d351c5f036b763dd1ee94110a9ca9639c7a9d3d
SHA256 f9c223a62d727ab28458f1eda6454577f2f38cc48be6e9ab4fb7d4a47d36b3b3
SHA512 37e8c84db2065e20d8a4f5a49e2def160ba8ccddde6982efc0ffb4f8b932715bc4fd64315390a0a2145adcf2db9f9d058abf84573eec925444f464c7df873ce5

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

C:\Windows\install\server.exe

MD5 221e346418983460f083918f7ae5c8b1
SHA1 8374f92bdea380cece6ca3c8757b550afde10985
SHA256 fffed4b522cd8effd6914c90b628fdf705862c0954705bd1ad3bc20413de2de5
SHA512 d212a3ae8c9cbc2bcf4dcead64187884530b683aa2f6887d9481ef82d747f3077056f5f0ebc255305e03f58c9fc6fc83d8f93fce27dfe8c0145974d3fe12bd0e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx
