Malware Analysis Report

2024-09-22 09:04

Sample ID 240801-hj451sxdlk
Target 7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118
SHA256 c37d9b6d20af40ad67dca4b265d6abee6809f28a72b6153cd942b8c43049f80b
Tags
cybergate cyber discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c37d9b6d20af40ad67dca4b265d6abee6809f28a72b6153cd942b8c43049f80b

Threat Level: Known bad

The file 7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

UPX packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-08-01 06:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 06:46

Reported

2024-08-01 06:49

Platform

win7-20240704-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073} C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2864 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2864-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2812-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-20-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-25-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-24-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-17-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-14-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-11-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-6-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-3-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-1-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2812-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1200-29-0x0000000002240000-0x0000000002241000-memory.dmp

memory/2316-312-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2316-311-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2316-559-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 0409fa098439559fb93fc0d8e914c20e
SHA1 d7396a66b28c2bc4840deeb285b81d574396b0ea
SHA256 95012d9251a4c60f32b16e769ef91722c424aa355a5ebe00f8d6e843703b6687
SHA512 e1381c9c3f5b73fcddce4525d1916938286d665c5203d2867124d773ce9357184ccff7b334273673d6124429568501b68df651b0aa3d7bfb710246dad46445de

C:\Windows\SysWOW64\install\server.exe

MD5 7f8982cfbf8b2ecab43661a12a87a8cc
SHA1 731d25d4ab66e8fa630ec737446412114f48f33b
SHA256 c37d9b6d20af40ad67dca4b265d6abee6809f28a72b6153cd942b8c43049f80b
SHA512 210561d8e84869bbced28e5983c6be9c0e6b379f97019aacf4a90c8adb4cecaa327ca87ed02e5a88d519b77969439d7deda7008c0b17c73ca6be974c3cd8e287

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d3199362e7f00b48589e199b838d37c1
SHA1 7f50a2249679eb78ac75b01bb821e5e9bf61b8e0
SHA256 7e9f16ff9a99703444cae45c029f2a371f4d2dd51a319eb788fcfe141f1abed4
SHA512 dae104fc3cbad516111d10ded65db255be6e80d731a3cb699f7d494efe707d6d827c33b0852602d5785900a49701efafb361730771feb1d2b27f31313e8452ed

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 99ff54a2a7e00898386769518574d390
SHA1 ea2eed7f42fd416b12fe28cd90919897c0d070e8
SHA256 a269ec9e157e3b1570e1e3b5b6a9e1613d486af3fac2a3306d6e38b5342474f9
SHA512 5c84e384657092b83b876fe995ef5659adac918caa704844217203923f2f96910947b50b5b7239048f153a3d26019d5ceba8b466ec5efe7c84b45b899a7c35c2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 40c72a149f2b2938915cafe7c3e45770
SHA1 165edd0dc675c5c8bdbc30af9a21f791464f3d0d
SHA256 019689edae1191c403c8027ab95165a91694ee185764d40a91197fbb8f447358
SHA512 0a96ab8ae7f1f72c8682ec45a933b00b2b45de118d8f033b9c0842ff7d0db306ce1dacc3d2ec2777d02a7a9dfd78f936c67680629d061293dbbfe89c6eaa988f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d8544174400f315d144888462568023b
SHA1 9b1124be65fc355fadaeeb62d8bc493a3749ccc3
SHA256 d8284f7bfe6c524cda79f5240c53f7441e942ed286826268c188756a59862de8
SHA512 91247f077a71652cc0439445d7a87300e5792c22bd1ea7365d85317843730da8de0f67cfd28e7d8b670f00c522f6a69e68980559bd2353dcf71a32ad2332ff75

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 202dcb88b421af51c91f6841849b9474
SHA1 744a254127879e2e2821a2c2cb44b4a558668911
SHA256 c6826806e7a2a169d892ca1d17f124ffe528da78bdf7fc22e081fd0c11c7d436
SHA512 b196ada8739bdab7bdb9820cf33000a65365e3df471a8c39160b0bfe2aaec5f1671044f4c8c09301849b0f26aa776b7abc351f8b9b5b4cea454ef7e7b51bdd25

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dcf18ae24dbc407e045999a588772d13
SHA1 3f4ff6a0dcb7b26b655c435fad9c05b698ef0b75
SHA256 afb1bed15cc0eea4c2d516f22667a39cbce66880c0507e0bb964fae80c23dd1a
SHA512 b6831457827513484307d66a3b3210aa4e23e3b19b040323eafe671c3b7ffcdb974b5a4dfd5829ced95a0df23f2d701f11f5ecc0b1ee2425eb2f483ffc231c1a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d9da0afa41c3f47e34c0fa2a70b7a690
SHA1 fbbaa27376899b78eb9ce1d1d809c9d459c2dfc9
SHA256 b789305e1ea69126f397f02a896f77e88513b4724c24e299cc689cddae56f213
SHA512 42c444c62c28f4fdc6400702421370fb2b1f98e317d78ba990fbfc59acde87d02ffea5c21158ba1c06aa8ec25faa9800894940af552cc3bc72af775ecaf944d3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7f4b05b01f543ea82923fa7cfc09f673
SHA1 befb2b62f1bcd331e1ac4033561793c26a77751c
SHA256 ab9937c0e13cd219fdd0e8e3009e634292121ce6605958985f1205ed5c536129
SHA512 3bfbf24e50674886064e20b006e82945d2fea67a08c9363a3dde75541921ee77d42db34698b91d37cfb66433e8c7b08206eaec98bd522b0e0be010eeca367233

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 539c243bb252ecc91c0ac71d8d2e94a0
SHA1 62dcdbecc458050f104c2b7a1353aa96d3cce4b3
SHA256 9340f8772e9ec04b09e7569316b05ef4a9bdabffc453d0524ff4415ded5da202
SHA512 5efe48f582e898e9bea45f86325a956a6cb359095285943a248648e5092855e3feae8d520e435dbd38124c837d853420acd82cd2fc805b35dbba22cd6f2b7e7d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f6c9f1838c0624e815b08a00a3184d4a
SHA1 97d0c8a9ea9ffb1a4677cb65e528d3ef0fefc976
SHA256 7949ff1c01e5c37779b45cf15dd5250069524565f30de6b1e259af8d8fadb439
SHA512 12b18aeccb5e3a2a10743dc53a1a776430f5f0da0a293ffef307f020a40d8abc3fcfdbf5a30978d56a45e715cb8ccbac852082d6675364c4273f896759a7220c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 11eae77929d9b9bc965d621f4a04bb44
SHA1 6f79d933780b698fb7a790c087aafe15c149886d
SHA256 0592d60dd89f6d63d3c778a5a758a6339a316ba27d658e02bcf931220278be3b
SHA512 18405023b3cf82a047fefab5e868d684d0674f805a927e222fcd74b7bae5953f78fb512baef1f7dcc69a12ff3ba8952de626aac1d576e934b35689f9a0dec118

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e3a0c05cdfe031dca7d9677fe756effa
SHA1 eea1f6170f43217bed144da7e89527a56006df84
SHA256 4b74e195b2b3571823eff3da71b596e53453fa78ee78fccf7b58107b4b0d79dc
SHA512 a19d2a5fda19461cb8f026e44469f98153660e2b33c6f143069d4c832138770cfcc6bccd92f5e63cc76c9634d3ddc341c40fd0e7db03de2f510e76775786fc87

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5103bd5fcc62ebd33a80a8b2f1b2b1ca
SHA1 ae93cebc7e9f35d22ae49b09c361a29f5537bdac
SHA256 c306592b684b3357362aae9efd6eca58ac2f880a42dd4b4c9f7e2302a6a6915a
SHA512 af96d8548ed2f00f7133cda25bbcc0af4c8be51a5a503f278c5d6e35d9d2075c51777be72edf6489dd394a09e4f0810c5bbc966d262466c68fe97ef3eee1d041

memory/2316-1740-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f492dc08a6b9c02d6fbed2acab7a936f
SHA1 f1f27d531ef730b15c77233f15133a983b46a989
SHA256 0c86a75dbc0bc67c9a42f90fe49f0fd8e379d4a05707fa2d6e4767230946552f
SHA512 e326b4783a887b4bc3c047d54f970fa58af4e2620a8a64652b4199ea6ef2871bbfff1794f761ca701c4b2dc8debccbf34f4329a362610949b79db319ecf06c68

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dc863267cb59a8ad244978d4afd0f344
SHA1 d74b04951751a7da1f5263d9b3fa3bd872aba89d
SHA256 cb6627974e4a1250a2bdb6ebe5ec2f82c354370a9d9f3f4a7c1d26222dbc138f
SHA512 a67155d5b9639c607583e5a2e4b2b5d0550fdf2dcb76fd939e205442834d0ee9d83b3566516eaef7d6679b907301bec46b391923676fa1fd7d46bdcd6d0f90d2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 771d96fa23257727e1ecba41599eba7d
SHA1 0a7b7a3d639e039cef0d35923d8e5b60f334daf3
SHA256 8041a259c30588b836443136e65265d9d3498888002eb145a3c904fa5a1bfcc4
SHA512 7de7c0211ccdd9be4da7f511175e22d2283f03d07f3be7a9afee6cb00b89632be6e58c61bfab70af39bfe4ca9119edecc6c501bd9baa6b985177b02a8a80cbcc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b1a82ae10f947316317c14e16c46e50b
SHA1 353e4057307d8f3eb37ad0f6b6d0484658868167
SHA256 322bc357169f04be49c36917cdb3af1c9f6713219403c3baf810f83e5079d780
SHA512 d524dfcadd27398b6d3b7fdafcadefb55ee9b411eef14e151999b12bbff42df8b3cb11e7a7f52fba5cb0084c63aeed8c8b72e781f949018755b972a9d31ada52

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7e5720e911e65fd5b115d51a0b34fc0e
SHA1 03ef5212b4d4e9b38535fe1e21028b5c41af6052
SHA256 8f3bebf4e838561130b22b88d40e5e0bffa97158a6e48268795071cc5f92d2ac
SHA512 79987bef1f433a3145487cbf6e530cb5a49d97406489b8ceccf4aee8abb7b8b89bbbbb4eefc64698b7392e91bf8adeaf7f74628745c919988d8a4b857d205c4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 06:46

Reported

2024-08-01 06:49

Platform

win10v2004-20240730-en

Max time kernel

150s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073} C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7T8XDUA-K3CU-V183-67AU-CW3488WYX073}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe (13 identical entries)
PID 2904 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe C:\Windows\Explorer.EXE (51 identical entries)

Processes

C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe
Command line: explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7f8982cfbf8b2ecab43661a12a87a8cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe
Command line: "C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe
Command line: C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

memory/1032-0-0x0000000000500000-0x0000000000501000-memory.dmp

memory/2904-1-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2904-4-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2904-8-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2904-7-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2904-6-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2904-10-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2904-3-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2904-14-0x0000000010410000-0x0000000010475000-memory.dmp

memory/3732-19-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/3732-18-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2904-17-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/3732-79-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 0409fa098439559fb93fc0d8e914c20e
SHA1 d7396a66b28c2bc4840deeb285b81d574396b0ea
SHA256 95012d9251a4c60f32b16e769ef91722c424aa355a5ebe00f8d6e843703b6687
SHA512 e1381c9c3f5b73fcddce4525d1916938286d665c5203d2867124d773ce9357184ccff7b334273673d6124429568501b68df651b0aa3d7bfb710246dad46445de

C:\Windows\SysWOW64\install\server.exe

MD5 7f8982cfbf8b2ecab43661a12a87a8cc
SHA1 731d25d4ab66e8fa630ec737446412114f48f33b
SHA256 c37d9b6d20af40ad67dca4b265d6abee6809f28a72b6153cd942b8c43049f80b
SHA512 210561d8e84869bbced28e5983c6be9c0e6b379f97019aacf4a90c8adb4cecaa327ca87ed02e5a88d519b77969439d7deda7008c0b17c73ca6be974c3cd8e287

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 99ff54a2a7e00898386769518574d390
SHA1 ea2eed7f42fd416b12fe28cd90919897c0d070e8
SHA256 a269ec9e157e3b1570e1e3b5b6a9e1613d486af3fac2a3306d6e38b5342474f9
SHA512 5c84e384657092b83b876fe995ef5659adac918caa704844217203923f2f96910947b50b5b7239048f153a3d26019d5ceba8b466ec5efe7c84b45b899a7c35c2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 40c72a149f2b2938915cafe7c3e45770
SHA1 165edd0dc675c5c8bdbc30af9a21f791464f3d0d
SHA256 019689edae1191c403c8027ab95165a91694ee185764d40a91197fbb8f447358
SHA512 0a96ab8ae7f1f72c8682ec45a933b00b2b45de118d8f033b9c0842ff7d0db306ce1dacc3d2ec2777d02a7a9dfd78f936c67680629d061293dbbfe89c6eaa988f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d8544174400f315d144888462568023b
SHA1 9b1124be65fc355fadaeeb62d8bc493a3749ccc3
SHA256 d8284f7bfe6c524cda79f5240c53f7441e942ed286826268c188756a59862de8
SHA512 91247f077a71652cc0439445d7a87300e5792c22bd1ea7365d85317843730da8de0f67cfd28e7d8b670f00c522f6a69e68980559bd2353dcf71a32ad2332ff75

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 202dcb88b421af51c91f6841849b9474
SHA1 744a254127879e2e2821a2c2cb44b4a558668911
SHA256 c6826806e7a2a169d892ca1d17f124ffe528da78bdf7fc22e081fd0c11c7d436
SHA512 b196ada8739bdab7bdb9820cf33000a65365e3df471a8c39160b0bfe2aaec5f1671044f4c8c09301849b0f26aa776b7abc351f8b9b5b4cea454ef7e7b51bdd25

memory/1032-443-0x0000000000500000-0x0000000000501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dcf18ae24dbc407e045999a588772d13
SHA1 3f4ff6a0dcb7b26b655c435fad9c05b698ef0b75
SHA256 afb1bed15cc0eea4c2d516f22667a39cbce66880c0507e0bb964fae80c23dd1a
SHA512 b6831457827513484307d66a3b3210aa4e23e3b19b040323eafe671c3b7ffcdb974b5a4dfd5829ced95a0df23f2d701f11f5ecc0b1ee2425eb2f483ffc231c1a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d9da0afa41c3f47e34c0fa2a70b7a690
SHA1 fbbaa27376899b78eb9ce1d1d809c9d459c2dfc9
SHA256 b789305e1ea69126f397f02a896f77e88513b4724c24e299cc689cddae56f213
SHA512 42c444c62c28f4fdc6400702421370fb2b1f98e317d78ba990fbfc59acde87d02ffea5c21158ba1c06aa8ec25faa9800894940af552cc3bc72af775ecaf944d3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7f4b05b01f543ea82923fa7cfc09f673
SHA1 befb2b62f1bcd331e1ac4033561793c26a77751c
SHA256 ab9937c0e13cd219fdd0e8e3009e634292121ce6605958985f1205ed5c536129
SHA512 3bfbf24e50674886064e20b006e82945d2fea67a08c9363a3dde75541921ee77d42db34698b91d37cfb66433e8c7b08206eaec98bd522b0e0be010eeca367233

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 539c243bb252ecc91c0ac71d8d2e94a0
SHA1 62dcdbecc458050f104c2b7a1353aa96d3cce4b3
SHA256 9340f8772e9ec04b09e7569316b05ef4a9bdabffc453d0524ff4415ded5da202
SHA512 5efe48f582e898e9bea45f86325a956a6cb359095285943a248648e5092855e3feae8d520e435dbd38124c837d853420acd82cd2fc805b35dbba22cd6f2b7e7d

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f6c9f1838c0624e815b08a00a3184d4a
SHA1 97d0c8a9ea9ffb1a4677cb65e528d3ef0fefc976
SHA256 7949ff1c01e5c37779b45cf15dd5250069524565f30de6b1e259af8d8fadb439
SHA512 12b18aeccb5e3a2a10743dc53a1a776430f5f0da0a293ffef307f020a40d8abc3fcfdbf5a30978d56a45e715cb8ccbac852082d6675364c4273f896759a7220c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 11eae77929d9b9bc965d621f4a04bb44
SHA1 6f79d933780b698fb7a790c087aafe15c149886d
SHA256 0592d60dd89f6d63d3c778a5a758a6339a316ba27d658e02bcf931220278be3b
SHA512 18405023b3cf82a047fefab5e868d684d0674f805a927e222fcd74b7bae5953f78fb512baef1f7dcc69a12ff3ba8952de626aac1d576e934b35689f9a0dec118

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e3a0c05cdfe031dca7d9677fe756effa
SHA1 eea1f6170f43217bed144da7e89527a56006df84
SHA256 4b74e195b2b3571823eff3da71b596e53453fa78ee78fccf7b58107b4b0d79dc
SHA512 a19d2a5fda19461cb8f026e44469f98153660e2b33c6f143069d4c832138770cfcc6bccd92f5e63cc76c9634d3ddc341c40fd0e7db03de2f510e76775786fc87

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5103bd5fcc62ebd33a80a8b2f1b2b1ca
SHA1 ae93cebc7e9f35d22ae49b09c361a29f5537bdac
SHA256 c306592b684b3357362aae9efd6eca58ac2f880a42dd4b4c9f7e2302a6a6915a
SHA512 af96d8548ed2f00f7133cda25bbcc0af4c8be51a5a503f278c5d6e35d9d2075c51777be72edf6489dd394a09e4f0810c5bbc966d262466c68fe97ef3eee1d041

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f492dc08a6b9c02d6fbed2acab7a936f
SHA1 f1f27d531ef730b15c77233f15133a983b46a989
SHA256 0c86a75dbc0bc67c9a42f90fe49f0fd8e379d4a05707fa2d6e4767230946552f
SHA512 e326b4783a887b4bc3c047d54f970fa58af4e2620a8a64652b4199ea6ef2871bbfff1794f761ca701c4b2dc8debccbf34f4329a362610949b79db319ecf06c68

memory/3732-1353-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dc863267cb59a8ad244978d4afd0f344
SHA1 d74b04951751a7da1f5263d9b3fa3bd872aba89d
SHA256 cb6627974e4a1250a2bdb6ebe5ec2f82c354370a9d9f3f4a7c1d26222dbc138f
SHA512 a67155d5b9639c607583e5a2e4b2b5d0550fdf2dcb76fd939e205442834d0ee9d83b3566516eaef7d6679b907301bec46b391923676fa1fd7d46bdcd6d0f90d2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 771d96fa23257727e1ecba41599eba7d
SHA1 0a7b7a3d639e039cef0d35923d8e5b60f334daf3
SHA256 8041a259c30588b836443136e65265d9d3498888002eb145a3c904fa5a1bfcc4
SHA512 7de7c0211ccdd9be4da7f511175e22d2283f03d07f3be7a9afee6cb00b89632be6e58c61bfab70af39bfe4ca9119edecc6c501bd9baa6b985177b02a8a80cbcc

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b1a82ae10f947316317c14e16c46e50b
SHA1 353e4057307d8f3eb37ad0f6b6d0484658868167
SHA256 322bc357169f04be49c36917cdb3af1c9f6713219403c3baf810f83e5079d780
SHA512 d524dfcadd27398b6d3b7fdafcadefb55ee9b411eef14e151999b12bbff42df8b3cb11e7a7f52fba5cb0084c63aeed8c8b72e781f949018755b972a9d31ada52

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7e5720e911e65fd5b115d51a0b34fc0e
SHA1 03ef5212b4d4e9b38535fe1e21028b5c41af6052
SHA256 8f3bebf4e838561130b22b88d40e5e0bffa97158a6e48268795071cc5f92d2ac
SHA512 79987bef1f433a3145487cbf6e530cb5a49d97406489b8ceccf4aee8abb7b8b89bbbbb4eefc64698b7392e91bf8adeaf7f74628745c919988d8a4b857d205c4e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 bf5f67ecb64d9a6b1628d69cfdb452d3
SHA1 27b3e81b1d6d285bb35bb0642a49d1f233345dcd
SHA256 066aaf4128101a10fdd61864d87063d2d0a260d385dbd132c0114c833c986252
SHA512 2b69f631e101201b7575242038aada8a6945a08d336c6c03c6f6287734ab81c53cac8af56936a4ae24ccbabf0597e8ee7c009408801899101b20942396985631