Malware Analysis Report

2024-11-13 18:28

Sample ID 240815-tn47csvhlp
Target 9ab644449c7139b4ae722c8044383e4b_JaffaCakes118
SHA256 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1
Tags
upx vítima cybergate discovery persistence stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

Threat Level: Known bad

The file 9ab644449c7139b4ae722c8044383e4b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx vítima cybergate discovery persistence stealer trojan

Cybergate family

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 16:13

Signatures

Cybergate family

cybergate

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (2 identical rows)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 16:13

Reported

2024-08-15 16:15

Platform

win7-20240704-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (9 identical rows)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A  (2 identical rows)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2444 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | C:\Windows\Explorer.EXE  (64 identical rows)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"

C:\install\server.exe

"C:\install\server.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp  (13 identical rows)

Files

memory/2444-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2444-3-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1300-4-0x0000000002220000-0x0000000002221000-memory.dmp

memory/2368-249-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2368-247-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2444-337-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2368-553-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\install\server.exe

MD5 9ab644449c7139b4ae722c8044383e4b
SHA1 04356f283d8278241598c5d97261344bcb2fd8d1
SHA256 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1
SHA512 f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 ede4ab0dc240d253ec6719bb232ced84
SHA1 f2e3d4558906ee268dd36595f1b5b22a37764c65
SHA256 76e94dfb3166cb8794b3be486bdfa5fb1566ec06a780c5fe328a8090cc67fbb5
SHA512 a1fa26d4c0487a2536269f19c9f98726c416cafb8fd16a7d02aff504c3c9a4c13db31778dbb9a9ccf94e1ca8802aaa2064ae2be734e2901ff4eae17be7287eb4

memory/2444-577-0x0000000000220000-0x0000000000277000-memory.dmp

memory/2444-885-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/1632-906-0x0000000006A90000-0x0000000006AE7000-memory.dmp

memory/2368-908-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2592-910-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1632-911-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1632-913-0x0000000006A90000-0x0000000006AE7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fb6445b5335a91922c5e6e68cc71d520
SHA1 f21e3cd41ada38f307dbd7d89c3e87811278416d
SHA256 b5f0ddece953bb5203c8d7ca0039b72acc90b1df5849655b6a99df58ec3ef75c
SHA512 a0df91c1eae6591318f6c29e1d7a47b5d99d8f1e2a1646d7ce51e42dbe22041ccc5cefe8a82e2485197bae028c7f1994c1a77aaf769bcad6ae9636d71d3c0834

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1cf765ecdf79c04773488dac4785327e
SHA1 959fd2d22c4b47904255fe3c418ab7c6814c4140
SHA256 162172801ccc25363aea0ceffde08b4cae340b839fdfaf23b4664932af889462
SHA512 3bc547356b4c4d35b1dcf454249fc94b164b0b01888d26b104203967d179d9fb77c0bd122fc9547cae78392ecf866ca148ed4ade91d433ea8225277c420eff88

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 734339e3dcb0dd446bcccb852ccdaf80
SHA1 bca375481f3e554addc47a5c36692438a630945c
SHA256 1547acab6d10c894e1c9b9a05b381c769a4af1c61fa3290f0c0b43a0f70be7f5
SHA512 dbf6baad219a554f20342db66fe6b718e12058d73854f426e65b3739e62372855641cd2d4717893915e57f3746fe7d0e16a370382a4acd8ae7a91d33080c7494

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4bec79e0cfa17c450a618803aa2b5bda
SHA1 3d609504d946b86f60589229ca44f07a828deefd
SHA256 ef1eed846e3de911f319cc90f26c8d8359b3a58934e9da99676c2e03302afe49
SHA512 a36dc78d7cba4c89cdc944e753345a2a223271bfe3e6d271c380a43a3767425b09d6e250ba72c446e8ca7653c41e91614c2ebccf209e32e01a4a27e45c3594c8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a7bcf93b2e933b7cc828cdaa41a96670
SHA1 fe7fe6a6e2b8c9f0a4c6ef1c0f8145623b87e203
SHA256 0736c6dd3c4f7502d717078d58227f8d2c8eb79e9435ee8631cfc9c5d4e15750
SHA512 70b028eebc28aac649fa2857d797e9d32777b0359c9695e29e4605d099a3677358df5d8ad6d9170480bb7c9f31b399709984883a5958ba2384424ebdd80f2413

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f12bf4538897f8a3c64ca2c6d4384ebb
SHA1 41d64e502c7cbd6e5242caea1bebcee6e2f883fe
SHA256 9c2d188ba427261a512947e2c1ce9a99d467f735a78a73330780da045e8d7bd3
SHA512 50cb1bddc319c01bf76ee5e58ee040c3289247d8530e57c1c248083a4a80dc225a04de5ecf0713adc941422bdeaa9aaf4bbcae77877b52bb375330c0bc51596f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 550a067fda5040bf35d9fbc2ecde6803
SHA1 f2dbdb2f452db37a8354270b03b9ed4040455bee
SHA256 3f76b9626e359555e5f7ec4e99b1c8e06bb139d360bb5f77f842536102f3ded3
SHA512 742bdada4a3e432b3f20969a1516c5f2a05d3f3c6114666e127fac052fc913a7c2f44f9efda07cd0f96d6e4295a54adfa844ee831affee1ec82d59f9ae637033

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0c59284fc3e6fd5a27d8e6063a3cfb11
SHA1 7ba57b8b43ef48b54605735d52bf6a69feba02e5
SHA256 66323070d53b29c70a95a28033ab61c1a9a991b8c897806eb73f5388b629d479
SHA512 7cadc74d292208a3e9c63c29c5ee77fb9d135e1730da689106fb83f00294d7b9525e0cd689c7ad5701b13966f7be816fd8a3d6ba530e6e02823f20ea21032661

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8b77986f78fecca844187ffa90f226f8
SHA1 8f2f505561f495cc297d05805ba5e523d6e147ad
SHA256 9d5dcac8ef78cc0bcee912f0d8508627607f9e0b40d299c5929216040bbf0ada
SHA512 deaf6a8e128ac8988c5b016561292228ab609d96398ddcf9ff5a6854015418b1e98222519296b156ddbaf1486529f74eb775c9d886a27d0267a81f0fe2f01d31

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 21e4851d992d171d03070c57f6264571
SHA1 95722a82701400a574ecdbf54cf98025f9a61e18
SHA256 934db246b0319b5a6c5b3de78c59e3a814fc5095d26d4268b8c907bd6aa08b6b
SHA512 2fe08f82f01fa081834dd4ea605cbe94d2b5a6fac31260af65a0b06b4b0ece332df69e47d19e0704a2c1064b64fcbc71d3aa165f5b8f97f4f7959284275b8820

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 687d5b1c6f0a45f44808453c8d7a421b
SHA1 707c35a7a18c34567feea6f35e0ea2cb8722d3dd
SHA256 1b060df76a0d5c748e458f705637c50525cadd8c5d371c2c93838308c422cffd
SHA512 43f82013205971d219ad9afa95041d4ca1fbd608a1e47a76ddbf767f4821297ada714676558d383686fe4c847a63d47570201d30118b988cca0dfda5a4e8b00e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c2438a51f22d06fb7352c5cf46ced941
SHA1 f0c627f143760a936fac093d2622b2ff26842611
SHA256 94b262cd319996e00d317ebe7f2b8673c27bd1ec8d5d11b5987bd2a85873b53a
SHA512 2b988dbd427d14ea989d0401ccf42bfdde627455a71db2533b492ca83e73e58ad5ecaff1e8507394c45a6ea8c85a3a1523eb395da1d01f03146639387412821e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1d827f505228ca285b5fcf109be773a7
SHA1 e2699cfdd258ddd7978a2877dd9f82bbfb0497a5
SHA256 f468fc79f590cb7e6a12a1ec2ae0f6a67d0c198a781b5c7212431e402e2aa7d1
SHA512 3745dcf03d6197a02d2346880d675d02772be47ba0e737c22342b3ca3f59675ea6dafd944978bf096dcb4385fc59224e77854115ecd253c994a26298d621c1ad

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 74797a74c178f3c0cf5186efa6174d33
SHA1 d9d307dbe3793b568404acbbc68e62a8b2475d60
SHA256 d1a0133d311a61e6dbefe97e1255ab48aefb78c7492c21a844c7f9f3872d5a14
SHA512 54ee1a7140e974d94db69a8e076dae08470f86fef30ee9d4f12c7e32ffcfeed08cf7bff49d7bf3688890eb41a4b9da13b820d309da988883c2d6b684cf207d64

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 aaffd81975b243aeda71664f74738c43
SHA1 8e28cfed3ada884f66a11b46f4332fb413eef807
SHA256 a314947908bc63b29b1cf8452991d1bf5739135499f10b50fa892c5a3720ecc8
SHA512 245d02990e6c8b750cb0d20cd3f423bb30d5a5a95792453c555c1e3aae102a3c257b3b8096281d5968121afde61ca6047348cf1c894a057bb0f4d556afdd3636

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 056466b5b74a107a79a26819cf1746e5
SHA1 586293c832636c76dd2605e38530660c92c1bf62
SHA256 a239b18edc6841424cafc988fd0ae78c56364fb55b056983cbff026b58b00441
SHA512 788e586ae3e3fe37e003155fb4b8018c3b197ca7ddcf0485a98eaf3f5db09825353b6ee368b4085206292b4a8c626297608f2bdb2a6b226967bd99847c6f896e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6eb8aff4c5ab039c13cac9503665ab01
SHA1 d6edaed15c05fd913df99a96ab4b44b2f838e462
SHA256 84fdf1bcfdac6919628287948c66a293f5f32c5d148fced55096996102e64788
SHA512 9f866cf064776f43e358c6dbc0b955853338a61ecabb3f211644b245a366cb5dccbdd4ad4ba7958de63346c9a072b8c9a595814de64391d186d0e75b8a397532

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a4216fd86b46ca6d32fcef0d8da63fef
SHA1 2ff817a8b90daef81377edb9795e5f13cb4e7887
SHA256 928476bdfb64879b8cc3165e440115134c464aca8c94f6e65e1f60918a3f3973
SHA512 c47dc9c07f19644ed541025ac6487f796b34d7f54abca8d2fc37708987ed04ea2ca8fa266f90ba998e8339620514df260e2bfc845dc4b64f449dd65e7e1f3931

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 84324c563e46a5918b89906f5603c01c
SHA1 aedeeee04f650a42bfa995e05d735d8c54843619
SHA256 a06b629f2d650124cdbe82aadd41e9856c7e6d964821b75ee1b10d7ada8ae0b3
SHA512 d5419c116f02b3b4f98b23cdc1fdb706dfe13536f5f27f65312034751eaeadf2e9282ca751d997c6fd2c64b3ba74aa61166eb49c35f082215ec0671ec444d147

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c1fb4bc55250a2006195b03ec5f220f7
SHA1 387ce2790b27d54cf0b2ca43ea700126e6fff791
SHA256 a22853ea7704a37247b6b127fc3e4dd32102b1e2f002f3a134aec148dcdc1648
SHA512 170419fc85dd938a5b84b2060ed7820f012c78c39378d9275ec846bacab2f1197f13dc28b9f8fb4b957727f5fbc108011b8b3b6ede21f463fa460692be7eeac0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0daeefa64e1d1119a8a06ac5368bcfb1
SHA1 bb9323b4b6c263e91227340a81a1678b9bb41e48
SHA256 08f2e622bd9617e66c4bebe95ad2e35a0fe8b36d12d0e8b320df56bb8678a17c
SHA512 bab03e6ceb877073c2138589261bcbfb4360802e730c3d764c3bc4deced88598b248b77bee8eab05fd93ca1fd006bc13a2f16dfca1a6c903ae2fadf553be9955

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 16:13

Reported

2024-08-15 16:15

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (12 identical rows)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\install\server.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\install\server.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A  (2 identical rows)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4636 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | C:\Windows\Explorer.EXE  (21 identical rows)
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe"

C:\install\server.exe

"C:\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/4636-0-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4636-3-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1928-8-0x00000000012B0000-0x00000000012B1000-memory.dmp

memory/1928-9-0x0000000001370000-0x0000000001371000-memory.dmp

memory/4636-24-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4636-66-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/1928-68-0x0000000003E60000-0x0000000003E61000-memory.dmp

memory/1928-70-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\install\server.exe

MD5 9ab644449c7139b4ae722c8044383e4b
SHA1 04356f283d8278241598c5d97261344bcb2fd8d1
SHA256 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1
SHA512 f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 ede4ab0dc240d253ec6719bb232ced84
SHA1 f2e3d4558906ee268dd36595f1b5b22a37764c65
SHA256 76e94dfb3166cb8794b3be486bdfa5fb1566ec06a780c5fe328a8090cc67fbb5
SHA512 a1fa26d4c0487a2536269f19c9f98726c416cafb8fd16a7d02aff504c3c9a4c13db31778dbb9a9ccf94e1ca8802aaa2064ae2be734e2901ff4eae17be7287eb4

memory/4636-140-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2808-141-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/2864-161-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1928-162-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2808-163-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2808-164-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2779c84ceced72a3d34b16b6df3a2741
SHA1 bacf8a924fcf87660c78b38932458bf42cb7811f
SHA256 5e1ad37e803217090dbb19d5f0583fe9b6bbd97760361bc61782573504d08461
SHA512 46ecf84435a008aad5171380ceeefdcb542318150bc8f06025d1f7e1e2bc8871072321d1ec957843f61594e66d276574a8a094d634b97b14b200c3772f144601

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0ed06331028d63d49b4ee01f2641e352
SHA1 2a76c44528446443fe834ea00504df8e925cd000
SHA256 66d61dec7c65089d46126a3491ee7530969a4cbd60a211ce42f2d286cf1fc4ce
SHA512 1f78ac0ec1e8aa9cac135cc5e0acbd058b8409b687ed71f6c36a1748d99d619cc224570306608925e745835c85f424a2815e5882ec24199580dcbc33527897d3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 34d92c2987f6e95b83f84e300837ad18
SHA1 ed4e214b926098ffb26edda4c7c139f7b72e5c05
SHA256 214aed4cff482c2355a6c17908e88eb595fc9fd62e8e6ced533eb77a30a30a74
SHA512 e300a3e916b7132f96f271a147232322533cc6280be96d7cc0565049fd8aefb5ca8f6e170fee9e4ae4262db7f7463af068e19dc5175c4e63781e1ecfef59ef94

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fb6445b5335a91922c5e6e68cc71d520
SHA1 f21e3cd41ada38f307dbd7d89c3e87811278416d
SHA256 b5f0ddece953bb5203c8d7ca0039b72acc90b1df5849655b6a99df58ec3ef75c
SHA512 a0df91c1eae6591318f6c29e1d7a47b5d99d8f1e2a1646d7ce51e42dbe22041ccc5cefe8a82e2485197bae028c7f1994c1a77aaf769bcad6ae9636d71d3c0834

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1cf765ecdf79c04773488dac4785327e
SHA1 959fd2d22c4b47904255fe3c418ab7c6814c4140
SHA256 162172801ccc25363aea0ceffde08b4cae340b839fdfaf23b4664932af889462
SHA512 3bc547356b4c4d35b1dcf454249fc94b164b0b01888d26b104203967d179d9fb77c0bd122fc9547cae78392ecf866ca148ed4ade91d433ea8225277c420eff88

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 734339e3dcb0dd446bcccb852ccdaf80
SHA1 bca375481f3e554addc47a5c36692438a630945c
SHA256 1547acab6d10c894e1c9b9a05b381c769a4af1c61fa3290f0c0b43a0f70be7f5
SHA512 dbf6baad219a554f20342db66fe6b718e12058d73854f426e65b3739e62372855641cd2d4717893915e57f3746fe7d0e16a370382a4acd8ae7a91d33080c7494

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4bec79e0cfa17c450a618803aa2b5bda
SHA1 3d609504d946b86f60589229ca44f07a828deefd
SHA256 ef1eed846e3de911f319cc90f26c8d8359b3a58934e9da99676c2e03302afe49
SHA512 a36dc78d7cba4c89cdc944e753345a2a223271bfe3e6d271c380a43a3767425b09d6e250ba72c446e8ca7653c41e91614c2ebccf209e32e01a4a27e45c3594c8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a7bcf93b2e933b7cc828cdaa41a96670
SHA1 fe7fe6a6e2b8c9f0a4c6ef1c0f8145623b87e203
SHA256 0736c6dd3c4f7502d717078d58227f8d2c8eb79e9435ee8631cfc9c5d4e15750
SHA512 70b028eebc28aac649fa2857d797e9d32777b0359c9695e29e4605d099a3677358df5d8ad6d9170480bb7c9f31b399709984883a5958ba2384424ebdd80f2413

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f12bf4538897f8a3c64ca2c6d4384ebb
SHA1 41d64e502c7cbd6e5242caea1bebcee6e2f883fe
SHA256 9c2d188ba427261a512947e2c1ce9a99d467f735a78a73330780da045e8d7bd3
SHA512 50cb1bddc319c01bf76ee5e58ee040c3289247d8530e57c1c248083a4a80dc225a04de5ecf0713adc941422bdeaa9aaf4bbcae77877b52bb375330c0bc51596f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 550a067fda5040bf35d9fbc2ecde6803
SHA1 f2dbdb2f452db37a8354270b03b9ed4040455bee
SHA256 3f76b9626e359555e5f7ec4e99b1c8e06bb139d360bb5f77f842536102f3ded3
SHA512 742bdada4a3e432b3f20969a1516c5f2a05d3f3c6114666e127fac052fc913a7c2f44f9efda07cd0f96d6e4295a54adfa844ee831affee1ec82d59f9ae637033

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0c59284fc3e6fd5a27d8e6063a3cfb11
SHA1 7ba57b8b43ef48b54605735d52bf6a69feba02e5
SHA256 66323070d53b29c70a95a28033ab61c1a9a991b8c897806eb73f5388b629d479
SHA512 7cadc74d292208a3e9c63c29c5ee77fb9d135e1730da689106fb83f00294d7b9525e0cd689c7ad5701b13966f7be816fd8a3d6ba530e6e02823f20ea21032661

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8b77986f78fecca844187ffa90f226f8
SHA1 8f2f505561f495cc297d05805ba5e523d6e147ad
SHA256 9d5dcac8ef78cc0bcee912f0d8508627607f9e0b40d299c5929216040bbf0ada
SHA512 deaf6a8e128ac8988c5b016561292228ab609d96398ddcf9ff5a6854015418b1e98222519296b156ddbaf1486529f74eb775c9d886a27d0267a81f0fe2f01d31

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 21e4851d992d171d03070c57f6264571
SHA1 95722a82701400a574ecdbf54cf98025f9a61e18
SHA256 934db246b0319b5a6c5b3de78c59e3a814fc5095d26d4268b8c907bd6aa08b6b
SHA512 2fe08f82f01fa081834dd4ea605cbe94d2b5a6fac31260af65a0b06b4b0ece332df69e47d19e0704a2c1064b64fcbc71d3aa165f5b8f97f4f7959284275b8820

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 687d5b1c6f0a45f44808453c8d7a421b
SHA1 707c35a7a18c34567feea6f35e0ea2cb8722d3dd
SHA256 1b060df76a0d5c748e458f705637c50525cadd8c5d371c2c93838308c422cffd
SHA512 43f82013205971d219ad9afa95041d4ca1fbd608a1e47a76ddbf767f4821297ada714676558d383686fe4c847a63d47570201d30118b988cca0dfda5a4e8b00e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c2438a51f22d06fb7352c5cf46ced941
SHA1 f0c627f143760a936fac093d2622b2ff26842611
SHA256 94b262cd319996e00d317ebe7f2b8673c27bd1ec8d5d11b5987bd2a85873b53a
SHA512 2b988dbd427d14ea989d0401ccf42bfdde627455a71db2533b492ca83e73e58ad5ecaff1e8507394c45a6ea8c85a3a1523eb395da1d01f03146639387412821e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1d827f505228ca285b5fcf109be773a7
SHA1 e2699cfdd258ddd7978a2877dd9f82bbfb0497a5
SHA256 f468fc79f590cb7e6a12a1ec2ae0f6a67d0c198a781b5c7212431e402e2aa7d1
SHA512 3745dcf03d6197a02d2346880d675d02772be47ba0e737c22342b3ca3f59675ea6dafd944978bf096dcb4385fc59224e77854115ecd253c994a26298d621c1ad

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 74797a74c178f3c0cf5186efa6174d33
SHA1 d9d307dbe3793b568404acbbc68e62a8b2475d60
SHA256 d1a0133d311a61e6dbefe97e1255ab48aefb78c7492c21a844c7f9f3872d5a14
SHA512 54ee1a7140e974d94db69a8e076dae08470f86fef30ee9d4f12c7e32ffcfeed08cf7bff49d7bf3688890eb41a4b9da13b820d309da988883c2d6b684cf207d64

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 aaffd81975b243aeda71664f74738c43
SHA1 8e28cfed3ada884f66a11b46f4332fb413eef807
SHA256 a314947908bc63b29b1cf8452991d1bf5739135499f10b50fa892c5a3720ecc8
SHA512 245d02990e6c8b750cb0d20cd3f423bb30d5a5a95792453c555c1e3aae102a3c257b3b8096281d5968121afde61ca6047348cf1c894a057bb0f4d556afdd3636

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 056466b5b74a107a79a26819cf1746e5
SHA1 586293c832636c76dd2605e38530660c92c1bf62
SHA256 a239b18edc6841424cafc988fd0ae78c56364fb55b056983cbff026b58b00441
SHA512 788e586ae3e3fe37e003155fb4b8018c3b197ca7ddcf0485a98eaf3f5db09825353b6ee368b4085206292b4a8c626297608f2bdb2a6b226967bd99847c6f896e