Malware Analysis Report

2024-12-07 20:08

Sample ID 240826-emjrpstfjc
Target c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118
SHA256 bf54aa1a73313f1b8e09528ccef217c2519b90466d42e1367893f2f84057db17
Tags
upx vítima cybergate discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf54aa1a73313f1b8e09528ccef217c2519b90466d42e1367893f2f84057db17

Threat Level: Known bad

The file c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Cybergate family

CyberGate, Rebhip

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 04:03

Signatures

Cybergate family

cybergate

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 04:03

Reported

2024-08-26 04:05

Platform

win7-20240708-en

Max time kernel

147s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL} C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe C:\Windows\Explorer.EXE (64 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (13 identical connections)

Files

memory/2384-0-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1212-4-0x0000000002970000-0x0000000002971000-memory.dmp

memory/2384-3-0x0000000024010000-0x0000000024072000-memory.dmp

memory/2340-247-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2340-249-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2384-301-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2340-529-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 c23e73d7f57840726ea8cbdd35deb400
SHA1 b16f1ee1ef264a0c736a0b4e7249233d34edaea8
SHA256 bf54aa1a73313f1b8e09528ccef217c2519b90466d42e1367893f2f84057db17
SHA512 cbb76afc8cd108aaf121f4720d0805d0f1cdd9933dd9826ac0d3d176fb5c94929ab3deef82531a77cc61e5f5eab24567060160fc307d4349699c4747f549be04

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 25691eef7144581181e0deaadf4613ce
SHA1 9850b3e48fca07bdf31414edab4118088c6ec39e
SHA256 bcd26c7bff535257723bfaa085e6802cb0db959865734ae151e5163a4c2a8a67
SHA512 781bf6b5bb2a40537193d72b3e48a06def01c69322b74f489e0148f716da6d7b08cce8955220c8158cfea069c24f7fd0484f3552ce4daacd34bcdae0fb78f5c2

memory/2996-550-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2384-856-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2996-858-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/1356-880-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2996-878-0x0000000005DF0000-0x0000000005E6A000-memory.dmp

memory/2340-881-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2996-882-0x0000000000400000-0x000000000047A000-memory.dmp

memory/1356-883-0x0000000000400000-0x000000000047A000-memory.dmp

memory/2996-884-0x0000000024160000-0x00000000241C2000-memory.dmp

memory/2996-885-0x0000000005DF0000-0x0000000005E6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx (20 distinct versions captured)

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 04:03

Reported

2024-08-26 04:05

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{235IQA0T-XPEI-4KQ1-OW52-005O0OG1LGDL} C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (13 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\install\ C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\install\server.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\server.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 3572 (64 calls) N/A C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe C:\Windows\Explorer.EXE
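The three host behaviours the tables above record for this sample (Run values named after their hive pointing at an "install\server.exe", an executable dropped into that install directory from a user-writable path, and a burst of WriteProcessMemory calls from the dropper into Explorer.EXE) translate directly into a detection. The following is an added example, not code from the sandbox or from the report: it runs that logic over hand-constructed event records that mirror the report's rows, with two benign control events that must not fire. The record layout (type, pid, image, key, value, data, path, target_pid, target_image) is an assumption loosely modelled on Sysmon events and is not the sandbox's schema. Note the path mismatch the report itself shows: the Run value data says system32 but the file lands in SysWOW64 because the 32-bit dropper is subject to file-system redirection, so the rule matches both spellings.

```python
"""Added example, not from the sandbox report: detection logic for the host
behaviours recorded above (Run-key persistence, drop into the install directory,
repeated WriteProcessMemory into Explorer.EXE) over constructed event records.
The record layout is an assumption loosely modelled on Sysmon, not the sandbox's
own schema."""
import re
from collections import Counter

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe"
DROPPED = r"C:\Windows\system32\install\server.exe"   # spelling used in the Run value data

# Constructed events: the first three and the 64 writes reproduce the report's
# rows; the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "reg_set", "pid": 3556, "image": SAMPLE_EXE,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "HKLM", "data": DROPPED},
    {"type": "reg_set", "pid": 3556, "image": SAMPLE_EXE,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "HKCU", "data": DROPPED},
    {"type": "file_create", "pid": 3556, "image": SAMPLE_EXE,
     "path": r"C:\Windows\SysWOW64\install\server.exe"},
    *[{"type": "proc_write", "pid": 3556, "image": SAMPLE_EXE,
       "target_pid": 3572, "target_image": r"C:\Windows\Explorer.EXE"} for _ in range(64)],
    {"type": "reg_set", "pid": 1200, "image": r"C:\Program Files\Vendor\app.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorUpdater", "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "proc_write", "pid": 900, "image": r"C:\Windows\System32\csrss.exe",
     "target_pid": 3572, "target_image": r"C:\Windows\Explorer.EXE"},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# The two Set value rows name the Run value after the hive it lives in.
HIVE_VALUE_NAMES = {"HKLM", "HKCU"}
# Run data says system32, the file is created under SysWOW64 (WOW64 redirection
# of a 32-bit dropper): match both so the registry and file sides agree.
INSTALL_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\install\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


def find_persistence(events):
    """Run values named after their hive or pointing into the install dir, plus
    files created in the install dir by an image running from a user profile."""
    hits = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY.search(e["key"]):
            if e["value"] in HIVE_VALUE_NAMES or INSTALL_DIR.match(e["data"]):
                hits.append(("run_key", e["key"] + "\\" + e["value"], e["data"]))
        elif (e["type"] == "file_create" and INSTALL_DIR.match(e["path"])
              and USER_WRITABLE.match(e["image"])):
            hits.append(("dropped_file", e["path"], e["image"]))
    return hits


def find_explorer_writes(events, threshold=10):
    """Count WriteProcessMemory calls from user-profile images into explorer.exe;
    a burst at or above `threshold` is the injection pattern logged above."""
    writes = Counter()
    for e in events:
        if (e["type"] == "proc_write"
                and e["target_image"].lower().endswith("\\explorer.exe")
                and USER_WRITABLE.match(e["image"])):
            writes[(e["pid"], e["target_pid"])] += 1
    return {pair: n for pair, n in writes.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_EVENTS):
        print(*hit)
    print(find_explorer_writes(SAMPLE_EVENTS))
```

The hive-named Run value is the narrowest of the three signals and the cheapest to hunt for retrospectively; the injection rule needs a count because a single cross-process write into Explorer is routine for shell extensions, while 64 writes from an executable in a user's Temp directory is not.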

Processes

Image Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\c23e73d7f57840726ea8cbdd35deb400_JaffaCakes118.exe"
C:\Windows\SysWOW64\install\server.exe "C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 468 -ip 468
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
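Read as a whole, the Network table splits into three kinds of traffic: 12 reverse (in-addr.arpa) lookups, which are usually OS or sandbox noise rather than sample behaviour; 6 rows to tse1.mm.bing.net, a Microsoft host that Explorer and Internet Explorer contact on their own; and 14 rows for www.server.com, one DNS query and 13 short TCP connections to 52.8.126.80:80. The report does not name a C2 server, but a single host:port contacted repeatedly is what one expects from a RAT client retrying its configured server. The following is an added example, not part of the report, that parses the table and produces that breakdown; the rows are copied from the table above, and the background-domain allowlist is an assumption.

```python
"""Added example, not from the sandbox report: sort the Network rows above into
reverse-lookup noise, assumed background traffic and the remaining destinations
so repeated connections stand out.  Rows copied from the report; the allowlist
of background domains is an assumption."""
from collections import Counter
from typing import NamedTuple

NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
"""

# Assumption: hosts the OS and its browser talk to on their own in this sandbox.
BACKGROUND_SUFFIXES = (".bing.net",)


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_network(text):
    """Parse 'Country Destination Domain Proto' rows; skips the header and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def classify(row):
    if row.domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"        # reverse lookups: OS/sandbox noise, not the sample
    if row.domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "candidate"


def summarize(text):
    """Return (counts per class, connection counts per candidate destination)."""
    rows = parse_network(text)
    kinds = Counter(classify(r) for r in rows)
    candidates = Counter((r.domain, f"{r.ip}:{r.port}", r.proto)
                         for r in rows if classify(r) == "candidate")
    return kinds, candidates


if __name__ == "__main__":
    kinds, candidates = summarize(NETWORK_TABLE)
    print(dict(kinds))
    for dest, n in candidates.most_common():
        print(n, *dest)
```

The allowlist is deliberately a parameter rather than a hard-coded judgement: on a different sandbox image the background set changes, and a sample that tunnels through a Microsoft domain would be hidden by an over-broad list.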

Files

memory/3556-0-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3556-4-0x0000000024010000-0x0000000024072000-memory.dmp

memory/324-8-0x0000000000780000-0x0000000000781000-memory.dmp

memory/324-9-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/3556-24-0x0000000000400000-0x000000000047A000-memory.dmp

memory/3556-65-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/324-68-0x0000000003970000-0x0000000003971000-memory.dmp

memory/324-70-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/324-69-0x0000000024080000-0x00000000240E2000-memory.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 c23e73d7f57840726ea8cbdd35deb400
SHA1 b16f1ee1ef264a0c736a0b4e7249233d34edaea8
SHA256 bf54aa1a73313f1b8e09528ccef217c2519b90466d42e1367893f2f84057db17
SHA512 cbb76afc8cd108aaf121f4720d0805d0f1cdd9933dd9826ac0d3d176fb5c94929ab3deef82531a77cc61e5f5eab24567060160fc307d4349699c4747f549be04

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 25691eef7144581181e0deaadf4613ce
SHA1 9850b3e48fca07bdf31414edab4118088c6ec39e
SHA256 bcd26c7bff535257723bfaa085e6802cb0db959865734ae151e5163a4c2a8a67
SHA512 781bf6b5bb2a40537193d72b3e48a06def01c69322b74f489e0148f716da6d7b08cce8955220c8158cfea069c24f7fd0484f3552ce4daacd34bcdae0fb78f5c2

memory/3556-139-0x0000000000400000-0x000000000047A000-memory.dmp

memory/5084-140-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/468-159-0x0000000000400000-0x000000000047A000-memory.dmp

memory/324-160-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/5084-161-0x0000000000400000-0x000000000047A000-memory.dmp

memory/5084-162-0x0000000024160000-0x00000000241C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5fd9b15643e150d3604ba14c7ee4e446
SHA1 2c381912eb7d9c1ebc873d99d3edaad5c2337554
SHA256 97c8a3e50b6a398ac7f5736a5dd7ca0785404b91ba3325cf7c871e732be2fa2c
SHA512 f766078c2a762ef9966cff68d777ea83cb2a469efe86a3efd6b6ae842c5d45215980daa2d7da5d887384c79827782fe8477324d1bc0cd876018a0bea1650a4fc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 63b7bfffde30201cb8ce77d3ce830d2b
SHA1 2c8c20de9003d7c4bc2206aff7b74435e3e693b9
SHA256 5c6a8df2cd15600a03c449c369c36d2eb7f73884adf9a92d596cdbb822434ac8
SHA512 3fac4ed2f418941ef27ebc6b6f37bfcb87b0f932a0739aaf2e56d7ff3a847779fd602c842d75d1120c7654c1a0bc346104e78d7b8d7642acc496fcc58cd889e5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 93c94e1e0b57f54e569a12ad2494c2ed
SHA1 36773e43968ddee0f3ba801b2a3bb9616ec5b10f
SHA256 f56b265a17b8236a9dbb6cd7bf34c4995c9721036dca0c896ac966b5e183da49
SHA512 6f619c58540bb9cd1211a903a6bf184842aaaeb445463b84d0d31e48eb3315486ecd222aaad1d124dcf967b2da944cfe58f7fd8bf140dbb4716eb6656eceb808

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 17563881990285b34fed5b008f04ef2a
SHA1 d972ddabf5503cab02d9f7e06c759df9eaf887a8
SHA256 7070051b1550dc572e2641b3679257348ead06bfe67a6bf9a543eea7288468cc
SHA512 336ce94defd1e475283e715252604314a8c17a06573939a4eaa2d42750131ce7b98cade364596eda75ea83d9f59fc4fd6417e4ae01f9bc96ebd21b9f927e9156

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 071ee7e0867cdc221524afa161c3f3c0
SHA1 78f9802af0d34d78f6ec70a1e66fd3c0bb0a25b2
SHA256 247eb958a602966ce2f24ca3e84d7c96e62e5ec3861eddee29799b7733e9da66
SHA512 82d67691343872ec06352916d0708f667ca1443de11935cb0e4575237e80d5b0a6c3700ddf3e2ec95e3835d8366a0e7c53e053597f75ca4043dda81ac17c6f3b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 49ab2abe23b3171829864af9a83663a0
SHA1 75b058a753e2a77e43ad62129c49bdb949d3a4cf
SHA256 0cc984ef9e90c7b434a5d517cbfcd1a7c5b55bd3135b343f40c0714887f398d7
SHA512 34abe9a7bbf65565b7d21d63379c7e8debe93b434c38b2c85c282e179aacbbe5f54fb46db866847ab5ebd1cc43d19ec50bf56561ff69b47dc43db66dfac9e9ad

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fcb95173265adfb780fc41589b0e8e6b
SHA1 3208dc115a3885cee4dc29d05b4062973152cc82
SHA256 1168beafd35b0dbad12af5dcc4ba202e0f141cc42e78a1f70e6eb1d5286c2ff8
SHA512 21eff42393dc2e41c6cd18166775a91d4ceaac433c7717f8585a6b131dd7558df0e00c307aa7f7d022c40006f07b21cf4df471ca43d7e7c793b9240f2ca93d9f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2a3e753472eb6ba6edf7ad21369f2df7
SHA1 ae2a5909ebab35093b402d44af4bc9a4e950c41f
SHA256 703205edb34151c1d916d27e9e0ef6620f2ed279bad0a8de638ff48614d1c556
SHA512 5a98cd09b156a9a02fef5f45bd8bfe46395912abd615abea1f4b5a628266bc29c8a35286c2265ee765e4e99b2cf5ec31d7cc254e6b717574630ec0ca083feb6a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 80d5b61ff565257ff9319e3272af6463
SHA1 a8f26aee48df3b53e9893ff196ec0a9e553239bf
SHA256 6b30d0379d934502f80c3d14a6914d24d181f227f0801ebb205cd2accfc7e9bb
SHA512 73ca2edecffc5d52e2f8d5a98970db8f86120d4c051eea0129435c74ccbd1535081ed9622d618b77e2d3553ef6b5881c622030a5c79053c40178636150fc9203

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2e1362eb32c960d3ed611a51107c1c6d
SHA1 e34825b27341a73a99ad145dd216abdc3b67552b
SHA256 66fe690110e60c2933ac2cc2a07842f35953f311a817c81b3fdf80d02398a7df
SHA512 8f9889058666a8dd50e4ee315f13f45764088e7500647ff07d59f5d88b477cc63e244baf728e6d06916520bd1c40420fdf28976eeee0bf2ca03d3f26528f702a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9b2443c1ac796bfbd68ac70c357fef86
SHA1 5dcb675b485f754ad66b4155f1437af1c806c366
SHA256 cf5ea12d85c2c26e65bf92213b0d2adc51ca7ab595e7683a67238b9b4ed97634
SHA512 b4390bfac260115d246c7746a5c3862e8fb2200c89a90bef571eb2dee7d1dce01106ab81c484773ff6b6a63e4eb8ccaddfede1a224365fdae5175453d1828c49

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 edf643f02228ef885e58813e2805fbb5
SHA1 0dff5c4bcbbf484ae225212fd2552135b8e12d7c
SHA256 1cd6d21aa0ff4a8ab1d43cd3c7c80be44a797c674bbacb53b2544f43413f16a4
SHA512 92adbbe43804b1fd3fd2d8060801c76101d9112e017555302c99577597f8bd9f77ac7f1c178e8513eb3e797e70523f5dc8b9cbbd0743779502062933aae5eadd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 21a6bc8bd09a529f20479036f816408d
SHA1 367048f149f055c43a3d5fbfefa31131def43aac
SHA256 407882c147421a5eb935a83ea355b010c6fbaa129a65a4fb703eed83e48de4e0
SHA512 e5f46f241fa7306519e57860388559ac18528030a1e3266c1f7f87f8ac849810eb01837702e92fe75ec2c1d0246d88305b98c1eedfe1b91d1203f3f780437ce6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 578ccd0134d80a6e92ee40596d2fd2e4
SHA1 f66cc0d91ea3a41daaa9c07c9fa0a302cc72339c
SHA256 f93bbdb2245c76ca40c96ae4fdd48d3f50963d84b1e20a7f6f9bc93609673267
SHA512 cfc5a63b6bd85904f4a17d937c7f595bd66d82e72b8cebe43aad6649854632df367d144c2be9590eb128e2f5770298cffb850a3d9b8a345b8912c168e7471995

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f978e9dd331b051e2833c31d5fa35275
SHA1 89352aca763b1f661f9dee4728ffd0178b5a7677
SHA256 c48f20e5bf9df6a31db958afba16bd3b30678b2626e42860d0036cadc219ce48
SHA512 74993c31bfb3ac3505887b3f3e0ae8866de7cfdec39befa32f61a9eafc15259ac7f5465bea1a184468a9247472d31e2cb5047745c339a84e96cb5b1a1d09f730

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c2e6ad01aeeafa82b4d7c1b54b65ed5b
SHA1 32ff1e2f402408b1cad0308cda56854fc95f8c26
SHA256 dae06ef5a0612bfa7f45977e889e136b05f9e47e40df955d8f5b69d42dc7da9c
SHA512 3de319a712e695315ec22d7069ac44ebaaf79c95b6e29aced2073c437c82c2d3dfa252ce70a569bf7e6c6cabc93302f579f044782b48122ae134a641d877c552

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 657c99ef23841d9744ef3f71a847fe24
SHA1 f90d8f674b1032cce425d5ce82272095afb973cd
SHA256 1a9211f8da5c1086490da7e9f555c859e77a5723e8b4cc1d279d946060be4cc6
SHA512 c79f75e8f90e0cf835dd90f35af750750da919a0e4b07ba974e6c23ae55794e99e4feda9ec6f83158703e2ced355b86cb7b326e8ae6d03b67ac476d9fbdaaf2f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 24bdb80ed73e35441660b05537003a65
SHA1 6248c69ae9b42010126634ceefd8b8c2fd800e61
SHA256 3aa22f4f52fab3d73d933b4bb5c33a28da41e4ada3d1b760e747321333f82b88
SHA512 ab614635d1b3a3419e93965d584ead7c0fa52add2a398b68d109eb45476c146d2fe4a1bd8a7c88411ad1ecc183cb0c0a80ecdb9765bcfcc1cd776a58ad3ff494
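Two things in the Files list are easy to miss in flat form. First, the dropped C:\Windows\SysWOW64\install\server.exe has MD5 c23e73d7f57840726ea8cbdd35deb400, the same value that forms the sample's file name, so the persistence payload is a byte-identical self-copy and one hash covers both. Second, C:\Users\Admin\AppData\Local\Temp\XxX.xXx appears many times with different hashes, meaning the file was rewritten repeatedly during the run, and the memory dump range 0x400000-0x47A000 recurs for PIDs 3556, 468 and 5084, i.e. the same image mapped in three processes. The following is an added example, not part of the report, that parses this section's format and surfaces those facts; the excerpt embedded in it is copied from the list above with blank lines kept but SHA1/SHA512 lines omitted to keep it short, and the parser accepts all four digest types.

```python
"""Added example, not from the sandbox report: parse the Files section format
(memory/<pid>-<seq>-<start>-<end>-memory.dmp lines and path + hash blocks) into
records, then find self-copies of the sample, rewritten paths and image ranges
shared across processes.  The excerpt is copied from the report; SHA1/SHA512
lines were left out for brevity."""
import re
from collections import defaultdict

FILES_EXCERPT = r"""
memory/3556-0-0x0000000000400000-0x000000000047A000-memory.dmp
memory/3556-4-0x0000000024010000-0x0000000024072000-memory.dmp
memory/468-159-0x0000000000400000-0x000000000047A000-memory.dmp
memory/5084-161-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Windows\SysWOW64\install\server.exe

MD5 c23e73d7f57840726ea8cbdd35deb400
SHA256 bf54aa1a73313f1b8e09528ccef217c2519b90466d42e1367893f2f84057db17

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 25691eef7144581181e0deaadf4613ce
SHA256 bcd26c7bff535257723bfaa085e6802cb0db959865734ae151e5163a4c2a8a67

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5fd9b15643e150d3604ba14c7ee4e446
SHA256 97c8a3e50b6a398ac7f5736a5dd7ca0785404b91ba3325cf7c871e732be2fa2c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 63b7bfffde30201cb8ce77d3ce830d2b
SHA256 5c6a8df2cd15600a03c449c369c36d2eb7f73884adf9a92d596cdbb822434ac8
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}  # hex digits


def parse_files(text):
    """Return (memory dumps, file records).  A line that is neither a dump name
    nor a hash starts a new file record; hash lines attach to the current one."""
    dumps, files, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "size": int(end, 16) - int(start, 16)})
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1).lower(), m.group(2)
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:      # catch truncated or mangled digests
                raise ValueError(f"{algo} digest has {len(digest)} hex digits: {line}")
            current[algo] = digest
        else:
            current = {"path": line}
            files.append(current)
    return dumps, files


def self_copies(files, sample_md5):
    """Paths whose MD5 equals the sample's, i.e. byte-identical copies of it."""
    return [f["path"] for f in files if f.get("md5") == sample_md5.lower()]


def versions_by_path(files):
    """Distinct digests captured per path; more than one means the file was rewritten."""
    out = defaultdict(list)
    for f in files:
        out[f["path"]].append(f.get("sha256") or f.get("md5"))
    return dict(out)


def shared_image_ranges(dumps):
    """(start, size) regions dumped from more than one process, with their PIDs."""
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["size"])].add(d["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


if __name__ == "__main__":
    dumps, files = parse_files(FILES_EXCERPT)
    print("self-copies:", self_copies(files, "c23e73d7f57840726ea8cbdd35deb400"))
    print({p: len(v) for p, v in versions_by_path(files).items()})
    print(shared_image_ranges(dumps))
```

The digest-length check matters when this is fed into a blocklist: a SHA256 that lost a character in copy-paste silently matches nothing, which looks the same as a clean host.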