Malware Analysis Report

2025-01-02 13:59

Sample ID 240827-h1za4ayenf
Target c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118
SHA256 659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56
Tags
cybergate remote discovery persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56

Threat Level: Known bad

The file c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate remote discovery persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-27 07:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-27 07:12

Reported

2024-08-27 07:15

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (13 matches, no further detail reported)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4444 wrote to memory of 1548 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe
PID 1548 wrote to memory of 3456 (56 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.server.com | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp

Files

memory/1548-2-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1548-4-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1548-5-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1548-6-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1548-9-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1548-10-0x0000000010410000-0x0000000010471000-memory.dmp

memory/3156-14-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

memory/3156-15-0x0000000001070000-0x0000000001071000-memory.dmp

memory/1548-30-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3156-76-0x0000000010480000-0x00000000104E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 1330a25175cac0995ea254c126568e85
SHA1 b8cdb1525ad69992c070ebe71ba210821152a85a
SHA256 475f369cae4fb919555e2c68fabb32c73181fb9bf6b4379c15dcf5dae8977658
SHA512 faac460421f34e216da650616e702010766cdcb4115e11f572eaab6fdb01aa1406b69767389052f9f1400b3b52d6c13e0e6f20ea52a31ac6deb6360209c72eee

C:\Windows\SysWOW64\install\server.exe

MD5 c48c03e6b3bb2bde1606ba3933a1c064
SHA1 2cc8efa2b9a3e45a5d90ee27097c41896201cbcc
SHA256 659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56
SHA512 b73affe5d9646bf4a28877edaca26f01529bb5b1d4e09a533c3d39852d396451c0f6067d4ff5c226d39472f337398c1cb1c50db9df5f8ec68d2ee54356ceb375

memory/1548-147-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1568-148-0x0000000010560000-0x00000000105C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/3156-173-0x0000000010480000-0x00000000104E1000-memory.dmp

memory/3116-176-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1568-177-0x0000000010560000-0x00000000105C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6c5d27643a4c0180117469979a20f833
SHA1 d3dfe7c3f706fbaa8a16a7adfb4fca0397979274
SHA256 02e684433ddec1ad3ffb9012accd0cb94a3dde63047eaedc26086917da997863
SHA512 36f72a6647fa3c4354206c3e06642becb3ca7e6f6e89c31b1f73f74d4d5ac798bff6009cdfe5eb83adfb5a71fc0ae37810688ab4bf57e9bba11a919926b4e110

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 30e7e9575c82a670353bfa4c9d9a8136
SHA1 dd4c9db64a1ace9849bfd5518cb36e1d5b780e64
SHA256 fcc1f5bd0a1f4643ea4af6ce45a216a694d50a017d60089a264884733f66b54b
SHA512 19ccaf40d8b5424d7b137cc93dd15121c07ba0aa035335e2c9486a4c0e7f3bdf372ac093ced68c08dae6ced60d4b55d4a6a9f72109a59fd64daf785515cabb83

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ec0c09e1d3cf7341a5d396fe0cc83e9b
SHA1 503fce1778aee8f30de6a5931751b230b829fbe5
SHA256 c7053c8e301fc13f016ad13dd4c8138344f3662cd0632227870d8922bbc07cd6
SHA512 ffdd993114758feb9d2f87a994019f342e09e4d3b76fbf651bca17268dedd8d6e1a09118d54aaf734e05cc7b0d47bf9a33cd95514c6d39e21ba1ea2c3ec9b5a6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a52a5898a3b9c4c11de1850e29a26c71
SHA1 54cfec3325cb22e1a242377b8ced5051eb53e52d
SHA256 6f40e364309831d6d7507a76e47955828a1003a1a1e2b5b92c98537b174ddb7f
SHA512 115f0cd75fe5610daca4e9dc636044f338a69ad09ad7414e63d11ed10ace89d34062c61a358c2559fbe8497841bc3a96dc028b4bd0a15484278683b7d6fdf56c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 aabb646cde25c98ccdca11893c764809
SHA1 ec63637811e29baccbbf2c08451b2798b8d0dad7
SHA256 7383b72d2a1532b91f44488636967fdeb6a667bd9ee0b77cb56631e363ee3597
SHA512 6884593bfee6fead18ab0d3cefb4046d80973d08d972ad47df64de345269df53dcb68b3865e9ce1450c350ac01bd7cc0a223e792722cafdcd295b2ca057056c6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9e6524da7b32b609820b75edba5a2f4a
SHA1 455d133382cf29a4c0d0ef7f3d4810ae16d53b00
SHA256 7e06fc782f1707d122526ba3f32c25f6c86a57e92edc032cbd61ef50415c10be
SHA512 26050035f119676f086b7d7967817afae3f277914c5408e2c63eb2fb8b40245c069f7d88ed1fd9585d8c5a5936faf02cf6d587b8f5647f1e7b0871550950abc7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a5ca702126ed83b08a1424b7fb0a8a5f
SHA1 3641daebcdab9e5a589a2648a131c0045376dd0b
SHA256 aeafe91d6b88a5596152499b8796bcce06ed46598770563ba2f57e6b88e7daac
SHA512 8e0c4c2649b801fea70842a78e56715b013d577175136377ebe6510af948b22160f02f620238b567308763094cb5345db4462ef8d798fe0a51d0899ce16abcb8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 591b5f7d19be810a528f434b25c4dbc9
SHA1 790ad025ec11adbe5c4c7bf30f49f2d6f8a85089
SHA256 90cbe0e472ace0f0764a4ef684087b802a8a0fdf296e919aef5c0dea33d3a05b
SHA512 4f250ce1f94624bd79f4c08160b0bc154c8112b32c178aee64c9fcf33c9cb1447e235cc3b491942b1f0e7700d3a88c304ceeb0e1ec361947dd97da0d4711f013

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c2a2359595c10f90eb48611f4e1593c1
SHA1 9a669e2e5686999cf1854c11e95a7bf03eb194ae
SHA256 527cc7d741744257da52e0a65a0600fe7b327d7407fcc846bc07ac20d2761eaa
SHA512 fd9ca8ca86b838902bd2e6672bca02fbb1321cb0e2b09638706474c2604060846b4721cdf8834ec2e6708e4622ba58750c150beaf2677a60825ff99a2c42c77f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 88003c44c7d50a09581fd958787ef296
SHA1 5692edb7a23094ae95f96b27da03f7aa53d82ec9
SHA256 5485d917606470e6432d5681e6b7ba77c0a7b1c8f9cb0987254e083044cd220b
SHA512 c3c6538a964194c6b6eab788e50d9290236e3e14afd9bbe71ea50e4c50e805d75e1b943b137dd21700f53101251a50358818e642732ed6d4897a9bfd43511fb8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7da6341c01051629b97a543da6a8c4df
SHA1 cb313eeaee6229a73fb05357b01ded5fc4637ba9
SHA256 f983ae93a15f0f3d1077670c12702dee648f9517a644ade44c27f6b150d6767d
SHA512 1f2d98d2c2e685b32dd1483216c99c885cdedea2ffdc4f0b6260956965619a48024ccb0ebfc8aa7055347978422a769c62b5e5a51d98de3634859803dc531efb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4b676df372b12fcd309916049df1e1f1
SHA1 a1bb1e6f5c17cad34d066c260e4629f1e2605d06
SHA256 e3c856940c887a0a4df5797a0305c19dcf20c7d4858456f7251ef8a369ae6409
SHA512 43a9adc88d71c3ba6fb5f28c5dbd39b553221b0bdd81e9abe6f98ae3fff6c08f88adf15eb441cddc4aeb15195742e06e1713ea213ae1621e6d9b4e301db862e6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c944bd9d3f2222669986416637636151
SHA1 abeeeb1cff5e18217cc750b2574ce3f3efdb80b0
SHA256 043e8d4df35f22477e77d7e62313c99b50787027ce3e82ac32e369a1235e4d2a
SHA512 67877ff06faf8a3881e3c97691c576fec1827fe14cdafdcb5e584a68c07404baab44e2bd225146a65e60a9553645d57c3b7e90b464287afb2ce40299cc7fa7eb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d7e8e18952f30b05f3657ae5e06e42ff
SHA1 4ffcf6eb6771672221b2ac27a72520e9dd682d96
SHA256 f6c410ac1aa9b27c3b635060bfbb15d2e1f0bad3587ff57502794061ea042fbc
SHA512 0b63b0ac9a1035044df20ec797e94bc427bedcdc5cad61ada92cd3f634a495ef555cd4c0a65cab03c83aa300918e97c940eeb7e6d71ca4cbfd0c1e96844af844

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dc1f487f76c55ebb1d34c66fc5825605
SHA1 fbb1ed92dcec7cb1d549dbc457ae43b1863bd5d9
SHA256 8fbef1ca07a0632aca58bcb18287c8a45c2da7f74c027ef3fb15bdafa2e90e4f
SHA512 a0361a138cc486b34ad22a8bc92207fe77ef0ac7762b6493e4ce29f77e12e307c522f9587d3720f7ae4ca25300a621c2e007f80e14fe879951096d452a8fbe50

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0ff7ef207d799aebc62d8c858e3ffde5
SHA1 5edda24d74dfd3fcf6f8d78324c71e9d5617abb3
SHA256 c662c39a06c2c1699bfefa1c79816e9adbe606d9bbd5914092db4aed4fbe9807
SHA512 c347a15a3b232aa3a94a811954cda78ddcd59861e9b553620ba2dbc81a394caa06af4b6d5b4c84cf08d391433a691a1318a20e4972e51df2c0132b8bd01dd58f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7b43b2cedf42b0e9cdf08e042574790c
SHA1 fe1b5430236d857362100463e0e622d89b3660d1
SHA256 425fec1508b0f6c6d93d5c7eb93bd03778067c6efffe453ade8fcf2f1284b858
SHA512 de7534e6b11c7c8a04c68ccdeec9c86f56329868a2a38e9d93c1688b006fd5fbc94cf847108be3d747dde5fbc940f302b5c781e12c3c6e34d33b599006370d5e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1adacfa90c9d4f34bbbbf56b95403463
SHA1 0c1954378d20d50453ec41f51d06de7e6358f968
SHA256 4dd9841aed4b36647312214d3b6bebfda498cbef54bec6ba3214217f646c8fe9
SHA512 4293b23012fb08a9f0a06be7afc47f879d53962896c3df866de7db4b3bcc984a7a464071dfc388e197cf56a8db54d22ed96f45251a4a6615b5d8c035b96890d3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 48e4a600f120bd7076ecf6f579d2c99f
SHA1 3d83d9d77f2b63da3f6a5f324dd4e165065be948
SHA256 0ae3b892fc01b9431bf83d2c159307cb04c5880ebaed4d899357c4e98d265c97
SHA512 714a518a022ddbb45d1cd691a78802c3ed059ffc38021e834d7936179eeca8f9bff8b9d4c2c8ce646c6374e48c257be1cc6e19feb3cf592a907330f7736138c2

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-27 07:12

Reported

2024-08-27 07:15

Platform

win7-20240704-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3} | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{G1R6SEU1-757G-2S0H-0E48-TEUU8CQ5S8J3}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 matches, no further detail reported)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\install\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\install\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe
PID 2864 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c48c03e6b3bb2bde1606ba3933a1c064_JaffaCakes118.exe"

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\install\server.exe

C:\Windows\SysWOW64\install\server.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2864-2-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2864-5-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2864-6-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2864-4-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2864-9-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1412-10-0x00000000021E0000-0x00000000021E1000-memory.dmp

memory/1164-253-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1164-257-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2864-310-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1164-539-0x0000000010480000-0x00000000104E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 1330a25175cac0995ea254c126568e85
SHA1 b8cdb1525ad69992c070ebe71ba210821152a85a
SHA256 475f369cae4fb919555e2c68fabb32c73181fb9bf6b4379c15dcf5dae8977658
SHA512 faac460421f34e216da650616e702010766cdcb4115e11f572eaab6fdb01aa1406b69767389052f9f1400b3b52d6c13e0e6f20ea52a31ac6deb6360209c72eee

C:\Windows\SysWOW64\install\server.exe

MD5 c48c03e6b3bb2bde1606ba3933a1c064
SHA1 2cc8efa2b9a3e45a5d90ee27097c41896201cbcc
SHA256 659226164c9602e07740b7c86622b18c697d507836d3270dbf97b207224c4b56
SHA512 b73affe5d9646bf4a28877edaca26f01529bb5b1d4e09a533c3d39852d396451c0f6067d4ff5c226d39472f337398c1cb1c50db9df5f8ec68d2ee54356ceb375

memory/2864-872-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2528-900-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2528-903-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1164-904-0x0000000010480000-0x00000000104E1000-memory.dmp
