Malware Analysis Report

2025-01-02 14:05

Sample ID 240909-yrtbgsxcnr
Target d701b8fee63c28d1499e5329682d8a64_JaffaCakes118
SHA256 05cbb2a0501766018d1197101a6d4b55fcf6adc8eb6ec92692d93ea8d156135c
Tags
cybergate remote discovery persistence stealer trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

05cbb2a0501766018d1197101a6d4b55fcf6adc8eb6ec92692d93ea8d156135c

Threat Level: Known bad

The file d701b8fee63c28d1499e5329682d8a64_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate remote discovery persistence stealer trojan upx

CyberGate, Rebhip

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 20:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 20:01

Reported

2024-09-09 20:04

Platform

win7-20240903-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD} C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
File opened for modification C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
File created C:\Windows\SysWOW64\install\server.exe C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 320 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe
PID 320 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe
PID 320 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe
PID 320 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe
PID 320 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe
PID 320 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe
PID 320 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe
PID 320 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe
PID 2576 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe
PID 2576 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe
PID 2576 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe
PID 2576 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe
PID 2576 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe
PID 2576 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe
PID 2576 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe
PID 2576 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE
PID 2760 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe

"C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe"

C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe

"C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe"

C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe

"C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe"

C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe

"C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\install\server.exe

"C:\Users\Admin\AppData\Roaming\install\server.exe"

C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe

"C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 452

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe

"C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 508

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp
US 52.8.126.80:80 www.server.com tcp

Files

memory/320-0-0x0000000074171000-0x0000000074172000-memory.dmp

memory/320-1-0x0000000074170000-0x000000007471B000-memory.dmp

memory/320-2-0x0000000074170000-0x000000007471B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe

MD5 41f13d72ec9d9d5bec7b2b479d980367
SHA1 dad758c3d835cbae2d2188cc96ca70fa54f7234b
SHA256 6da5c29943d377b0bc1d98b126edae517462cac7e3b652698c61581a53038e40
SHA512 827feb56f69f43644a2fc0a103008191a49cd18763922745a8d142f132654e676064d893b33f930b989ffe78dc820d68dc4c0c74eda9aea0f916decc35486d0d

memory/2576-15-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2576-16-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2576-20-0x0000000074170000-0x000000007471B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe

MD5 9650df97e914a968a82b8249603b3b02
SHA1 85209e1ade9d492bbcc7a601a4975f0442be24a1
SHA256 e8f3ac651ab69fb7eee395c57bdccd464d066fccddd6cda346bf6c51a3f06ab4
SHA512 5bed6a9476b8252e241c13b98c1f6c17f0325ace076a26b69c996ab96edcf65fb1c3b738faa30a1f3776a1e8cf8f147d8c3206e5198e1a8fd47698febd4700ea

memory/320-22-0x0000000074170000-0x000000007471B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe

MD5 f5a96a5138dcfe74209e5c8f37cd4bc8
SHA1 daa5bd26a7edd173fcf5957a545ce62f3df1fad6
SHA256 863480837c0c8bcc3f4c12bb820607cde7a7c174f3ca3a7f838182ab35ac6a11
SHA512 3a3bdab7d5de5d6f2a47f2d8488f4f81c5b048ffad2b0d7b1daeff12bce8c0c081d8e7768d8035148ae0049f8c0ac3ad39add04732aeea93905036cc3ae2f4e7

C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe

MD5 ab0cb4aa536bb64d49dd38fa9a86976f
SHA1 18922ebc6cfb2e5c011d49adebb76607ec855cbd
SHA256 369a308c7df00035d0f8032f3706f325116a9b81a5e912f3bc1f51d62d7bd5e8
SHA512 314ad480a1f876e0e099057dec6c8ca6bc65655572102d4b1bfc5a37abb2490671d73906f313fef23b8873114bbced1335e1bc016423c1d6fb808fc951c9ca57

memory/2576-39-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2964-40-0x0000000000FB0000-0x0000000000FF4000-memory.dmp

memory/1192-45-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2760-44-0x0000000010410000-0x0000000010471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 02b2416f3c67b9610250754058ef3744
SHA1 1767fb74c51b5b635c54a6d16b5880b7a5d94341
SHA256 117c271e3e57d8eb834178f3d9e74770d8793783c33d50fb24b5b18f1a065831
SHA512 bd87befd3daec44472639799d80e12efa10f778124df3c9f1784e47a89bb5fd8277c124ed75778074c3d1d49dbcca4c87afa3861d4c9522e7a3cdc46ee332641

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 898cbb1175c4cb877fc6eae3c9753bfc
SHA1 90b9fa2ee1de371c0b5eea221dfbf86e6ce83205
SHA256 bc905c9f9288c8656f36e13bef7590ef2df7673d74405737a786eb096205bb32
SHA512 8d8da36ca8b75ebc947f989015002ad3b9cdd96f84ef1014de385cafa915305668b5b89b16d4a9d2b59fb9ab3dbd40b7aca6aa5cebdc7ac72f6ff4098b5502ce

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d3e5a0574eeb3497209dfd1313728278
SHA1 f610b499e7c070b4d769b73c6aa269a4030c0434
SHA256 a7f1f9e82471db296b92f060cb3593a263adc34913798f423073cee946794d3b
SHA512 e5bd409efaaa13066b96970d5e57e61832c88d3d728f8391650d959f2d55a1254fd93515e82e83cbec7740432ec35fcfaa6bf00fb41c18dcd4e2a2cee4cd361d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 31c637e945037ecc47b8e69b8b8b1f50
SHA1 0df902e9cf1830c04f4a85bcb89cb2a842f26ce9
SHA256 0865b5b0b4d4af0225bd3dad856def9a7afbc9a2e242635d0b45bdab01b8dfa5
SHA512 34b4099b69eaf839d3b0a1401d2141081c99081c3d97fbe17a0754e8d18ea87d7e56649e3b7c5edda0d992856b81d4d2e365461767481e26d62223f081493907

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 554606143e6ef72bf6b126a3f1aa4a5c
SHA1 c6b8dd16d5ca605cef9a902b70415b8eebe1f3a8
SHA256 b3a861f342249716395803ecbcdfe19f0a14c806976ee885d4c17a5c8ea2f05b
SHA512 ba4f3af035d74dda3d242bba75f65f4ea75aba41001c36517caab51ae2f885e22df69abde13731dd3159a930cd73684b69b07d76bad3bf81eecc3e04cd4b89ab

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 25273b5bc6fb4a5ec32fa83eba3694c7
SHA1 7392e9a71fbbdf28c388f086ab326509a6445bbc
SHA256 10de9fcaf29c11446320f0d35cb246367310196ee2fcced1a61c967e910e1282
SHA512 92dc494fd8c2ebe7448c21bd5c518c237387d774f09096839a19ad4d15a97ba21e0aa24bc1f7968deff2c262cb2d44ca87c7e49a3dc097062764933dc1e0ebcf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a9b3abdf53252d4569c4909ed2d1d97c
SHA1 da56e6eebc8bfaa2952e67eb63fcac98cc2a31f2
SHA256 d32dbfaae02d287dd652c1053933a9080196012da9a67bd018a0b0ee7bcc548a
SHA512 b5d50a12dda70ddd8f77cce3a785173b82dfe3e4d151db9a574e1ee45f422496689ffec18395731bbd10a60f1367aa7bc1009761296145c772553a4e5f29dd98

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 118c455ca176f1446cee83526c02cc94
SHA1 3c4d9676150414222922cf141993b45bcd9c26f7
SHA256 eb1d188dffab71b05217486993c41b782195ed8cd34982b27a4173bb46d9beed
SHA512 d0b416f18fced1aa0eab30a508b391074f7cf2dfd47d70308f3fa92e8c7c9b8888cdbd3caf93944985448b64b011b8821c40762f393200bdcc1f70868edf63f5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 36380db486273385178b2775dc45e4e4
SHA1 1bed8d4e8d63f28668f67ba30bf06b1c78d5ee03
SHA256 353b364faaa6e8a0f860579691f240818680474671c602bddfd6851d2f6152c2
SHA512 7c4ada944570c64c8d395947d607d5771f64b54b7148ad003410220d8f65456914cea1ff51fff02dadba44e7278b07b379a702be59b376b347e2d8dd6e728329

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0d8d0a9d36253e5870fdb83bdf41e5d0
SHA1 9f3013ad016f9bbfc7a850825c7f31986c7b4d4b
SHA256 bb039e0126f8b81923830cdc30cf3e74240b94e4ffc36c64d0252723e82dbfae
SHA512 0f45a638787e91a33bcf7b01ccffdf31ce86e5f805cc2a8a5beab1a99126b2e5dd46c05ac450148bf6f678e15fdfb9eb061afcbd44cc337e72c993e734a2b6c9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6c0c88262f3f124818ab130e1d84f8e7
SHA1 f00d5bbd5155977471d46cdd1b97b45ad5a095ff
SHA256 b4a8f91d44ed126a62021c84101d7715184ffa6a12f104f0894fcacf43c356c7
SHA512 e5de6bbcc3a81102544d8ba5ed9756c59ab285ae977055777a416c7485cde7681ae977467fba509242c9f174fd0dc249e67c2001248095e5790afba62797a57f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d37b36a5f219f97276f5587bc2e7f5cf
SHA1 5d8a5fd5ea0cc01adf3e63da69d63e57ffa02b6f
SHA256 7f103b8c471ccd0141a32c11f0e63fc556fb8fdc9145abfebbde78ebee5ff303
SHA512 16b9219025951fc751b7ba76e35e46dd4b8e62a3df0d94796c9bc5e8e144d279aaeada61e453afe71aa61c1c4818857a26c5de4f39fa1098d88e722b566cf340

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 407c24d0aaadc4121f34530d101858a3
SHA1 73865da00d4e629fb089d99fa1448f5ebdbf7950
SHA256 d84d668c0e2473b2d83643c8dcd4a6a213c9a3bd6844f00ceb7affac7fdc7116
SHA512 a8e65814c9e3c29a98446f297fb6e5e5f6402d7e8f1892e319a59058091b0d135210137d63b7a8e9f2af7177928ade5d5d0cb9b79b423bb9c91d2d291c485e90

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 28880813b00119362218c534e540b89c
SHA1 3447412e283c1d4612f3a697fc71093c862f938f
SHA256 6538a5c30467f6ae048709b9f7dda803f03a2a661a8e7f4cfc203f7f8d84271e
SHA512 44009b473705c8b1d44e3c95c1aaf71cb0cb3ec53a7714e7f2a1837b11fd7eb9aee6468730aec3b6d0ca38a196912f8deb42883eed6e72fd2eafee743f184721

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e1d6e499788fa5da668734d87d30bd51
SHA1 0d9063d9b579d421e0b0a384a66f37ea14428eb9
SHA256 b826ce9d7f5f324fb6d1ba93953ee77ff2200c620114ef42da6d1c988ac78b8f
SHA512 168c99ef72d4fccbb3f3e6d9563acbc038141ff7cf94643a4c97a856c3b80f6db3b5957c1b8069764c87afab6790602afc41545d6433e54373c356cd6589fa3d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3b63f2489a98cc26ca5622d17a345ef0
SHA1 6fd6a05955b6869d860a0f6b1547b246a5e8f363
SHA256 94cf736999b43ffd3bac00fc8683cd9f80d88a715b3c02197847a27193cf93ac
SHA512 9562aac80116c6d03237cf5eaa336fa22b143b53377914774ac0fa99ab2aa39e1de6521020f41df0aaae89008f4a6c404cc3b89483e01340f8159edae2bf7719

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 34477b911118687eec5442df97c6e12e
SHA1 cd8ce1a03167dc9f974edf1636aae92bd148bd77
SHA256 461b1d79fcfea079e00b5a41b6fc0ee78a40d6bcf23e7c134da57300605bf9b9
SHA512 6f04e9ef87d422c376a43cf3a7ce14f2036e78308688c46c264b4397a8c9c72689cf3747dd7b6be231627a0aebd74b853cc4cf0d656af5e7e6b9d83dc32064ec

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ce0a516e66173413a15b034b2c6daf72
SHA1 3983c2c492dc5cda348672ea638301f5803d2e62
SHA256 2fcda52ee553acb2524c40e94188b4b2ebee29ef960a84fba3a5e3e943105f6a
SHA512 07345ff3cd449eaa849991f08713854e9d7d3e2eec252097e72f962e8d7e5033b3206ccb353c75c1faa8218c341867997d943b885ff5dfd9e4f2a729e575f5ac

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ca58c9211ade5585a695e2f82852bd99
SHA1 d95ce27b06908f5ce8db8a987922861c787c7be8
SHA256 a52321b17b57a34019c05f96df17ad0f0458377ed9b0f9a512c821fc003cb0dd
SHA512 1507ef228bb7d441276619406e0edc5cc62b26207e27e64fb3ae3dedd5f49f15d9437d01e7623e5a6a7de51d1b9f2c4d0ca0ed009714f46b82f828a3da210825

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8c0fd5c61c097651ef8720e6bfaeb6a6
SHA1 945d5eb1b7e17a01f3a67424d12a29e2daa81290
SHA256 bdf6a76062320c5e82b52c3144393698a93fc6493f94d80d1fa78f9b1804fa1e
SHA512 a371a447c13e8201847330494de07faf0557ef9a1d047ab8817aa7d55d54318bc9541537ba16717d739d1524bbf1b27ea395128b5ebacabbf5635734e771bb64

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8d80afef69b8bef533296c15647c9793
SHA1 5b9b8255ff12be54ca536fff9966e594919f7c3a
SHA256 b25c00d74a4baa9b8e882b8ad0e28f4e20c70befeb91213d362647aed5070e5a
SHA512 e5f192ed5e0b301bdc20a5b58ab5507bcb0cf70e9f905588b87f93a43c9fcde2314d64c4f3c2e0410d80c01a57a9ed86bd1e3fd80e904697e4aaab301e35e2c4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 98f476c8537d042f5c4806ac22e0198e
SHA1 c95d0aab434ff983e80df7ea3a9348748a8fa25f
SHA256 f887c6c70dbcf276699dcc15142c66bb021786a906936df67fcba71d7e93568f
SHA512 0d4970a8776f2b0ce388273bf0b78cdc1db6ef898cbdc715e8da645fc3e9115dce66135386d5f9aa338dc629742b3dc611fe5faa9ec006d727bd9c50c2148756

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c5bd7cd2f4e8df03def7b3e7282f54bd
SHA1 dfe32baa80f2232265d74db30b5c9160d237efc8
SHA256 a3eafcb7fafa4585e6f71e6f8ce6fc9e7aa08103bd19a620c06b4db9458aeff2
SHA512 809eb60c9769814cbc398b6d85ff4e016feee85d6059cde3e5dc0cdb7ea295d48ea8afdec7b15a1b204eaeb20328679c8d0ee5e714e071421d7540d260951195

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a237fb5a4ed8b2dc7e1e3e9581766044
SHA1 3f62fee53f61f9e9d8f56f932da798e942456908
SHA256 7c8f9096b3ca790522e4f1842ae18963b2bb8f76042e03b0aebf0a817746efeb
SHA512 de9b03636e2b1794e610820922fa8e60f6af67dbd2a6b349188deb3db19775c586dc603aa76b3244c4502725c56080bb3e5258f4390df816317f36a4d4fb115b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 20:01

Reported

2024-09-09 20:04

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD} C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Windows\\system32\\install\\server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A
File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Windows\SysWOW64\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\install\ | C:\Windows\SysWOW64\explorer.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1336 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe
PID 1336 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe
PID 1336 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe
PID 1336 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe
PID 1336 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe
PID 1336 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe
PID 4388 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe
PID 4388 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe
PID 4388 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe
PID 4388 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe
PID 4388 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe
PID 4388 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE
PID 376 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe

"C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe"

C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe

"C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe"

C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe

"C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe"

C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe

"C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\install\server.exe

"C:\Windows\system32\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 564

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe

"C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe"

C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe

"C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 976

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | www.server.com | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 33.140.123.92.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp
US | 52.8.126.80:80 | www.server.com | tcp

Files

memory/1336-0-0x0000000074E72000-0x0000000074E73000-memory.dmp

memory/1336-1-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/1336-2-0x0000000074E70000-0x0000000075421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe

MD5 41f13d72ec9d9d5bec7b2b479d980367
SHA1 dad758c3d835cbae2d2188cc96ca70fa54f7234b
SHA256 6da5c29943d377b0bc1d98b126edae517462cac7e3b652698c61581a53038e40
SHA512 827feb56f69f43644a2fc0a103008191a49cd18763922745a8d142f132654e676064d893b33f930b989ffe78dc820d68dc4c0c74eda9aea0f916decc35486d0d

C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe

MD5 f5a96a5138dcfe74209e5c8f37cd4bc8
SHA1 daa5bd26a7edd173fcf5957a545ce62f3df1fad6
SHA256 863480837c0c8bcc3f4c12bb820607cde7a7c174f3ca3a7f838182ab35ac6a11
SHA512 3a3bdab7d5de5d6f2a47f2d8488f4f81c5b048ffad2b0d7b1daeff12bce8c0c081d8e7768d8035148ae0049f8c0ac3ad39add04732aeea93905036cc3ae2f4e7

memory/4388-23-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4388-26-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4388-28-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/2044-29-0x000000007157E000-0x000000007157F000-memory.dmp

memory/2044-31-0x0000000005330000-0x00000000053CC000-memory.dmp

memory/1336-32-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/2044-33-0x0000000005980000-0x0000000005F24000-memory.dmp

memory/2044-30-0x0000000000A20000-0x0000000000A64000-memory.dmp

memory/2044-34-0x00000000053D0000-0x0000000005462000-memory.dmp

memory/2044-36-0x00000000054D0000-0x0000000005526000-memory.dmp

memory/2044-35-0x0000000005310000-0x000000000531A000-memory.dmp

memory/2044-37-0x0000000071570000-0x0000000071D20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe

MD5 9650df97e914a968a82b8249603b3b02
SHA1 85209e1ade9d492bbcc7a601a4975f0442be24a1
SHA256 e8f3ac651ab69fb7eee395c57bdccd464d066fccddd6cda346bf6c51a3f06ab4
SHA512 5bed6a9476b8252e241c13b98c1f6c17f0325ace076a26b69c996ab96edcf65fb1c3b738faa30a1f3776a1e8cf8f147d8c3206e5198e1a8fd47698febd4700ea

C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe

MD5 ab0cb4aa536bb64d49dd38fa9a86976f
SHA1 18922ebc6cfb2e5c011d49adebb76607ec855cbd
SHA256 369a308c7df00035d0f8032f3706f325116a9b81a5e912f3bc1f51d62d7bd5e8
SHA512 314ad480a1f876e0e099057dec6c8ca6bc65655572102d4b1bfc5a37abb2490671d73906f313fef23b8873114bbced1335e1bc016423c1d6fb808fc951c9ca57

memory/4388-55-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/376-58-0x0000000010410000-0x0000000010471000-memory.dmp

memory/4864-64-0x00000000013B0000-0x00000000013B1000-memory.dmp

memory/4864-63-0x00000000012F0000-0x00000000012F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 215fd6a04417b2c76ae3d22dd62a6134
SHA1 5b76be62a791b5f2ea6eea2e1ef51562b2bc9d64
SHA256 0cbf6e473c6b3f3bc1d6e07fe0a33bdca1da5e6e6c7be6876bc52970d52d4424
SHA512 f1892f63146d6b28d03a12460563d3b853035e952465c78845bcb794e3d2a61b23db88cd006772d4748964b8ac847403d5ac4c5b92243feb8cf2c091da913631

memory/1552-72-0x0000000010480000-0x00000000104E1000-memory.dmp

memory/1552-76-0x0000000010410000-0x0000000010471000-memory.dmp

C:\Users\Admin\AppData\Roaming\cglogs.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/2044-352-0x000000007157E000-0x000000007157F000-memory.dmp

memory/2044-353-0x0000000071570000-0x0000000071D20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 31c637e945037ecc47b8e69b8b8b1f50
SHA1 0df902e9cf1830c04f4a85bcb89cb2a842f26ce9
SHA256 0865b5b0b4d4af0225bd3dad856def9a7afbc9a2e242635d0b45bdab01b8dfa5
SHA512 34b4099b69eaf839d3b0a1401d2141081c99081c3d97fbe17a0754e8d18ea87d7e56649e3b7c5edda0d992856b81d4d2e365461767481e26d62223f081493907

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 554606143e6ef72bf6b126a3f1aa4a5c
SHA1 c6b8dd16d5ca605cef9a902b70415b8eebe1f3a8
SHA256 b3a861f342249716395803ecbcdfe19f0a14c806976ee885d4c17a5c8ea2f05b
SHA512 ba4f3af035d74dda3d242bba75f65f4ea75aba41001c36517caab51ae2f885e22df69abde13731dd3159a930cd73684b69b07d76bad3bf81eecc3e04cd4b89ab

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 25273b5bc6fb4a5ec32fa83eba3694c7
SHA1 7392e9a71fbbdf28c388f086ab326509a6445bbc
SHA256 10de9fcaf29c11446320f0d35cb246367310196ee2fcced1a61c967e910e1282
SHA512 92dc494fd8c2ebe7448c21bd5c518c237387d774f09096839a19ad4d15a97ba21e0aa24bc1f7968deff2c262cb2d44ca87c7e49a3dc097062764933dc1e0ebcf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a9b3abdf53252d4569c4909ed2d1d97c
SHA1 da56e6eebc8bfaa2952e67eb63fcac98cc2a31f2
SHA256 d32dbfaae02d287dd652c1053933a9080196012da9a67bd018a0b0ee7bcc548a
SHA512 b5d50a12dda70ddd8f77cce3a785173b82dfe3e4d151db9a574e1ee45f422496689ffec18395731bbd10a60f1367aa7bc1009761296145c772553a4e5f29dd98

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 118c455ca176f1446cee83526c02cc94
SHA1 3c4d9676150414222922cf141993b45bcd9c26f7
SHA256 eb1d188dffab71b05217486993c41b782195ed8cd34982b27a4173bb46d9beed
SHA512 d0b416f18fced1aa0eab30a508b391074f7cf2dfd47d70308f3fa92e8c7c9b8888cdbd3caf93944985448b64b011b8821c40762f393200bdcc1f70868edf63f5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 36380db486273385178b2775dc45e4e4
SHA1 1bed8d4e8d63f28668f67ba30bf06b1c78d5ee03
SHA256 353b364faaa6e8a0f860579691f240818680474671c602bddfd6851d2f6152c2
SHA512 7c4ada944570c64c8d395947d607d5771f64b54b7148ad003410220d8f65456914cea1ff51fff02dadba44e7278b07b379a702be59b376b347e2d8dd6e728329

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0d8d0a9d36253e5870fdb83bdf41e5d0
SHA1 9f3013ad016f9bbfc7a850825c7f31986c7b4d4b
SHA256 bb039e0126f8b81923830cdc30cf3e74240b94e4ffc36c64d0252723e82dbfae
SHA512 0f45a638787e91a33bcf7b01ccffdf31ce86e5f805cc2a8a5beab1a99126b2e5dd46c05ac450148bf6f678e15fdfb9eb061afcbd44cc337e72c993e734a2b6c9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6c0c88262f3f124818ab130e1d84f8e7
SHA1 f00d5bbd5155977471d46cdd1b97b45ad5a095ff
SHA256 b4a8f91d44ed126a62021c84101d7715184ffa6a12f104f0894fcacf43c356c7
SHA512 e5de6bbcc3a81102544d8ba5ed9756c59ab285ae977055777a416c7485cde7681ae977467fba509242c9f174fd0dc249e67c2001248095e5790afba62797a57f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d37b36a5f219f97276f5587bc2e7f5cf
SHA1 5d8a5fd5ea0cc01adf3e63da69d63e57ffa02b6f
SHA256 7f103b8c471ccd0141a32c11f0e63fc556fb8fdc9145abfebbde78ebee5ff303
SHA512 16b9219025951fc751b7ba76e35e46dd4b8e62a3df0d94796c9bc5e8e144d279aaeada61e453afe71aa61c1c4818857a26c5de4f39fa1098d88e722b566cf340

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 407c24d0aaadc4121f34530d101858a3
SHA1 73865da00d4e629fb089d99fa1448f5ebdbf7950
SHA256 d84d668c0e2473b2d83643c8dcd4a6a213c9a3bd6844f00ceb7affac7fdc7116
SHA512 a8e65814c9e3c29a98446f297fb6e5e5f6402d7e8f1892e319a59058091b0d135210137d63b7a8e9f2af7177928ade5d5d0cb9b79b423bb9c91d2d291c485e90

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 28880813b00119362218c534e540b89c
SHA1 3447412e283c1d4612f3a697fc71093c862f938f
SHA256 6538a5c30467f6ae048709b9f7dda803f03a2a661a8e7f4cfc203f7f8d84271e
SHA512 44009b473705c8b1d44e3c95c1aaf71cb0cb3ec53a7714e7f2a1837b11fd7eb9aee6468730aec3b6d0ca38a196912f8deb42883eed6e72fd2eafee743f184721

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e1d6e499788fa5da668734d87d30bd51
SHA1 0d9063d9b579d421e0b0a384a66f37ea14428eb9
SHA256 b826ce9d7f5f324fb6d1ba93953ee77ff2200c620114ef42da6d1c988ac78b8f
SHA512 168c99ef72d4fccbb3f3e6d9563acbc038141ff7cf94643a4c97a856c3b80f6db3b5957c1b8069764c87afab6790602afc41545d6433e54373c356cd6589fa3d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3b63f2489a98cc26ca5622d17a345ef0
SHA1 6fd6a05955b6869d860a0f6b1547b246a5e8f363
SHA256 94cf736999b43ffd3bac00fc8683cd9f80d88a715b3c02197847a27193cf93ac
SHA512 9562aac80116c6d03237cf5eaa336fa22b143b53377914774ac0fa99ab2aa39e1de6521020f41df0aaae89008f4a6c404cc3b89483e01340f8159edae2bf7719