Analysis Overview
SHA256
20604f1b548043558e282ea1b410e8ee4ef4e1d3de204d0c6854217e0122c79f
Threat Level: Known bad
The file fed62f18b8f0aca58596014b4faf3270_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Modifies Installed Components in the registry
Adds policy Run key to start application
UPX packed file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Analysis: static1
Detonation Overview
Reported
2024-04-21 08:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 08:11
Reported
2024-04-21 08:13
Platform
win7-20240215-en
Max time kernel
109s
Max time network
113s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7} | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cbevn.exe | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1540 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\lshss.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\go1gab0f.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DAF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1DAE.tmp"
C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Roaming\lshss.exe
"C:\Users\Admin\AppData\Roaming\lshss.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe
"C:\Windows\system32\WinDir\Svchost.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 08:11
Reported
2024-04-21 08:13
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7} | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFY8J8CU-882J-26LS-MBE5-UC0UVIA8D1A7}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cbevn.exe | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4396 set thread context of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\lshss.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\lshss.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fed62f18b8f0aca58596014b4faf3270_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkbbbwqx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C70.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2C6F.tmp"
C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Roaming\lshss.exe
"C:\Users\Admin\AppData\Roaming\lshss.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe
"C:\Windows\system32\WinDir\Svchost.exe"
Network
Files
| SHA1 | 463d240d53d79ce1c241f493408ed0ac19389100 |
| SHA256 | eec5da5d6e3f866cc507faaf8636ab5f52db4f45305a15ff314ccad642f21323 |
| SHA512 | 945c24bdfa0439733327d48da2627ddb865f7c667a8cd8c77e78cc3e82a6157b228ffaa587746954b9d538d61823f3cb5b24f59af25daf2c71669698fd1e8986 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5fbe9076737c1bac5f76362cc960f99e |
| SHA1 | f4a23459eabe2d1a0b515670b779c9c7f3fad32d |
| SHA256 | be97aa6d7734771067ccdb756627fdbefbbd6d4f2ca8738e4c858f0191e54542 |
| SHA512 | b3a10609776a34a4194d8e8a992364853d4316433fce11419f0dd42a05c718f44973585153b149ca1a54ca81a98b9fd34fac7e6c7a19bf00d3274eeff9597ff0 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1be6508ff9d37173374d6d93c87b56aa |
| SHA1 | b1127cd8de3fb4eaa4d9b453bddcf60f0ca121be |
| SHA256 | 226d956b11a1c337b60a712cf0a0658b5580a04df23f2be0e874957ccea8126b |
| SHA512 | d12810f1a11678d10038c4216cdc4f250b2708b388c886aee4f03d84f202ccef8434d61066497ecb6123304f51725c20bf24a6fb9d3a1870d8add0a3ffa26753 |
memory/1176-1386-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 21904d1d53170b6e801d2941b54f1b0e |
| SHA1 | 401737632ad93739bbcc0d9734192fb89a712498 |
| SHA256 | 19c99fc2b1d034947c50a64e52dd1623796d05b6382c4ba72e175ae78db4fb19 |
| SHA512 | c32dfacc55d7fdcdf18cc2f0736574ef9529b7389b5ef76bac19e3045f596dc6dd1bbb0ab682f3b48c8b65502c9fdd0e60a2478b5a05849e137861f008ff6969 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7b0f8980804b99af82ed7176ca258ecf |
| SHA1 | fbf76dfa23828993b7ce05468934f9dee7cbe251 |
| SHA256 | ad457c080ac554cb2c8268b89910f047be8e6d3125754645d3c29510570f1f38 |
| SHA512 | a70f4639dd1fb5a8379548428c037745348f1d076121fe82e5f59f5ade830f878415ccc35bcf49ac9598bb3216774f4e2b171130dae387d61887f033bfc888da |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9c0d23239fefecfcf6490e79cc50c763 |
| SHA1 | ee341ace3f98f2f2fe12234d15cccdf32c7b0716 |
| SHA256 | d622c8d9e19e2bf618d5a0fbc5eb95f5da05f5d0c5b078108a107012f1b0de5d |
| SHA512 | ee965ae5d47a28b561a8b6bd38af2976933b8b68b4b661bd950137125d8938abe9d1664e69358388396f197cda2318bf273ceb2b21dbb3b25f7c2cf1cfa8b184 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8609cdfb2d18278e831155aefe7f0ec1 |
| SHA1 | f0a9cc3b78094fe521e6003c04a08750ce64f2eb |
| SHA256 | 35a41f08a409d3bb4fe46269084354675501a6fdb89844d3ccd8032c26593ec2 |
| SHA512 | 6699381d7820746e4bcb0e7dfac4672aefb87042334039f7680c3ee02d93ee6d8cc6ba778bf2379e8173f783be0b56a8336c00b66ae5a4c594b509351a49a27a |