Analysis Overview
SHA256
9f89c3e2d8ed39a274830170caa995e8fd1c6bdd0da459e56c4fcec4939fba9a
Threat Level: Known bad
The file 014a399b9e54f24e020e860257be4738_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
UPX packed file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-22 04:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 04:37
Reported
2024-06-22 04:39
Platform
win7-20231129-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8} | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8}\StubPath = "C:\\Windows\\system32\\boot\\rundll32.exe Restart" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8}\StubPath = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\boot\ | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2964 set thread context of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe |
| PID 2432 set thread context of 2192 | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Windows\SysWOW64\boot\rundll32.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\boot\rundll32.exe | "C:\Windows\system32\boot\rundll32.exe" |
| C:\Windows\SysWOW64\boot\rundll32.exe | C:\Windows\SysWOW64\boot\rundll32.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2972-2-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-19-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-20-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-18-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2972-14-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-21-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-12-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-10-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-6-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-8-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2972-4-0x0000000000400000-0x0000000000451000-memory.dmp
memory/1360-25-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/2972-24-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1668-268-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1668-270-0x0000000000120000-0x0000000000121000-memory.dmp
memory/1668-558-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\boot\rundll32.exe
| MD5 | 014a399b9e54f24e020e860257be4738 |
| SHA1 | a4a719a79c44c25f02f771e935930374e6d2b9a4 |
| SHA256 | 9f89c3e2d8ed39a274830170caa995e8fd1c6bdd0da459e56c4fcec4939fba9a |
| SHA512 | a738ef243ed1f8b6b3070b1849bc81d4a23798e79b24bf18f12b094fc5557ba000d3cc602f77627a316915500c493462488886f90e0a48fc631d72470b23be3a |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 9b1ad3060f18597cc360973bcd7a43fe |
| SHA1 | 341b0c19ab74ec996802033ca0af43c2db1f71f7 |
| SHA256 | c7ce1b23442e647ddb16e0ba93cdbd5b647a42da0e38d0dc675d9e4896954443 |
| SHA512 | 2b57a1b40683da4053f8369b878203e4e1b6b610af9b4c3b7df8fa651261edd6d60d3245fbfef20df5ee9ac6c986c3ec5f825b57dcf4e6cff2c0e494ca34737b |
memory/2972-890-0x0000000000400000-0x0000000000451000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e8e0278180e16f6f97af56e4597c2d4e |
| SHA1 | feaaaddbd8a3ac0a5254631c4476e1149f870ea1 |
| SHA256 | edba7237c0c2e62710ce0b894a9d7b557252679e87178d0804ad04831e3b9382 |
| SHA512 | d44ca6fb8523513dc7a68a725bffaa93c994c5a2434427c375abf111dc4e42b19a5281216728394a232d65285587376acbd7bf23ccbafcc74a486e0b3b188172 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | befa36c7bbf26c09d345f29544f588f2 |
| SHA1 | a0614998264428c7962e45bfc8bb0655fa9cf5af |
| SHA256 | b3556404ce52945f202ecd5c61f18c9bc92b48df824405838b617bd977461abc |
| SHA512 | bbdd9dd87d55dd5d64bc4e6b0671e21a62a5fe49df1f7ff906a11e16a4ea0c5b4edc71498a183a130b9c6ef93ece745b672ff7dc1e7f054291fd9931e61f6299 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a45b6f6a3d71c4c10cb07ac10e3e9a44 |
| SHA1 | 9874f7f3fcdba684e12dcb49fa6e6321c6c3504b |
| SHA256 | 06da4f52e0215d32aff8d39d61213d669c86458613726b14def3f47f00bc8198 |
| SHA512 | 4f488604e5a683ca6fb18be9724cfa0cc8b3c7a9e5a902eff5714feeeb203a63416c1cbc09bc78b7998818cbdbd74115e3d5502adb1d65b2dbd44af4197957bf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dc9c5c5ee8b3d4bff9c8b919aaaffeb6 |
| SHA1 | 999198399faff0c86ced557bdb2d8cbfb8c36225 |
| SHA256 | e9d0e657ff033df53a993f69f303ba1692f56429cdd45469fa0049c0426eec06 |
| SHA512 | 6c16e721e84a50f06edf908c25699485c3b00352c6d6cc463866be8a6de5b1a4f4f9b956b95fb145a37641c4a9d2b6d4ae1067588ad40850a0315d235bc42fef |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 00dae364a1b8cdb284f90cb100333ff9 |
| SHA1 | d441fa5cfa4b7cf0f97b62d3f36cdf48f4e7c553 |
| SHA256 | e102da072fc8904adb8b7386a86807492b0ec5508b225e9fe3235e7d5dd525fb |
| SHA512 | 550a7d2b95e71eb90b8e5e70967531e819e7fc75a03f07d3e135bf0ba4732c5f61ef0a018f9225915139438b60e4bfbb721aedc6f29a6bbb98caea94f4d252ba |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0440db197b08b17c9949c9c12106e29a |
| SHA1 | 52ba74ff96b926bf3a810a0b389c2d614c9c1223 |
| SHA256 | 66dc088a9b1a07378a66523d6cc718bd5640537774b4f9e9feaf560b0279ff87 |
| SHA512 | 866e623951ae09b14a81e9d3ba5054e64c5712ba6f8abc71d2d2c5e7197e1227b5908e3531e2599deaf39194b4be3cf46227921e1a65b5f62090b12920b59f32 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c4cb083f41e9cff14d708965fd21d0b7 |
| SHA1 | 198fb0bef34734a7c885113f90287874b1af0a2f |
| SHA256 | bc8c381b3aadd0d2ca05f68b494635669f11a00f7a8d4185f564bf2480650c4b |
| SHA512 | 2bc8abd7a487521ad25ef1863aaa6689e7c7d15a088f5aac522ea6161c43973148b62786b77a535c08dd6dbc167c17f2f31d16799bd1bb1dc56dd0e95db930b8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e6c20c5c5a96d9247d3f5b659bab3ef8 |
| SHA1 | 2ed60feb6f710b91953a51633a1423933e59bb70 |
| SHA256 | eecdcc79be187be7e7fde8e98fc52be9807d6535edc28069db128c56cfb373ee |
| SHA512 | 09eb9bceeb4bf46aa99efe1c7614968aa2c1e5ae1d635db1fc3d8117d002611f552a77ba1a1a74a069f6b7af6af3da3e7b2858a627c9d9a4853c63d789e7a64d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d82319d8f3f6d4e6594ff41fd059c8fb |
| SHA1 | 1d2932d534ae8a6945d3aab5fafd1381fec4b78b |
| SHA256 | d7a9099f1d2349e6a6fb11d348b8edee25a4e977464cebdfbcaea415802259c1 |
| SHA512 | d9281e5d3421d5c0ce972a70dc50a77f1c505d11c0ce422b3a371d3c357dc6d5e39aa32e4e420b5ca3017ff94acad7a7356ab43c4bad0ebc1203d51b970f5363 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ce3f8076fa52e81b48ac7b09ac68c452 |
| SHA1 | 4c3d631e1f9ad019206be6b54ff295e380e42643 |
| SHA256 | 33f48e9b99b58c69d3c8e6c23742524ea618567f093079a2ef96982fd7a15f70 |
| SHA512 | cd871159e7ab830ec90277572eeb62e6c53fbd5987ad1bd9f7deb4d23012a1063c3e7922ce3f45d0ffdc34d59371420d5388442797a32ab34e58cd4e6c343a9b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dc43e8b328fc0efbd675d0bdef36e175 |
| SHA1 | 44f249892fa4fe8a83ceec9f36082d6b1c86e3ad |
| SHA256 | 0a993df1143c74ca40fc59dd7e38453e25625e4bddea9e741bfb2e45377ed68c |
| SHA512 | 1fc1469a069130aa659f635a4df41bcbaa59e427bcc8631f1fe378354ebb92d4e4caed2f115e9a13e267ff34f14fcd97cc90816989602f678299896788689426 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0abb00e5dbecd38bb2650af7e599e52b |
| SHA1 | 15c8f0c28945b9bf60d0d33044a247e1dac3fb6b |
| SHA256 | 76882558bcadde43d1c7f5816acefb822d194fa14ac139330ae4bf828defb631 |
| SHA512 | 999eb10d6095339682741a91d614261123fb4c5e6056cb9edade540b6406e4bffc8a4be0481075fbc59783d2a0f7624ee68d43260bda48ad4019a023223e0d05 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 23486c316c9a95b3bfe99fbfbf21d6bb |
| SHA1 | 0a54631dac3db199b218f01ad6ecb61c9e5a7b84 |
| SHA256 | cadd8254f2bbeb754f3d2fe3ffce78840aa733e855a0b644eb06d93cefa0f29d |
| SHA512 | 37d1bd2690222936dedf831f77569570b29b5b20b14ebaf73d60739588b9cf61f0dccb3e5ca3122b27676bedc2314adc68e31ef999ec9151a56c81dc0b72cf27 |
memory/1668-1663-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ba285d2c807e83072b8fe1132974c862 |
| SHA1 | 7573f74f57129706b3c89964b8afa698264b5a1c |
| SHA256 | dc66df6ea61f1aec129d5492c5384c647aff6384fe2cb757d4f068b12693ca57 |
| SHA512 | 72a716269574c4ee1953490400f2b0231167a7b7ad676d6e30bd20f50576ca808f0c66680689b43668c15bb976480aaf4d8e1e2cf4ae84f47f1cb8157ac3f33e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e2e0640fa1f17abff33b4b9986325554 |
| SHA1 | 90060b9f31c5b4a1c1a4222169a81452e8e51af8 |
| SHA256 | bfacdeb44caaee1c7cb9bb6184b89fb73eaa57a9ce1fde5058c65ede3135d5c0 |
| SHA512 | 6e1d26e64f32c917cb7aa64bb3ab45b2ed2210f60fcc5ca649738be92575e37c1ccc539e04d15582e2a1eeebdfdbc3288919e91998668082e6c132a9812f1821 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c50063725bbf0b47a855d40ac15de4a6 |
| SHA1 | 5d7fda2454cd7f72c318b07a0cc961012dbafba2 |
| SHA256 | ebaaa5ad54bb57b8471318dd62d533bc93fa96ced6292a5fb2448378c9caea01 |
| SHA512 | 08913e12762b6de5c8cbfcec7b5a9a799d0b5f3328f6614f904f8bca92ad30f2811b1734c379810a122dc267e38011fd2fe9563f02d234892ae6fb7a24b3d6cf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 169f819f1537922148c384afb7fa8f2d |
| SHA1 | d17bf35b04e79056e91d9aed6abadd8e593bf163 |
| SHA256 | 74d24a06a20eaab3a717da60e0ce21f54dc0ab42276e05a730113f500ef87bf8 |
| SHA512 | bc31589f32d76c632ee7b1be2fa631436dd27285ffdd76f46421068e5ca99b1ac94e083a388202dd9e81c63b8a5b7e672eb10ded8ae735b5e560d4d00f9e4cf8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 71cc940d0be434d973bc8850a29852d4 |
| SHA1 | 2be17437cdd010a4ebbdad023c54396490d3ea56 |
| SHA256 | bd1204e147deb846960eec8ee42b7637138edea3ddd20b0186802bf036418f16 |
| SHA512 | fd76800d065cef53f7543ffbc77bd983587f9408612350f6b0d431e4e6576629fe0de9a879ca3e57a83f7dcb7afe6c2fd9fbe747a00481786278e85a5f2961e7 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6b3038de4b799174161a8561ab3f06e0 |
| SHA1 | 8826d56f60bcdf4730d5aa209d03feafa65b65a9 |
| SHA256 | c434a324f5f392e727828a889c114fbac760c4d9d9f950e72eacbf63f808c855 |
| SHA512 | d417b2a8201d525a194d692ca18583888e5fbc84ef957b3f9bfe3928bb31d27f7770671e072dd382fa77626bc058011baa3e8c5c525284ecb3a9433c55a11fa6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 04:37
Reported
2024-06-22 04:39
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8}\StubPath = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8} | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8}\StubPath = "C:\\Windows\\system32\\boot\\rundll32.exe Restart" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N483N47O-F4Y2-J73W-3334-7V7PL0WD18H8} | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\boot\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\boot\ | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5044 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe |
| PID 3564 set thread context of 1924 | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | C:\Windows\SysWOW64\boot\rundll32.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\boot\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\boot\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\014a399b9e54f24e020e860257be4738_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\boot\rundll32.exe | "C:\Windows\system32\boot\rundll32.exe" |
| C:\Windows\SysWOW64\boot\rundll32.exe | C:\Windows\SysWOW64\boot\rundll32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1924 -ip 1924 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 708 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/5056-4-0x0000000000400000-0x0000000000451000-memory.dmp
memory/5056-5-0x0000000000400000-0x0000000000451000-memory.dmp
memory/5056-3-0x0000000000400000-0x0000000000451000-memory.dmp
memory/5056-2-0x0000000000400000-0x0000000000451000-memory.dmp
memory/5056-9-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2376-13-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
memory/2376-14-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/5056-70-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/2376-74-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 9b1ad3060f18597cc360973bcd7a43fe |
| SHA1 | 341b0c19ab74ec996802033ca0af43c2db1f71f7 |
| SHA256 | c7ce1b23442e647ddb16e0ba93cdbd5b647a42da0e38d0dc675d9e4896954443 |
| SHA512 | 2b57a1b40683da4053f8369b878203e4e1b6b610af9b4c3b7df8fa651261edd6d60d3245fbfef20df5ee9ac6c986c3ec5f825b57dcf4e6cff2c0e494ca34737b |
C:\Windows\SysWOW64\boot\rundll32.exe
| MD5 | 014a399b9e54f24e020e860257be4738 |
| SHA1 | a4a719a79c44c25f02f771e935930374e6d2b9a4 |
| SHA256 | 9f89c3e2d8ed39a274830170caa995e8fd1c6bdd0da459e56c4fcec4939fba9a |
| SHA512 | a738ef243ed1f8b6b3070b1849bc81d4a23798e79b24bf18f12b094fc5557ba000d3cc602f77627a316915500c493462488886f90e0a48fc631d72470b23be3a |
memory/5056-145-0x0000000000400000-0x0000000000451000-memory.dmp
memory/4428-146-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a45b6f6a3d71c4c10cb07ac10e3e9a44 |
| SHA1 | 9874f7f3fcdba684e12dcb49fa6e6321c6c3504b |
| SHA256 | 06da4f52e0215d32aff8d39d61213d669c86458613726b14def3f47f00bc8198 |
| SHA512 | 4f488604e5a683ca6fb18be9724cfa0cc8b3c7a9e5a902eff5714feeeb203a63416c1cbc09bc78b7998818cbdbd74115e3d5502adb1d65b2dbd44af4197957bf |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dc9c5c5ee8b3d4bff9c8b919aaaffeb6 |
| SHA1 | 999198399faff0c86ced557bdb2d8cbfb8c36225 |
| SHA256 | e9d0e657ff033df53a993f69f303ba1692f56429cdd45469fa0049c0426eec06 |
| SHA512 | 6c16e721e84a50f06edf908c25699485c3b00352c6d6cc463866be8a6de5b1a4f4f9b956b95fb145a37641c4a9d2b6d4ae1067588ad40850a0315d235bc42fef |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 00dae364a1b8cdb284f90cb100333ff9 |
| SHA1 | d441fa5cfa4b7cf0f97b62d3f36cdf48f4e7c553 |
| SHA256 | e102da072fc8904adb8b7386a86807492b0ec5508b225e9fe3235e7d5dd525fb |
| SHA512 | 550a7d2b95e71eb90b8e5e70967531e819e7fc75a03f07d3e135bf0ba4732c5f61ef0a018f9225915139438b60e4bfbb721aedc6f29a6bbb98caea94f4d252ba |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0440db197b08b17c9949c9c12106e29a |
| SHA1 | 52ba74ff96b926bf3a810a0b389c2d614c9c1223 |
| SHA256 | 66dc088a9b1a07378a66523d6cc718bd5640537774b4f9e9feaf560b0279ff87 |
| SHA512 | 866e623951ae09b14a81e9d3ba5054e64c5712ba6f8abc71d2d2c5e7197e1227b5908e3531e2599deaf39194b4be3cf46227921e1a65b5f62090b12920b59f32 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c4cb083f41e9cff14d708965fd21d0b7 |
| SHA1 | 198fb0bef34734a7c885113f90287874b1af0a2f |
| SHA256 | bc8c381b3aadd0d2ca05f68b494635669f11a00f7a8d4185f564bf2480650c4b |
| SHA512 | 2bc8abd7a487521ad25ef1863aaa6689e7c7d15a088f5aac522ea6161c43973148b62786b77a535c08dd6dbc167c17f2f31d16799bd1bb1dc56dd0e95db930b8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e6c20c5c5a96d9247d3f5b659bab3ef8 |
| SHA1 | 2ed60feb6f710b91953a51633a1423933e59bb70 |
| SHA256 | eecdcc79be187be7e7fde8e98fc52be9807d6535edc28069db128c56cfb373ee |
| SHA512 | 09eb9bceeb4bf46aa99efe1c7614968aa2c1e5ae1d635db1fc3d8117d002611f552a77ba1a1a74a069f6b7af6af3da3e7b2858a627c9d9a4853c63d789e7a64d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d82319d8f3f6d4e6594ff41fd059c8fb |
| SHA1 | 1d2932d534ae8a6945d3aab5fafd1381fec4b78b |
| SHA256 | d7a9099f1d2349e6a6fb11d348b8edee25a4e977464cebdfbcaea415802259c1 |
| SHA512 | d9281e5d3421d5c0ce972a70dc50a77f1c505d11c0ce422b3a371d3c357dc6d5e39aa32e4e420b5ca3017ff94acad7a7356ab43c4bad0ebc1203d51b970f5363 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ce3f8076fa52e81b48ac7b09ac68c452 |
| SHA1 | 4c3d631e1f9ad019206be6b54ff295e380e42643 |
| SHA256 | 33f48e9b99b58c69d3c8e6c23742524ea618567f093079a2ef96982fd7a15f70 |
| SHA512 | cd871159e7ab830ec90277572eeb62e6c53fbd5987ad1bd9f7deb4d23012a1063c3e7922ce3f45d0ffdc34d59371420d5388442797a32ab34e58cd4e6c343a9b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | dc43e8b328fc0efbd675d0bdef36e175 |
| SHA1 | 44f249892fa4fe8a83ceec9f36082d6b1c86e3ad |
| SHA256 | 0a993df1143c74ca40fc59dd7e38453e25625e4bddea9e741bfb2e45377ed68c |
| SHA512 | 1fc1469a069130aa659f635a4df41bcbaa59e427bcc8631f1fe378354ebb92d4e4caed2f115e9a13e267ff34f14fcd97cc90816989602f678299896788689426 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0abb00e5dbecd38bb2650af7e599e52b |
| SHA1 | 15c8f0c28945b9bf60d0d33044a247e1dac3fb6b |
| SHA256 | 76882558bcadde43d1c7f5816acefb822d194fa14ac139330ae4bf828defb631 |
| SHA512 | 999eb10d6095339682741a91d614261123fb4c5e6056cb9edade540b6406e4bffc8a4be0481075fbc59783d2a0f7624ee68d43260bda48ad4019a023223e0d05 |
memory/2376-994-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 23486c316c9a95b3bfe99fbfbf21d6bb |
| SHA1 | 0a54631dac3db199b218f01ad6ecb61c9e5a7b84 |
| SHA256 | cadd8254f2bbeb754f3d2fe3ffce78840aa733e855a0b644eb06d93cefa0f29d |
| SHA512 | 37d1bd2690222936dedf831f77569570b29b5b20b14ebaf73d60739588b9cf61f0dccb3e5ca3122b27676bedc2314adc68e31ef999ec9151a56c81dc0b72cf27 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ba285d2c807e83072b8fe1132974c862 |
| SHA1 | 7573f74f57129706b3c89964b8afa698264b5a1c |
| SHA256 | dc66df6ea61f1aec129d5492c5384c647aff6384fe2cb757d4f068b12693ca57 |
| SHA512 | 72a716269574c4ee1953490400f2b0231167a7b7ad676d6e30bd20f50576ca808f0c66680689b43668c15bb976480aaf4d8e1e2cf4ae84f47f1cb8157ac3f33e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e2e0640fa1f17abff33b4b9986325554 |
| SHA1 | 90060b9f31c5b4a1c1a4222169a81452e8e51af8 |
| SHA256 | bfacdeb44caaee1c7cb9bb6184b89fb73eaa57a9ce1fde5058c65ede3135d5c0 |
| SHA512 | 6e1d26e64f32c917cb7aa64bb3ab45b2ed2210f60fcc5ca649738be92575e37c1ccc539e04d15582e2a1eeebdfdbc3288919e91998668082e6c132a9812f1821 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c50063725bbf0b47a855d40ac15de4a6 |
| SHA1 | 5d7fda2454cd7f72c318b07a0cc961012dbafba2 |
| SHA256 | ebaaa5ad54bb57b8471318dd62d533bc93fa96ced6292a5fb2448378c9caea01 |
| SHA512 | 08913e12762b6de5c8cbfcec7b5a9a799d0b5f3328f6614f904f8bca92ad30f2811b1734c379810a122dc267e38011fd2fe9563f02d234892ae6fb7a24b3d6cf |
memory/4428-1448-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 169f819f1537922148c384afb7fa8f2d |
| SHA1 | d17bf35b04e79056e91d9aed6abadd8e593bf163 |
| SHA256 | 74d24a06a20eaab3a717da60e0ce21f54dc0ab42276e05a730113f500ef87bf8 |
| SHA512 | bc31589f32d76c632ee7b1be2fa631436dd27285ffdd76f46421068e5ca99b1ac94e083a388202dd9e81c63b8a5b7e672eb10ded8ae735b5e560d4d00f9e4cf8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 71cc940d0be434d973bc8850a29852d4 |
| SHA1 | 2be17437cdd010a4ebbdad023c54396490d3ea56 |
| SHA256 | bd1204e147deb846960eec8ee42b7637138edea3ddd20b0186802bf036418f16 |
| SHA512 | fd76800d065cef53f7543ffbc77bd983587f9408612350f6b0d431e4e6576629fe0de9a879ca3e57a83f7dcb7afe6c2fd9fbe747a00481786278e85a5f2961e7 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6b3038de4b799174161a8561ab3f06e0 |
| SHA1 | 8826d56f60bcdf4730d5aa209d03feafa65b65a9 |
| SHA256 | c434a324f5f392e727828a889c114fbac760c4d9d9f950e72eacbf63f808c855 |
| SHA512 | d417b2a8201d525a194d692ca18583888e5fbc84ef957b3f9bfe3928bb31d27f7770671e072dd382fa77626bc058011baa3e8c5c525284ecb3a9433c55a11fa6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fa8d9658c28117e3c2c9e46b1b52c290 |
| SHA1 | fbdc3486881dc25983dd0dfd4f7850154fbbbea9 |
| SHA256 | ae95de7eef4858d83a4394a858bdd4d78b805f611d2f88a15d1312f95082d86e |
| SHA512 | 7df0013ca56a94602559b08cdbc954c7d1ea24b3188b3d066fbab03e1c523e7256dab37d59950a25b2ee198aa76a741b442771a8b5fd8f464df14153b4c08bb0 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cfae4d19d19b8b967554385795abdab1 |
| SHA1 | e2bfb473e37218d7c5041433d90fa2e8a85a9072 |
| SHA256 | 540e547cdf6bd4195255004910a23dab61b78b196e08ed0ae5e84185267aa966 |
| SHA512 | 1437c90223b60a98dc4cfb4f27ba7dddc84d8231b7897b8f41b4f33ba7fe0644be95afc958a0ef3fb1a12bab1b6f0dba9dece10e672e00d58699226a97a1743f |