Analysis Overview
SHA256
a17cdb385a0c1cc143f022259811ed01c01755a11728cdeb29908411dcd0d514
Threat Level: Known bad
The file 11d0567ff68877be29309b3f08ea096a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Uses the VBS compiler for execution
Executes dropped EXE
UPX packed file
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2024-06-26 11:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 11:18
Reported
2024-06-26 11:21
Platform
win7-20231129-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C}\StubPath = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C}\StubPath = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rqHLNFetlWEGbE\\IWgBPCoPlkNtLx\\4.17.46.9205\\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsKB4772395\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
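The policy Run key, Active Setup StubPath, Run key and System32 drop signatures above all point at the same image, a svchost.exe copied into a WindowsKB4772395 subfolder. The Python below is an added example, not part of the sandbox report or its tooling: it parses "Set value" rows in the table format this report uses (the rows are copied from the behavioral1 tables above as constructed input), normalizes the kernel registry paths to the HKLM/HKU names an analyst hunts with, maps each entry to its ATT&CK sub-technique, and flags an autostart whose image is a svchost.exe outside System32/SysWOW64, lives under the user profile, or sits in Policies\Explorer\Run. The technique IDs, the legitimate-svchost set and the heuristics are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: "Key created" / "Set value" rows copied from the behavioral1
# signature tables of this report. The parser is an added example, not the
# sandbox's own code.
SAMPLE_ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C}\StubPath = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C}\StubPath = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rqHLNFetlWEGbE\\IWgBPCoPlkNtLx\\4.17.46.9205\\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe | N/A |',
]

# Matches only "Set value (str)" rows: key\name = "data" | writing process |
SET_VALUE_RE = re.compile(
    r'^\|\s*Set value \(str\)\s*\|\s*(?P<fullkey>\\REGISTRY\\[^=|]+?)\s*=\s*"(?P<data>[^"]*)"\s*\|\s*(?P<proc>[^|]+?)\s*\|'
)

# Assumption of this example: the only legitimate on-disk svchost.exe images.
LEGIT_SVCHOST = {r'c:\windows\system32\svchost.exe', r'c:\windows\syswow64\svchost.exe'}


@dataclass
class Autostart:
    key: str          # normalized key, e.g. HKLM\SOFTWARE\...\CurrentVersion\Run
    value_name: str
    image: str        # executable the entry launches, backslashes unescaped
    args: str
    writer: str       # process that wrote the value
    technique: str    # ATT&CK sub-technique (mapping is this example's assumption)
    reasons: Tuple[str, ...]


def normalize_hive(path: str) -> str:
    """Turn the kernel object path the sandbox logs into the hive names regedit shows."""
    path = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)
    return re.sub(r'^\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\', r'HKU\\\1\\', path, flags=re.I)


def split_command(data: str) -> Tuple[str, str]:
    """Unescape the doubled backslashes and split 'image args' at the first '.exe'."""
    data = data.replace('\\\\', '\\').strip().strip('"')
    m = re.match(r'^(?P<image>.*?\.exe)(?:\s+(?P<args>.*))?$', data, flags=re.I)
    return (m.group('image'), m.group('args') or '') if m else (data, '')


def classify(key: str) -> str:
    k = key.lower()
    if r'\active setup\installed components' in k:
        return 'T1547.014'  # Boot or Logon Autostart Execution: Active Setup
    if r'\currentversion\run' in k or r'\policies\explorer\run' in k:
        return 'T1547.001'  # Registry Run Keys / Startup Folder
    return 'unknown'


def is_masqueraded_svchost(image: str) -> bool:
    """A file named svchost.exe that is not one of the two real binaries."""
    p = image.lower()
    return p.rsplit('\\', 1)[-1] == 'svchost.exe' and p not in LEGIT_SVCHOST


def judge(key: str, image: str) -> Tuple[str, ...]:
    reasons = []
    if is_masqueraded_svchost(image):
        reasons.append('svchost.exe outside System32/SysWOW64')
    if '\\appdata\\' in image.lower():
        reasons.append('autostart image lives in the user profile')
    if key.lower().endswith(r'\policies\explorer\run'):
        reasons.append('Policies\\Explorer\\Run is rarely populated by legitimate software')
    return tuple(reasons)


def parse_row(row: str) -> Optional[Autostart]:
    m = SET_VALUE_RE.match(row)
    if not m:
        return None  # "Key created" rows carry no target path
    key, _, name = m.group('fullkey').rpartition('\\')
    key = normalize_hive(key)
    image, args = split_command(m.group('data'))
    return Autostart(key, name, image, args, m.group('proc').strip(), classify(key), judge(key, image))


def autostarts(rows) -> List[Autostart]:
    return [a for a in map(parse_row, rows) if a is not None]


def suspicious(rows) -> List[Autostart]:
    return [a for a in autostarts(rows) if a.reasons]


if __name__ == '__main__':
    for a in suspicious(SAMPLE_ROWS):
        print(f'{a.technique} {a.key}\\{a.value_name} -> {a.image} {a.args}'.rstrip())
        print('    written by', a.writer, '|', '; '.join(a.reasons))
```

When hunting for this on a host, check both spellings of the drop path: the registry data says `C:\Windows\system32\WindowsKB4772395\svchost.exe`, but the file was created under `C:\Windows\SysWOW64\WindowsKB4772395\` because the 32-bit vbc.exe that wrote it is subject to WOW64 file system redirection.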
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2136 set thread context of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | "C:\Windows\system32\WindowsKB4772395\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2136-0-0x0000000074F01000-0x0000000074F02000-memory.dmp
memory/2136-1-0x0000000074F00000-0x00000000754AB000-memory.dmp
memory/2136-2-0x0000000074F00000-0x00000000754AB000-memory.dmp
memory/3004-3-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-4-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-5-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-7-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-9-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-10-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-11-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3004-14-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-15-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-19-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3004-22-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1368-23-0x0000000002B20000-0x0000000002B21000-memory.dmp
memory/576-268-0x0000000000120000-0x0000000000121000-memory.dmp
memory/576-267-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/576-553-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | fa7240892636a9a29f289f904913253e |
| SHA1 | 4f684e100fda8322a5a7390ee01dfadba87225ea |
| SHA256 | 602448f2942dc0396f3f5d19c20d11b680bc4fde3955d879af70130411aa5a04 |
| SHA512 | efa527b058401a89ce108f6566d30efbfc7bf02807c4a166a77a7f371137c12189fe10a698652892dcc167aa546abffa2c2a6881d65a6719e2f82dec2362baaf |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/2136-905-0x0000000074F00000-0x00000000754AB000-memory.dmp
memory/2136-907-0x0000000074F00000-0x00000000754AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 17a86ba226d79bf298e9d32a451fd69a |
| SHA1 | 8047ec3de00415ec2bf4ab8ad6306dde2b8d4ffc |
| SHA256 | c01c4067b7707c159ea9eea5f3e2693e92d18b3d21e946a1b442272516353636 |
| SHA512 | b309f0c2c477163d1226dd9ea7de5af7e7d5fb537076e5f4a973490cfb989996b2eca3b4642e7275ff3c3397340c4d5eb1af83179063b722cc2407294e0c8c5d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2a250f9c198fb066eed8b33017d53e94 |
| SHA1 | d39e97bf547a17ab9f4983826edf2c50fcc9380e |
| SHA256 | 5094da5a859530fbdec55288666995f30d4bde31d169c5d01fe57bb192f484c8 |
| SHA512 | 7d65b0bb2199bc1f31789b545524615717e5dbffc3865b7aa85c3e1ab11cba5fb240efbec4b38ab4a5494b8bb43286c8f09b15f529ed2a383b053db35264b651 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d26677d2459a010b34dcf8bcb7b368af |
| SHA1 | 08ddf5ea85701b7eebf828ae01959a3d8e6332df |
| SHA256 | dc26c8af7d06bddf08d88aee267d8d1d84a6121bcf44eae9fd37ca3dbe57c6ef |
| SHA512 | f1065ff0da4d672b61a13bbde256d6aa76afa34ea4d1f54e1d822c87f8be12680cc6bc73fce1fbce1226dd940f860b1f41e3971fdefcf6240facc565bb0e10a8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5530a85f259994112a033a383de8255e |
| SHA1 | 008ba45224a2c087e774a25194e9800d9f99676f |
| SHA256 | 070923ed9efab09570683d50cf4177cda4f87bba69bc03803e7d1da3ff6dcc76 |
| SHA512 | a284e9abb4d451ec3b8f71435afbc393860b9c45d393b7d20b788a8d467e188337f47e8f2f3cc48f0585aa93ee89f6a60110ec22e84418ee9ba32d32d0e10f16 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a85a22cde745bb6479d4534f2ac695a9 |
| SHA1 | 6266fa418d9e91d2ee8c7e08b6d9787a44a677ac |
| SHA256 | 451309f8b0bf7464bbc78ed55eab305ed91cefad2ea303fbe5c3f8446cce0a00 |
| SHA512 | 69b6154b2dc765fa1f68497092eb1b424d5606449eac0d919265f11d11d21ccecfc61686f90d979f5ff594cdd4eabf212b05e14fab09a2f675352af0021f6173 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5a7dc6efd816993a6ec113d2f81f5bd8 |
| SHA1 | 0a4ef828261d1bed0d307aaa1acaf621a8be6e9c |
| SHA256 | 2cce71d002aecd64672845ffa7674319f116a3203331444194b9909632a27c24 |
| SHA512 | 5608b7f3839492ee8db5db98d5206c17e5393354ed7dc8de87312c7a57eb7267c5230ad79136d86792463043cdabde70b27ca0a67ae5459874f8179926c4d599 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e372cace48b0a55bc9a48be1cb985b8d |
| SHA1 | cfc564319b9a7852d69e3557cc3260155169f651 |
| SHA256 | 65adc6c74b14c63004f483f53a951cf19794b3db6e9407e98a8c14422241908c |
| SHA512 | abc5401dcfb4249355d9cdff9cfb7ad27335d178ebf202148791cd801308073e4c80dc4b7312ab5a6ebfc0d47f0d0faffd37bdd8c9b1a2df35a1ae649e867bb9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7cc39555fb6df83723e62d3538f37f02 |
| SHA1 | bc31ef0f0ad100b9b897a4a3e54533424c0832ca |
| SHA256 | b4d0934d5ef30baea2ea817d1c7879813f01b53c98060512923c0c6afc2769dd |
| SHA512 | 6a5c415eed904e916e78be1f1a4a0d43dabb4662b60acf56ba67af46d04dfbc3cf753aabe678f6944709dbb6adf247ebee1ecaedce2987da0dd9c760c84c0229 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9d4fe554e42dacbf9f50e88bc9420ad2 |
| SHA1 | aa6c231f8d742326716da40b17402b5b49d5c254 |
| SHA256 | 5ce4825fd16974ac3de9f8bfac11f77c0930ff25863b1b272ee496e4639e6c1e |
| SHA512 | 473fce76018cabc21d3fa46954e030122759f7790de4eb3d6ea9e0319bc7d48d8bddcc2e44592791b5ce90728b41e8fdd852cd3f97f2128061841d6982ad9b89 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 910d343a21fbde540033fb34eb5ea82d |
| SHA1 | ae1b21ab65daa5a853c1e1f024c4356bbe760d9f |
| SHA256 | d039ade81cba3334fafdb47351458095ba33e83b38851fb5f1c79cb00d706d01 |
| SHA512 | 0eab93eb5fb0e4f4f5d94c3b6c05c1d94179c669e67161d15cad42790c8dbe628e55d2d0d9916e86c1fe4e87f522b2da9aa51d19082929a8c74a00cefb88dbfa |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 627eaef3b9854f99b0e6f077d7068726 |
| SHA1 | 48665a6e26b9980283c94bb9a2084b7dbd95114d |
| SHA256 | db226a2744b79cad30f25c3d629fa8dd08074208b98ece7d6cf0c99590693df9 |
| SHA512 | 6c3bdc4da60fa2cf37ac9e9e52e2a09719374748d82121fa768268766381e158f66212d88748b70cc45b7202501e51665a0795cbe222c3fef4e740c5b69d4197 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 10912be97c7d3488f28e9401aed2029a |
| SHA1 | d1b049e63b230725ec68988f915248c59db86807 |
| SHA256 | 001de748094d840830c4b9c4bbc7e69e67244e255d76144a87c49dcb2747b240 |
| SHA512 | 5c9bc7b3eab25e408fb37aff0f7c1585566fcccef1f19d96d2342bb26e95b1a4e518369753216f64a5270249e809354dfc959192b34fc9f6c9c18dc60989716d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cc8cebe69fb2ddbb87259802bd699bd6 |
| SHA1 | 1813b5f4fe81c3d536edcdce900f2eb33c1ac964 |
| SHA256 | ce33e53fe3dd8adc95352ff5a2d4c8dac282ae88cacb62aa81050502b36067b9 |
| SHA512 | a007ebafdb172da9c19fa50951b78f418b690dfc1fbd692b9d44c0c6a9df3c07648c7c3f2e09ee6c0595d3200cbed25fc6b0e7c2ae5509c78c1db7ea2eec1886 |
memory/576-1510-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f850ea731af6d735367a028fa8e0fae8 |
| SHA1 | aa7e1e2e57d3ca40afc29848a47a50d3788b0e32 |
| SHA256 | 5a6f844b284edd3706578044c5ba7341c4a6c9e8378dae8f93cec0419ac631f7 |
| SHA512 | a30ac5e4e8520a996104d912e9f0841b9d77bd466849d36c37524c02b843c3e3efc509c03654f1fb607f6ed0c5bd5260fe15478e17fcf9702411234155da2501 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c65a5498e46884438ca69000d8b85901 |
| SHA1 | 2d5d40c74f34a12f07f7607e6bf7b92892ea6c1e |
| SHA256 | a0372f1664e01707880d035f09ad80502d17a36f2dee3bc557ffc0411e17340b |
| SHA512 | d23a9a3bca5d7a170e5f32e9b77afbaafec1e532f628faa2050d571d57c1c3b284f1318542e37743b2ca0a9314c08e62d66eb305a1a0dcf3d04db0bc82addf89 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cbe60344358e283fd60b792a90737f4a |
| SHA1 | 082be74c4b2670ae1e4bcf3e99c8378a3859a74d |
| SHA256 | 49637b1ea8bf2fd5638be8b10e0dccf5df6b3778ad629c42079b2e10f1e23289 |
| SHA512 | f7920c47a6eb269a0b0ed91d6a882a42f2e4b40cc2867de30e9a79371e739896b77405a4b76ab7dbc35a55918d2c1ab7ab098d859c76d4a756ef7361c6fe516a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5daa73e423b59cfad46134603befa6a4 |
| SHA1 | 8511d43834ec8f2fdfed46ebf5520c1120d05132 |
| SHA256 | d63abf34cc634d50101ca4210a2d666faf6145dff1cfcf84c13dbbfd4cc63307 |
| SHA512 | 2f90e0ca6f9fb64e2913b6b4314f1a52bac5e2a1cb39c95938cbb6a142d2c6860ffe6fbb5048bc7ac6804b51afcbb73a0a29b13958f962c3541fadc5cc3db8ec |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c6a8f6b8e4e3e9606fa66aff8ead5298 |
| SHA1 | 3f7330b7628acdd57bcd3b9431d79824746dbdd3 |
| SHA256 | bca89483bc1bbb6843314886ba86f5bac62e671355e812fa515aff40273ef1c2 |
| SHA512 | ea5260e47e3dbbb05702be186a51211d88142fae369bc485ad034982554c75d07c27460f91f6d2b1ad8e946d899aaf9498e8cd906a39329fd2a5d609425b277e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | eed50bbba6bbc3e2a73d67f001abdc5b |
| SHA1 | b1bd521f04917282054d9280b586481c9cdecab3 |
| SHA256 | 4ac7a64f551a9db6819f71e7191600a33fa7dbbf611603fad0065cef81ed35b5 |
| SHA512 | 0934ea6b3d4aa29a8e2cd34b32c70636778ee654ae4d4560a1596d1d3407af99c3b30467cc747a9e72df3ee8b97655ff0a12d9b9a241e72c78d8481626ea3c9f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 11:18
Reported
2024-06-26 11:21
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C}\StubPath = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe Restart" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W121SN5F-H0BT-3K24-XOQQ-IP4SQ7OQ8W1C}\StubPath = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WindowsKB4772395\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rqHLNFetlWEGbE\\IWgBPCoPlkNtLx\\4.17.46.9205\\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WindowsKB4772395\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2068 set thread context of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\11d0567ff68877be29309b3f08ea096a_JaffaCakes118.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe | "C:\Windows\system32\WindowsKB4772395\svchost.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2068-0-0x0000000074A02000-0x0000000074A03000-memory.dmp
memory/2068-1-0x0000000074A00000-0x0000000074FB1000-memory.dmp
memory/2068-2-0x0000000074A00000-0x0000000074FB1000-memory.dmp
memory/1496-3-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1496-4-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1496-8-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1496-9-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1496-12-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2312-18-0x0000000000E30000-0x0000000000E31000-memory.dmp
memory/2312-17-0x0000000000B70000-0x0000000000B71000-memory.dmp
memory/1496-16-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/2312-78-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\WindowsKB4772395\svchost.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | fa7240892636a9a29f289f904913253e |
| SHA1 | 4f684e100fda8322a5a7390ee01dfadba87225ea |
| SHA256 | 602448f2942dc0396f3f5d19c20d11b680bc4fde3955d879af70130411aa5a04 |
| SHA512 | efa527b058401a89ce108f6566d30efbfc7bf02807c4a166a77a7f371137c12189fe10a698652892dcc167aa546abffa2c2a6881d65a6719e2f82dec2362baaf |
memory/1496-148-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2604-150-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/2068-171-0x0000000074A02000-0x0000000074A03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2a250f9c198fb066eed8b33017d53e94 |
| SHA1 | d39e97bf547a17ab9f4983826edf2c50fcc9380e |
| SHA256 | 5094da5a859530fbdec55288666995f30d4bde31d169c5d01fe57bb192f484c8 |
| SHA512 | 7d65b0bb2199bc1f31789b545524615717e5dbffc3865b7aa85c3e1ab11cba5fb240efbec4b38ab4a5494b8bb43286c8f09b15f529ed2a383b053db35264b651 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d26677d2459a010b34dcf8bcb7b368af |
| SHA1 | 08ddf5ea85701b7eebf828ae01959a3d8e6332df |
| SHA256 | dc26c8af7d06bddf08d88aee267d8d1d84a6121bcf44eae9fd37ca3dbe57c6ef |
| SHA512 | f1065ff0da4d672b61a13bbde256d6aa76afa34ea4d1f54e1d822c87f8be12680cc6bc73fce1fbce1226dd940f860b1f41e3971fdefcf6240facc565bb0e10a8 |
memory/2068-286-0x0000000074A00000-0x0000000074FB1000-memory.dmp
memory/2068-290-0x0000000074A00000-0x0000000074FB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5530a85f259994112a033a383de8255e |
| SHA1 | 008ba45224a2c087e774a25194e9800d9f99676f |
| SHA256 | 070923ed9efab09570683d50cf4177cda4f87bba69bc03803e7d1da3ff6dcc76 |
| SHA512 | a284e9abb4d451ec3b8f71435afbc393860b9c45d393b7d20b788a8d467e188337f47e8f2f3cc48f0585aa93ee89f6a60110ec22e84418ee9ba32d32d0e10f16 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a85a22cde745bb6479d4534f2ac695a9 |
| SHA1 | 6266fa418d9e91d2ee8c7e08b6d9787a44a677ac |
| SHA256 | 451309f8b0bf7464bbc78ed55eab305ed91cefad2ea303fbe5c3f8446cce0a00 |
| SHA512 | 69b6154b2dc765fa1f68497092eb1b424d5606449eac0d919265f11d11d21ccecfc61686f90d979f5ff594cdd4eabf212b05e14fab09a2f675352af0021f6173 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5a7dc6efd816993a6ec113d2f81f5bd8 |
| SHA1 | 0a4ef828261d1bed0d307aaa1acaf621a8be6e9c |
| SHA256 | 2cce71d002aecd64672845ffa7674319f116a3203331444194b9909632a27c24 |
| SHA512 | 5608b7f3839492ee8db5db98d5206c17e5393354ed7dc8de87312c7a57eb7267c5230ad79136d86792463043cdabde70b27ca0a67ae5459874f8179926c4d599 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e372cace48b0a55bc9a48be1cb985b8d |
| SHA1 | cfc564319b9a7852d69e3557cc3260155169f651 |
| SHA256 | 65adc6c74b14c63004f483f53a951cf19794b3db6e9407e98a8c14422241908c |
| SHA512 | abc5401dcfb4249355d9cdff9cfb7ad27335d178ebf202148791cd801308073e4c80dc4b7312ab5a6ebfc0d47f0d0faffd37bdd8c9b1a2df35a1ae649e867bb9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7cc39555fb6df83723e62d3538f37f02 |
| SHA1 | bc31ef0f0ad100b9b897a4a3e54533424c0832ca |
| SHA256 | b4d0934d5ef30baea2ea817d1c7879813f01b53c98060512923c0c6afc2769dd |
| SHA512 | 6a5c415eed904e916e78be1f1a4a0d43dabb4662b60acf56ba67af46d04dfbc3cf753aabe678f6944709dbb6adf247ebee1ecaedce2987da0dd9c760c84c0229 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9d4fe554e42dacbf9f50e88bc9420ad2 |
| SHA1 | aa6c231f8d742326716da40b17402b5b49d5c254 |
| SHA256 | 5ce4825fd16974ac3de9f8bfac11f77c0930ff25863b1b272ee496e4639e6c1e |
| SHA512 | 473fce76018cabc21d3fa46954e030122759f7790de4eb3d6ea9e0319bc7d48d8bddcc2e44592791b5ce90728b41e8fdd852cd3f97f2128061841d6982ad9b89 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 910d343a21fbde540033fb34eb5ea82d |
| SHA1 | ae1b21ab65daa5a853c1e1f024c4356bbe760d9f |
| SHA256 | d039ade81cba3334fafdb47351458095ba33e83b38851fb5f1c79cb00d706d01 |
| SHA512 | 0eab93eb5fb0e4f4f5d94c3b6c05c1d94179c669e67161d15cad42790c8dbe628e55d2d0d9916e86c1fe4e87f522b2da9aa51d19082929a8c74a00cefb88dbfa |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 627eaef3b9854f99b0e6f077d7068726 |
| SHA1 | 48665a6e26b9980283c94bb9a2084b7dbd95114d |
| SHA256 | db226a2744b79cad30f25c3d629fa8dd08074208b98ece7d6cf0c99590693df9 |
| SHA512 | 6c3bdc4da60fa2cf37ac9e9e52e2a09719374748d82121fa768268766381e158f66212d88748b70cc45b7202501e51665a0795cbe222c3fef4e740c5b69d4197 |
memory/2312-975-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 10912be97c7d3488f28e9401aed2029a |
| SHA1 | d1b049e63b230725ec68988f915248c59db86807 |
| SHA256 | 001de748094d840830c4b9c4bbc7e69e67244e255d76144a87c49dcb2747b240 |
| SHA512 | 5c9bc7b3eab25e408fb37aff0f7c1585566fcccef1f19d96d2342bb26e95b1a4e518369753216f64a5270249e809354dfc959192b34fc9f6c9c18dc60989716d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cc8cebe69fb2ddbb87259802bd699bd6 |
| SHA1 | 1813b5f4fe81c3d536edcdce900f2eb33c1ac964 |
| SHA256 | ce33e53fe3dd8adc95352ff5a2d4c8dac282ae88cacb62aa81050502b36067b9 |
| SHA512 | a007ebafdb172da9c19fa50951b78f418b690dfc1fbd692b9d44c0c6a9df3c07648c7c3f2e09ee6c0595d3200cbed25fc6b0e7c2ae5509c78c1db7ea2eec1886 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f850ea731af6d735367a028fa8e0fae8 |
| SHA1 | aa7e1e2e57d3ca40afc29848a47a50d3788b0e32 |
| SHA256 | 5a6f844b284edd3706578044c5ba7341c4a6c9e8378dae8f93cec0419ac631f7 |
| SHA512 | a30ac5e4e8520a996104d912e9f0841b9d77bd466849d36c37524c02b843c3e3efc509c03654f1fb607f6ed0c5bd5260fe15478e17fcf9702411234155da2501 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c65a5498e46884438ca69000d8b85901 |
| SHA1 | 2d5d40c74f34a12f07f7607e6bf7b92892ea6c1e |
| SHA256 | a0372f1664e01707880d035f09ad80502d17a36f2dee3bc557ffc0411e17340b |
| SHA512 | d23a9a3bca5d7a170e5f32e9b77afbaafec1e532f628faa2050d571d57c1c3b284f1318542e37743b2ca0a9314c08e62d66eb305a1a0dcf3d04db0bc82addf89 |
memory/2604-1429-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cbe60344358e283fd60b792a90737f4a |
| SHA1 | 082be74c4b2670ae1e4bcf3e99c8378a3859a74d |
| SHA256 | 49637b1ea8bf2fd5638be8b10e0dccf5df6b3778ad629c42079b2e10f1e23289 |
| SHA512 | f7920c47a6eb269a0b0ed91d6a882a42f2e4b40cc2867de30e9a79371e739896b77405a4b76ab7dbc35a55918d2c1ab7ab098d859c76d4a756ef7361c6fe516a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5daa73e423b59cfad46134603befa6a4 |
| SHA1 | 8511d43834ec8f2fdfed46ebf5520c1120d05132 |
| SHA256 | d63abf34cc634d50101ca4210a2d666faf6145dff1cfcf84c13dbbfd4cc63307 |
| SHA512 | 2f90e0ca6f9fb64e2913b6b4314f1a52bac5e2a1cb39c95938cbb6a142d2c6860ffe6fbb5048bc7ac6804b51afcbb73a0a29b13958f962c3541fadc5cc3db8ec |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c6a8f6b8e4e3e9606fa66aff8ead5298 |
| SHA1 | 3f7330b7628acdd57bcd3b9431d79824746dbdd3 |
| SHA256 | bca89483bc1bbb6843314886ba86f5bac62e671355e812fa515aff40273ef1c2 |
| SHA512 | ea5260e47e3dbbb05702be186a51211d88142fae369bc485ad034982554c75d07c27460f91f6d2b1ad8e946d899aaf9498e8cd906a39329fd2a5d609425b277e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | eed50bbba6bbc3e2a73d67f001abdc5b |
| SHA1 | b1bd521f04917282054d9280b586481c9cdecab3 |
| SHA256 | 4ac7a64f551a9db6819f71e7191600a33fa7dbbf611603fad0065cef81ed35b5 |
| SHA512 | 0934ea6b3d4aa29a8e2cd34b32c70636778ee654ae4d4560a1596d1d3407af99c3b30467cc747a9e72df3ee8b97655ff0a12d9b9a241e72c78d8481626ea3c9f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 83e5057b9a9e1cf640fd6cc38d19ab17 |
| SHA1 | ad09ffdcfc0dfc87f4cae0f0c899ce3755467d53 |
| SHA256 | d8211d7972a79ba243e9ab899342c1882212b50a4cf968a4b39cac6f2ee4a06d |
| SHA512 | 80a19ece5bdeee86e9f548024b5b1847dfb86156826ba5b45d324ccfddb0f437b14141284a82a85681281c28608c0daf50f76fca916eb3dffc3772adb38371bc |