Analysis Overview
SHA256
ad95fef2ae8da6aaeef23bdaf9640d5c0ca36a586a7b2dcac172555b46f015b0
Threat Level: Known bad
The file 2107bbb520699b9a545539a76ea9759f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-03 04:09
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-03 04:09
Reported
2024-07-03 04:12
Platform
win7-20231129-en
Max time kernel
147s
Max time network
147s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe Restart" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Win_Updates\updates.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Win_Updates\updates.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Win_Updates\updates.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win_Updates\ | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2216 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe |
| PID 108 set thread context of 664 | N/A | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Windows\SysWOW64\Win_Updates\updates.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\Win_Updates\updates.exe | "C:\Windows\system32\Win_Updates\updates.exe" |
| C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Windows\SysWOW64\Win_Updates\updates.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Windows\SysWOW64\Win_Updates\updates.exe
| MD5 | 2107bbb520699b9a545539a76ea9759f |
| SHA1 | 9aeee3ac6ae39a1aa6b5a2285ab4305b21b388f8 |
| SHA256 | ad95fef2ae8da6aaeef23bdaf9640d5c0ca36a586a7b2dcac172555b46f015b0 |
| SHA512 | d916bebda6eacd837f0511f1f158501fb3ac574549acf4b3f23b03081e91c986a358056b811c15db5d8fb9ba13a6d5fae7d676319f0abd0c2d898b544ba148d6 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
C:\Users\Admin\AppData\Roaming\logs.dat
C:\Users\Admin\AppData\Local\Temp\XxX.xXx (rewritten repeatedly during the run; each version was recorded with a different hash)
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-03 04:09
Reported
2024-07-03 04:12
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe Restart" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K27S1S64-ECI6-77S4-2VO5-4AHKWT10CMDI}\StubPath = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Win_Updates\updates.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Win_Updates\updates.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Win_Updates\\updates.exe" | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win_Updates\ | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4908 set thread context of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe |
| PID 5008 set thread context of 592 | N/A | C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Windows\SysWOW64\Win_Updates\updates.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Win_Updates\updates.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2107bbb520699b9a545539a76ea9759f_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\Win_Updates\updates.exe | "C:\Windows\system32\Win_Updates\updates.exe" |
| C:\Windows\SysWOW64\Win_Updates\updates.exe | C:\Windows\SysWOW64\Win_Updates\updates.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 592 -ip 592 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 564 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Win_Updates\updates.exe
| MD5 | 2107bbb520699b9a545539a76ea9759f |
| SHA1 | 9aeee3ac6ae39a1aa6b5a2285ab4305b21b388f8 |
| SHA256 | ad95fef2ae8da6aaeef23bdaf9640d5c0ca36a586a7b2dcac172555b46f015b0 |
| SHA512 | d916bebda6eacd837f0511f1f158501fb3ac574549acf4b3f23b03081e91c986a358056b811c15db5d8fb9ba13a6d5fae7d676319f0abd0c2d898b544ba148d6 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
C:\Users\Admin\AppData\Roaming\logs.dat
C:\Users\Admin\AppData\Local\Temp\XxX.xXx (rewritten repeatedly during the run; each version was recorded with a different hash)