Analysis Overview
SHA256
52d84c8469d2288d1e072e39828caaf9b43911d5530a98d1af6bce4fa7addb8c
Threat Level: Known bad
The file 639ce84468b5b67681d9e3341b1446af_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-22 14:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-22 14:52
Reported
2024-07-22 15:06
Platform
win7-20240705-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\Windir\Svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\Windir\Svchost.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\Windir\Svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2052 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | "C:\Users\Admin\AppData\Local\Temp\vbc.exe" |
| C:\directory\CyberGate\Windir\Svchost.exe | "C:\directory\CyberGate\Windir\Svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2052-0-0x0000000074482000-0x0000000074484000-memory.dmp
\Users\Admin\AppData\Local\Temp\vbc.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
memory/2012-7-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-17-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-25-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-23-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2012-19-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-15-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-26-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-11-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-9-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-13-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-45-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-49-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-50-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-47-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-43-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-41-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-39-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-37-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-35-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-33-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2012-31-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1204-54-0x0000000002EB0000-0x0000000002EB1000-memory.dmp
memory/2012-53-0x0000000010410000-0x0000000010475000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 7ac4d9688725365d6b888b8a36d593da |
| SHA1 | 5917e2b1ebde71eb2b22e94e969eccbe915dc8f6 |
| SHA256 | 693fd211a9ba5ecbe4041e9275e4aaf75e8fe1c30e46ac00564d22c0d9db53ea |
| SHA512 | 065a1c1503597129117a2c19099b6d2f16be540eaf273fb5ddc38f0692ace1324be6068e73624d5f0c48d009866d8e6c0bb6d60c8f716cd56562ead3237413ea |
memory/2012-947-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 73d8877056fa6c02f7dbc36a5c2fb755 |
| SHA1 | 40dd80a171d0b3401870efed85bf579b0b68cddc |
| SHA256 | ce18491c84a7faf78d725e8253077e71fee3972a9f055f09500b285e7584ae7c |
| SHA512 | 1283d7a8b9b2716a38ce2e94f22ddc8eab47c04c0b9323d4407e83530566e9579cb69624ece1343f13ba41e0001ee6203ccce76d6bf518817b59af1d5708ea67 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4b8ed7a89f2994cf5c431b2c8fd79e0a |
| SHA1 | 59c2928b947d921b5b9bd5346e652f879a0ddf05 |
| SHA256 | fcb3a1f1dd9fc740326c6555f30517b23a8d4b5ba8686f97d9e3361e5f79ab25 |
| SHA512 | 208da970803c8de10c5e6d51c28551be7d11605bfa8291a6e934fae9a38ea83e804ca20f10fe70d16d2055fb65fb9d5dd69acb57bb9e0aee28c2004ff7657a11 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 488ab729c58706f62cdaad81596794c9 |
| SHA1 | 7f8203c355a58ad8cdce555a70942edc341b51dd |
| SHA256 | b0cba3a22e522997592bd005e6eb075bb3906baa818469a009ce4245bbf3ab73 |
| SHA512 | aa59c585898d99023144166e9d358f21be838f3966f6170d72a6acd6559a9deb32712356d39a50f77de2149cb097871b59243d5b76c219311db9e484ee35d5e1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0bb4a35619ae64f316f5fc0c963fc969 |
| SHA1 | 95583356379219c2d57dfa6594d2b4bc1230ac8a |
| SHA256 | b1fec2e29c54ba36cff4eae099a227397496d14122dbed354a354f510a8d46df |
| SHA512 | 6e53821b34abb563ae9bad795b7a9fa29382f4970f014d493e9eb5e95a68df7949361b80891ce6755bf1b644f34571715413161df5a56b0ae13d6e5237dc5617 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 202ac6731f99e0609425d3014eacfa31 |
| SHA1 | b967772c1b7c9ecd9bcc8a9d1bdd1e8a3b159e7e |
| SHA256 | ffbfdcd80fea7a1690197f9659360c72a25ee81162c551419e22c4ac47375d44 |
| SHA512 | e787abd9677e174f98f607206b9f7f051c5edd16e3aa2db1a35854de8225dde591f93b49ebe1dad15467c799d595311cb37a8137c413c9b37be20d34ba80e1a6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8a8eda76044871f48da80b999eda4e03 |
| SHA1 | 7ecdcdd54d32fdb0ff914d9ebf4fa9a88674c965 |
| SHA256 | ed6d535ef68434839e13f2a5a79a0fc2da132407ee2c11d7f2cce3dbed2db1bc |
| SHA512 | 3994b00c9d599e4deae6d90e9903a5e1152129ab2d268762756f814c4958671ffb1d063b55f8a936abe55f44a5a4bfbb78077ac2bef0ad94ec1be5da50cac680 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bf7e308d3569b49ac4f4a80ef3aad483 |
| SHA1 | 0fec73928ced39b8feda9d31974e2c1edd0fb67f |
| SHA256 | 0790142fce5bd70fb5196c5fc39717231fd5e1af860d7451546b55908f95441a |
| SHA512 | a00fa41af4a5d7a1da847c8e70efb65a10b7e905c395a0f528835b3370f10292c8f41e5cf34e21329b174b95699d39f420a7bdc5ad5e8592e88258dcd8bf9c9c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f32ca196de348afb0443021a05dd18ea |
| SHA1 | 111306149ac7905caa6a68a0c02d95fc0a071839 |
| SHA256 | 90f18b5831ca8080b029275a51ed5b66fb41f80d85b79272e2e1be755ccde2bd |
| SHA512 | 5db8cdf342273d1eaef412cfec4cec90577d68f22e115c8ea0fb71b74ad6ac4c994fce6636f274b35ee85295b4bb3c868831187a9d3354432261bdd697dae600 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1daa1cb04df7515ceeaf96174d5c975b |
| SHA1 | d38504a2cb57cecf44aed6136276c5dc5c39bcc6 |
| SHA256 | b6ffcf4aeec56e46f1349dc535e066eef75db15551ffdac46982ba585aa97bbb |
| SHA512 | 330742ff951b3b378928c50f8bb7541e48e1cd059e79b56b8894cbaec514963508e48e4dcbebf4b17e53d866f8e3c57ccec064591571e76eec67d09eaf54c032 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 08b7a6cfafd78af4002296e30532544c |
| SHA1 | 18181e538cc4f73d5f2f5e158ea08b0b77770e20 |
| SHA256 | 1e92e25e15c31b7dd5bcbea1b039b90ee98414e0b00c411627cc80dc1591f002 |
| SHA512 | ba6c85093b3bc7334b0071647644913557c725fcf2ae93428163fd376abd0e00d941c4f330c7397db3ab64dc3cf7c1f351ecebce8bb3f7dd7956af9dc75ca58e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 272ac3e46a143147fa6570d3a706e8ea |
| SHA1 | 61c171c48c652a10d266e2a59417d495e5a1d1fd |
| SHA256 | 8c2d17aa4924bc3eb844ddf01970808b4ce733ab79870f878c41d5b63d41ad67 |
| SHA512 | 5b8d5f11375c9673cf45047ddbd605ec8e40927d6424fe59e0b95215226c548c27aca509eae6fa6a512d8146db6aa621c7c637251d589f7c88c3e5aca7cd50b7 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2ea8269242ffaeefcfd04d59e55c4e98 |
| SHA1 | 7c3093e66324be60a10cc9f046c61acf33b89e22 |
| SHA256 | 7a4676a2446a9bdbd64c630af715f61d0e870aa8621ff952985a86abaaaeb18a |
| SHA512 | b9563976f0943eda06bfad55f6aaf0be2312ef8885148355ffb30b2aa6e6378e9b7b06399d4efe2d1e9f61f445b1ded5bc4f8712882b8dc5c9b788c23c45d959 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7dce213baa964ba0c5f8b9e059d10fa4 |
| SHA1 | fe3b76d0362fd20b35d326f0fcfa195f35314c32 |
| SHA256 | 11c39ca776c7986b72fae73f6bcb7c55983e0e39481bc7e8d548e686616dbfde |
| SHA512 | 21e02a00bc0b25e25e05c77eecc54a79eaea7d3493aa4a73e1d635eb8959cd69e413067c3e78bc694026637d94dc4ebf654c13d43ddbd51cc281eaf3148d2ebd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2db5de88d10659148417a46d7384d040 |
| SHA1 | a0a04ebed6092a06fc144a4bf60e1e509e1aa387 |
| SHA256 | aaf5db80ddc79ac2fcecb2160ae4f8766f261278d2278ba3b148d4749a8d531f |
| SHA512 | dbdc29406cc7173ca26eba1450151b4b268703652c105b57837e9bc9448c2b58ba3e45d29953db3832ea5901b680ee715f532f0761a7a2ae3550236d19413d22 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0350e45ee7aad9eb572a73b1ccb9a5e6 |
| SHA1 | a23464a166977ebffb2ea5b3875338ec24787218 |
| SHA256 | 58879fd4888503b89c477ec0c8654210e76b4f381132f3194dccbc9ea5a1e1fe |
| SHA512 | a38506f83a56a179403d414c3e6feb4cff1512e871591b82c7742ec85dd6a685563688b513c4ecd3c42a72aae75293b4d8dfd0702228c95b4081f12103ea1230 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 85a65a70633ae98c97d9900526f01e05 |
| SHA1 | 735b50329e16f2bfe92fb1a7396fcfd7a91c4394 |
| SHA256 | 34bb399f3f712588826eaeab72cb80651de091ce0bd8e0de74a3daabfcaa8889 |
| SHA512 | 151fe1ee38eccd6628b3229a5a4447e20375a94b750dcc2712cd48272aaa0e2a74bb0693a449c0b6b3543f137d8ee3ae16aa5277a59539faf8812bc6753eb169 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d380f9f14cf43eb5ebb5f050e8dfdd9e |
| SHA1 | 1eb5d72249911d54668f86108bcaff31909b5b12 |
| SHA256 | 5e92fb020a75950695ae5da9d645fd46de53827b1951cdbb2023def347aa6d3b |
| SHA512 | 9661ebba288548f2b3062106687e7a81db1c7f15b142e7b53fb38784da8b4452b46f6ffe610a023144ed993902dfd7e740046416662ad64652375ad5588b3009 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1869db0614db8a6a57b7500e41546c60 |
| SHA1 | 6edfe2714cdf932a134ce47b01b93371596fd7e7 |
| SHA256 | ed4b85b7474ac1aa26a48c97a3bb71a650b86e9f83b3a4717532085238b2d46d |
| SHA512 | 02c46ed34554815d3d04afa91283a49dcb707554a842e1c9bedf7d6af5383da7377c0055c41c09ebc3eedfe1c1b90462d032924d6ab2679781972ddec1f8bb20 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8d874ca6e0c6e29799e6b2ab0fe122ad |
| SHA1 | 0907c829b00955ec11b2e4d788567f161e553095 |
| SHA256 | 4b60365a64b7741ed5bbe8ffd872f5073748dd50cf3994341a6b347c6cc32956 |
| SHA512 | b4385c3907b5eb3b48d7333384d95dfa0e636e7d70f799aec8bc6e6a0614878a94b6482853c67c7ee54492d1665b6198f02b39afd5d5f38c94ca2bd3fd6932d2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6e09166e10fba4e8dd2b78b7947656d4 |
| SHA1 | 6bcb882dace55d3fcee03d24dd4c1b55c3827845 |
| SHA256 | 98f8a09611912e74ee91c6cf92011e127e95dde499cd2fc245b45a43dfa299ba |
| SHA512 | e55b2bb557083b45d7e90bdf964469ef93649b5dfbce2625e21700428e39ad4296c6ebb4a235dbe872d6a4af4611fa0dd925be6e1deda000a65e879ec9bcd54d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 50c6fc433cb5ae0cda7fd79b7237626c |
| SHA1 | cd25fbfc9391554fd0fafcdb63ac71f6f26a0ac5 |
| SHA256 | 2c3993f184c8ec6f797e1ecbc26ab7ec02b062a945fc8cd4671c2236a125b44d |
| SHA512 | 9ce389c75818b39f36953d4057981a674678524d118120055bc8871969f517d5d88ec8754b925ecc855e6057a4da374c9c521c5ed6b3fd85b35478ec32132fad |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-22 14:52
Reported
2024-07-22 15:07
Platform
win10v2004-20240709-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U1X1TA7Q-6312-XQA7-J386-0QVS6Q801MI6}\StubPath = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\Windir\Svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\Windir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1232 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\639ce84468b5b67681d9e3341b1446af_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | "C:\Users\Admin\AppData\Local\Temp\vbc.exe" |
| C:\directory\CyberGate\Windir\Svchost.exe | "C:\directory\CyberGate\Windir\Svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1232-0-0x0000000075072000-0x0000000075073000-memory.dmp
memory/1232-1-0x0000000075070000-0x0000000075621000-memory.dmp
memory/1232-2-0x0000000075070000-0x0000000075621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
memory/3068-7-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3068-11-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3068-12-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1232-13-0x0000000075070000-0x0000000075621000-memory.dmp
memory/3068-14-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3068-18-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1844-22-0x0000000000700000-0x0000000000701000-memory.dmp
memory/1844-23-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/3068-78-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1844-83-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 7ac4d9688725365d6b888b8a36d593da |
| SHA1 | 5917e2b1ebde71eb2b22e94e969eccbe915dc8f6 |
| SHA256 | 693fd211a9ba5ecbe4041e9275e4aaf75e8fe1c30e46ac00564d22c0d9db53ea |
| SHA512 | 065a1c1503597129117a2c19099b6d2f16be540eaf273fb5ddc38f0692ace1324be6068e73624d5f0c48d009866d8e6c0bb6d60c8f716cd56562ead3237413ea |
memory/3068-155-0x0000000000400000-0x000000000045A000-memory.dmp
memory/908-156-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d33a8b708fa612254eea6624b944caf9 |
| SHA1 | 6c52b690ce0dd59f5ec1a87187c4a261e80c471f |
| SHA256 | d8ce022cbd2bf222d3100b957469bc266bef6d077638ea5e94980af9d467cd7c |
| SHA512 | d5f9cc0a343b53c1dbb15547150052d0938152ce1a6293edad85c5654347e9c3389e0212dbf7dc98a07326ea976438ea90767057eb71ff28038baeaf7b2575e3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | be900d6b9a1da6c88081b18fa13b13c9 |
| SHA1 | a777f1980f37b675cfadfd4a9ee1633dc71de49b |
| SHA256 | 8e884d883b7e938ca53b3b306746a39cd43d8653b1d872fb4b8f57a4ec5cda0b |
| SHA512 | 7ca1efb3082deabf3ffdb377deaa09c53481dc7b4966b96800bf090010cb37ab00cf1bf8d5ee00b64506bd280390b0abcd802fb74da5204b5a0459c812821135 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 097b1a5256653be9077f43a355e83d97 |
| SHA1 | 6b6bda394cc59ad0ccaa92c7dd76a87b127e1329 |
| SHA256 | d610c5a7489d5fc368469be86d99879187e60de26ef4b1adb6ee1db9aad05f81 |
| SHA512 | dd7c381d90b8f338ee82cb721fedb3c35ad7c36e3d9888b24bd4da95c09376341b1e6aca742b4829cfdc24eeac10bf5559c3f85035f95605692e5ea0392a97f8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3e9dfd370b6a1942e02cc7cb0d415743 |
| SHA1 | 1df92d6ea83f103a95494248330cb80aca5538ad |
| SHA256 | 66a5095f2cda950b6d68a946b8e12508421b060df02b1b95f9a53ead277fb312 |
| SHA512 | 4f4262b3d776a12571f2e8924c31f44a5abab47f85e6552572ea800d9170827211e9ac75edb5e41207b913f55f79508f704e1a17a851e49ebf3a3774d91a9cbe |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d0319f6a4be461d4e04fc3e76de43c64 |
| SHA1 | 8c967550404a27d1df795ad36df29e686a3615fe |
| SHA256 | b163312dfefebbea0d71e305c1508d104663731b1c587cd10dcda71915a9d39e |
| SHA512 | 21dd52e9276ac7f4f0eb0c3e4af4b3e1b1c47bf4e150a338dbc832388cd0752aa4c774f76b571b90d12b6937c7fa5e3f33810af6de2fb3b66fb9820c7d7c8a29 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5832412353295ad33bddb87a78308958 |
| SHA1 | c9df18a3b5c38842c1c89bac5c5d781cd30440fb |
| SHA256 | a559f8d55bf31d60277f523ce3ce22c35c4cae269fc99172b1ecf822f3bfdb4e |
| SHA512 | 5f73d77bd4ef87ee29431947f349e1dc342dc921e06dbc450da7889e189ea620895cfb7f351753480064258b56f2942bf52e48465f3f1375aac0ae71b9b8fe01 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 882246894b3feeb57881bb15f02b4fa7 |
| SHA1 | 4a8e1963eeeadaf0646cb312e99500a8937fe227 |
| SHA256 | 771661779734755f73849e7c95aab995c8ecdf98984249be8677345f55d92afc |
| SHA512 | 68a297e70c38b04bc1b1aed2805c0d64ae30518d3c4796bd02b6f6e3467ea75b8fd3c9c68ce82f31faad9e8feb8b65e8c3ba0e053bc508a31916b82def54c494 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2eb1ee046602c3be0e6e4dc9910159ce |
| SHA1 | 84c17a60f8edfbd4ebd2a6ff02dc7f34f3abb0f0 |
| SHA256 | fa3fd05a630997c60255494bbf378799bfd4572a31d7a05ae99d6be9486d76ad |
| SHA512 | 8c5816c697bb2fdf494a5e59e268c72a0f02a891e81e0743348468fb7a6bc0c5ee25ceed88387652a47a3759b54371e0748d8cc11ca7d61b5fd6fb2638d28658 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2eea62f0655640a001605c30ae329301 |
| SHA1 | 7058a686e80ddf7a29deffdfd80c3180fbdcd569 |
| SHA256 | 5858a8214b2f0404d2bd54d8a41d108f726fd783a44a7397d5b866fe963d3336 |
| SHA512 | cfd531775d6f249363dbcc607254970c6f24f3310689c463e1c1854f0dd05ba6db16bbc5f638dcdeffa2808a8120d317f439b7c1c2b765483717aef11c92b00f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 386dfa2db01951cedb24cebfd2ada017 |
| SHA1 | 58b8d05a6134c177ae574b9959097f2c3a89dd11 |
| SHA256 | 4dc7930d675efba611df76121dd1dc177eb27bd51909fb5b1a90f8dbca22c1d6 |
| SHA512 | 9f09535a025e4730078ed8777db0180b5e375620d0c7138b944995ef58e4852324f6e449cf9da2b3a4e5bb8f1d714234d187a742384032f7b4fea510cddcbeea |
memory/1844-994-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cfab339d5296aa94dc36b5d107a73ea9 |
| SHA1 | 3aba0607264ca52d5058bb11de8a5aa39461729f |
| SHA256 | bf3bf0f893ad42f9bf8027fec2eaa6e990565b0debd143fcc15a55ab47afb619 |
| SHA512 | 378cb314bd459679485d69b5e0a12f762494cc68385d1044a2b83d9603e25ee26e7fc0d55f6ff1f17c8b4789c7fc836e3773d25855030e7d462fecb4d960d14f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1bdb492ec54e03a36fcf07834d5c0d17 |
| SHA1 | 1b55fbce3203e86bfbaba2511f06c717af36e329 |
| SHA256 | ef5e195c29ba3f00e8b567da5acd7eeb760e2449a8d75942d4d92939ddbf7883 |
| SHA512 | 8352b09000615d2b0428a300a922bb976ef035fa86044d073b031a6b3065ba6a9c75ec80ac0f3dfe8f0621fe6017fe12fc914bb8d65e662015adef48e1d8a316 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 78e6bbe02344122824490c13631e5ffe |
| SHA1 | b45279cc065bdb0b08331a75a415bf6b7a05f82a |
| SHA256 | 8c30d4baabf4b58d9e5aab2fae716f6fc15d5c5e7e67d824b2ccae1bdcb15a57 |
| SHA512 | a49d7b4a815ab3c759d9bfb6f8e6c31f8cc06c761fc158bf3008bd8e0b21eafa428b84791d9fd000e28e93b0c6d5626c2e8e136cf59272adcd0f3a0e345c14c0 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8ea2cb89042822db6f2e54a8712641f3 |
| SHA1 | 49b63bb1fee9e0e39e6bd5d7caf5891b9728012c |
| SHA256 | 821bf557fee51d3665551b77f67fec99bd642a1b8a33d892909d3e3ab2e1fa1a |
| SHA512 | 810d89b1c5df6a7c8ffe991a561e5a203e8656c7d0bdcfc875d0cad3032ad5429fb1add99a7c74ba5e89a93ec14ea83fa7085e56f02240b8f5494d04a3136fbf |
memory/908-1448-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3fd8997d9d0ec5cf5a5fe0123bb112fa |
| SHA1 | b9045c229ad13aa2abf9d0588cbfaec1ca73ec19 |
| SHA256 | 006a58b64d807377bb373622bac66e9ed4bfae70f826359ce8f7530355d3fb94 |
| SHA512 | 4af5db0deeccd0fa9e377d8491bcdbb8dd3df38fea73102e5d86aff9aee3f2edf1c26c81e073cf871766de23b945a3d7b971fb68eb7bb85c6e5a6f21e96a1de8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d3d038996f3ab99b2195323e51aa9149 |
| SHA1 | 5e94ba756a1a2ab370451a8eb28bbb65e9bebf4a |
| SHA256 | d8215c76d2e1af91701c2b24b71f066e466f70b5657b7e9aa38299c5f9d158c1 |
| SHA512 | cb0ee6f98980907546a87b59ab87035f16c36575eca6e9f98e1552df4810c0279d8c238036ce23e28133a4220d416cae329e823006a8e33aa0e4b4667beb9c8b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3a06350f3aa7f469f1923ec45458e9c9 |
| SHA1 | aa3b5e6abf0c92ca31b6a9fe8507136820ae1c35 |
| SHA256 | 2fd79ec91065317f3f9fc136f4c7b313291b202d6956f38d703f51015ae0a80a |
| SHA512 | 9d349b93581539783cffa1ba9dd26aca5152af249bd441395668ba4c8259b0ff950177914f01fe79cb9a7ad1a1b344c65bd80e1650ddb13278bbe913d5973c67 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | da971e9e739f9b18677c171b2461db17 |
| SHA1 | b66dd3243ce828dfb9738bcf93100146c8ec1988 |
| SHA256 | ce6604c4dc93710de45e191129dbddc1434bcab8f99fd823b0562c137252d056 |
| SHA512 | e6cd02b6fd4a5f5ecd97723165abe0fb0c7bc0cc5d46c45e22f0485422794ec1f3a233222f62eb03980ddae6ca8c7fcbcb991430b772938cd62c15492b071ba6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 16252ca4713c1edbdf2b975ba97b1892 |
| SHA1 | eefbe4956dde4dc66444a87f5bb0d2d533df71b6 |
| SHA256 | 8b7b2b501f616ab5380542978df9d31277f9a74b114c6636c37bbd0935ef7491 |
| SHA512 | 07a346df32c628f4fc32345c3ca36983312682c9959bd25e5d8ec5fcabc45898c29cc2b21690dfe263257bc65aaf7bdf1e0d339f7c590870bfa95cb45c7a4d51 |