Analysis Overview
| SHA256 | a76fba3723f7ca56efbf3955854243ebc2a05e277726cdb96a727ef0822bae63 |
Threat Level: Known bad
The file 6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Loads dropped DLL
UPX packed file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
| Reported | 2024-07-24 22:09 |
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-07-24 22:09 |
| Reported | 2024-07-24 22:13 |
| Platform | win7-20240708-en |
| Max time kernel | 148s |
| Max time network | 150s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6} | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"" |
| C:\Users\Admin\AppData\Roaming\7za.exe | "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy" |
| C:\Users\Admin\AppData\Roaming\Server.exe | C:\Users\Admin\AppData\Roaming\Server.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Roaming\Server.exe | "C:\Users\Admin\AppData\Roaming\Server.exe" |
| C:\Windows\SysWOW64\WinDir\server.exe | "C:\Windows\system32\WinDir\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/2544-0-0x0000000000400000-0x0000000000528000-memory.dmp
\Users\Admin\AppData\Roaming\7za.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
C:\Users\Admin\AppData\Roaming\Server.7z
| MD5 | ddd9d0d3cdda3902a869f6a84ac2eef9 |
| SHA1 | 6f069bc0105017aabf6e678946ac5e6d7a752e41 |
| SHA256 | 64086acbbb720217891d0cddc7b5b731dd51e2cb0aee4c4f46944469c176ca89 |
| SHA512 | 83c2ab68c2e836098f3db12be3db46043a811823269e2eb1e1d5ac3519c0ec92727e8865e7b5e00068fb8a33c92ef71039a96bd2671009bf083da12e8238bbc1 |
\Users\Admin\AppData\Roaming\Server.exe
| MD5 | e3f31fe5eca07ec9ac1b76f5690583e2 |
| SHA1 | 72c45c5377ca38ab978f7969eb9619d5b41176f5 |
| SHA256 | 64a956320b0bc4462dcdeeb326a151f3d1ba9f1f88b91db0c9df84d6f690d896 |
| SHA512 | 0091cdfaf07f19808e6991d8494d4548027c7852e620aeb4af2f9ec69b60e15e3969eae9dee1a6236ceaa5b518bbf353bd9fbb17a5c3fe1158f11bb00204d373 |
memory/2544-15-0x0000000002300000-0x0000000002394000-memory.dmp
memory/2240-19-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2544-18-0x0000000002300000-0x0000000002394000-memory.dmp
memory/2756-47-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2240-320-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2756-39-0x0000000000350000-0x0000000000351000-memory.dmp
memory/2756-33-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2756-27-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2240-22-0x0000000024010000-0x000000002406F000-memory.dmp
memory/2240-26-0x0000000024070000-0x00000000240CF000-memory.dmp
memory/2756-322-0x0000000024070000-0x00000000240CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 9aa5ee67a5bd087e97dfa33ef6b43eb6 |
| SHA1 | 24bb7733caeac3e295849a7f04b24ad148769d53 |
| SHA256 | 2bd8f39d14f17cdb6f318e3b1a3fe261a159a11591ff68876eaf11bd25bac5a7 |
| SHA512 | fae4d7ccf3cf2bd0b314b7ccc75fefc37ba1cd62c762d2d6398e5cfdc4806d0ca0f86f61eb8d2eccf8d479d8e43ccc291ee9dc8d8d5e8fcf86b7178f5074c946 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/2824-346-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2756-345-0x0000000005690000-0x0000000005724000-memory.dmp
memory/2824-348-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2544-351-0x0000000000400000-0x0000000000528000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 63ddf9ce9e89cf20ff8ef2a5e35c37fb |
| SHA1 | 95258782120c620cdd2f61d845fc16eda98809ad |
| SHA256 | 72d0a5db4c540dd46a6d2644e4f5703d0e6af7d25ef6f9b51fae3d1b1ef4b8c5 |
| SHA512 | e9384e39e9b9b93261e387ce2de0e3021547704bd8e17289e2407b5c98e4d414493ad5cc46418b01419c92280c729226fde0cd2e6aa0f76fc49bfd7464e1e4f1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9c4940df5fb176d2bfa101145ca043c3 |
| SHA1 | 77016de684d868b49b995c517f5d6200b2ef9dd6 |
| SHA256 | 5010bfce59bef537b061aae670bc876f00ed224b0df6dd6ddb5176c67401e2d4 |
| SHA512 | 8ae977c822bcfbcaf8c7dc1f0e83c72fde6a7d24172a143bc9f10d1825ca6e28da1de5bba4cad05f613bf885adf8d71806c1a960363ee751e87a32864d5b29ef |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fae7799711c543c319cd7f5326186d20 |
| SHA1 | 25561311dd56c78af5ad6d3d52decfa79f0e66ec |
| SHA256 | ee391200a40340ad949745bb6289cd41bfef091f8ad94db8e6dea1d91b95f1b7 |
| SHA512 | 8e4d61e3a451f99ff6be919b76e1831138cb25f235d96794b1dbbb6322598d913c1abbe501b084e61f93a5807e2931472cdc9c8f37c75acf20526d8316dab5ac |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ead123d36eb9c26c81b5c5092d5d4c04 |
| SHA1 | b6c0bb3a1177e4be3bd96a6bb5b3057917493c8a |
| SHA256 | bea4e7d31419bbc69d9471cc961cb7fa69c91b9d31bae814f55733b58aa5458e |
| SHA512 | 832d793801338fa7f0a81bf36bae9a416dc12e851e1a329b7491e4aae4cbc0a65ddbec0eaf46c9f6644ebdd8f8c7b9e504d52a4926c760215b6acaf5ca32a6dc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e3135f94e006e13fcb39ffea14fabe55 |
| SHA1 | 4984a26108173ec50b604931654acc6943622110 |
| SHA256 | a80132e9bcf515deab7ab919ee1c2ff6c14ee32fa65e42a65028b9399d763b24 |
| SHA512 | 1e33a4eb60170a7c76e0c5d2549553f241cff280e3bc0f0783854f4d0c871253a412e3ee26bd38040cbb1c5d23336c658eed1b0c9155d0ec8cbecc724e2c90c3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c43f7d24c5eafe6de317101b87a94220 |
| SHA1 | 1fb7e37760e3513c8d2d09cf3a969bed28da929f |
| SHA256 | d679ee132d6319f599d4153a13bd673ac58827b4d80d3dc6b8103d54751fd1ad |
| SHA512 | 703beef03cdc5db1cde1d91dde10b4b96f1f28f1e725de7c7833ab4eac6b20acb3a53cb391f6b6489222e2eac2af4663f761fec8956488dab847165b46f9a3d8 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b8455d1bc06c4c34ee8452fd02985537 |
| SHA1 | e1fa585a706ffeaf8b6686b5ab230f7f57cb5b8e |
| SHA256 | 408393a0b478d573f351e807ab4a135b0039de517275cbc55b3c38934e3acc87 |
| SHA512 | a6f584be259b8c92b08bc3e160135e4a86d81922d3bf77f2c83cb7dd01e733d3f5fff33c1c83a7f30a4457f5637af05a2e3a57ccb0b7acad4475115691327b7b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 231befed527e967b3b4186f70e4fcdc7 |
| SHA1 | 16e7932dd9bcdae8fb715fce535e2151d7e30379 |
| SHA256 | 8465f2023ecfcfc8644a7cb4aa51faeac815d8285aa54dd849709234445ee5e7 |
| SHA512 | 02adf730e4976152672fdea6809901f7b7572aaed8a1684e11db79048b6645a79b11e2a005871f624d1772ca472e69989f172566016a53cd707c3b9d35d527cf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f94f584f878e710b2fa47040d99e06a9 |
| SHA1 | 0db5b0302497aeafccd3f6692d413e2256732bf4 |
| SHA256 | 508d930064405e18e8b8cdc80683a21c888b3404503901ce7726d7be27f68565 |
| SHA512 | 020b85c333dc31a5c86750f607552af23c9fcc8083e72e53e249a8d4f368d265a285b53d6ec147c18a71e52c575ec1b51181840ae32a50b9d14106b345c6ce03 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1e33b76c7765a702e1e3c23a561c0580 |
| SHA1 | d7513a78964c5d6d1fe0e983fb8d91a01893a46f |
| SHA256 | f680c2c456f96b45822795bf236af77dfd031c70a74239f217dc6fcbe51de3cf |
| SHA512 | 8f574eff11cd9b4145cbedf96aa39550f25f160e75b56afe1eedfeb63bfe7373358087c17a06af6dce7266969d96d64dc2d31fc334d016e98252ffba9d404c3f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 0be95fd092ece4037b27ac5555f356ae |
| SHA1 | f2c75c0489d9480388444c370cbde17d791600de |
| SHA256 | 1dc627d25b9b08d71e9647ce3f1bb1359d62241768cef733616d8e37c7234fb1 |
| SHA512 | b1b5c8dd7b9b70a87e1c5143da7fcd056a68f4631a9c318a2c3335953fe1a3b90ac89997421b0348c2feffe3a7dd4775ccd1b02b0c9a1c719c15a0d7fe93c3b1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3e138d5fc1b36e4e5389dc4298bda9d1 |
| SHA1 | e5be70d9304f00db65c122d8ba71bd8c88d5f343 |
| SHA256 | d660cff6211c4e718227a68dae2f08e75d3bf9f1d86f9e8a65f608daf8ef5749 |
| SHA512 | afd19e22a7e7777edd7f46cc21c67419bb225fe3a31ddf4fa3bbfff36217ff449537c328f2e879e6c562d4ad92b45c74aba1337e1b3f836420e6b6e7b85eb947 |
memory/2756-915-0x0000000024070000-0x00000000240CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c792eb5a216e3d36e9bb2285971a1f0a |
| SHA1 | d8ac2f1ee74c8bc3ada8dd0cd32b2d697e062c03 |
| SHA256 | a8fda5da63e87ca2a4827926163e60d3f64753e2b7abdd2c4374e9eadf0419ff |
| SHA512 | a55a554d57e99c813c3bea448bfb86adb1e4a2239295ee7469e14f7288ee6c7a0c0f4314d88bbe21159de33b6ffc8766a8b69bf6c99b189e78d8e8f081fe7796 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5a0eb696937c3984fdabde034788357d |
| SHA1 | 99f8736c0acec650dfcd3d1f86b3a79d87f9c387 |
| SHA256 | 42ef3ed12a188ed236522c4bb2d46598b036faee0105b8c6dd11ac6c9eb81c14 |
| SHA512 | ec806d034ad6a09b0319a416d0a7a28965fe617f755c6dbce18b57bd1b42f4b20e6aa50f240d2f8082da664ebe15986397626379b9fa92ea7ab9849159159b52 |
memory/2756-1032-0x0000000005690000-0x0000000005724000-memory.dmp
memory/2756-1034-0x0000000005690000-0x0000000005724000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6ebbf6182cbd7d91ed9800249ed33360 |
| SHA1 | 1d80dd2a9e6b6f1fd7972d9072474981ce34dae3 |
| SHA256 | 7c772850d305adde377ae81920db786a6c684b747ea5cba892531637c5fb2557 |
| SHA512 | 71873ad295ac98bbbba19268e8fad69ea6ca827b46a2d5d38a5907111ead384090014e0ddf6b4bdc72a2b71b8038036008e1a7d9872b2e29ca179daccc444da2 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | daa0f98f17e4a0c751ad3f5273a7bfee |
| SHA1 | de81a9e218aabdeb1369c2f8ab184ae676cae82f |
| SHA256 | a3051ffdb62e3051069aa0dfea27036d5e65e253dc95a6f15a6ed3cf25c8b92f |
| SHA512 | 44f2c6b187bb2537c9d7fba17d25404a007a112e152be8dc4571b8fe74ab913a7255d52b450aa6d1e40c1a9072c44a53106cce18f596623943f196e0d5fb90a8 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | bf4edd9ad7e3271429a590f7b3baaec9 |
| SHA1 | 2e02341512f8605afe1f066e004ddece58ddf9a1 |
| SHA256 | d8c9c6269600e4437eb83e8b926f0d6f0b763e08cc237c5795acaf8673d6f810 |
| SHA512 | 59f154dff3f373a21b63595927458cd11d042b221b1a761f1fbf7dbfb6d31d708135ab627c375fc9ef0a4987d22cabd3d95f7e2ba8ca20b3d236bcfa0a99acf1 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 08f55f464d5a899bff3e968e3b957aed |
| SHA1 | a0e31f17958e514017d7999b393ef0c9ebb85775 |
| SHA256 | b9642cd8050c3ee223e9847071cf460f9c556a15790ac2d888b6e8bf7eef737d |
| SHA512 | 3d20ea1ab7fb37d36f507b4176d18a20a5821b70ae2694c99b559f510aae4849763df37d245999037ebe4836123442d06a8afe4ec85c5ff6fa58feb91327ffd4 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 0cd9e617178251efd49889ef660ef764 |
| SHA1 | a388dc19e1d188574bacdc1e9eeaf401f45dcb69 |
| SHA256 | 0b073c67ee5b4b2e8a433e14fbc63e4bdf7de33b00d2687c1244f93cef5e308f |
| SHA512 | 3e0faac7e7247157bd4e517e571726241758c3ee150aae33ebdfbedc28e4c4f43235dfb7a42fdff673ade045c71e41d1f95afb61a5af6f4218284b82e5002a0a |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 573f45df392d4a00ac71ef3c2d845a97 |
| SHA1 | d5546981c540480535fded947c5089f0046373ee |
| SHA256 | 88996b7cd643b8bffaa12a3121d15f4fd263e30585a909dd2559cd97a74aed02 |
| SHA512 | 6b938cd9d3e445a790695f01b2914f73770d6612fc3e2e6a477255172f60f2b821fd90e58ebffe292eadf7b7286b4bbe97620ed521c1ac1747d366ceec1fcec9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2928330f0ada0ec8f090c1cc413b1851 |
| SHA1 | 7b8b668da85d0bac5ef670a8dfd12dd62307d4e6 |
| SHA256 | 7a6fb7fa0cde3e7c3fdbb1ca5ae64e0a836f2d3bebd808b9d3bf94e81cb3b16e |
| SHA512 | 38735f985e0abe92b8615f393b09004eaf4a38ad5f675aa0e7d61062123685b1302ae7f10c1a938f4e94d0d048301a5e36a8d61a911d365604a65569bc311350 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-07-24 22:09 |
| Reported | 2024-07-24 22:12 |
| Platform | win10v2004-20240709-en |
| Max time kernel | 148s |
| Max time network | 151s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6} | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4P11P8R0-BK57-2245-T4V4-63M05E0263K6}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDir\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\7za.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\6cfa6163ab015c7716ba8bcc7017ca91_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"" |
| C:\Users\Admin\AppData\Roaming\7za.exe | "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy" |
| C:\Users\Admin\AppData\Roaming\Server.exe | C:\Users\Admin\AppData\Roaming\Server.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Roaming\Server.exe | "C:\Users\Admin\AppData\Roaming\Server.exe" |
| C:\Windows\SysWOW64\WinDir\server.exe | "C:\Windows\system32\WinDir\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 228 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.58.20.217.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/5112-0-0x0000000000400000-0x0000000000528000-memory.dmp
C:\Users\Admin\AppData\Roaming\7za.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
C:\Users\Admin\AppData\Roaming\Server.7z
| MD5 | ddd9d0d3cdda3902a869f6a84ac2eef9 |
| SHA1 | 6f069bc0105017aabf6e678946ac5e6d7a752e41 |
| SHA256 | 64086acbbb720217891d0cddc7b5b731dd51e2cb0aee4c4f46944469c176ca89 |
| SHA512 | 83c2ab68c2e836098f3db12be3db46043a811823269e2eb1e1d5ac3519c0ec92727e8865e7b5e00068fb8a33c92ef71039a96bd2671009bf083da12e8238bbc1 |
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | e3f31fe5eca07ec9ac1b76f5690583e2 |
| SHA1 | 72c45c5377ca38ab978f7969eb9619d5b41176f5 |
| SHA256 | 64a956320b0bc4462dcdeeb326a151f3d1ba9f1f88b91db0c9df84d6f690d896 |
| SHA512 | 0091cdfaf07f19808e6991d8494d4548027c7852e620aeb4af2f9ec69b60e15e3969eae9dee1a6236ceaa5b518bbf353bd9fbb17a5c3fe1158f11bb00204d373 |
memory/4032-14-0x0000000000400000-0x0000000000494000-memory.dmp
memory/4032-17-0x0000000024010000-0x000000002406F000-memory.dmp
memory/4032-18-0x0000000024010000-0x000000002406F000-memory.dmp
memory/2904-27-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2904-23-0x0000000000600000-0x0000000000601000-memory.dmp
memory/2904-22-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/4032-21-0x0000000024070000-0x00000000240CF000-memory.dmp
memory/4032-80-0x0000000024070000-0x00000000240CF000-memory.dmp
memory/2904-85-0x0000000024070000-0x00000000240CF000-memory.dmp
memory/4032-87-0x0000000000400000-0x0000000000494000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 9aa5ee67a5bd087e97dfa33ef6b43eb6 |
| SHA1 | 24bb7733caeac3e295849a7f04b24ad148769d53 |
| SHA256 | 2bd8f39d14f17cdb6f318e3b1a3fe261a159a11591ff68876eaf11bd25bac5a7 |
| SHA512 | fae4d7ccf3cf2bd0b314b7ccc75fefc37ba1cd62c762d2d6398e5cfdc4806d0ca0f86f61eb8d2eccf8d479d8e43ccc291ee9dc8d8d5e8fcf86b7178f5074c946 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/2448-108-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2448-110-0x0000000000400000-0x0000000000494000-memory.dmp
memory/5112-113-0x0000000000400000-0x0000000000528000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 7f88ac45f28613914a9f2c2e457ae878 |
| SHA1 | 33dd7ba3f663c97d0b8c5db7db3181b9c5673e76 |
| SHA256 | 1b0e2e07f62e3f92d8c569ed366368ede72209a143495bb9ce78ba5eacf676a2 |
| SHA512 | 9203612e8e7dab70c25b08c849f8e057e2e10c872e0fcccdbd10a0a8722a139abbc6420b702059bc74ca7fc8a37c79771fcb0611f15c4bd8ab6b75fd5c8c57e0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 96bc1c24d516b31e17d82329a9de096e |
| SHA1 | 2f9cdf85050a683820b2b74cf2d253c1fe241c9b |
| SHA256 | 6ae8822ba0be486f7eb11705849293d6b33468694adc323d5169a2b1cfadc24f |
| SHA512 | ef98cc0a635faf5bfd4ff885d54dd40e8a1ba4a63fd681ba24965d2a2167a63296214abb713bbeb66fb53cd318e3a49339f5b1811329d045053b83d5cd5907af |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f58807ffb50ce6c9780f4c4a482d67bb |
| SHA1 | f3f774272fead0fb24298dadd674df273cca7e2b |
| SHA256 | 7509a37a3d83850150d76197314326c8c0754b39987f2b3f8eb84e478a7c337c |
| SHA512 | 216d4dc2a3affb5dfb970e93991407a86d649f1e54e8315d50774faf75a44e50b9fd23c655919feeedd0ee1ca2ab26fdb194b5d17323722ab0a3f4c76b53d158 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2fd6d1624b5647dcc9148b36a4ffad97 |
| SHA1 | 2c756dd35532d1f5a0b97834b1585edcd4862f2a |
| SHA256 | eef26019d6d4eabec531a2229551b63b6eb4b7f27494689e95769e94b2f67d94 |
| SHA512 | c42fef88fc2c223108c78b42f7f500b7680349f0fe93bc3cf3d019762023ab48c90424aead43689b8f0d795dc8d7b1d8e3ce56020f4892d7844a15a34c6873d0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | dcbee7cd4ff8e8f7f810650d42069f16 |
| SHA1 | 50481f0e0bf659849f1f87c342910ef5ea12ee8e |
| SHA256 | 73454e9434ad372f6cfaecdd767f32f10ec9433b64c68e7fe5287e06a2f38503 |
| SHA512 | ce796b21a737d7731ca18a8de7ead76fa152bcd00a467361beaac6dc9e0f70e02a5b9f028e33fd23db370f2c5ed8ef55206afa2bf16ea6a61d3a986f670812b9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 75d7509f1e0cc715e80b7873ceec5888 |
| SHA1 | 0cefdfe34832a6090bf6475f01a2ecf875455520 |
| SHA256 | 86740633c5bf45d975343a2250498c2af95e8af1fe2e3b0487cc59edab2ff0f9 |
| SHA512 | bf16c13334274239262931ef9f689a19ccc083a9694674ef56f01312b0f607b31ca034c1afb13f0935868a53f16567c3361fe75561394cc5a26a8ad8f85a0c47 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 966825d176946023299e76fb5cff4b9e |
| SHA1 | 00d7a47596744d061f7a2c295a3250e197b4ffd4 |
| SHA256 | 19d37cc4acb97e7cc98f68e044f4582b16783ced76e7baa1796081c14adf937b |
| SHA512 | b8962288ff52ebaa1bc5e24cc1b2e8d669dfb9339638cd423fcc8004c7c5cb552c81aebc1bac1bf8377bbc00fdf672a17433591a00b2d9fa7d53a8eb21c6a123 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 35bb294671004e5833272d8eac18a7f9 |
| SHA1 | fae7be769c0e4f95b28308cb653f5f5256568a32 |
| SHA256 | d2579d21528624bfcb638056a7b817625f471e63bc94bf86143c02030948fc69 |
| SHA512 | 2d328d47ada3beeb4b15814d8a95ecad69210e952311895add7f0dc3d8a52c422cef3eb125f0c2ee7c0d59de6603ff924d6bc0522a034b05b35b2d6a64aec65d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6279087668580d62bbef1f383816235a |
| SHA1 | 6bb2d623bf654b548ca3802172cc7f294eb225c5 |
| SHA256 | 895e84d727df7fc9a7cf78622fa83a6076b25c530f29c62464e7973ddaa35761 |
| SHA512 | f7696fcc87501d627fdbc3f6e4bc1fdb1dfb3aba09e9b1ce7a0a8226d6fe6c84bdea385444fafffea1edcbb36fd7e38ad653eb80f4c2626b38d71bd707bd9348 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 435c62a8517c51f6e8dd057a0e80de73 |
| SHA1 | 8eb5746c624875f0da781ae1ae240f868aaed0c5 |
| SHA256 | 6c3e836fec4120e42f65de07a5165c074cf735cf8894d7f590b7689abfb32fed |
| SHA512 | cb140dc3088e45eacf63d4ff44aeabb4fb33f2ffe3fbaa487bec2b28861d2a2f3c23598f3b658fba9ffe58d83a221f39b70ac0287fbaeceff0a9918216f196aa |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 41d9a99c90261c0d30c3cbf5caa9e4ce |
| SHA1 | 44a1eed5d9bbcb5f7bf9081d1245ed9e5888703e |
| SHA256 | 4ede988873d463b308c6d52c57e19065a42be29050286461ecb0b7a858db234e |
| SHA512 | 5a203fe689617098b5474890ecba8517a94e955aec8b244522061e38b0c0f62f3fc7afa85704625d4c1ac350a192e0b421522ee9728732e6360a9f7628af9558 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5f0c3676362633629f02b4b414a9e34b |
| SHA1 | d07282875053047ae3c009aacdc7ee03c67437c1 |
| SHA256 | 031e63096affebef908ca71d12f7875b75363c2e3dc21f1f7bc892c02fa33b0f |
| SHA512 | 4d920e64ec2ba41f90a5edd733c1a72ba344222fc476501c52f088e8cc5c5580d5fd97be00a794595a7f0fb36525b9eac571a63121e6bfbf21f70075acca31c5 |
memory/2904-1208-0x0000000024070000-0x00000000240CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ba7923603d3ebee02a253dca149ecc02 |
| SHA1 | be9426cf6af4fc1a4d39beae5bdf99ccd83a94df |
| SHA256 | a09be3863d8a812d8e29abb354c3d594805969a3fe816c5f839cfa472c97ebbf |
| SHA512 | 32328678db3c4ff9977460f163d8afb778d5334ae037d4e08bbe445bdb9ff75531f40ec1d60bbaf201d98b4ff7d7de46f36d1445e4d3269cf93b3dd41512faca |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d11e04fc70ecaad8c32a1119bf3b091d |
| SHA1 | 54ef883d52e4d9b6dacc6e6e4ffabd84e55e948d |
| SHA256 | 484198319ecf16393c1277ca08efc582b431c7e27ab5663fc05967f4a43f88c4 |
| SHA512 | 405a5f15d2772b32b69a70dd959f11ebf57d5efa707a0070d2fe640655baa7e4e66e4b17ab5b3e9078086b229ba6a9bc132a95cabbae4ca8a20a3a686aa3fb66 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9aa383aa01ce55662f506be0108a85e6 |
| SHA1 | a3d6023233d638749ff7179a48e554d8d4f492d8 |
| SHA256 | 5bdc7d76aa2ee70fc9f08d46ddc32100fa2fa6d5bb69e1bcd8421afdf17660b3 |
| SHA512 | 055f8760a11d5ddcb6de641ca1cf9604145b7f70c0b1d95da77293b5f95eb178496415ecddb00bbde85a64ef77978e9cffc2eee5424bb69ec7e9c707a89964fb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d755107ec7d3df6e3c6b3da8e862ac08 |
| SHA1 | b2bbf1b021b2da410dfd0d523297db6f5b0eb86c |
| SHA256 | e980dd3c7e53a0f19c4b05fd16c882b3ba8104526ea9a7533f5285b4ec294811 |
| SHA512 | fa14bb02fc4f58fadcb9ee46ffd6d4393ff9f25eec9d66cac5a14f45d4705a5e4f1ca62c16c89510e0c52966b219b985fd4c8480d539023c6b0666b8717885c4 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 1d1ff834cbfdf182a0242ce3a3b8afcb |
| SHA1 | 6a25d5b18911044f9bc4ae8828fa6d039f7dd2d1 |
| SHA256 | 681ed82925c2768f86596c74deddaaf55fdb4b960a362f27209213f43c475386 |
| SHA512 | 4a378aed7f0ae968c76c5ce2579888629a9ef30980eb86f89ddf934b4e77beb0592dcdead19e99f7d809b56fb686a48671b2f05954e2d1f90fdce558a622bf5c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 333525d4978783346d8f96b9c302ec13 |
| SHA1 | 2519045d551c87442854aec57e1f84a39361d009 |
| SHA256 | 4383c1be0211d113ce638fbe496dbac2d6cf0d2e0a5e0a50aced1019d96ec352 |
| SHA512 | ba5ceb912c31cbe2ee32bdf48c413678759d5773256955174a5b6038fe61db14e8067020e5593aadbaf0965980a70bbf95e8219ce4f5acad21d09954848b87aa |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f0c5956ad51ced48f9a3bfec2fc19c3b |
| SHA1 | afbc76b08f429c05710d65b1988c7503f95adc29 |
| SHA256 | a5ae99421314a477d8136cd953045a348b7c742597d6eb25124850c4ced424d6 |
| SHA512 | d61c33f4c59192d39176b3cb1f649d7414872406b02f6f78c0c8da33b479eea13f42ac01642f3989ce941bad02a1dd8fc539d70749273c3047349c3bcef7a87e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 47ef7b6a240158c48a4d2bff1774ecef |
| SHA1 | 1d0e66da601ccf4345134b04fd7fffe56e71c594 |
| SHA256 | 8b52c9e210fc4354c364a204b8fe400e64f97b1d6434e757687dae61cc14bdf1 |
| SHA512 | a4f38ab81f291ecf395b3b26be48c43c18b95b757fa0fe221816ce8a5b6d313a1bbd3b5ae99cd73f3e57ca627f833788f57e6e9f74d5d346341d8e8b13779b3c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b7c956a45bd42a6a8666aac60ce2812b |
| SHA1 | c679886f139852935935e768b2796dcf9496edb2 |
| SHA256 | ce2f09b6bbd62443f3aa08b363c8ad0fa25e5824a32f0605b4c7c5d4b712d292 |
| SHA512 | f50ac1771c035d79ec2f309c2f7187242efb802ba8d7a81572ac5e6ca8d57f9ea20a053bc26445fb3bd001644f130e74466d2e3be8fae2237a0ae8b395dce228 |