Analysis Overview
| SHA256 | b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6 |
Threat Level: Known bad
The file 7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
UPX packed file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
| Reported | 2024-07-25 21:53 |
Signatures
Cybergate family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-07-25 21:53 |
| Reported | 2024-07-25 22:00 |
| Platform | win7-20240704-en |
| Max time kernel | 147s |
| Max time network | 148s |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WinDir\server.exe | "C:\Windows\system32\WinDir\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Windows\SysWOW64\WinDir\server.exe
| MD5 | 7162f99c0ceefc19c88816af9e8dde09 |
| SHA1 | 8cefb5d035e2f31de72c227217d180356e1e9b55 |
| SHA256 | b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6 |
| SHA512 | ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 6524fca5b80b5de75d75b92a1a092cc3 |
| SHA1 | 95e3fdf049f8633a07d9f3f28d5b73ce2fd709dc |
| SHA256 | 8c3713637e0f6671a910a4162de97fb2b4aa0b5c05690e42d45957fbfb4cb53e |
| SHA512 | 467a8d5bb5e388c8b7d8a1c8fe8a32e9156b133859d40fc0d0ecfb92242d50239cf7db8dc78f19d22925d5873ae0de1728c93ce37c00d465501a9b48a58486a6 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 40f506e7ce59ca438339bad7b5ce88f1 |
| SHA1 | d5eb89da786448164a5addc9ae68ad850e18b87f |
| SHA256 | 8f1958d84ee094b8616a530dc906190aef8593cc5ec06abe3892c2d32f631e7d |
| SHA512 | 31a71daa9cffe7ee44d808deddd525b629ab2873c084f0cafad9a3d5dfe4bd22cbfcbe4786f6acc6ace924c04d2ee0be8887a7a1db2e96cf4c17fbf98fecc406 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-07-25 21:53 |
| Reported | 2024-07-25 21:59 |
| Platform | win10v2004-20240704-en |
| Max time kernel | 147s |
| Max time network | 151s |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75UUGN24-5R4S-D777-A1FR-GT724GYR0R23}\StubPath = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\server.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\server.exe" | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\server.exe | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDir\server.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\7162f99c0ceefc19c88816af9e8dde09_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WinDir\server.exe | "C:\Windows\system32\WinDir\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 336 -ip 336 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 580 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 6524fca5b80b5de75d75b92a1a092cc3 |
| SHA1 | 95e3fdf049f8633a07d9f3f28d5b73ce2fd709dc |
| SHA256 | 8c3713637e0f6671a910a4162de97fb2b4aa0b5c05690e42d45957fbfb4cb53e |
| SHA512 | 467a8d5bb5e388c8b7d8a1c8fe8a32e9156b133859d40fc0d0ecfb92242d50239cf7db8dc78f19d22925d5873ae0de1728c93ce37c00d465501a9b48a58486a6 |
C:\Windows\SysWOW64\WinDir\server.exe
| MD5 | 7162f99c0ceefc19c88816af9e8dde09 |
| SHA1 | 8cefb5d035e2f31de72c227217d180356e1e9b55 |
| SHA256 | b18b75f5d303126308e565ff10a3a921a75227bd60f9025266c4047cb6c295c6 |
| SHA512 | ec843c3f3914efee586d6217a4d894b3d42453da972888adb97e2543c45517f1b70cce182ca68166244bf65a035d87ec0783c66b1429ac358cc9b3dd829a1703 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0c37b884998b4f2680618bb9e02b6e8c |
| SHA1 | f671f62189576ce2d23673e9464a38925647646f |
| SHA256 | c369b7fee9c4905fbb4e017fe37e61d8552f21464ccb2e143fed27fadd1a4ccb |
| SHA512 | 2c6406fea40268e2340367de0df6b1cc96a76e7fd3305c87fe12ee2ed953bef19957890d687380c581ed9b40501fd40e536dc80f3040f6ae84fe5c73fcf1d17c |