Analysis Overview
SHA256
2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a
Threat Level: Known bad
The file 75ed6063a91684770f1a50cef3465653_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-07-26 22:09 |
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-07-26 22:09 |
| Reported | 2024-07-27 14:23 |
| Platform | win7-20240708-en |
| Max time kernel | 148s |
| Max time network | 156s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81} | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
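The three tables above (Policies\Explorer\Run, Active Setup StubPath, and the HKLM/HKCU Run keys) all point at the same path, C:\Windows\system32\WinDir\Svchost.exe, while the file itself is created under C:\Windows\SysWOW64\WinDir\ (the sample is 32-bit, hence the Wow6432Node keys, so its writes to system32 are redirected to SysWOW64). The name is a masquerade: the real svchost.exe lives directly in System32 or SysWOW64, never in a WinDir subfolder. The following script is an added example, not part of this report or of any sandbox tooling: it parses "Set value (str)" indicator rows in the exact format shown above, classifies each by autostart mechanism, and flags svchost.exe images whose parent directory is not one of the two legitimate ones. The rows are copied from the behavioral1 tables; the OneDrive row is a constructed benign control, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed input: the "Set value (str)" rows from the persistence tables of this
# report (behavioral1), plus one constructed benign Run entry (OneDrive) that is NOT
# from the report, included as a control that the filter should pass as clean.
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" | C:\Windows\explorer.exe | N/A |',
]

# One indicator row: | Set value (str) | <key>\<name> = "<data>" | <process> | N/A |
# The data column carries doubled backslashes, exactly as the report prints it.
ROW_RE = re.compile(
    r'^\|\s*Set value \(str\)\s*\|\s*'
    r'(?P<key>[^|]*?)\\(?P<name>[^\\|]+?)\s*=\s*"(?P<data>[^"]*)"\s*\|\s*'
    r'(?P<proc>[^|]*?)\s*\|'
)

# Autostart locations written by this sample (all three appear in the tables above).
POLICIES_RUN_RE = re.compile(r'\\Policies\\Explorer\\Run$', re.I)
RUN_RE = re.compile(r'\\CurrentVersion\\Run$', re.I)
ACTIVE_SETUP_RE = re.compile(r'\\Active Setup\\Installed Components\\\{[^\\}]+\}$', re.I)

# The only directories the genuine svchost.exe is installed in.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify(key: str, name: str) -> Optional[str]:
    """Name the autostart mechanism a registry write belongs to, or None."""
    if POLICIES_RUN_RE.search(key):
        return "Policies\\Explorer\\Run"
    if RUN_RE.search(key):
        return "Run"
    if ACTIVE_SETUP_RE.search(key) and name.lower() == "stubpath":
        return "Active Setup StubPath"
    return None


def extract_image(command: str) -> str:
    """Return the executable path from a command line, quoted or not, with or without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(?=\s|$)', command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def is_masquerading_svchost(image: str) -> bool:
    """True for a file named svchost.exe whose parent directory is not System32/SysWOW64.
    The test is on the exact parent, not a prefix: system32\\WinDir\\Svchost.exe sits
    *under* System32 and would slip past a startswith() check."""
    p = image.lower()
    if not p.endswith("\\svchost.exe"):
        return False
    parent = p.rsplit("\\", 1)[0]
    return parent not in LEGIT_SVCHOST_DIRS


def triage(rows: List[str]) -> List[Dict[str, object]]:
    """Parse indicator rows and return one finding per autostart write."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        mechanism = classify(m["key"], m["name"])
        if mechanism is None:
            continue
        command = m["data"].replace("\\\\", "\\")  # undo the report's escaping
        image = extract_image(command)
        findings.append({
            "mechanism": mechanism,
            "key": m["key"],
            "value_name": m["name"],
            "command": command,
            "image": image,
            "writer": m["proc"],
            "masquerade": is_masquerading_svchost(image),
            # machine-wide autostart written by a binary running from %TEMP% is a red flag by itself
            "writer_in_temp": "\\appdata\\local\\temp\\" in m["proc"].lower(),
        })
    return findings


def suspicious_images(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct image paths that fail the svchost location check."""
    return sorted({str(f["image"]) for f in findings if f["masquerade"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        flag = "MASQUERADE" if f["masquerade"] else "ok"
        print(f'{f["mechanism"]:<24} {f["value_name"]:<10} {f["image"]}  [{flag}]')
```

Run as-is it prints four MASQUERADE lines for the report's rows and one "ok" line for the control. The same four writes recur unchanged in behavioral2, so the image path is a stable host indicator across both detonations; the Active Setup entry additionally re-launches the file once per user at the next logon, which is why cleanup has to cover all three locations and not only the Run keys.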
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WinDir\Svchost.exe | "C:\Windows\system32\WinDir\Svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1228-3-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/2292-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1936-246-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1936-255-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/1936-531-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 54ee57e12f966e1eb9370934ac6cc8fe |
| SHA1 | 3d9b4f0e1ce5478e2b4eadddee50e584e70405fc |
| SHA256 | d40e7266c4aaf45a5ae9f86289d4bd6044f733e4db7c04870d56542d94ea8a92 |
| SHA512 | 5e4dbdb6548bddbe3b0c2b75cee7c27a3df2248fbcd5f2b275a6afd73f4590e9b1a924ccdefd7f453f76172c4ae3dc1571e3f467595ddb7c112cb1284ebde818 |
C:\Windows\SysWOW64\WinDir\Svchost.exe
| MD5 | 75ed6063a91684770f1a50cef3465653 |
| SHA1 | 5b947cadf09a3e9f759ecead808cf57596f51a67 |
| SHA256 | 2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a |
| SHA512 | ee23c4d374497ee53282ea2f5d7a2f42a4e3b46219d2604277869fab5d14fd0dcbbbf5e98f69234a39ef4c2187e532e9ad7a4c13b6a2fa0bf0fe10c82e217b70 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f9cd47731431824c426a6841c1ba2d6f |
| SHA1 | 8cf43b658c8098e4593a6e16f7e8d33c01fde3cd |
| SHA256 | f3e8daf35e436633c95a1f6d1ea441ad7070b118edc8ba9fb7b4887566282bc4 |
| SHA512 | 77ca78b927b823e0f64352296cbe50642143d3b940f19343f37c01f6836b76a28c95f85298c93bd2b306ba5c60ceff97d6abe331c9f0ccef44058cd360066984 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6988ebe431a517c003715e8fd3d11734 |
| SHA1 | f6274244350e399fcddf5373968e6c5bdca3230d |
| SHA256 | 563b0f4c2314cfc7567f67c895d9a12dcca7f265e29531e83a631b8973b0545e |
| SHA512 | f5f6be0c11e129a522c8f0451e6a9f4e47fd145c7083595f4ac049ab54139df5fcf562964e74e26e84bb09776401168d9fd294cf9ac9cf393eea1b4d8b60278e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5c4178acd5dfffe7ee6479a139f623d2 |
| SHA1 | 1cad5fae1b275f71e4683169d6246488ce20b228 |
| SHA256 | f0f00dfb99819995aed29cfe1c1131bfb7e10b578eb3af78dac209c6f019fbe5 |
| SHA512 | 79c47071f569f55036a7dbdbcedacf28775168a89c246bcc0492575fa9dd545fa945abac99a9c7bb7ed6717f3f00d2279b195553eb828f0c199d49156cea4222 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 460865447919faeb828f8e649334daf6 |
| SHA1 | 20a9bb127f3b4306a2e10592c2bb30cdcecbade8 |
| SHA256 | d0ad568c7adf65e1de776aae4ada0b08eac840b3ffa30e40b4a5e7c82c807087 |
| SHA512 | e4fc177195198c7bc32a5fdf1da96a4dfa96865cf7c0241476154f63342005c1ba8d8f883e3d2454e8fae0ef66f35e9f7117e56bc55661e2cc60fc326236bc35 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f1bc10926fb146aafeeb9d28cf116827 |
| SHA1 | ba7cf1618b9f4ba65fdab8538c6ca1cb3eb27ea3 |
| SHA256 | 642eb90c4192dd510832a126235694f96798fe31c676e9c71acfc0877752fb6c |
| SHA512 | efd58b30b0a22b7209ebb90e7737468c506516d762fb722887e3e93b81f81f906ffffeb561e2017ca328836548e11ebd85107913cd2d6cee23218b85dca4007c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 875c67680c08dccc8f00245f6359a7fd |
| SHA1 | 08298292ae5749b7e3ad946305551555771699be |
| SHA256 | 434ed05566f86563725b78952223c702d49143152a46dda9ed5054963ab50a4c |
| SHA512 | e6219db3d2107b3672e451f29b6380e58e3ab61bffee7954f450161da7c7bccd492a907d1adf04e8b28855af0c8ac8a2251b9206af7cee8b4b383a4a2974a018 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b5e98923139203ea58a5ec453b2e330b |
| SHA1 | cae167b69273b63a98a0adfbeb55be69fbcb5d8d |
| SHA256 | 97bdc8c0e275ccff4c9972f45bddd19a5776a9b3951df467b841256a0ada3256 |
| SHA512 | c6e15877850098f793865e3c98ea5ede99f25214074a2d1e51e94e92ab7d5fff140dd1c9e1bba7721edaf0447259f87e6e6903c61ab1e45147cf87347c32aa5a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f375651c8a90a581086be4f156c121ff |
| SHA1 | c89eba2e7d9dd6dd00c8267c1b362f103875b264 |
| SHA256 | 879bbe1e07ac5405008155408d3639fbf01365f7f1d9a485b7b55926e5423345 |
| SHA512 | 3e83af9e6d27c0efebb3a32d44ca28414e1d062f6d75c8cf9b8d09a8f614af3659435d92f0da005dab4f107fb0157a1fa5c12324afccae3749b1c18709ecac0f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 963388c86fc3a29386c212666d3dda19 |
| SHA1 | d2df7a46e7d5f41ab6af45972c8b6c084106b853 |
| SHA256 | c2171f4ee7aa6ead8fe1d9a092ea9ef34146c2797c7f9b5ade4a964bd85298d8 |
| SHA512 | 3212ed6e31a4b6057de29e145331039d086c20e48a9f1fea833f343286f757a22c31b641665065055a60ca2205abe6d6e4153dfcfb8cce5436e2c6bdda119d55 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d7548c540df05d88f7f64780255f1451 |
| SHA1 | e33c98bd310348f595cb0b7effb9cba6faaa7a97 |
| SHA256 | 1c71691a72fa5c0da412f673bb3bc24a9a93befcdc3194a92f944a2929174b79 |
| SHA512 | 97614125e19238178295c3451726cc4b1ecaa646a3613c46d6ccd6141e5db3df286aac916a7e249df2a0e7c96e8fe8479b91ef7783cadd0b69b65b83186850f0 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 885d19a8f47fe76b4be457cd005b3dc5 |
| SHA1 | e5da8b3bb50d883f644425fd6a832025e9d97753 |
| SHA256 | af3ab88ff0443a6fa759990b9cb2ff111bdcf6e705f3c67780e172b4d73de50a |
| SHA512 | 87134a7a58a86e3ebcddf0e9ff541c09f21458eae646cf6167267ef70b671806b630c5826baa9d5cebfccea57d29a0ce061db2293a68915cd759d7077b7dfe64 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d71f96c9e87b698103b2b77ad3631e43 |
| SHA1 | c5e0074ab327d579634c15d4c589a07beb829bc7 |
| SHA256 | 3ea3c9c92216287eeba5cc9c412584c7d8d534fda95d618ba925b3803e5398dc |
| SHA512 | 9109eb1ffac436e53b6ddcae6813a7176f24b99bcfa84ab4ca6d613183deb27091a79268f15d66122dafc7ea41ff2fce416cc711f10a8cc009c2cdbbd98d3419 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ca9a91a2b5e4161b618b7f7ef1d3e457 |
| SHA1 | 2b1544536c46dfeb89dbca09c1faa7316b53d1c9 |
| SHA256 | 440baabfb4eeed24ba2ce6caae8d52ed8c27a9497532227d02dffab9fe57778a |
| SHA512 | 69227730ef527a04a7f438bed2d1ecf8245eeed081f528c208eda206c695ca9543a3dd8329dee5a3665969715247ac06e5ee069560eb263f1d3f6336eac9f9cc |
memory/1936-1578-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1b40b3a9bee6d2db427a09e2b3b744c2 |
| SHA1 | 3e5bef6c9355183eb2b6dff06ea43ca9cb341609 |
| SHA256 | 36a1736a6285b1ce2599131ed2826504b0fa1fab59784c8c2c68184649667b9a |
| SHA512 | cfbc903acd53f572928709fcb793624238d6ad2aadbe7cb7f4f24ba2593c13007b9e5274853c3c6fef348338e0c33be2f49fe29e2bf2e0d96055b16b838f2759 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 88ecf3632ed055307e4dc9cc65cda63a |
| SHA1 | 0f9a5f02454b2df0b4d9dcea7d94d126bd22cc8e |
| SHA256 | 07a32000a4d59d1a517d4325441d046e02cb048df96e281e7ebf2ebd8af53a81 |
| SHA512 | df2edf71002326be87a51c46c4c48abfd7976aae0322bf5d4342bbeb6aca593b87df5da95a5a18954f5e60c19b3fea85e1c43114c0728802cefeed86d8e80894 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 777f1fc82057c906982e9b7a00e487ff |
| SHA1 | 42db3cc698fd89c24fdc4b17f2b31805672def9b |
| SHA256 | 32ba7778e1466e99a1f5096081cdc4f3f1bd806dd1d4ee7090d793fc57e6c75f |
| SHA512 | a1d25923ef700bf8b6d9c08946ab55662d4f942f4edc12804d7dbe8ce1a19985f44a3facaa5b7232cf38c99260e6cea6d8d55b99e7c3599165c3631a5150fd23 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7f3729674013c740b600c2c2c20cdc50 |
| SHA1 | db23708b59d847854afa0655b7f316d705d46270 |
| SHA256 | d1b88548acde19d0d9232821a9a981cd196d9b289edf6307c3ea539c8f04d868 |
| SHA512 | 92f29f25748ed47f3cc6d58c8ea43214deae24693f0fedfa341e95080b3eec2db30ee987dbaeea05c794e93aaa9b3169139eaa460d0c89f02224a210431e76f3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 8476f447e360fae5ec79b2b74630e416 |
| SHA1 | aeaa409efce5c0381c916af8f5cccceda713895d |
| SHA256 | 11bab6123bb7ea7d9df56c391b06b4cd5af81a7e623916ca26ba523d5c10635a |
| SHA512 | 5c29b9d851300b7b962e88face46069f9f463d494473b35b00083d5ea3f2c2e83ea6f6643d559fda74b70564f59d61474a21e29a9b5bcc48b51739baa5387b4d |
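Two things in the Files section above matter for response. The dropped C:\Windows\SysWOW64\WinDir\Svchost.exe has exactly the sample's own MD5, SHA1 and SHA256 (compare the Analysis Overview at the top), so it is a straight self-copy and any hash-based block on the submitted file also covers the persisted one. C:\Users\Admin\AppData\Local\Temp\Admin7, by contrast, is written again and again, each time with different hashes, so its content hash is useless as an indicator and the path is what to hunt on. The script below is an added example, not part of this report: it parses the Files section in the layout used here, validates hash lengths, and reports per path how many writes and distinct contents were seen and whether any version equals the sample. The embedded input is an abridged, constructed excerpt of the behavioral1 Files section (MD5/SHA256 rows only, three of the Admin7 writes).

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# SHA256 of the submitted sample, from the Analysis Overview at the top of this report.
SAMPLE_SHA256 = "2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a"
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed input: an abridged excerpt of the behavioral1 "Files" section above
# (MD5/SHA256 rows only, three of the Admin7 writes), in the report's own layout.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 54ee57e12f966e1eb9370934ac6cc8fe |
| SHA256 | d40e7266c4aaf45a5ae9f86289d4bd6044f733e4db7c04870d56542d94ea8a92 |
C:\Windows\SysWOW64\WinDir\Svchost.exe
| MD5 | 75ed6063a91684770f1a50cef3465653 |
| SHA256 | 2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a |
memory/1936-531-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f9cd47731431824c426a6841c1ba2d6f |
| SHA256 | f3e8daf35e436633c95a1f6d1ea441ad7070b118edc8ba9fb7b4887566282bc4 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6988ebe431a517c003715e8fd3d11734 |
| SHA256 | 563b0f4c2314cfc7567f67c895d9a12dcca7f265e29531e83a631b8973b0545e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5c4178acd5dfffe7ee6479a139f623d2 |
| SHA256 | f0f00dfb99819995aed29cfe1c1131bfb7e10b578eb3af78dac209c6f019fbe5 |
"""

HASH_ROW_RE = re.compile(r'^\|\s*(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9a-fA-F]+)\s*\|$')


def parse_files(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Turn the Files section into one entry per write (path + hashes); memory-dump
    lines are returned separately. A hash row with no path or a wrong length raises."""
    entries: List[Dict[str, object]] = []
    dumps: List[str] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash row without a preceding path: " + line)
            algo, hexval = m["algo"], m["hex"].lower()
            if len(hexval) != HEX_LEN[algo]:
                raise ValueError(f"{algo} value has wrong length: {line}")
            current["hashes"][algo] = hexval
            continue
        if line.startswith("memory/"):
            dumps.append(line)
            current = None
            continue
        current = {"path": line, "hashes": {}}
        entries.append(current)
    return entries, dumps


def summarize(entries: List[Dict[str, object]], sample_sha256: str) -> Dict[str, Dict[str, object]]:
    """Per path: number of writes, number of distinct contents (by SHA256), whether any
    version is byte-identical to the submitted sample, and whether the hash is stable."""
    writes: Dict[str, int] = defaultdict(int)
    versions: Dict[str, set] = defaultdict(set)
    for e in entries:
        path = str(e["path"])
        writes[path] += 1
        sha = e["hashes"].get("SHA256")  # type: ignore[union-attr]
        if sha:
            versions[path].add(sha)
    return {
        path: {
            "writes": writes[path],
            "distinct_versions": len(versions[path]),
            "self_copy": sample_sha256.lower() in versions[path],
            "stable_hash": len(versions[path]) == 1,
        }
        for path in writes
    }


if __name__ == "__main__":
    found, dumped = parse_files(FILES_SECTION)
    for path, info in summarize(found, SAMPLE_SHA256).items():
        print(f'{path}: {info}')
    print(f"{len(dumped)} memory dump(s) skipped")
```

Only paths whose hash is stable across writes (here the Svchost.exe copy) are worth carrying as file-hash indicators; the rest go into the indicator set as paths.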
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-07-26 22:09 |
| Reported | 2024-07-27 14:38 |
| Platform | win10v2004-20240709-en |
| Max time kernel | 150s |
| Max time network | 155s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81} | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{205QXXLG-MDNY-7EPD-NDY8-N4N3HH688J81}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\Svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\75ed6063a91684770f1a50cef3465653_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WinDir\Svchost.exe | "C:\Windows\system32\WinDir\Svchost.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2096 -ip 2096 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 596 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
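The Windows 10 network table above mixes background traffic (reverse-DNS lookups, tse1.mm.bing.net) with the sample's own activity: one lookup of www.server.com followed by 13 separate TCP connections to 52.8.126.80:80, the same count seen in the Windows 7 run. Repeated short connections to one host:port are the reconnect loop of a RAT whose server is not answering, and they are what to extract from a table like this. The script below is an added example, not part of this report: it parses rows in this table's format, drops resolver traffic and the noise suffixes, counts connections per destination and returns those above a threshold together with the network indicators to block. Treating in-addr.arpa and bing.net traffic as noise is my triage assumption, not something the report states; the embedded rows are an abridged, constructed copy of the behavioral2 table.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed input: an abridged copy of the behavioral2 network table above
# (same row format, fewer repeats) so the example runs offline.
SAMPLE_NETWORK = [
    "| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | www.server.com | udp |",
    "| US | 52.8.126.80:80 | www.server.com | tcp |",
    "| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |",
    "| US | 52.8.126.80:80 | www.server.com | tcp |",
    "| US | 52.8.126.80:80 | www.server.com | tcp |",
    "| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |",
    "| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |",
    "| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |",
    "| US | 52.8.126.80:80 | www.server.com | tcp |",
    "| US | 52.8.126.80:80 | www.server.com | tcp |",
]

# One row: | <country> | <ip:port> | <domain> | <proto> |
ROW_RE = re.compile(
    r'^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<dst>[^|\s]+)\s*\|\s*'
    r'(?P<domain>[^|]*?)\s*\|\s*(?P<proto>tcp|udp)\s*\|$'
)

# Assumption (a triage heuristic, not something the report states): reverse-DNS
# lookups and Windows background traffic to bing.net are sandbox/OS noise.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.net")


def parse_network(rows: List[str]) -> List[Dict[str, str]]:
    """Parse table rows; lines that do not match the row format are skipped."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def is_noise(domain: str) -> bool:
    return domain.lower().endswith(NOISE_SUFFIXES)


def rank_destinations(rows: List[str], min_hits: int = 3) -> List[Dict[str, object]]:
    """Count non-DNS, non-noise connections per (destination, domain, protocol) and
    return those seen at least min_hits times, most frequent first, with the number
    of resolver queries made for the same name."""
    hits: Counter = Counter()
    dns_queries: Counter = Counter()
    for r in parse_network(rows):
        if is_noise(r["domain"]):
            continue
        if r["proto"] == "udp" and r["dst"].endswith(":53"):
            dns_queries[r["domain"]] += 1  # resolver traffic, counted but not ranked
            continue
        hits[(r["dst"], r["domain"], r["proto"])] += 1
    return [
        {"dst": dst, "domain": dom, "proto": proto, "count": n, "dns_queries": dns_queries[dom]}
        for (dst, dom, proto), n in hits.most_common()
        if n >= min_hits
    ]


def iocs(ranked: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Split the ranked destinations into domain, IPv4 and port indicators."""
    out = {"domains": set(), "ipv4": set(), "ports": set()}
    for r in ranked:
        ip, port = str(r["dst"]).rsplit(":", 1)
        out["ipv4"].add(ip)
        out["ports"].add(port)
        if r["domain"]:
            out["domains"].add(str(r["domain"]))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    ranked = rank_destinations(SAMPLE_NETWORK)
    for r in ranked:
        print(f'{r["count"]:>3}x {r["proto"]} {r["dst"]} ({r["domain"]}), {r["dns_queries"]} DNS query')
    print(iocs(ranked))
```

The threshold is deliberately low because a sandbox run is short; on the full table above the single surviving destination is the one that matters, and the one DNS query against 13 connections shows the resolved address was reused rather than re-resolved.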
Files
memory/2072-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1844-8-0x0000000001320000-0x0000000001321000-memory.dmp
memory/2072-6-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1844-7-0x0000000001260000-0x0000000001261000-memory.dmp
memory/2072-63-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1844-68-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 54ee57e12f966e1eb9370934ac6cc8fe |
| SHA1 | 3d9b4f0e1ce5478e2b4eadddee50e584e70405fc |
| SHA256 | d40e7266c4aaf45a5ae9f86289d4bd6044f733e4db7c04870d56542d94ea8a92 |
| SHA512 | 5e4dbdb6548bddbe3b0c2b75cee7c27a3df2248fbcd5f2b275a6afd73f4590e9b1a924ccdefd7f453f76172c4ae3dc1571e3f467595ddb7c112cb1284ebde818 |
C:\Windows\SysWOW64\WinDir\Svchost.exe
| MD5 | 75ed6063a91684770f1a50cef3465653 |
| SHA1 | 5b947cadf09a3e9f759ecead808cf57596f51a67 |
| SHA256 | 2388636eb9ba2e19e4c037a63bf795346b08e72f2925b39cba7d150a9e3bf28a |
| SHA512 | ee23c4d374497ee53282ea2f5d7a2f42a4e3b46219d2604277869fab5d14fd0dcbbbf5e98f69234a39ef4c2187e532e9ad7a4c13b6a2fa0bf0fe10c82e217b70 |
memory/2220-137-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fef4827996adf48ff8703f4467ce48c8 |
| SHA1 | 98ce9ec06a3c1f5a96a54e1376a7cb8778c7ecf7 |
| SHA256 | 1243a9e5da3c95b480d72bc553f85c5d527514d8af492a6e85fe45b142f5b051 |
| SHA512 | 130b01194527f15ae8d88e1d28b7065441607dddc687eb4b63cd9e4a256fdf562cf73ec1167f7d54c8eb19d18178654f3e029ce32a19293790305a42082750d2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2322e2723c30a0974394cb174475a7b2 |
| SHA1 | b977b213e0244acd88b722e887a1944f17d991cd |
| SHA256 | ac4e615f8432d7aef8ca0351af21d925d6dff124b36bb3a1897369325ba4c1bf |
| SHA512 | 7cc30c6f0c6dc3a7f06c5981bd548a675acad409aec0f9024d8d5ff8bd41eb9d2ca2875742f064b9abf075b7f518b72a85352593957666457acc4249f4ff6ebe |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 0c336f2f1f2fcb788972a367115e0512 |
| SHA1 | 2bb7fa1f7484ba81adad564f8bdb9fd5395dfba0 |
| SHA256 | e8de950ff5d6f2ffc935b9c493e8635bc579cc3faebfd2c017e206bc39f289c9 |
| SHA512 | 7af392a705434b8be142f7000b97e65d8fc4a87276c4f9980e0e86171957176117d2e5f010be36933a16f1c069bbbebec0fa0529dd4bf7c01ce8c87b231e7e5e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1a24ab7f2a6c6281bf8ecc57b0907269 |
| SHA1 | f207a9240b3e08f537faa7b29f9d3c827f1e192f |
| SHA256 | eb8eb0f18fa2b5da681fda41590b3318b809ff7110d12687d89e9bbcfa68bdbe |
| SHA512 | 16a42b28a7c3c9657e1161b52e6ab274e98655444c9fb43d9ca68ba975fb77b3cdf821b164df73f93ba17f9c54ebcdf9d546d26a949886fb36e8bfe0bd5aaf29 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | eaedff2b0ac628d438022527fbb460f8 |
| SHA1 | e8621923265a1c4d33a7c3c96538731a9342712a |
| SHA256 | 31f8bfb229b0bb490049d953ba4b1ac4c959cf0f4c23b8b3870ef2a8f0e9d0f4 |
| SHA512 | 376aff043fb8d47d36a4861efae120db6dc63815527598b831bc10349e1412042e231a2bbccc13ddd99a12acf9db2a222c5463bbd454d3ee57096c44df92f9a6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6446daa85d4f9e1ab7ce15fd4a5ec892 |
| SHA1 | 9c70285d6c64731871c2c0b632825879c2b2cfc0 |
| SHA256 | 18a7eec102b3f75d6fbe34e7caba41e93a3fde4414494ac9ecd2cfb567d39f7e |
| SHA512 | ae2ce3dcf90ff1bd307798c4f23d1ea72dd1a72061d7a93fb574dc0e29e145899f69c7a6254e5c271b06a0e17f41c3b12b8bd1304b3cc1dc9cb07971a8bb6335 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 88b3890d9506826c64199041987fe1d8 |
| SHA1 | 0b0bfbae75ea6e28f09d821447542021cb898478 |
| SHA256 | 82cdda3839efa63d1255e079a0bab7743ca1117476e2f4b07db310684c73a5ce |
| SHA512 | f76db688735e63b551c4fe3d451e610e45fe332ad75ddacb7d4daa4c2ff31beea81ac4641470b4729b3e836f6cc72a63fdfb9f439ece7cebbb36a5b81acd26d0 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c728c26b1096002b6c2887e620bf28a6 |
| SHA1 | 8891cddbfacb1967b0c2282169078bda866b2845 |
| SHA256 | 382ad5b1a801637ea8911614556a6be43f1825a227ad403af4463ec87c82c21f |
| SHA512 | b93e70e7cb0124edb43a7f221f3612230e0cdb5843df7818bf5ad5dfd459be5abc5820d3faa9042aa826fca56f7e88953bfa2a3f8a09268e06983269732b9179 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e520fcd3bf4b34f2b300644183de836c |
| SHA1 | 14375a304513a66ecb676dd8c21ec42bae5119ff |
| SHA256 | 842b15803f55c846524b827001bbe1a85481b5ac8daf4ce31b03235548230359 |
| SHA512 | 2186091eec1f886860e9d2b320770fcb4cc2ec1e968967d0ea1be83677a64c9b3eb8e12469568ccee349b32223a112abcbd91e4ffdf51031688f906a475f54c5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 085bf359c06bcf01dc06d3e84a4dc012 |
| SHA1 | e44871e15b7484e0773650ba5002e9ea8adc898a |
| SHA256 | a5d5cd29981f64fa8979f5a881650276c5c0a28b6259dc06e0f6473cb39a20ed |
| SHA512 | ba32057fecb05dae5bad88b1fe0b17bcc00f400ecc0f1d22f4707ba4b3e754801e600ad730e607d7277d7f99a7b11287ab351cc7fa734af2395ab4bc07cac5a9 |
memory/1844-942-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fcf3ba95a760498993ab484effa2f96e |
| SHA1 | a19272d837e709357b1392036af84018c68bfb60 |
| SHA256 | 292375d174a73da8219f04149c1c94739ea2cd00c753dc51bf1b1b9fa89e2c02 |
| SHA512 | 48ac69b34a13391ce8b965f4131cca6cfd6273c4c1dbf3b070e3de2586daedc88c360a89ff0c9f552dd03bdb5a2ad077f7fb5a13e7fa35000aa14384dd9f185e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3188d6b9149d689c25d6f2d2e4cb7ad4 |
| SHA1 | 259d91803ec254532dd210d4814afaf9c704c062 |
| SHA256 | d7fe336cfbcf8b9307d9fe284e390facb89af1aa76ad9b703ff7f38818de719f |
| SHA512 | fa6b04cebe5831768eecb7141a5c218ca656d11df91c182f98693ac9a809cca272316aaf39ebe8859689213cc25322efb68d878b830a5824030090b1c21648a2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 508a6b7b2d008ce9ff691a9d474f632a |
| SHA1 | 2158b126e778b6e9bc8f4d1a4bc09d577c6a29b4 |
| SHA256 | e28c72e5003513e4966f4973f7b3b13dfefd56c413afd207ccfc9fe511b6ae7f |
| SHA512 | 99175cc3cb38c699bb2fcb3e32de1229b2314cb0aeb7fbe168c6d7b7c5febfa0a8f6fa29e83879edbf822351e5806a3738ba60a07990f5b8ab05b5d750505272 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c0dadac9630fe39403a1c1d2afa08156 |
| SHA1 | 9504f3f3d0ec1a2f3620f8b88de50bb6ee72dae2 |
| SHA256 | a907d477eff0f2e1ed85a327aca3503015874e420b9d6b9626aaf8780fc273e0 |
| SHA512 | 1a8297010d7b653af08765c5c0fdc8f48d0c2f23d31db4e75aa76564aa1a4c205e9a8a945091fa13b353990e24202019ac7fe84c6e978013a4f5511713abc236 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e9399c275a61c971cb25562c88f6c9fc |
| SHA1 | d19b2314e138f466763ddb66c8dd7aceac9c0c78 |
| SHA256 | 55097410bdf9275919417e7e93b9f8627f4e182134bc986406f2d0d4ad5684b3 |
| SHA512 | 7f80038436e84b557ed5c60f374b653c4d078283d50ccf01944a19212e0bc9254949755554b2cd7f8526a91dd80153c43b8d90b19baa92f7fdac5eb5289d01a2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 67525cabdfea659840e02e48c891e139 |
| SHA1 | 1554a4a214c2e0f6d531fa8165543eba4c24a6cc |
| SHA256 | f2db2a40ec9226e462ae9be4ebbb3c32d821dcb828b052c3ce309664817dfb10 |
| SHA512 | d5b0fa733f1a75123519aa0e900f490ae7cdcd068b8e83109d4e4997a0a0e7fdd3a83b67d60a43c1d92d51b0e581e40f5b007016064d4473591cdd297851c275 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ab812a1b55bc418c215b705cd146936d |
| SHA1 | 2e99caea7ec4244602ccfe5ce0f40683c28e5309 |
| SHA256 | e042b08b928e1ff776c5161510a5ca7fa31c091dd9c053ee76684952fd01aba4 |
| SHA512 | 7e6a0db12a7712ae6b21f24453f3c5a36333e7359c20d12b7478e382fe7ee132a94c353bca00f8d4559739fcfa3ea53300123a5d03aed3c84fa268d955793820 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 37f6f19cac65b0feb2178eaf7dab0256 |
| SHA1 | 05043f4b1f33e64caeac455a551fc037c61a33ef |
| SHA256 | 3b76bcf173c56370f3528792b6925ab0ea140ac5109bb924fb7438f091c510b3 |
| SHA512 | 05e797b51d1b2020ec1b7402be6f3dbd7ec114a00adfc2efaf4c3ca8d2306de1f7c3dc7ea3857557df4b48665afad4486498c3c9e08fbe8f2431a16cc999e1c6 |
memory/2220-1691-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 838b12a40972917ecf63a1a23b922164 |
| SHA1 | 147a639ca8d609fa2d1db1afbb0c99bb8e49de6e |
| SHA256 | c9706e670655503791ef86eea63556a5c0c1749a6e00e486226055a99874a92b |
| SHA512 | f48864e212924fb6cef292ed2a53617a68d9e83bf781bc540ab33a5fab92816803e1bdb5dff1c891e0601c28fc878beeccec65b0649bc84d2e7c5b05b58813c4 |