Analysis Overview
SHA256
836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b
Threat Level: Known bad
The file 79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
| Reported | 2024-07-30 18:55 |
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-07-30 18:55 |
| Reported | 2024-07-30 18:59 |
| Platform | win7-20240704-en |
| Max time kernel | 147s |
| Max time network | 155s |
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe Restart" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Winlog\ | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | "C:\Windows\system32\Winlog\CyberGatev1.07.5.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | df5f7d3169da73bca487758bce36e122 |
| SHA1 | c6e4a791d32084d7182eb97b5bceed64f7fb854b |
| SHA256 | 69157368071dc7b854a17a661d646c0746744acda03b2c15382c3a51be22a9df |
| SHA512 | 077f15897593b428b4fa85ebdde0d46436eee03791a75b62af9e8606487ef8967bca9d61e8588d1dc61d88c573d2731799585705024ec9541915133ae72654de |
C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
| MD5 | 79a62d9b25dd93ce3345c92e49e6a658 |
| SHA1 | 89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd |
| SHA256 | 836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b |
| SHA512 | f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-07-30 18:55 |
| Reported | 2024-07-30 18:58 |
| Platform | win10v2004-20240730-en |
| Max time kernel | 149s |
| Max time network | 151s |
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe Restart" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7GG0MI2L-8210-7GE5-AR25-BS6X1CH10KL8}\StubPath = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\CyberGatev1.07.5.exe" | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Winlog\ | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79a62d9b25dd93ce3345c92e49e6a658_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe | "C:\Windows\system32\Winlog\CyberGatev1.07.5.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3756 -ip 3756 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 580 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | df5f7d3169da73bca487758bce36e122 |
| SHA1 | c6e4a791d32084d7182eb97b5bceed64f7fb854b |
| SHA256 | 69157368071dc7b854a17a661d646c0746744acda03b2c15382c3a51be22a9df |
| SHA512 | 077f15897593b428b4fa85ebdde0d46436eee03791a75b62af9e8606487ef8967bca9d61e8588d1dc61d88c573d2731799585705024ec9541915133ae72654de |
C:\Windows\SysWOW64\Winlog\CyberGatev1.07.5.exe
| MD5 | 79a62d9b25dd93ce3345c92e49e6a658 |
| SHA1 | 89aeb299eaf63fc3e87d0bb41ccc4f995e92d6fd |
| SHA256 | 836250cc1bb5ff9bda81c4554a83008fb9b61803d7d613977b41763606b58f3b |
| SHA512 | f38f7a601b9c3901ed4678271da5cd4a20b0fb00cff4a4978d9388e25df90348599f0ea2ec01cdd1bc2f2eb1b4e618ddb9d300c0e63c0478fa49905df629fbbd |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |