Analysis Overview
SHA256
075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16
Threat Level: Known bad
The file 79ee1b8ab439125a681223920358d32d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
UPX packed file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-30 20:31
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-30 20:31
Reported
2024-07-30 20:33
Platform
win7-20240708-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\SSychost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\SSychost.exe | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\SSychost.exe | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\SSychost.exe | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WinDir\SSychost.exe | "C:\Windows\system32\WinDir\SSychost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1196-3-0x0000000002470000-0x0000000002471000-memory.dmp
memory/1056-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/2952-246-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2952-309-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2952-536-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\WinDir\SSychost.exe
| MD5 | 79ee1b8ab439125a681223920358d32d |
| SHA1 | e0227af1698b1ef9daf299c22986d2849483bb67 |
| SHA256 | 075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16 |
| SHA512 | 9411ea51dcb7f01a1a621f7ab24634f23720a8bbf2a693e864dd2b4d89bcae1cfdb997825a72ca5592dcce14afb2a3fdd1973fb907876044af52c68df0493174 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 6fc1d113e4b78557ab2787c2f7ffa180 |
| SHA1 | 8da78a37da41d25c42b389541bdb7fb5ca98dba0 |
| SHA256 | 54eeabf2a1482afd04175bdc6f5dbff5faf798fb49740e7bf816f99b805967ea |
| SHA512 | 67db8326a6f72ff78da18b1510c1137688971ead3f0394f12f82affbf7b432f83b37f8b0d58afdea726d9184d41df06cd10bb0b3b62157bc79ba4a6a4643ca1a |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 84314c2ba99da34d8eb32c8680938152 |
| SHA1 | e3bc738b022305cbc507c715e35ebb89e187fc9b |
| SHA256 | 0359ca198244b5fbe22db1302f3c80cc1d026ab78b7d3c4d230b36c11caeea98 |
| SHA512 | 3dbe43c21bf34d0b425488a907771e7e0954159b54ffddf0a5a631b2d3a835dcce147fab84dedca4496746910b99add6663c89fb774f98c93f4aab1c24ad958c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d6f8d68c2fba6112842640ddeac38ba2 |
| SHA1 | 2afa9c2106701ccfc828a992562535517c63e096 |
| SHA256 | 039f54c439708bbf645b7e83f452688cf00cff6f3f01d3475e4d74625d4ac924 |
| SHA512 | 51360a930c577dc9dd6252095773f8feb4bbdd5f11f1f56c4ce6673ec9c5f3d0059f60e606c41f8fe572cd7bde3f473e6004e03b2e4dff25f9df90515e471b89 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 4792d4b0ee22a25f85623b0211eebda1 |
| SHA1 | ee9c4fa21e79cd987a1979a98bdd7bd28abb4cba |
| SHA256 | a5dd8fab031d98e71abf001faf3ef13cdd700477c0c08f78908167961aa94ca1 |
| SHA512 | 1ab35cb6a3b943cb72011a44da9b1c633c3fb4f59366c66ac1638fa3c88c7abbee8a462dd9975a517210c41aacd0f048a52922134701d50bb9b1539f3b9b0de6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e2c278325f4e5770422bafde1e3b878b |
| SHA1 | a67c255bd1cb7d6777e44918c9603381a6fb4335 |
| SHA256 | 8bfae5f95dac70bb23182bb02ca6e8d85c198a8dbdd7f0ecf333368ae193d8b5 |
| SHA512 | 7c5af6463369f9ddf454da07c6670a151f6a6c290a9763bdd8bbe1b88fc9db3ff209d14b78c3b13b31b09fe88f196ecf32cba9c254e55e7209f618130939013d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fecb6c4edf85d1277e13f5526f0b12e7 |
| SHA1 | 85a52670d3d726c03df9242b522dd0018c1b264a |
| SHA256 | 9940d8aa86422adbb0c91279df4fd4d3113fa2cebf551247ec49b52e081ea440 |
| SHA512 | 3ff3891b618eb96a197fc45bf4c7c8f4818026312a342373bf9dad8a8c527b108efc0fff0a069c8b642b7cef2bac893389cf8689395ea9578933217f0b53097d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2c79c1d5c891df869701bde98f405ae8 |
| SHA1 | 90a5bbf7e1b4ab5c134f27052dada8fce4534bcf |
| SHA256 | 2bf627646b54fe8f97d704653917d559f0f87b3c702886338589b4321fd67a7e |
| SHA512 | 0090e0b3bcffa814a2034637e28bdded116cced25fe94a2c89ac4fa2520df7eda3b4a1a48a0f2f4bbb4ad4568b1adc7afd4639d59ffd12a5379582f82ad87485 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cdeb3a654660912e437963918eec509e |
| SHA1 | aa68c299aa6fc099a75665218c0413f6917817e5 |
| SHA256 | 2ee49973fffab28dc59ef0c9b2bfdd9e8d452476f12b121d33020654830b5944 |
| SHA512 | 0136659ad4f9b946c66305238ec7b8160f3a8c23d794f7f402a9e7aec2c619769ae387fc71b9734738896b7761479075acd96b971e8d75085bce20d7e3dbfe4e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1c87a0772d8fcc1288104517251479b2 |
| SHA1 | 638b94b70a00aa3741c7d9f429ede94db8124773 |
| SHA256 | 179b08ff5b8f81c29d0f1a4477ae89e66adc4a791b37850fe4321321deb93b5d |
| SHA512 | e49e6af16ca1444d2de1f39d9f2c4f73d923ecb5bb5f9e6b23111a90d5de7e785416243862a40c2a8b05108e796e71d0e7063ba5efd30168e74dadc41d6c1a16 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 62709348c38a7e551c293ad0a8064699 |
| SHA1 | d33b5b719b4716573f9bfe84c3b4f19f02a37f59 |
| SHA256 | 5c0d65be1fe4a06b8a40d9d10834f5628bf6664f2171910742a0290b6801a9a3 |
| SHA512 | 3212a04b53039eb21e31070a296bd68650955b49f6937a6fa66fa67977966264e920a1b4c679bf901e0204410828ad0d397861ff7d53ba207b9bd4847efc7d4e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e4940f174d8ee75abb1561b78187b10b |
| SHA1 | a7256ee78fa9d1c80472a2f115d74133acfc79ce |
| SHA256 | f53ac34ad48d891de7f5d0921093c11774a26fd356cbf18d3ae1ae214687d2a9 |
| SHA512 | 1c22da7a76f26d878ccbef33b4aadeb8b9b5ecf8ecca7511e294fa02a6564772a83a80978a857c59a09b9771490b3868ad9a45bdf7afd8da41f008d273f4710a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9c16217371c5b2baefbaaae9f4691e58 |
| SHA1 | 9eb61dbc7e168dd5ab91981226bac4a1abc78f80 |
| SHA256 | 7ed806ce75563808f0f80488a536061a55b8e134005b11baaec5cbed76ed36ee |
| SHA512 | e23c6d6e31e322461e678f386c55bd99e7ff6b274d1f5d70af035b70d6f154f863662028acb2ad958e0f6fb4745eb701edc1dff70f3d46c71cc7e3c4e5937188 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 20d26c26b72266b533fed18f9b55d25e |
| SHA1 | a1217b6e520a807ec44a77754849a065d4629ebd |
| SHA256 | 1d8fb3c860ab3e7599cbd2cd3840ca447425ccbfddd46c0a39d889dbce3880c5 |
| SHA512 | 56bb399f609f88e0a34164deb470988c0ee4780798240c4876ebd9e69b66de5fee8a0ee0981a9d1108eb4abfd0e05f8cad41d540e2af2fb5992abf1d59058a5e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d76822bcda54c679dc0ce901ca79cf10 |
| SHA1 | 0eee04e1154be61dab341bc48f78d95f680491a0 |
| SHA256 | 47a7456961c63186a26b593cd0ae57b92fde6a676458d6a536b1f0128bf13e35 |
| SHA512 | b0a335cb7d325d843d2f5051922131d1ae3d3992fd733873dbe9d3045943d0fbe9b24bebeea1a8123470c60159be03b2d66da6eecbb2e1514d58ee408fc00d3a |
memory/2952-1754-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6fc0c857e0d56056a82ed3847600f79d |
| SHA1 | 4efc2ab3cbfd5ea145617cd8ad66e923245c98f9 |
| SHA256 | d5300b102cdb54f5247f002e9c3d977daf00b9c2367b82338c9400449b8fec7c |
| SHA512 | cace4de2dde6406318998de33a2e96e6099fc40a377f77b24fb5046e54b58257b3f639066e5cb819fa49a06550e6cca5e5c5a0500cbe757ac74f96241267fc58 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | adbd732b56097c95e2c7216a5e8634ec |
| SHA1 | 573acc1404a64eecbeb2f9bfdecedf97599a260d |
| SHA256 | ea459db767719a63f17eb116fdc8132318bf0717bde18f8f3620eba812ed737c |
| SHA512 | e12e06d48153c0a8d000933b9a697706f0529287b7e19105651b5b3801155902cc860284963405c45d71d2898a85f7e1183b26a52768a2e6e36b4384395302ce |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 43b3a2b9f23f0e14940e3080da57ff15 |
| SHA1 | c1f3a30fc84b6019d17c5f3ce938fc444481e273 |
| SHA256 | 6de4c2db4966cff7fd37eac0db508634ae6e38d447550805842a48caf7680c1b |
| SHA512 | 4ab91fe07ff14cf1d6ef3d7e512619b097e50ea8d63ee73e48a33fa069d33633d1da05d22070008c4a77420a2322e16473d3b1874f17363d0694c7e6159a0386 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cdcde7a591a91192cabaf1c9e0150219 |
| SHA1 | 7c26f33c2483db7c6f12bdae2b2f017627b773c2 |
| SHA256 | e029353fc6c15b0f0191bb43ac245f542cee2c69de17cfbfbdf2d2145e29699b |
| SHA512 | cc912f20a5f68b00670e42ee12a46d3b2a80d1d90f82af5ea1159061dd931f15a70cc10a55cfe33d86b3b2cba4b7f6d142b00c0d0b3c6739c399d7bd8cee67b6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7ee19f9ec59fda92f62c613be7edd15b |
| SHA1 | a48551c407373454ff6981a6e43e98aa77c7a1b6 |
| SHA256 | c7caff26d72526612339681de13424d5672b06b9669aac906504581d04f5d462 |
| SHA512 | e2a0b774258499959b04711791ed1a0928cccbb9c56e727018891e708b3a3bdcfc7fd4ef89bd5297c6d0978efb56b249ac9faa16338e57921b9d7fe33029e7b1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b2103cd2712570a0d25a97309040cb60 |
| SHA1 | 21938bf636bfc388059b81eb41202d04b6535153 |
| SHA256 | f8b3320ae9886e16993bc9b5ca1293f661b0e91b81f1cf713be467b58fb5345c |
| SHA512 | 28af59224f60adad99bae71c42bfcad53f06d2f5b3a6faf70abab96ca803950f37467c6c41089d41d574893b669667de7b36c8f96d9db3e937ca41fd79e6e6c8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6e41c0c07d292d4fd84c7ff029c9fe75 |
| SHA1 | e2b71647061bd1c38389be1fb89e16604d5aa6d5 |
| SHA256 | e72b4b065538fa0b70f1cfc116e9bc07842d87892abb25235c2d1a408fd696ab |
| SHA512 | 399830baaa2ba220340e2c6c3ca374a2484141e4eb563446a42d10d066c020684bb5f2efaf691da3b6fecc6731b24edf0cbc959462ff13870612020327777bef |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-30 20:31
Reported
2024-07-30 20:33
Platform
win10v2004-20240730-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\SSychost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\SSychost.exe" | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
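The registry rows in the three autostart sections above (and the matching behavioral1 rows) are the sample's persistence footprint: HKLM and HKCU Run values, Policies\Explorer\Run values, and an Active Setup StubPath that the sample first writes with a "Restart" argument and the injected explorer.exe then rewrites without it. The Python below is an added example, not part of the sandbox output or of the CyberGate tooling. It parses rows in the report's own column layout (the sample rows are constructed here from the behavioral2 tables), normalises \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to hive-style IOCs, drops the Wow6432Node segment so one IOC matches 32-bit and 64-bit hosts, classifies the three mechanisms, and resolves where the binary actually lands on disk: a 32-bit process writing under C:\Windows\system32 on 64-bit Windows is redirected to C:\Windows\SysWOW64, which is why the registry data says system32\WinDir\SSychost.exe while the "File created" rows show SysWOW64\WinDir\SSychost.exe. Function and variable names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the 'Key created' / 'Set value' rows from the
# behavioral2 tables, rebuilt in the report's own column layout.
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe'
EXPLORER = r'C:\Windows\SysWOW64\explorer.exe'
SID = 'S-1-5-21-113082768-653872390-2867000172-1000'
ASETUP = r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N4TXP8HP-D5QP-6035-HTK0-BOXHKJ2XS1PJ}'

def row(desc, indicator, proc):
    """Build one report row: | Description | Indicator | Process | Target |"""
    return f'| {desc} | {indicator} | {proc} | N/A |'

SAMPLE_ROWS = [
    row('Key created', r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run', SAMPLE),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe"', SAMPLE),
    row('Set value (str)', '\\REGISTRY\\USER\\' + SID + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\SSychost.exe"', SAMPLE),
    row('Set value (str)', ASETUP + r'\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe Restart"', SAMPLE),
    row('Set value (str)', ASETUP + r'\StubPath = "C:\\Windows\\system32\\WinDir\\SSychost.exe"', EXPLORER),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\SSychost.exe"', SAMPLE),
    row('Set value (str)', '\\REGISTRY\\USER\\' + SID + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\SSychost.exe"', SAMPLE),
]

@dataclass(frozen=True)
class Autostart:
    mechanism: str   # 'Run', 'PoliciesRun' or 'ActiveSetup'
    key: str         # hive-style key with SID and Wow6432Node normalised away
    value_name: str
    command: str     # registry data with the report's doubled backslashes undone
    writer: str      # process that wrote the value

_ROW = re.compile(r'^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*[^|]*\|$')
_CMD = re.compile(r'^(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?$', re.I)
_MECHANISMS = (
    ('PoliciesRun', re.compile(r'\\CurrentVersion\\Policies\\Explorer\\Run$', re.I)),
    ('ActiveSetup', re.compile(r'\\Active Setup\\Installed Components\\\{[^\\]+\}$', re.I)),
    ('Run', re.compile(r'\\CurrentVersion\\Run$', re.I)),
)

def normalise_key(path):
    """Native registry path -> HKLM\\... or HKU\\<SID>\\..., Wow6432Node removed.

    Wow6432Node is only the 32-bit view on 64-bit Windows; on a 32-bit host the
    same sample writes the plain path, so one IOC should cover both.
    """
    upper = path.upper()
    if upper.startswith('\\REGISTRY\\MACHINE\\'):
        path = 'HKLM\\' + path[len('\\REGISTRY\\MACHINE\\'):]
    elif upper.startswith('\\REGISTRY\\USER\\'):
        path = 'HKU\\' + path[len('\\REGISTRY\\USER\\'):]
    path = re.sub(r'^HKU\\S-1-5-21-\d+-\d+-\d+-\d+', r'HKU\\<SID>', path)
    return re.sub(r'\\Wow6432Node(?=\\)', '', path, flags=re.I)

def split_command(command):
    """Separate the executable from its arguments ('...\\SSychost.exe Restart')."""
    m = _CMD.match(command.strip())
    return (m.group('exe'), m.group('args') or '') if m else (command.strip(), '')

def on_disk_path(exe, writer_is_wow64=True):
    r"""Where the autostart target really lands on disk.

    A 32-bit process on 64-bit Windows that writes under C:\Windows\system32 is
    redirected to C:\Windows\SysWOW64, but the string it stores in the registry
    still says system32. With writer_is_wow64=False (32-bit Windows, or a
    native 64-bit writer) the path is returned unchanged.
    """
    if writer_is_wow64:
        return re.sub(r'^C:\\Windows\\system32\\', r'C:\\Windows\\SysWOW64\\', exe, flags=re.I)
    return exe

def extract_autostarts(rows):
    """Keep the 'Set value' rows whose key is one of the autostart locations."""
    found = []
    for line in rows:
        m = _ROW.match(line.strip())
        if not m or not m['desc'].startswith('Set value'):
            continue
        key_and_name, sep, data = m['ind'].partition(' = ')
        if not sep:
            continue
        key, _, value_name = key_and_name.rpartition('\\')
        key = normalise_key(key)
        command = data.strip().strip('"').replace('\\\\', '\\')
        for mechanism, pattern in _MECHANISMS:
            if pattern.search(key):
                # Active Setup only executes the StubPath value; other values are inert.
                if mechanism != 'ActiveSetup' or value_name.lower() == 'stubpath':
                    found.append(Autostart(mechanism, key, value_name, command, m['proc']))
                break
    return found

def summarise(rows, writer_is_wow64=True):
    """Return the autostart entries and the distinct on-disk binaries they launch."""
    entries = extract_autostarts(rows)
    binaries = {on_disk_path(split_command(e.command)[0], writer_is_wow64) for e in entries}
    return entries, sorted(binaries)

def active_setup_commands(entries):
    """StubPath values in write order (sample with 'Restart', then explorer.exe without)."""
    return [(e.writer, e.command) for e in entries if e.mechanism == 'ActiveSetup']

if __name__ == '__main__':
    entries, binaries = summarise(SAMPLE_ROWS)
    for e in entries:
        print(f'{e.mechanism:12} {e.key}\\{e.value_name} -> {e.command}  (written by {e.writer})')
    print('look for on disk:', binaries)
```

The six normalised keys this prints are the ones to query on a suspect host (under Wow6432Node on 64-bit Windows), and the single on-disk path is C:\Windows\SysWOW64\WinDir\SSychost.exe on 64-bit hosts or C:\Windows\system32\WinDir\SSychost.exe on 32-bit hosts; the dropped copy carries the same hashes as the submitted sample, so the file IOC is the sample's own SHA256.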
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WinDir\SSychost.exe | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\SSychost.exe | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\WinDir\SSychost.exe | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\SSychost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDir\SSychost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\79ee1b8ab439125a681223920358d32d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\WinDir\SSychost.exe | "C:\Windows\system32\WinDir\SSychost.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3948 -ip 3948 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 592 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 23.58.20.217.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/796-3-0x0000000010410000-0x0000000010475000-memory.dmp
memory/976-7-0x0000000000F80000-0x0000000000F81000-memory.dmp
memory/976-8-0x0000000001240000-0x0000000001241000-memory.dmp
memory/796-63-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/976-66-0x0000000003CB0000-0x0000000003CB1000-memory.dmp
memory/976-67-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/976-68-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Windows\SysWOW64\WinDir\SSychost.exe
| MD5 | 79ee1b8ab439125a681223920358d32d |
| SHA1 | e0227af1698b1ef9daf299c22986d2849483bb67 |
| SHA256 | 075672291ff4cb62a1ea33346eed991e7bd61f7da5ffd9994d170c2b636b1c16 |
| SHA512 | 9411ea51dcb7f01a1a621f7ab24634f23720a8bbf2a693e864dd2b4d89bcae1cfdb997825a72ca5592dcce14afb2a3fdd1973fb907876044af52c68df0493174 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 6fc1d113e4b78557ab2787c2f7ffa180 |
| SHA1 | 8da78a37da41d25c42b389541bdb7fb5ca98dba0 |
| SHA256 | 54eeabf2a1482afd04175bdc6f5dbff5faf798fb49740e7bf816f99b805967ea |
| SHA512 | 67db8326a6f72ff78da18b1510c1137688971ead3f0394f12f82affbf7b432f83b37f8b0d58afdea726d9184d41df06cd10bb0b3b62157bc79ba4a6a4643ca1a |
memory/3224-138-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e2c278325f4e5770422bafde1e3b878b |
| SHA1 | a67c255bd1cb7d6777e44918c9603381a6fb4335 |
| SHA256 | 8bfae5f95dac70bb23182bb02ca6e8d85c198a8dbdd7f0ecf333368ae193d8b5 |
| SHA512 | 7c5af6463369f9ddf454da07c6670a151f6a6c290a9763bdd8bbe1b88fc9db3ff209d14b78c3b13b31b09fe88f196ecf32cba9c254e55e7209f618130939013d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fecb6c4edf85d1277e13f5526f0b12e7 |
| SHA1 | 85a52670d3d726c03df9242b522dd0018c1b264a |
| SHA256 | 9940d8aa86422adbb0c91279df4fd4d3113fa2cebf551247ec49b52e081ea440 |
| SHA512 | 3ff3891b618eb96a197fc45bf4c7c8f4818026312a342373bf9dad8a8c527b108efc0fff0a069c8b642b7cef2bac893389cf8689395ea9578933217f0b53097d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2c79c1d5c891df869701bde98f405ae8 |
| SHA1 | 90a5bbf7e1b4ab5c134f27052dada8fce4534bcf |
| SHA256 | 2bf627646b54fe8f97d704653917d559f0f87b3c702886338589b4321fd67a7e |
| SHA512 | 0090e0b3bcffa814a2034637e28bdded116cced25fe94a2c89ac4fa2520df7eda3b4a1a48a0f2f4bbb4ad4568b1adc7afd4639d59ffd12a5379582f82ad87485 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cdeb3a654660912e437963918eec509e |
| SHA1 | aa68c299aa6fc099a75665218c0413f6917817e5 |
| SHA256 | 2ee49973fffab28dc59ef0c9b2bfdd9e8d452476f12b121d33020654830b5944 |
| SHA512 | 0136659ad4f9b946c66305238ec7b8160f3a8c23d794f7f402a9e7aec2c619769ae387fc71b9734738896b7761479075acd96b971e8d75085bce20d7e3dbfe4e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1c87a0772d8fcc1288104517251479b2 |
| SHA1 | 638b94b70a00aa3741c7d9f429ede94db8124773 |
| SHA256 | 179b08ff5b8f81c29d0f1a4477ae89e66adc4a791b37850fe4321321deb93b5d |
| SHA512 | e49e6af16ca1444d2de1f39d9f2c4f73d923ecb5bb5f9e6b23111a90d5de7e785416243862a40c2a8b05108e796e71d0e7063ba5efd30168e74dadc41d6c1a16 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 62709348c38a7e551c293ad0a8064699 |
| SHA1 | d33b5b719b4716573f9bfe84c3b4f19f02a37f59 |
| SHA256 | 5c0d65be1fe4a06b8a40d9d10834f5628bf6664f2171910742a0290b6801a9a3 |
| SHA512 | 3212a04b53039eb21e31070a296bd68650955b49f6937a6fa66fa67977966264e920a1b4c679bf901e0204410828ad0d397861ff7d53ba207b9bd4847efc7d4e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e4940f174d8ee75abb1561b78187b10b |
| SHA1 | a7256ee78fa9d1c80472a2f115d74133acfc79ce |
| SHA256 | f53ac34ad48d891de7f5d0921093c11774a26fd356cbf18d3ae1ae214687d2a9 |
| SHA512 | 1c22da7a76f26d878ccbef33b4aadeb8b9b5ecf8ecca7511e294fa02a6564772a83a80978a857c59a09b9771490b3868ad9a45bdf7afd8da41f008d273f4710a |
memory/976-759-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9c16217371c5b2baefbaaae9f4691e58 |
| SHA1 | 9eb61dbc7e168dd5ab91981226bac4a1abc78f80 |
| SHA256 | 7ed806ce75563808f0f80488a536061a55b8e134005b11baaec5cbed76ed36ee |
| SHA512 | e23c6d6e31e322461e678f386c55bd99e7ff6b274d1f5d70af035b70d6f154f863662028acb2ad958e0f6fb4745eb701edc1dff70f3d46c71cc7e3c4e5937188 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 20d26c26b72266b533fed18f9b55d25e |
| SHA1 | a1217b6e520a807ec44a77754849a065d4629ebd |
| SHA256 | 1d8fb3c860ab3e7599cbd2cd3840ca447425ccbfddd46c0a39d889dbce3880c5 |
| SHA512 | 56bb399f609f88e0a34164deb470988c0ee4780798240c4876ebd9e69b66de5fee8a0ee0981a9d1108eb4abfd0e05f8cad41d540e2af2fb5992abf1d59058a5e |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d76822bcda54c679dc0ce901ca79cf10 |
| SHA1 | 0eee04e1154be61dab341bc48f78d95f680491a0 |
| SHA256 | 47a7456961c63186a26b593cd0ae57b92fde6a676458d6a536b1f0128bf13e35 |
| SHA512 | b0a335cb7d325d843d2f5051922131d1ae3d3992fd733873dbe9d3045943d0fbe9b24bebeea1a8123470c60159be03b2d66da6eecbb2e1514d58ee408fc00d3a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6fc0c857e0d56056a82ed3847600f79d |
| SHA1 | 4efc2ab3cbfd5ea145617cd8ad66e923245c98f9 |
| SHA256 | d5300b102cdb54f5247f002e9c3d977daf00b9c2367b82338c9400449b8fec7c |
| SHA512 | cace4de2dde6406318998de33a2e96e6099fc40a377f77b24fb5046e54b58257b3f639066e5cb819fa49a06550e6cca5e5c5a0500cbe757ac74f96241267fc58 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | adbd732b56097c95e2c7216a5e8634ec |
| SHA1 | 573acc1404a64eecbeb2f9bfdecedf97599a260d |
| SHA256 | ea459db767719a63f17eb116fdc8132318bf0717bde18f8f3620eba812ed737c |
| SHA512 | e12e06d48153c0a8d000933b9a697706f0529287b7e19105651b5b3801155902cc860284963405c45d71d2898a85f7e1183b26a52768a2e6e36b4384395302ce |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 43b3a2b9f23f0e14940e3080da57ff15 |
| SHA1 | c1f3a30fc84b6019d17c5f3ce938fc444481e273 |
| SHA256 | 6de4c2db4966cff7fd37eac0db508634ae6e38d447550805842a48caf7680c1b |
| SHA512 | 4ab91fe07ff14cf1d6ef3d7e512619b097e50ea8d63ee73e48a33fa069d33633d1da05d22070008c4a77420a2322e16473d3b1874f17363d0694c7e6159a0386 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cdcde7a591a91192cabaf1c9e0150219 |
| SHA1 | 7c26f33c2483db7c6f12bdae2b2f017627b773c2 |
| SHA256 | e029353fc6c15b0f0191bb43ac245f542cee2c69de17cfbfbdf2d2145e29699b |
| SHA512 | cc912f20a5f68b00670e42ee12a46d3b2a80d1d90f82af5ea1159061dd931f15a70cc10a55cfe33d86b3b2cba4b7f6d142b00c0d0b3c6739c399d7bd8cee67b6 |
memory/3224-1439-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7ee19f9ec59fda92f62c613be7edd15b |
| SHA1 | a48551c407373454ff6981a6e43e98aa77c7a1b6 |
| SHA256 | c7caff26d72526612339681de13424d5672b06b9669aac906504581d04f5d462 |
| SHA512 | e2a0b774258499959b04711791ed1a0928cccbb9c56e727018891e708b3a3bdcfc7fd4ef89bd5297c6d0978efb56b249ac9faa16338e57921b9d7fe33029e7b1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b2103cd2712570a0d25a97309040cb60 |
| SHA1 | 21938bf636bfc388059b81eb41202d04b6535153 |
| SHA256 | f8b3320ae9886e16993bc9b5ca1293f661b0e91b81f1cf713be467b58fb5345c |
| SHA512 | 28af59224f60adad99bae71c42bfcad53f06d2f5b3a6faf70abab96ca803950f37467c6c41089d41d574893b669667de7b36c8f96d9db3e937ca41fd79e6e6c8 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6e41c0c07d292d4fd84c7ff029c9fe75 |
| SHA1 | e2b71647061bd1c38389be1fb89e16604d5aa6d5 |
| SHA256 | e72b4b065538fa0b70f1cfc116e9bc07842d87892abb25235c2d1a408fd696ab |
| SHA512 | 399830baaa2ba220340e2c6c3ca374a2484141e4eb563446a42d10d066c020684bb5f2efaf691da3b6fecc6731b24edf0cbc959462ff13870612020327777bef |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d0a09057777ffabceaaeee34ad090d46 |
| SHA1 | 44e6e704f586eebd6c1c55b8e0a6a4651be7e03c |
| SHA256 | 9779dd22ebbc00cb9cfd8f34c8c8de473265db71c035f046afef6d5a941b74d0 |
| SHA512 | e6927e3dfa9bceb8699a77ba8cd63c697fdcac945ca2a9385b75b6d6b7ae0301c3533554454547c8ea9c293b3e0f9a9e830e62467adf2b9effde3103333434f3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bef1966efc26325095f75a84a2ffc07c |
| SHA1 | e6ad5b7e5f4cb951f11d6e8d71cf2ca04783956b |
| SHA256 | 5162af6247cc19eceed3e9a03a1224b3a9447ff3f6f8a9fbeba08e0fcbfc25d9 |
| SHA512 | dbbd75991805152855d9eae2119af4018564f258397cb76104825171fd99dd12c2b33a2a3e0a195d801be6d3e8da742dda9d9feb399464c79b164d60813c7964 |