Analysis Overview
SHA256
0303198253d95e625492a5c949095557e55f3666643308e0dbbdbb8eb65d5c5b
Threat Level: Known bad
The file 8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-01 16:30
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 16:30
Reported
2024-08-01 16:33
Platform
win7-20240708-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe
"C:\Windows\system32\WinDir\Svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 16:30
Reported
2024-08-01 16:33
Platform
win10v2004-20240730-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68X65EQ2-JR3U-8708-F5KK-O554UL1B735L}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\Svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8136ac6572c5e8e6f6f85bcf92274bf7_JaffaCakes118.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe
"C:\Windows\system32\WinDir\Svchost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4408 -ip 4408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 580
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files