Analysis Overview
SHA256
5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1
Threat Level: Known bad
The file 9ab644449c7139b4ae722c8044383e4b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
UPX packed file
Adds Run key to start application
Unsigned PE
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 16:13
Signatures
Cybergate family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 16:13
Reported
2024-08-15 16:15
Platform
win7-20240704-en
Max time kernel
149s
Max time network
153s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe" |
| C:\install\server.exe | "C:\install\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\install\server.exe
| MD5 | 9ab644449c7139b4ae722c8044383e4b |
| SHA1 | 04356f283d8278241598c5d97261344bcb2fd8d1 |
| SHA256 | 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1 |
| SHA512 | f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | ede4ab0dc240d253ec6719bb232ced84 |
| SHA1 | f2e3d4558906ee268dd36595f1b5b22a37764c65 |
| SHA256 | 76e94dfb3166cb8794b3be486bdfa5fb1566ec06a780c5fe328a8090cc67fbb5 |
| SHA512 | a1fa26d4c0487a2536269f19c9f98726c416cafb8fd16a7d02aff504c3c9a4c13db31778dbb9a9ccf94e1ca8802aaa2064ae2be734e2901ff4eae17be7287eb4 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | fb6445b5335a91922c5e6e68cc71d520 |
| SHA1 | f21e3cd41ada38f307dbd7d89c3e87811278416d |
| SHA256 | b5f0ddece953bb5203c8d7ca0039b72acc90b1df5849655b6a99df58ec3ef75c |
| SHA512 | a0df91c1eae6591318f6c29e1d7a47b5d99d8f1e2a1646d7ce51e42dbe22041ccc5cefe8a82e2485197bae028c7f1994c1a77aaf769bcad6ae9636d71d3c0834 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 16:13
Reported
2024-08-15 16:15
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
150s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\install\server.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b_JaffaCakes118.exe" |
| C:\install\server.exe | "C:\install\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2864 -ip 2864 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 564 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\install\server.exe
| MD5 | 9ab644449c7139b4ae722c8044383e4b |
| SHA1 | 04356f283d8278241598c5d97261344bcb2fd8d1 |
| SHA256 | 5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1 |
| SHA512 | f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | ede4ab0dc240d253ec6719bb232ced84 |
| SHA1 | f2e3d4558906ee268dd36595f1b5b22a37764c65 |
| SHA256 | 76e94dfb3166cb8794b3be486bdfa5fb1566ec06a780c5fe328a8090cc67fbb5 |
| SHA512 | a1fa26d4c0487a2536269f19c9f98726c416cafb8fd16a7d02aff504c3c9a4c13db31778dbb9a9ccf94e1ca8802aaa2064ae2be734e2901ff4eae17be7287eb4 |
C:\Users\Admin\AppData\Roaming\logs.dat
| MD5 | e21bd9604efe8ee9b59dc7605b927a2a |
| SHA1 | 3240ecc5ee459214344a1baac5c2a74046491104 |
| SHA256 | 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46 |
| SHA512 | 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 2779c84ceced72a3d34b16b6df3a2741 |
| SHA1 | bacf8a924fcf87660c78b38932458bf42cb7811f |
| SHA256 | 5e1ad37e803217090dbb19d5f0583fe9b6bbd97760361bc61782573504d08461 |
| SHA512 | 46ecf84435a008aad5171380ceeefdcb542318150bc8f06025d1f7e1e2bc8871072321d1ec957843f61594e66d276574a8a094d634b97b14b200c3772f144601 |