Analysis Overview
SHA256
1b9a6cdc93613ae1ba56d7bb625fc85ef9f8b6525574b83121dad7529d8ead77
Threat Level: Known bad
The file c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-27 18:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-27 18:18
Reported
2024-08-27 18:21
Platform
win7-20240704-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{14FO3V77-H16S-83P1-GSG0-681QL1MPQ72W} | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14FO3V77-H16S-83P1-GSG0-681QL1MPQ72W}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe |
| PID 2808 set thread context of 2680 | N/A | C:\directory\CyberGate\install\server.exe | C:\directory\CyberGate\install\server.exe |
| PID 2816 set thread context of 2544 | N/A | C:\directory\CyberGate\install\server.exe | C:\directory\CyberGate\install\server.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
\directory\CyberGate\install\server.exe
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
C:\Users\Admin\AppData\Roaming\Adminlog.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\88603cb2913a7df3fbd16b5f958e6447_5349ca0f-aec5-405f-83e0-aa034653cb76
C:\Users\Admin\AppData\Local\Temp\Admin7
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-27 18:18
Reported
2024-08-27 18:21
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{14FO3V77-H16S-83P1-GSG0-681QL1MPQ72W} | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14FO3V77-H16S-83P1-GSG0-681QL1MPQ72W}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3532 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe |
| PID 3752 set thread context of 4548 | N/A | C:\directory\CyberGate\install\server.exe | C:\directory\CyberGate\install\server.exe |
| PID 4408 set thread context of 5088 | N/A | C:\directory\CyberGate\install\server.exe | C:\directory\CyberGate\install\server.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\directory\CyberGate\install\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\directory\CyberGate\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c57aa5df3c79df3ba7c1ffa023cec29e_JaffaCakes118.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4548 -ip 4548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5088 -ip 5088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 560
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
C:\Users\Admin\AppData\Roaming\Adminlog.dat
C:\directory\CyberGate\install\server.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\88603cb2913a7df3fbd16b5f958e6447_c186ecc3-67e4-4d2b-8682-b6c322da87aa
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | d5c58c3c938390e0956c4d1d63dc0f63 |
| SHA1 | fb3e33fed862eaef01c3ac621377084fe7af0990 |
| SHA256 | abef8960d586fda4065bd2bc5c5ffe1a3318744c4ebcf449c94456f7c72153ae |
| SHA512 | afa4ede699a21e60ea06c7141df49bfaf1f8c4c0074352f1243b9746ecfdeb3cbfcd76a5e93bf5aff0a47018ff1d3d986a744d502d5ec5a312b12aa0e315e8c4 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 95edf7847d17924259679da3f2ffee55 |
| SHA1 | dadf9297bdfd8e9cc79a4d9f035beb1c556fc210 |
| SHA256 | 67456f0d29c26e39c4b828d5a48415565ce9471e7b919c34ae545734b71c88bb |
| SHA512 | 64e8df8879fd17356cd34cec38b388d47965ad6229908cffa9683aadc8dbe453ff0bb1581f6c3cc8099f6d690c4052b01b51289e3bd29275780535c0c07138c4 |
memory/5088-264-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 04f5c9b8a12bb647a9c4f7edd2b0642f |
| SHA1 | 519b22afe40c915b3ef0433bf23b935cf6e57aa4 |
| SHA256 | febcf9f4f833e3f2028503010caddcb5458249cfb8bfabbd2febc3e47ca54198 |
| SHA512 | cf76e8c3685d32aafd0d6c0b09f025a787903686bb864ccb8f0bf96b6494674f829a78a6ecae2a84fe7e23f6f768932ff50d846602326c24a8b798839ebd8004 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 26b61f0e003efe5f773d1caeb650053e |
| SHA1 | afce71a3deeb8d5d6c981f0903cad5e25262e3fa |
| SHA256 | dd6df60bbe4b9abac58c254d85eaffd65fd6d711dfd59ec6e68eb428911993a1 |
| SHA512 | 5140b3577f61592419c7b886665082e72739af8b94c23dc0efa9b4f3e11558800cd8e1285e833324dab452ef6a1aaef8ee9134ace263da5f9903fe4894bf918b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 004dcadebbf4b583bb3e59961b46c373 |
| SHA1 | 6de29525fcbb434eae8c476ca55da94374c5be16 |
| SHA256 | 2d1e8439407e84b6328b8d91190a560beb8f109948431c6392c99af98e4f27a9 |
| SHA512 | 40f02d5c22119829313a327a3ce701150d423726fd3bd8a8d2df593ba2660616749d20497ac709ff6e459bc58c932db5e5b015747c158a91e68948f0d3106398 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 3848e4fa9fac8f90d0ed1c211406e03a |
| SHA1 | 1175be821014163c42d5b7244a53639552e43f02 |
| SHA256 | 3337a539fcc13f265e1d72c546d9a1bef58255ace4f2ec87c5d58fcf1dd9c119 |
| SHA512 | 77cc36decae91d5dda867ecf967d9bae193342f9adac61119ddcf1d3086f256624a1440da7a503eb284cc399b4f11817484264cf4b99aec08c4ad039de6672f6 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2912ecbd76b3a9a2a92e899a1384a8c2 |
| SHA1 | fcab81b1b68f58ac2570aa6a10e2bc3000c27ae1 |
| SHA256 | 55fc5ce8c5fca45a8ace02afc020c139825959e90d486dd9821dbb83c09533be |
| SHA512 | da587411888dbd8a3e0f6273a431591b81365af11d4ce8cc105d22bd1d38f5ba5a436ef19acf252a1b34cdfb13ee66e94fe43df86e02011aee6f70e81facc417 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 6358fff7ea65ccb8e26041f7a8e42c5a |
| SHA1 | a36a77d23949c32d530dfaeac8aa11aba3620fc2 |
| SHA256 | 1f9f16d65054839cc17264d49ad408c74a4602386209e5a8a219555f714be98e |
| SHA512 | 959525b8ef512464654cca7ee8d8701b2ffb868f6f29a3c20650951b10765698ce7063078c9f2da1201733afdc6f4597df301b2935c40223b8ba8521501d77a9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 25bbd49e4ac819dbeb85a6c6e3970077 |
| SHA1 | 32c27767a3dc6ccf77d00459fe9a363543b615c8 |
| SHA256 | d8bb8290d2e7ba8a4728c72e79db3d99ee735c90c4af6047c0514bc5e581753d |
| SHA512 | 4f16272bb4acaeaa90a6583051df7ae7f7de20392ab766453659c805b3fba45748b4e7393d61906290e577f49ed63dd046aa73c2721d2bd141964fdd5d8be900 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | cd389d4e17e41bcfcf540102b068d24d |
| SHA1 | 728a454c32e90f5d23794f8d2f24565c3f97a794 |
| SHA256 | a80f7331b478a2f430d34b51a08b2d23b3f4e91624ed8d3c6a618b1a5dd6b83c |
| SHA512 | 5054022f60ccc810213658512fd72572f09b6f341e5ffd8f131ff4873384d252d14f64ec5a1bb32c044303c05a5bb086413b7dd30be209d790f9b533ca2854d5 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2aaf316aace9a6057921c12fc94b67f9 |
| SHA1 | 45ba2d1add901da529916da6b4c73fd876d9447f |
| SHA256 | a0c11a8078de2a6cdde7a1bdc0f90c3b0675502e8a2ad9265c868d5429a93403 |
| SHA512 | 3d0064bcac3eea142a4790ddd0e845a7d736d4f4f064562870db412cf1c108ac18a4e32b46370bb697f6aaea41a375579b1f08f15a3c3152523bc3cd22d9810a |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 47179fcaae0ac392f801f3797e468a7e |
| SHA1 | 539c0bcb7b28bce47cdda56032a8339046908a39 |
| SHA256 | 794b5ecafe45780310fbcf79f0cdf8101db83f9b07acd57ac847127bab2647fb |
| SHA512 | 3e990b2f44990577c0e90cacfbbdb405a5a0a4cafa12eddca66ec7d4cb59b27ebfab2f6972526275c5427d8ba03b86208112825033ad95cff1a54a3669faea4c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2fa8c0bc721522dd4698b66fd9b23a1f |
| SHA1 | 45438447cab9b54ed05be2dd5175e5986e78f163 |
| SHA256 | 8066d0c42ec53e30645a72551da786da43f2137af396de666ebabd03c7259293 |
| SHA512 | 9b76e8dc72c98d65a845da37f6060c5a4305dda97481dfeb096e0d5fd8c03ace1fa39718816b573e0927c6f3091c90b386b55960b86a7712abf54dbb4000379b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 606dfe3917c59363cabc3dc42ecc4669 |
| SHA1 | 3eaac6ba640a8be19b162446fcf1c43c9ef1b264 |
| SHA256 | 774a6cc683b4c45b52630c20588d7ea301a84b12da8ce132479c0f5722532703 |
| SHA512 | aa91ccff566672762df95e2ff735c41889d6de3cab262b49915c67e697e96b590c7388da7c90ab26aeeecacc245a5e303a1409b09fa4262c6c47f8a72f7b33d3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 37a837b99feb84a1d3a992b6a067fe27 |
| SHA1 | da946733e3c75f240840e925dfd53d1990d25ea7 |
| SHA256 | 50cee5fc598170579a77de1942709abe523cee954b2291aca06941b0aee978fa |
| SHA512 | 09e87774ed43d820d336a0af2cddc8b48bdf593b42e61643ff716e6de1a29cc46fa08dcec4512c60a6e3b3a18309771c4486c833a4789b27a1b3e1a2a42f2dce |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 13af99d64fcac3462d5e539167e219a5 |
| SHA1 | e6fcb2c0103151fc5130d74c175818c127546433 |
| SHA256 | 433e55425721cd1126498536664a68e8f6cec82ba0b8ca29282d47baa4363da7 |
| SHA512 | e945c8326ee20c27a9ed1947360a5df9145c2174130c671efc667eebbf0a428834eb6a269cdfa9d48464794a892b1ac0cb995d4c805712ddfe4c13579ebb1564 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 527c4efe42d08232bb3bcc36dc516b77 |
| SHA1 | 35a5c5e97dd1f67fd0268278a43eb2b345ce3f78 |
| SHA256 | 86ac35cd0a7953b0d8634f8a83248604eaf1aee18174d3e740c3744637113fb3 |
| SHA512 | 94de442529329a153b36c9bbfc4df6426893a66a087955b9fb6122d74f478bd8033864e4faef1bc9b874e8b44d5382a0eb53c72fd8387b220bc336e4d74f13e2 |