Analysis Overview
| SHA256 | 428a36fee1850e5df1767098373bc2c6971837f3d5b30ac3a0555f66e2b1e49b |
| Threat Level | Known bad |
The file c80d5d4773783828a9152dea2b127c2f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
UPX packed file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-08-29 02:13 |
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-08-29 02:13 |
| Reported | 2024-08-29 02:16 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 149s |
| Max time network | 151s |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045}\StubPath = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045} | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045}\StubPath = "c:\\directory\\CyberGate\\com32\\com32.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045} | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\directory\CyberGate\com32\com32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1528 set thread context of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe |
| PID 1828 set thread context of 4028 | N/A | C:\directory\CyberGate\com32\com32.exe | C:\directory\CyberGate\com32\com32.exe |
| PID 2340 set thread context of 3656 | N/A | C:\directory\CyberGate\com32\com32.exe | C:\directory\CyberGate\com32\com32.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\directory\CyberGate\com32\com32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\com32\com32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\com32\com32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\com32\com32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\com32\com32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-08-29 02:13 |
| Reported | 2024-08-29 02:16 |
| Platform | win7-20240705-en |
| Max time kernel | 148s |
| Max time network | 147s |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045} | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045}\StubPath = "c:\\directory\\CyberGate\\com32\\com32.exe Restart" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LFYWV3L-2613-WD02-W4KT-40EXDVC1R045}\StubPath = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\com32\\com32.exe" | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2964 set thread context of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe |
| PID 2092 set thread context of 2012 | N/A | C:\directory\CyberGate\com32\com32.exe | C:\directory\CyberGate\com32\com32.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\directory\CyberGate\com32\com32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80d5d4773783828a9152dea2b127c2f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\com32\com32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Network
Files
| SHA512 | c5b4a20b3b4089adba0a54057145b55f991c1c0f12e2c9b3d19823856561e8844e0106c680071ae8fdf7e7b1371699f7f16b5b9a80cbf7819e08c18ebd1964a3 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4add5a6484886fcfd331c391152745d6 |
| SHA1 | 304b05373b9321889aeae162f48b10f5fb192b10 |
| SHA256 | d0a3763cc12efeade87b66c7fb7ceb3cd1d3ec075978b09f47601ddff691227c |
| SHA512 | f5ad84d8c9bb02efea0a1de90e15c257fcdb1637c86e25df05fc81f590db22166fcd4a73c02742037b463ed9d4963db676d92d564881683aafbb6941154622a7 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ed845ccee9c4348053212fd28dbf3317 |
| SHA1 | 30232725c19e8f1250714f0e2339ed20f7942663 |
| SHA256 | 8d6c9cc58fd0c62aed0773f5bee140aa508293f5a6bd780c70bcac6b838a4bd5 |
| SHA512 | 47ebe6bb57e929452353b8ffbae6641556dc6a52bb445a73f22da5ed1187fd2be1945e2a432dd4dce6fb29f465a2a517163afe5fbf3203f934482a365b3e1f76 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 944d4700cadcc7ff90b07e38a8bde71d |
| SHA1 | 563256bbda7dd809bba626d86e11632d2165decb |
| SHA256 | ec3ff5b095bdfb4dff436b65d3631319163f58a45fd46d0a8a4a887baa47dc82 |
| SHA512 | d3ef2661c274a1bec93d40138f4a17c8bc659c7ff8e163f29f593f9c7106f5893e239a75db21fcfeff1d61f6af85a17b3132d81a4c48615969237aa781d1300d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d734ad541715132565c5dcc89c5f0b30 |
| SHA1 | fc6590cf3976d02780d76d0a7387f3f57721c147 |
| SHA256 | a29511acbda094c3d17dea7aa14aa40f2a5bb4cb57dd2f8162ddc32bc198eae0 |
| SHA512 | 01f9e12c5a85e6f70ec9b91bf1552d952c1e3b7829df7311c6520597580a1585bcb3af4dc097b2e28476571f924e34384b804512578f8021eedf356661cfeb66 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 02f03e701bbd213b476a5be0ef5da5a2 |
| SHA1 | e80c2185481c5158dda1b6b62f75379c6bd30347 |
| SHA256 | 750f2456ac0c9d11e8a420e6e70c6bc4db4b75173691f69a5d3d6a20dc5e6f4d |
| SHA512 | 29f32307693b26e72ead33e6f0fac33d807711daa4513d4d3662b2a4411d774b98a8ed9367c749f8d5b0a69511ea1ae8ca90b3f55364ba44c565856c205be9d2 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 89b10770bef192b9ea652f59b1d8a946 |
| SHA1 | 15895f2543d3b66a3206fba6c20578dbe309988c |
| SHA256 | 37a0efbf5c000b5b7f49809764e98bc0a75e33ba549018e499ed78b14af34c80 |
| SHA512 | e8b6dfccf8b413e79223e5d91c45d06388575143178aeb2822b40c8ad600bb4e69729eec2ae3078c110393b64541fbb9c94855badd62d79b8aed2e2aeda3c985 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b45a8cb6640484148f64060da0b28477 |
| SHA1 | f14bb6387eb2906152878920ebae077c02489040 |
| SHA256 | 3bef2a1cddd64bd2764650f75127752eb5a31649c1da748fe8a739c80e440679 |
| SHA512 | c0c82eda4257421ba33e89ac58aa515dd48bebfe2a9a67ee9054bab0cea4e0a0aec9680109b1fb600100b5adb83f01f17625a97b432d4995c9f5ed0ab275592d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9b4e6a10a32377bd0360083182dd7622 |
| SHA1 | 3db444bbab84691f90916f3592a1137b9ed4543a |
| SHA256 | 34023ea584013460686d5bc488a0f2d72c6e9fa5eb2a4d683c9985ce35b10822 |
| SHA512 | 63456a714235dcad980d10ccef70e5e74c1791baccbf473c31a635bc3a736df1e2b7f35c6d9d131fccca2dd0efed644b67e7211e64b5e1fdad30e562d84e8163 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 9882fe900f957b03330f4357edf89b01 |
| SHA1 | 987debfc89485ebc04d636780b3ee12c0c0522e2 |
| SHA256 | c2d1aaab6da34f2d32247711936a2f644397f0728e354e15b7687caf3274c1a3 |
| SHA512 | 4cc9c9cda1b02a55c717d2ca7ff1c15196799da84cd99f0dc8fa651404b815fc597c955a1cbe683bb1babb6aeddbd283932c45737a993a8e69eb544bed47f056 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c0b460f0908a19cb8a42d3bf06bce4b6 |
| SHA1 | ee762fc72a6284ed834f3fcc224aeb0b15629cf3 |
| SHA256 | 787b3b4de931aec111ac244e5a084d48927e900ff794f5bb879edaecb65dd3f7 |
| SHA512 | 45abc97a93d8490e52794cca9b41e5a1bf3c25afdc2f17f2a3d641a3d227d0acd46a86fcf6b16812e14c8151f36869929140004e7d0b2a08ce6f0d9ddd4e0aa3 |