Analysis Overview
SHA256
2324baf9b9e29806f6e4346c5ab351acd474b182aa138d87ca4ccdca701a75c0
Threat Level: Known bad
The file cb44cafd8070323fe108f19c9afcae10_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
UPX packed file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 17:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 17:03
Reported
2024-08-30 17:06
Platform
win7-20240704-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Windows\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | "C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Windows\install\server.exe | "C:\Windows\install\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\RESOLVER.EXE
| MD5 | 2f16426a0274725cf8ff7c44ffcbd275 |
| SHA1 | fd9937938d814ab83d78983b17f941b4e0139794 |
| SHA256 | 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7 |
| SHA512 | e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014 |
\Users\Admin\AppData\Local\Temp\SERVER.EXE
| MD5 | dde3e497c0924260d286ff11bccbb6ec |
| SHA1 | de0847cca9180e94d0d20fbdaa3e23189f9a4454 |
| SHA256 | 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962 |
| SHA512 | 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | b87bf5a04d6f0aa4ead70d655c0af299 |
| SHA1 | 52160184112c0bec6c539d939d71d6dcef6a07a3 |
| SHA256 | 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668 |
| SHA512 | 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 561fa0b9e5bb5922528e07658fe60f1e |
| SHA1 | 84a4c9e10d9648643891512e46b1305ca57c195a |
| SHA256 | bc6454b5b0d2baea39920e94c1a101e76507598f711ba2d9b1d5efe41707591b |
| SHA512 | 41d73da2475048a332882da6033252f7d5818746fdb92c59149809405a8d2ab3ee5e7805df37d9b6e9c3d2436cbb13b275103d117d672d841a29614ea69a1684 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 17:03
Reported
2024-08-30 17:06
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Windows\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\install\server.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | "C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Windows\install\server.exe | "C:\Windows\install\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 440 -ip 440 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 580 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE
| MD5 | 2f16426a0274725cf8ff7c44ffcbd275 |
| SHA1 | fd9937938d814ab83d78983b17f941b4e0139794 |
| SHA256 | 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7 |
| SHA512 | e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014 |
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
| MD5 | dde3e497c0924260d286ff11bccbb6ec |
| SHA1 | de0847cca9180e94d0d20fbdaa3e23189f9a4454 |
| SHA256 | 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962 |
| SHA512 | 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | b87bf5a04d6f0aa4ead70d655c0af299 |
| SHA1 | 52160184112c0bec6c539d939d71d6dcef6a07a3 |
| SHA256 | 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668 |
| SHA512 | 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2658981cc6602f71d38ede7bb07191d8 |
| SHA1 | 2dbbb6af18b5251615c89987414c0e6d1880ea52 |
| SHA256 | 310562049dae8ff1dca21bd26aa12b8a85381e650a67d2e75f021b0796ff56b6 |
| SHA512 | 8005872ac63a39d255bfb834687255596298db6d11a1a0ef177303b862cc0ecd2f13225280f3120749769ed9de2fe7e3f11dc32d77b4c602e345203be640f016 |