Analysis Overview
SHA256
5f31f2824fe304f40be12dfdab2fd88ea0e2cc8f42acd04718c6e6ab71685528
Threat Level: Known bad
The file ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 13:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 13:59
Reported
2024-08-31 14:02
Platform
win7-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G} | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3040 set thread context of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe |
| PID 1040 set thread context of 2880 | N/A | C:\Windows\SysWOW64\install\server.exe | C:\Windows\SysWOW64\install\server.exe |
| PID 2332 set thread context of 2728 | N/A | C:\Windows\SysWOW64\install\server.exe | C:\Windows\SysWOW64\install\server.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\install\server.exe
C:\Windows\SysWOW64\install\server.exe
C:\Windows\SysWOW64\install\server.exe
C:\Windows\SysWOW64\install\server.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
\Windows\SysWOW64\install\server.exe
| MD5 | ccee4af16376dfd1fbae0f422e982c3a |
| SHA1 | 32725d0610612c2782c84755ea3057ef3f621c08 |
| SHA256 | 5f31f2824fe304f40be12dfdab2fd88ea0e2cc8f42acd04718c6e6ab71685528 |
| SHA512 | c9bdd5a79281f44e0241d246351589eb14b25a826fcef76e844a025c321daf476f15c18aedecb4dfead02a23f7301cef3db865e33b98f044b7928ab01fc12542 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 31caa896442d4993e8ea0a4eda6b45f9 |
| SHA1 | 3f5c9fab1dde7debc09117491b523c256b640213 |
| SHA256 | b39f7e3a3285dde53e72bb05221819f4532fb8000c70147cb70a7e93e3689c3b |
| SHA512 | 258ec1775580c7d32ed9dec2a132674e96f995f11ad39d3af7c0961b06e8780cc8c18ead410db1b9e2ee73e35dd0e64812d27ef3feb433684dc2a90d4d48ca92 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | bcba3ca029d59046554b22c21e565090 |
| SHA1 | 1416d069f9f2f30fc3523d6f334c6943e8d966e4 |
| SHA256 | db4ac5b8345c25ba8c7c79082cc2876a3f6c17e1864bb6b51c20662a2325e2dc |
| SHA512 | f169c55642cceb92c74de83f7991ba0f4f86f95d5d1177c6aa04af0a7a40ad9ad7fc3363509b20d80dee26cdc5f7563a980af21ab7c1564bfc40b16076a241f3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 13:59
Reported
2024-08-31 14:02
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G} | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Q1702V1Y-7G3R-30LP-SDT5-6QBC1TLC7T3G}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4872 set thread context of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe |
| PID 1680 set thread context of 4864 | N/A | C:\Windows\SysWOW64\install\server.exe | C:\Windows\SysWOW64\install\server.exe |
| PID 4112 set thread context of 540 | N/A | C:\Windows\SysWOW64\install\server.exe | C:\Windows\SysWOW64\install\server.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccee4af16376dfd1fbae0f422e982c3a_JaffaCakes118.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\install\server.exe
C:\Windows\SysWOW64\install\server.exe
C:\Windows\SysWOW64\install\server.exe
C:\Windows\SysWOW64\install\server.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 548
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 31caa896442d4993e8ea0a4eda6b45f9 |
| SHA1 | 3f5c9fab1dde7debc09117491b523c256b640213 |
| SHA256 | b39f7e3a3285dde53e72bb05221819f4532fb8000c70147cb70a7e93e3689c3b |
| SHA512 | 258ec1775580c7d32ed9dec2a132674e96f995f11ad39d3af7c0961b06e8780cc8c18ead410db1b9e2ee73e35dd0e64812d27ef3feb433684dc2a90d4d48ca92 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Windows\SysWOW64\install\server.exe
| MD5 | ccee4af16376dfd1fbae0f422e982c3a |
| SHA1 | 32725d0610612c2782c84755ea3057ef3f621c08 |
| SHA256 | 5f31f2824fe304f40be12dfdab2fd88ea0e2cc8f42acd04718c6e6ab71685528 |
| SHA512 | c9bdd5a79281f44e0241d246351589eb14b25a826fcef76e844a025c321daf476f15c18aedecb4dfead02a23f7301cef3db865e33b98f044b7928ab01fc12542 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | fdaaeb8412e87f8ba8e66771ee76ac9a |
| SHA1 | ef325c5bd23e9ba6354a206ca24146f3a983d0a3 |
| SHA256 | 3d8b51bcc0d233119f61d5b0e8e864ffe80f3b34bb290df405ec972ae0788ad6 |
| SHA512 | e2c635b8c97602109898ea13d54149b2901aa90509fe2b8951b3383c84ba9c8607cc2ccc6803f13725499cbac518d6581d866fc12ad50692c63f2d33500a4767 |