Analysis Overview
SHA256
2d92de149bb71b838b00447b26c68fb0f8cb7a8ec1bcbbccc6ed647c34ec04e9
Threat Level: Known bad
The file cf01b4c33f857697e725945458f1f22d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Checks computer location settings
UPX packed file
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-06 07:32
Signatures
Cybergate family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-06 07:32
Reported
2024-09-06 07:35
Platform
win7-20240903-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q} | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
UPX packed file (5 matches; the report records no indicator, process or target for them)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
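The four tables above show one persistence routine written three ways: a value named "Policies" under Policies\Explorer\Run (machine and user hives), an Active Setup component whose StubPath first carries a "Restart" argument and is then rewritten by the injected explorer.exe without it, and plain Run values named "HKCU" and "HKLM". Every one of them points at C:\Windows\system32\install\server.exe, while the file-system rows record the drop under C:\Windows\SysWOW64\install\. That is not a second file: the sample is 32-bit and WOW64 file-system redirection maps its system32 writes to SysWOW64 on 64-bit Windows, so any indicator match has to treat the two spellings as the same path. A second detail worth a rule of its own is the Active Setup component name {GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q}: it is shaped like a GUID but contains characters outside 0-9 and a-f, which no real component would have.

The script below is an added example written for this page, not code from the sandbox or from the CyberGate project. It tags Sysmon Event ID 13 (registry SetValue) style records against those three locations, folds the system32/SysWOW64 spelling difference, and flags the malformed GUID. The event records, the user SID and the two benign entries are constructed to mirror the report's indicators; the benign Active Setup component and the "Example" Run value are hypothetical.

```python
"""Added example: triage Sysmon Event ID 13 (registry SetValue) records against the
autostart locations this CyberGate sample writes. The events below are constructed to
mirror the report's indicators; they are not log lines captured by the sandbox."""
import re
from typing import Dict, List, Set

# Path the sample writes into every autostart value (taken from the report).
CYBERGATE_INSTALL_PATH = r"C:\Windows\system32\install\server.exe"

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\(\{[^\\]+\})\\stubpath$", re.I)
POLICIES_RUN_RE = re.compile(r"\\policies\\explorer\\run\\[^\\]+$", re.I)
RUN_RE = re.compile(r"\\currentversion\\run\\[^\\]+$", re.I)
INFORMATIONAL = {"run_key", "active_setup_stubpath"}  # common on their own; alert only with more


def image_from_command(cmd: str) -> str:
    """'"C:\\a b.exe" /x' -> 'C:\\a b.exe'; unquoted paths are cut at the first space."""
    m = re.match(r'"([^"]*)"|(\S+)', cmd.strip())
    if not m:
        return cmd
    return m.group(1) if m.group(1) is not None else m.group(2)


def canonical_image(cmd: str) -> str:
    """Lower-case and fold the WOW64 redirect. A 32-bit process writing to
    C:\\Windows\\system32 on 64-bit Windows actually lands in C:\\Windows\\SysWOW64,
    which is why the report shows the file created under SysWOW64 while every
    registry value says system32. Both spellings must hit the same indicator."""
    return image_from_command(cmd).lower().replace("\\syswow64\\", "\\system32\\")


def is_valid_guid(text: str) -> bool:
    """Active Setup component names are GUIDs: hex digits only, 8-4-4-4-12."""
    return bool(GUID_RE.match(text))


def classify(event: Dict[str, str]) -> Set[str]:
    """Tag one SetValue event; TargetObject is the key\\value path, Details the data."""
    tags: Set[str] = set()
    key = event["TargetObject"]
    if POLICIES_RUN_RE.search(key):
        tags.add("policies_explorer_run")  # rarely touched by legitimate installers
    if RUN_RE.search(key):
        tags.add("run_key")
    m = ACTIVE_SETUP_RE.search(key)
    if m:
        tags.add("active_setup_stubpath")
        if not is_valid_guid(m.group(1)):
            tags.add("malformed_guid")  # {GFR3DV57-...} in the report is not hex
    if canonical_image(event.get("Details", "")) == canonical_image(CYBERGATE_INSTALL_PATH):
        tags.add("cybergate_install_path")
    return tags


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """TargetObject -> sorted tags for events carrying more than informational tags."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        tags = classify(ev)
        if tags - INFORMATIONAL:
            hits[ev["TargetObject"]] = sorted(tags)
    return hits


USER_SID = "S-1-5-21-1488793075-819845221-1497111674-1000"  # SID from the win7 run
SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed from the report's indicators
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": CYBERGATE_INSTALL_PATH},
    {"TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
                     r"\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q}\StubPath",
     "Details": CYBERGATE_INSTALL_PATH + " Restart"},
    {"TargetObject": "HKU\\" + USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "Details": r"C:\Windows\SysWOW64\install\server.exe"},  # redirected spelling on purpose
    # Two hypothetical benign writes: a well-formed Active Setup component and an ordinary Run value.
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{00000000-1111-2222-3333-444444444444}\StubPath",
     "Details": r"C:\Windows\System32\example_setup.exe /user"},
    {"TargetObject": "HKU\\" + USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r'"C:\Program Files\Example\example.exe" /background'},
]

if __name__ == "__main__":
    for target, tags in scan(SAMPLE_EVENTS).items():
        print(target, "->", ", ".join(tags))
```

Run as-is it reports the three sample writes and stays quiet on the two benign ones. On a live host, feed it Event ID 13 records exported from the Sysmon channel; the INFORMATIONAL set is where tuning belongs, since a lone Run value or a well-formed Active Setup component is routine while a Policies\Explorer\Run write or a non-hex component name is not.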
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\install\server.exe | "C:\Windows\system32\install\server.exe" |
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 13 |
Files
memory/1208-3-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/764-2-0x0000000010410000-0x0000000010471000-memory.dmp
memory/2068-248-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2068-262-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2068-523-0x0000000010480000-0x00000000104E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 145daeb62b9b8f0e29528d51fccab9af |
| SHA1 | d83e3dbed292417774bf9df18918720d1087c6a5 |
| SHA256 | dd6e0fe716e659d917eaaa2924fee06a552dc382a115e0042aa80b979431cb36 |
| SHA512 | fcc2f20d322be690fc140231ffc38d5ab67ad13aa0a4631d63c5fcf2e882be5be2f2a70b848528c2ba49e2f187780add600ee38e152f14f036ec0ec42e257017 |
C:\Windows\SysWOW64\install\server.exe (hashes identical to the submitted sample: the RAT copies itself unchanged to the install path)
| MD5 | cf01b4c33f857697e725945458f1f22d |
| SHA1 | 7409c0f8b11d17072a015848a008d2572e0a3750 |
| SHA256 | 2d92de149bb71b838b00447b26c68fb0f8cb7a8ec1bcbbccc6ed647c34ec04e9 |
| SHA512 | 156d6e6672d22f95ed8c8b2e30d412ecd326382324578d7bb53616741485b835bf28149e51b282c93d9e5a5b8de458e7246390b8c69100949aa64f6fdcc85ab0 |
memory/1832-856-0x0000000010560000-0x00000000105C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\cglogs.dat (a file name associated with CyberGate's keystroke log)
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/2068-875-0x0000000010480000-0x00000000104E1000-memory.dmp
memory/1832-883-0x0000000010560000-0x00000000105C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 8ecc02523d1a50256d9638aab1293c29 |
| SHA1 | 8da21fb483256bf1931c9ff1fb277a4f12a92801 |
| SHA256 | 2aec96fb0f6d94e104749a7d49dcd4812aa53f9f7f625779a278ae5a0d4d7434 |
| SHA512 | ab0d44c468b690aa7b87157bdb3159f82b7490ab9cd903e882a97d49324ec807b025b4c05b3eb738a4ebabda504f0c15ea56713e502a2090edfd3fec0b24cc71 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 65189b613ea94b7058b3c20a06a04a27 |
| SHA1 | 212bd836333322a5b53c64e457c96f9ceab2a9f5 |
| SHA256 | 9542c47c16bf207593d7622d69b7f1f5ad42c7211f95f20d9411954f2781bb1d |
| SHA512 | bd50d7a2171ad7a653064a068af13d9dfb099895fe93c41ea25b00567e14a6cc9fb1639972eeae1aa21d60c2891c8725f38430f960732723e59707f4221ab81e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f8514b6e0eb3abec23a05f5f671ff41a |
| SHA1 | 3b12a4c8caa6b883b9bdf083cc4d5b03b69cbad3 |
| SHA256 | 79ac9b261c666938cbd6b46392e1e902846813233cceae24fe6d3e307e2942fa |
| SHA512 | f1c6ea9e00ba2a333f04dd2aa0a0f79bb9713f36ab9f5aae57f818b3080d79f8316b321753422cdda2c65c0cf12b8db15edf7c3a5eb06c444bdcb9462eed108e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 133de71e8b202cc88331cd0d96747985 |
| SHA1 | 7e51435e4da6dc6fa2463c71a3ed18d0abe53168 |
| SHA256 | b78c4da5265c1dbbbd9502211bc26791831fc7116253ffb8bd6f470600fbedbe |
| SHA512 | 44541da648b17b83bf4d855b80741f0d91957cad53c4bf2678b83ee8ab52d9f8d44810642fc33afde6e4433cdc51872ade8f147729e4dcb0134f75d910c1dbc6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b0001733e299d6bca4b9327703f184f9 |
| SHA1 | fc4834223ed0d5bb62f3f9e49af5c481add63add |
| SHA256 | 4766932bf14e19d8a260d973aeb21321e3ba8474eb5f2348f36e778dfffef670 |
| SHA512 | da55e7a8141cba7e5aa073d74ce20f4c5df3772c9412812fb545a449dec332f31170e0bfd86c0e4ca0b2165654af9463e2312bc1b1e3b91365d058d8ff6ffbbc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a4f5561bd2fd8b197963e408a11a2a43 |
| SHA1 | e38b3dbb6cb9e700e44dfee6029bb4f6c7e887f1 |
| SHA256 | 17957a1398737697173ce4d3784de5ed5ceb5ddfbd3d826373066d707cd45c9b |
| SHA512 | b89963b7405d02da32875f4c93b94194d4aba886dec62e2bd11f8b80cd2c45f9cdfb34103965eb2068e9bf401874ee37a7d36c52a5bb47755b0a58006484378c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a6de7781c1bbb3a2dd92802644a0c2e7 |
| SHA1 | d74d80a25ec7ba5506161bbf4128f05cd30625bf |
| SHA256 | b039c54e71d2748410616d07d0a3eb097e66be65df8c79d30bf8ff02bb7140a2 |
| SHA512 | 7a2b0be3a0d70d416447bd42f5091223f3eab721142d88a25dbe0dded055274ae2d670e7510e49ad325b33feb6682b47092e1a80dab6753977dbadbb06ea884e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ac2e8d060e72cb9a051b2f64f943aa2c |
| SHA1 | 70ffb9b12f23b7a647d2586c66461c6b0398ba99 |
| SHA256 | 79538ea3a99e5cf95ea0701667a27a1b8634290f15cb2331a04c9f339da0320a |
| SHA512 | 990085979470221ce47dd7574cc2d271a730a207526dd360d5197b2b22df2cc439dd33dbc8f8fb3d1e4d5358e0998582436956e0edac63f98ed5bbf4bc73a976 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4ebe4ecb418555577db7fac350d99fdb |
| SHA1 | f17d25e9929dd229f4cc4dfa615b4e2302ff5348 |
| SHA256 | 334242f5566bf1c4ec387590e1d7d2160ea9a7741c97f17e74f46db5c64665f8 |
| SHA512 | 2e07dec6570755e4ffc269fb6296ac3997d3cbec44980fcbee08f0ae8be1c8b1f30e2d7dd9958eee88e8578e9aa089b4ee978b8051d43955b41ea9ee4f993b4b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a9c4ac570aae3c3a4174a17e4a84e8a5 |
| SHA1 | fb5f6b6bee617412b5c837c443b9b75ac4882e70 |
| SHA256 | 133c630ac289b5e52d805403b53f1e5ced6691d49c7c1bbbf8a2b3ec09dfcc9d |
| SHA512 | a8c656ced6c9f56357b539691487066e2dbabb4c1ddfb15d1b11c2fa698894821458e78973be52496bf212dfa4812e67bfe2d91550e1f33a0232048cd608601f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 97a2044b9554a684b6231ea4491b92ca |
| SHA1 | 9179e9eb286a51f2a55322ecc0d2ae0cea06f82b |
| SHA256 | dcc4a115edc8d4ca9ab925f261154065003b4dbd9b5021f8e6d2dfc58b69a5d7 |
| SHA512 | 04baa242a74d7642da2c46398cb089cb3b0d54b0b2411c66ff79a583d4e5e590f34f38a716b0af2966ef7dd646f715d7745e618ade2e6f32570d1657022ce565 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5c8d217440a973608b38b8214c6213cd |
| SHA1 | 74d2fd3487d08ef05140b4d120ab55c19684c1d1 |
| SHA256 | 7a9f6c3872fbd669d3623664bcf607ba0e587d28c155855b97a776a9f41d3ec1 |
| SHA512 | 61a1eb6a3e14ba102cc73d0dfa5c2dc44d9d0734178e6debe672413514516f059704e90fef0f5e4164979d51e4ac5a18ebccf5f6e30f61fa1eb9986b54cdb910 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 57d2d7edcf3051fa0c310e935e196ee7 |
| SHA1 | dcdcfa4e31ba1e476bfed9c437a3c3ef9aa9e877 |
| SHA256 | 21852bfa1852722f07b63c7316dbf3b66318f58154275a277fe56c85961160be |
| SHA512 | 8374dab84af6e8bafa98bc42966b1058c4a4b5f962676d690ed9adbce9c2f1731a73264966ed16baacfe8611fd77665c14e5b7703ef8fd172b24e2f882f263c0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 10afec7cf820a695a1c5bb07a98b1be0 |
| SHA1 | 51c7fa693b3a0566c1cbf998fc2b96f71e8ce65e |
| SHA256 | ff4f7de656d951cbadff796feba84e262a2b846f5dc4b7af8e3ca8a88f307437 |
| SHA512 | bb413416202e07ee438fc969b17657063048434f392d0503cce48e6ed1e498980cac7bfbeda4179cb0536eaf513a7efdfc02e8cbe1c0ad42754fc003a12c2499 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f70619c68c5e0dd768ef271aa1365799 |
| SHA1 | 05c9d4ea008ff666c82c8146cd02fb9150063472 |
| SHA256 | cbb556d984f0e9c0094286b8b723043d95a6225d510c13ac2d822d89b6df20e3 |
| SHA512 | 8b0517d7f7806802d99ef22a4539173df8ca4bfd3a8a988361820ac3d91693ae03a8831b68090192988184c0a68d96912bd091c8f7c4084a4e161ce2da9f275c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 88d06d849cb255f345adc8bd5c09a6ef |
| SHA1 | 60d27abb8308cc69e73e4d3900a208756d9d05db |
| SHA256 | 4518e794902872254175d06839771cd58ee571354486232ae69dd8c1a79a4d92 |
| SHA512 | aa294d45bb194fb29deadc573a72e9819ddd14224e516797f03770bc2b0914c4ca355ade9be96c0e93de4928b9c947a21b062cc651ac24ea4e6dbc80af1e1c0c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 14e4e9d2c396f0e28b8e97dd160a9cb2 |
| SHA1 | a870de0056e7e1adbc23767e527279fed7b5cddd |
| SHA256 | 6d898b8166c193966a6721b304ca65b9467e7da522b0aa8d51d5e16fec09e161 |
| SHA512 | 73484dbedb107eec5d712391ce049f218cd9908e65f7d332f063d660459cbba0b391b1166280da24a2dd8941a34d501573aae1d6518690462018a894dcf3f7c5 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5d63f9e0fd4cf1968b264ff8e03c090c |
| SHA1 | 7a495920c17ae1bd2e8bfd370be7b5df1854ad4c |
| SHA256 | ac175916004a6a6c9fdbf4b73bc3d5adfd582ef70aaff7ce3c246820190c0e3f |
| SHA512 | 05d87561e506fb1707cefe318c2a2099a9523c238392407cbb403c4ba34f23165ed79b60dae2fabe30cd7bed956ac9108e45a6b596497de0fa362d5fe088bffb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c2359401170f66dcb178a582d81caedb |
| SHA1 | ffc1647339192cf8dc4889b0801af12b300f613f |
| SHA256 | bb40810f403dccb1dc06d151d5e11ff55ec8270ca2af7c77f6a7de709ab979ef |
| SHA512 | 7db5bae6d527f1c7c1448cb3008270655852f65e82936ad8f433cafe39796419acfce6c1bbbe8c2013ce017113dd00e2f5198ddad26bee07949b73561e544849 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 51e7b11e2e71d4bc57a0213ca5d4d49e |
| SHA1 | 64e1cc3fe767dabc3de8b9308e6d9ce23212af2a |
| SHA256 | 1adb967de56f330558ce033c348b96314ca51d70599761af958c486e361465c3 |
| SHA512 | e68c92656c7872a382249cbbb0b3dc76e35af10c91b579618d2a62f071b837128d38d22f5a33a4260c3f4856f93a2fda14905aa3bc22fb5e596508e2f5ce94b4 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d917f735b86d97e522d536e75f4321c8 |
| SHA1 | 3c8b53cde2279322e9806e7d59435d9f43abea58 |
| SHA256 | 4461a081bec0b1979765ab94b616408426d3b21b8c5da45101ff891bf794bb8a |
| SHA512 | 40788f8fbfb7b3f635ac1285fce6881ac14aec5c5b123931853adc4d4edf4deef62e9ee73507e1a379b651bba6a5a421c2f8897bd5cb300652143c2a4b2f7e07 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-06 07:32
Reported
2024-09-06 07:35
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q} | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GFR3DV57-1GB4-8C0N-5F5V-47TC0JHJ456Q}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
UPX packed file (7 matches; the report records no indicator, process or target for them)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cf01b4c33f857697e725945458f1f22d_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\install\server.exe | "C:\Windows\system32\install\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1396 -ip 1396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 572 |
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | www.server.com | udp | 1 |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 35.211.222.173.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp | 1 |
| US | 52.8.126.80:80 | www.server.com | tcp | 13 |
The in-addr.arpa entries are reverse lookups of addresses that appear nowhere else in the run; the report attributes them to no process. The traffic shared by both runs is the resolution of www.server.com and the repeated TCP connections to 52.8.126.80:80.
Files
memory/1692-3-0x0000000010410000-0x0000000010471000-memory.dmp
memory/4700-7-0x0000000001120000-0x0000000001121000-memory.dmp
memory/4700-8-0x00000000011E0000-0x00000000011E1000-memory.dmp
memory/1692-63-0x0000000010480000-0x00000000104E1000-memory.dmp
memory/4700-66-0x0000000003CC0000-0x0000000003CC1000-memory.dmp
memory/4700-67-0x0000000010480000-0x00000000104E1000-memory.dmp
memory/4700-68-0x0000000010480000-0x00000000104E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 145daeb62b9b8f0e29528d51fccab9af |
| SHA1 | d83e3dbed292417774bf9df18918720d1087c6a5 |
| SHA256 | dd6e0fe716e659d917eaaa2924fee06a552dc382a115e0042aa80b979431cb36 |
| SHA512 | fcc2f20d322be690fc140231ffc38d5ab67ad13aa0a4631d63c5fcf2e882be5be2f2a70b848528c2ba49e2f187780add600ee38e152f14f036ec0ec42e257017 |
C:\Windows\SysWOW64\install\server.exe (hashes identical to the submitted sample: the RAT copies itself unchanged to the install path)
| MD5 | cf01b4c33f857697e725945458f1f22d |
| SHA1 | 7409c0f8b11d17072a015848a008d2572e0a3750 |
| SHA256 | 2d92de149bb71b838b00447b26c68fb0f8cb7a8ec1bcbbccc6ed647c34ec04e9 |
| SHA512 | 156d6e6672d22f95ed8c8b2e30d412ecd326382324578d7bb53616741485b835bf28149e51b282c93d9e5a5b8de458e7246390b8c69100949aa64f6fdcc85ab0 |
memory/1248-138-0x0000000010560000-0x00000000105C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\cglogs.dat (a file name associated with CyberGate's keystroke log)
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/4700-158-0x0000000010480000-0x00000000104E1000-memory.dmp
memory/1248-160-0x0000000010560000-0x00000000105C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 65189b613ea94b7058b3c20a06a04a27 |
| SHA1 | 212bd836333322a5b53c64e457c96f9ceab2a9f5 |
| SHA256 | 9542c47c16bf207593d7622d69b7f1f5ad42c7211f95f20d9411954f2781bb1d |
| SHA512 | bd50d7a2171ad7a653064a068af13d9dfb099895fe93c41ea25b00567e14a6cc9fb1639972eeae1aa21d60c2891c8725f38430f960732723e59707f4221ab81e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f8514b6e0eb3abec23a05f5f671ff41a |
| SHA1 | 3b12a4c8caa6b883b9bdf083cc4d5b03b69cbad3 |
| SHA256 | 79ac9b261c666938cbd6b46392e1e902846813233cceae24fe6d3e307e2942fa |
| SHA512 | f1c6ea9e00ba2a333f04dd2aa0a0f79bb9713f36ab9f5aae57f818b3080d79f8316b321753422cdda2c65c0cf12b8db15edf7c3a5eb06c444bdcb9462eed108e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 133de71e8b202cc88331cd0d96747985 |
| SHA1 | 7e51435e4da6dc6fa2463c71a3ed18d0abe53168 |
| SHA256 | b78c4da5265c1dbbbd9502211bc26791831fc7116253ffb8bd6f470600fbedbe |
| SHA512 | 44541da648b17b83bf4d855b80741f0d91957cad53c4bf2678b83ee8ab52d9f8d44810642fc33afde6e4433cdc51872ade8f147729e4dcb0134f75d910c1dbc6 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | b0001733e299d6bca4b9327703f184f9 |
| SHA1 | fc4834223ed0d5bb62f3f9e49af5c481add63add |
| SHA256 | 4766932bf14e19d8a260d973aeb21321e3ba8474eb5f2348f36e778dfffef670 |
| SHA512 | da55e7a8141cba7e5aa073d74ce20f4c5df3772c9412812fb545a449dec332f31170e0bfd86c0e4ca0b2165654af9463e2312bc1b1e3b91365d058d8ff6ffbbc |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a4f5561bd2fd8b197963e408a11a2a43 |
| SHA1 | e38b3dbb6cb9e700e44dfee6029bb4f6c7e887f1 |
| SHA256 | 17957a1398737697173ce4d3784de5ed5ceb5ddfbd3d826373066d707cd45c9b |
| SHA512 | b89963b7405d02da32875f4c93b94194d4aba886dec62e2bd11f8b80cd2c45f9cdfb34103965eb2068e9bf401874ee37a7d36c52a5bb47755b0a58006484378c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a6de7781c1bbb3a2dd92802644a0c2e7 |
| SHA1 | d74d80a25ec7ba5506161bbf4128f05cd30625bf |
| SHA256 | b039c54e71d2748410616d07d0a3eb097e66be65df8c79d30bf8ff02bb7140a2 |
| SHA512 | 7a2b0be3a0d70d416447bd42f5091223f3eab721142d88a25dbe0dded055274ae2d670e7510e49ad325b33feb6682b47092e1a80dab6753977dbadbb06ea884e |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | ac2e8d060e72cb9a051b2f64f943aa2c |
| SHA1 | 70ffb9b12f23b7a647d2586c66461c6b0398ba99 |
| SHA256 | 79538ea3a99e5cf95ea0701667a27a1b8634290f15cb2331a04c9f339da0320a |
| SHA512 | 990085979470221ce47dd7574cc2d271a730a207526dd360d5197b2b22df2cc439dd33dbc8f8fb3d1e4d5358e0998582436956e0edac63f98ed5bbf4bc73a976 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 4ebe4ecb418555577db7fac350d99fdb |
| SHA1 | f17d25e9929dd229f4cc4dfa615b4e2302ff5348 |
| SHA256 | 334242f5566bf1c4ec387590e1d7d2160ea9a7741c97f17e74f46db5c64665f8 |
| SHA512 | 2e07dec6570755e4ffc269fb6296ac3997d3cbec44980fcbee08f0ae8be1c8b1f30e2d7dd9958eee88e8578e9aa089b4ee978b8051d43955b41ea9ee4f993b4b |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a9c4ac570aae3c3a4174a17e4a84e8a5 |
| SHA1 | fb5f6b6bee617412b5c837c443b9b75ac4882e70 |
| SHA256 | 133c630ac289b5e52d805403b53f1e5ced6691d49c7c1bbbf8a2b3ec09dfcc9d |
| SHA512 | a8c656ced6c9f56357b539691487066e2dbabb4c1ddfb15d1b11c2fa698894821458e78973be52496bf212dfa4812e67bfe2d91550e1f33a0232048cd608601f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 97a2044b9554a684b6231ea4491b92ca |
| SHA1 | 9179e9eb286a51f2a55322ecc0d2ae0cea06f82b |
| SHA256 | dcc4a115edc8d4ca9ab925f261154065003b4dbd9b5021f8e6d2dfc58b69a5d7 |
| SHA512 | 04baa242a74d7642da2c46398cb089cb3b0d54b0b2411c66ff79a583d4e5e590f34f38a716b0af2966ef7dd646f715d7745e618ade2e6f32570d1657022ce565 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5c8d217440a973608b38b8214c6213cd |
| SHA1 | 74d2fd3487d08ef05140b4d120ab55c19684c1d1 |
| SHA256 | 7a9f6c3872fbd669d3623664bcf607ba0e587d28c155855b97a776a9f41d3ec1 |
| SHA512 | 61a1eb6a3e14ba102cc73d0dfa5c2dc44d9d0734178e6debe672413514516f059704e90fef0f5e4164979d51e4ac5a18ebccf5f6e30f61fa1eb9986b54cdb910 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 57d2d7edcf3051fa0c310e935e196ee7 |
| SHA1 | dcdcfa4e31ba1e476bfed9c437a3c3ef9aa9e877 |
| SHA256 | 21852bfa1852722f07b63c7316dbf3b66318f58154275a277fe56c85961160be |
| SHA512 | 8374dab84af6e8bafa98bc42966b1058c4a4b5f962676d690ed9adbce9c2f1731a73264966ed16baacfe8611fd77665c14e5b7703ef8fd172b24e2f882f263c0 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 10afec7cf820a695a1c5bb07a98b1be0 |
| SHA1 | 51c7fa693b3a0566c1cbf998fc2b96f71e8ce65e |
| SHA256 | ff4f7de656d951cbadff796feba84e262a2b846f5dc4b7af8e3ca8a88f307437 |
| SHA512 | bb413416202e07ee438fc969b17657063048434f392d0503cce48e6ed1e498980cac7bfbeda4179cb0536eaf513a7efdfc02e8cbe1c0ad42754fc003a12c2499 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | f70619c68c5e0dd768ef271aa1365799 |
| SHA1 | 05c9d4ea008ff666c82c8146cd02fb9150063472 |
| SHA256 | cbb556d984f0e9c0094286b8b723043d95a6225d510c13ac2d822d89b6df20e3 |
| SHA512 | 8b0517d7f7806802d99ef22a4539173df8ca4bfd3a8a988361820ac3d91693ae03a8831b68090192988184c0a68d96912bd091c8f7c4084a4e161ce2da9f275c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 88d06d849cb255f345adc8bd5c09a6ef |
| SHA1 | 60d27abb8308cc69e73e4d3900a208756d9d05db |
| SHA256 | 4518e794902872254175d06839771cd58ee571354486232ae69dd8c1a79a4d92 |
| SHA512 | aa294d45bb194fb29deadc573a72e9819ddd14224e516797f03770bc2b0914c4ca355ade9be96c0e93de4928b9c947a21b062cc651ac24ea4e6dbc80af1e1c0c |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 14e4e9d2c396f0e28b8e97dd160a9cb2 |
| SHA1 | a870de0056e7e1adbc23767e527279fed7b5cddd |
| SHA256 | 6d898b8166c193966a6721b304ca65b9467e7da522b0aa8d51d5e16fec09e161 |
| SHA512 | 73484dbedb107eec5d712391ce049f218cd9908e65f7d332f063d660459cbba0b391b1166280da24a2dd8941a34d501573aae1d6518690462018a894dcf3f7c5 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 5d63f9e0fd4cf1968b264ff8e03c090c |
| SHA1 | 7a495920c17ae1bd2e8bfd370be7b5df1854ad4c |
| SHA256 | ac175916004a6a6c9fdbf4b73bc3d5adfd582ef70aaff7ce3c246820190c0e3f |
| SHA512 | 05d87561e506fb1707cefe318c2a2099a9523c238392407cbb403c4ba34f23165ed79b60dae2fabe30cd7bed956ac9108e45a6b596497de0fa362d5fe088bffb |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | c2359401170f66dcb178a582d81caedb |
| SHA1 | ffc1647339192cf8dc4889b0801af12b300f613f |
| SHA256 | bb40810f403dccb1dc06d151d5e11ff55ec8270ca2af7c77f6a7de709ab979ef |
| SHA512 | 7db5bae6d527f1c7c1448cb3008270655852f65e82936ad8f433cafe39796419acfce6c1bbbe8c2013ce017113dd00e2f5198ddad26bee07949b73561e544849 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 51e7b11e2e71d4bc57a0213ca5d4d49e |
| SHA1 | 64e1cc3fe767dabc3de8b9308e6d9ce23212af2a |
| SHA256 | 1adb967de56f330558ce033c348b96314ca51d70599761af958c486e361465c3 |
| SHA512 | e68c92656c7872a382249cbbb0b3dc76e35af10c91b579618d2a62f071b837128d38d22f5a33a4260c3f4856f93a2fda14905aa3bc22fb5e596508e2f5ce94b4 |