Analysis Overview
| SHA256 | 436232240571a649272155704072854375cf25ca874662d1116ab4470486c5c9 |
| Threat Level | Known bad |
The file dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Cybergate family
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
Loads dropped DLL
UPX packed file
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-09-12 04:16 |
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-09-12 04:16 |
| Reported | 2024-09-12 04:18 |
| Platform | win7-20240903-en |
| Max time kernel | 148s |
| Max time network | 149s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR}\StubPath = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR} | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR}\StubPath = "C:\\Windows\\system32\\rudll\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rudll\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rudll\server.exe | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rudll\server.exe | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rudll\ | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\rudll\server.exe | "C:\Windows\system32\rudll\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
C:\Windows\SysWOW64\rudll\server.exe
C:\Users\Admin\AppData\Roaming\cglogs.dat
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-09-12 04:16 |
| Reported | 2024-09-12 04:18 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 149s |
| Max time network | 151s |
| Command Line | |
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR}\StubPath = "C:\\Windows\\system32\\rudll\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR}\StubPath = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T441SH-8U76-S7X5-32EI-482C4EB56YMR} | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rudll\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\rudll\\server.exe" | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\rudll\server.exe | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rudll\ | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\rudll\server.exe | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rudll\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rudll\server.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dbcb6ce8cd611d2f325902be00b7bc7a_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\rudll\server.exe | "C:\Windows\system32\rudll\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2724 -ip 2724 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 564 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\rudll\server.exe
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
C:\Users\Admin\AppData\Roaming\cglogs.dat
C:\Users\Admin\AppData\Local\Temp\XxX.xXx