Analysis Overview
SHA256
f3715fc56282125e665193ec95de45f2ed033a8f2d0f93f4f979116129731490
Threat Level: Known bad
The file bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
UPX packed file
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-03 05:49
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-03 05:49
Reported
2024-12-03 05:52
Platform
win7-20241010-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666} | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}\StubPath = "C:\\Windows\\system32\\mslogs\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}\StubPath = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mslogs\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mslogs\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\mslogs\ | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mslogs\server.exe | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mslogs\server.exe | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mslogs\server.exe | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe"
C:\Windows\SysWOW64\mslogs\server.exe
"C:\Windows\system32\mslogs\server.exe"
C:\Windows\SysWOW64\mslogs\server.exe
"C:\Windows\system32\mslogs\server.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1204-3-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1528-2-0x0000000010410000-0x0000000010475000-memory.dmp
memory/536-246-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/536-248-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/536-531-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 131693a5c66c159bcdf969ef75d907ad |
| SHA1 | f8a5ecda1e72e6afd3f3cc7ff2e811a6775e3341 |
| SHA256 | 8cd6b2b52155b8b12430806bf3725afa3dc64092da4584ce7a60fe7c5e374f53 |
| SHA512 | 245b0624495a52b32383644f0c091926abc56e15d8ad93c0f5d00379f537d602dbedef9728dcfb1e38dd479010f0d5599ad216b67b4290bdebd1a64302e19276 |
C:\Windows\SysWOW64\mslogs\server.exe
| MD5 | bbfd4a5dffd037c02622ded43f8d5bc7 |
| SHA1 | 83f567e53358aa5ac6554c1840f9616ce714e01c |
| SHA256 | f3715fc56282125e665193ec95de45f2ed033a8f2d0f93f4f979116129731490 |
| SHA512 | 1956198f2ed1982df2eb120d31b50ba6783ec6c184f697716ae58284dd5d1276904acfb8056c61fa59b3c9523433a4b8366b4b40344017f33b363a134022098c |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/536-888-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 21b441986c21628767a0b75cdf213495 |
| SHA1 | d5833f1b8eabe11cd2cbdf661407eb32e09ff25c |
| SHA256 | cb53e66b246ee31b16598330a3101857d8418e0f4f0ca68031b3291b2de02e28 |
| SHA512 | 2d6c9706e099eac3edcdc686a257b6aaf4563b334c223c8da93f0b60d7cd786a8a45c8560537ce2b8096a59ea23a3b0e782042d8460b398abb797599d4cd1e43 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c710507d5fb4c9a337487fae283cfc0c |
| SHA1 | 124e5bcfe203fafa51b87a6323aef7d5d6938d35 |
| SHA256 | 3d0f5dcbcc27ece1c0087bbd006083e6552868d243ff03dfbafb8f2bacdecde9 |
| SHA512 | 5671eaa431fa11d99d04b42bc8d46bd10cb73010de958866db692286abcb696f9a94e159c7d0b06f0239e420c429c2705e9a5b321a982413aa857d48cf389934 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 53d1e2281189949ac203959f8757369d |
| SHA1 | 37840a89926cb0e5e44460fceae5ad724b8852f6 |
| SHA256 | b25b1f9d6e1b9606b28c4e5b36f70cd1c55d895231228c1b1f666c78165d8975 |
| SHA512 | cb91d9367fb296aab460d41cfaf66ec974cc662a8a42335e76ec241b5a25ab3c4afee22cfa419e2264e6d5c6c694cf9d94cdf7e4dbe693137475585395eb8b88 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b59f44bae99c1c9753ca4e04ce78eb52 |
| SHA1 | 89969b2b163aeecf7a65348682a1a9f55105350e |
| SHA256 | 94a097a2b2343c416b5c9c50ed205ca5d6c31640d7f0edafbc3e68f19eff3a57 |
| SHA512 | 6133e4a0be9351b7f428cffc22614c49ea74ab5f18ac6ab7867b4ffdd396b917a8ba3178da207cfca16df0534d2ee563a9b47116aa3a4fa7ad532d7af210a494 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | af649df6e05cd7f7a037440f7268fe48 |
| SHA1 | 9dc132dd591664f2b7d158fbe92eb6948bf7ed25 |
| SHA256 | c4d3fcb396b46bdc9b649b49f6b8cd28bd7ece732563c3ce365522e56f25f553 |
| SHA512 | 13d4f9ccc3093753232a11c0ffed6d0a48e0c73da998fec1cf3bb175953a737a1b97b8708b67437b80d25a71519d0fc75ac23533b3672f07ffa05da509ae612c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ba7f73497f10710a4a4ad138e88eff7b |
| SHA1 | 2ee710ff17f43b50a616daeae6babd671b631baf |
| SHA256 | de42e1c88a286a6cfe85e7a95fdeb5ec435881a9f3193bb0afffaa70a4048e9b |
| SHA512 | 50a2f27b0803ae95991a4e5b2d4ae99855934eb5050aa6012941e19ffdb5dac69d7b511e2c8af0db8518906d1fc8c9e0d2669547dd9748ce3f804256ec91ce39 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2f3097dd37443a04e3ba0a892bc2f2c8 |
| SHA1 | 6432b3f1af872d6837fc460ecdbaed34b51ccc47 |
| SHA256 | d1d23b125d47d4d74596e7176fac21fca943caa2619faa2004904962ff905617 |
| SHA512 | 54a527767b7379e229b85b0907e9805c3c0962bda6ef908aca708ecfa3456dc7cc8f795bec587acec281c2b188aa7016be6bb57995bafa4f93dfacb6235b1bbd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a8c06a13047b938454b51d3cb99470d3 |
| SHA1 | e828cfb55769f8e2fd235ab05356e917194fbfdc |
| SHA256 | c4de54f0f797897457e8afccf00c07c51c8d209861a78c9cccb60789d87db052 |
| SHA512 | f3e84185ec8015543a5795b01e549b904c11477939a801a176ab9cb6a489b2f8d8fe3bc34cb1d645e1e5d73fb2b065844b52f6595d910491c8603bb260c5c8be |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 558463fa075309bcc3fa86ef03660590 |
| SHA1 | f31fb9303300015d1c277a8587c0569928529f45 |
| SHA256 | 7a713f5115b1bd94f489863d71fe7f5cc4d9a05ee8ccb9a212222369f2ccdd30 |
| SHA512 | 5d77dd02552607e831d52dfd0fbd423f038b9173fd8e16d14731c1abe098961ff8aef4c0c0bc001ddf19014e619deb6405b1ab193b97c8146f93b3859410fab2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a95a102895b1751e23119e4d4b65a1be |
| SHA1 | e522c473b358c50fa39a644c1440c8b7c0ffa265 |
| SHA256 | 4e8474fc3d3afdd4791b02def8718a051f2cecd51c984f61be3161e6488fea8c |
| SHA512 | 80d57adbae01f83c6718a6c541fe26a265d4fa1d8c2a73f74acb08e0d4a2b58b89b1f026b742c1c89dfc2e6d9f53032128977337e02ad09f5c1ed88e90958fc3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 022f8080641cf2fa29d78e8416af2412 |
| SHA1 | d75a0606745e27e43a20bfb3f883870fa9af019f |
| SHA256 | 8ae7ae186a0eae62507a8dcbc2f82df258e91edb7f0ca323bc9310c869c2fabe |
| SHA512 | 2483c4acebb0c56828d1774108a9496812c82e314cbe3446cb3e8f31a4bc4c7a09e8ef79bb082e127ca89007a97a5213bd0328e5009e7a1e3feeb5e3d62e7d65 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5e129e664b2f459228b1dbe3edc8e2ce |
| SHA1 | 67c6595a651e3c58449887ddea306165a6d1f85f |
| SHA256 | 8c854cc906597a5e6f92f075c344120273c8a87ffaf2f231c0590468b6ff92ec |
| SHA512 | d2fdff93bb422f67c335a71ba9e97e90f3a081543ba912cf1070793b584ac7262e57dcee151dab68a61c19b7cbbb97aadc3e09af9b36ed7834716d773a949832 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 32171ebaba30f259ef70e8e4154133a0 |
| SHA1 | 16d42787e8582b3ad03cc2c637aae715ce32f114 |
| SHA256 | 49bb187fbbfa232e98e4071144e0e6446a65883cde75681d9e0bfbf1664eb2f7 |
| SHA512 | f8f7f14a20574888eb35fada32e8906a394f23ce2b7a41d929183c8b6c352d91388bc20d06b9f8625baf0d8d16a0140e1a36e1bb3b56c1a0348ffefa6c7e877d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9a4f07808d4fb8e6c12319140b75af12 |
| SHA1 | 10147145719b4f7055f2b36597b2b8e64dbf0fd6 |
| SHA256 | 0f8d233289fdddf955aecd21c5284fee8ce780e842a98095f5bb9f7118ab668c |
| SHA512 | 2ea0717b39579176d12c242ea08f3ec8292e4b93fb8fa9ee08fbfe103f9aa761c2c4305e77240a956a3c94d7c36ff2ef05683fa1aefa0d9f569d6060da857c1b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c720434e2d2d7adbc7a5549a84665cee |
| SHA1 | de57e41cc77b0b0e191513b0f6cd0da389742e2d |
| SHA256 | d9090f18e39d7d76f982a18188a35be4cde8a749b3af7442ea90aee61cae9a94 |
| SHA512 | 2fb8eda49ace5cd678ac750bedd83c0b7b7c79bba5cdbbd48b186640c521171f7b33177a96241e2c465c87a94021e77bff41ea1e2cf22b8744d3348bd5c5f4ff |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1eae8e1cae4baa1ff0ed8fa6e8d6c750 |
| SHA1 | 4666d9263cb6051be650f339cf79a66537b263ee |
| SHA256 | 37068d3fa6bf8264953e954964a5a64024042c96d1fa664cbd252f4f88d2eecb |
| SHA512 | 68c3d67dd61d8b18f87743dfb7c4fe2c5d654dfd6b3b46d22ac6cc74538ef9906b867776a53d0737ed1cd7aa4bd22f01316d712742169ed49b802df030fbd661 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f70b49d64524e4c9529b488e97fdf3f2 |
| SHA1 | c9760d995058fbaace1c55f14a0462a623f40906 |
| SHA256 | 583da37e2f63e9a3111a09cf5fea083c76d97a93a7118590284fa67e689d972a |
| SHA512 | 77b2eb2d26eaaa192c38ebef22c7b66adbe48504e563f7a1ab255b408ea4303bce396c52e813d1e839c25a085e7c96a9202ada174328d041fc363e2a2aa82910 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e924ae08c326c43c598975320432d317 |
| SHA1 | 97acc43c4ecf8876ffdb4627db881c051f17bc85 |
| SHA256 | 471876471c79290cf863905615f0299482558074061814bbd0ffeef32fbdeeae |
| SHA512 | 77c0878a065dd7d87e6b24e816651b32752c518a6399543f3a68c960f7f1f64a9f266d31438e739bd42fbdb0c0e967de97476ec372738334603672be414f75d9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a8a3b33c8f992b25327d77ecd0afef6b |
| SHA1 | fdb307ef4de83b7413213e7a80cd1963f9012f89 |
| SHA256 | dc199dbe0b5cd0040c28cf9ce0f86f1f011c7a885e162489c67c42d3f3bc5266 |
| SHA512 | ba9de72beb4698b4387a76186cbac3194bd874cafcbb43b95688ffc83f0c8841511a9d49ec69603df067a3784ce86cde7165563b1261142a4a87aa855f6e68cc |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 03e2371611eb5af8882717eed42335b1 |
| SHA1 | e0063007ff63788414283261e75181067490b139 |
| SHA256 | 02121ced81fbe66d788df5e63647d3f210a0ddeeb4b72f1df55382f12ce75584 |
| SHA512 | 56341bd83eb3809412d6525a68f1b0115975e15f28d3420e6df176a547210e2cfe87037fb07ade3ef1c26fce0510a9826e2a9b299e5c5b845393ad29626b5258 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-03 05:49
Reported
2024-12-03 05:52
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
CyberGate, Rebhip
Cybergate family
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}\StubPath = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666} | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666}\StubPath = "C:\\Windows\\system32\\mslogs\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42VQ8ST-FNCX-5845-K44N-32O3KY3Q8666} | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mslogs\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mslogs\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\mslogs\\server.exe" | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\mslogs\server.exe | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mslogs\ | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mslogs\server.exe | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mslogs\server.exe | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\mslogs\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\mslogs\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mslogs\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbfd4a5dffd037c02622ded43f8d5bc7_JaffaCakes118.exe"
C:\Windows\SysWOW64\mslogs\server.exe
"C:\Windows\system32\mslogs\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 580
C:\Windows\SysWOW64\mslogs\server.exe
"C:\Windows\system32\mslogs\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4108 -ip 4108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 548
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/4980-3-0x0000000010410000-0x0000000010475000-memory.dmp
memory/1788-7-0x0000000001270000-0x0000000001271000-memory.dmp
memory/1788-8-0x0000000001330000-0x0000000001331000-memory.dmp
memory/4980-63-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1788-66-0x0000000003DA0000-0x0000000003DA1000-memory.dmp
memory/1788-67-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/1788-68-0x0000000010480000-0x00000000104E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | 131693a5c66c159bcdf969ef75d907ad |
| SHA1 | f8a5ecda1e72e6afd3f3cc7ff2e811a6775e3341 |
| SHA256 | 8cd6b2b52155b8b12430806bf3725afa3dc64092da4584ce7a60fe7c5e374f53 |
| SHA512 | 245b0624495a52b32383644f0c091926abc56e15d8ad93c0f5d00379f537d602dbedef9728dcfb1e38dd479010f0d5599ad216b67b4290bdebd1a64302e19276 |
C:\Windows\SysWOW64\mslogs\server.exe
| MD5 | bbfd4a5dffd037c02622ded43f8d5bc7 |
| SHA1 | 83f567e53358aa5ac6554c1840f9616ce714e01c |
| SHA256 | f3715fc56282125e665193ec95de45f2ed033a8f2d0f93f4f979116129731490 |
| SHA512 | 1956198f2ed1982df2eb120d31b50ba6783ec6c184f697716ae58284dd5d1276904acfb8056c61fa59b3c9523433a4b8366b4b40344017f33b363a134022098c |
memory/4036-137-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/1788-159-0x0000000010480000-0x00000000104E5000-memory.dmp
memory/4036-162-0x0000000010560000-0x00000000105C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c710507d5fb4c9a337487fae283cfc0c |
| SHA1 | 124e5bcfe203fafa51b87a6323aef7d5d6938d35 |
| SHA256 | 3d0f5dcbcc27ece1c0087bbd006083e6552868d243ff03dfbafb8f2bacdecde9 |
| SHA512 | 5671eaa431fa11d99d04b42bc8d46bd10cb73010de958866db692286abcb696f9a94e159c7d0b06f0239e420c429c2705e9a5b321a982413aa857d48cf389934 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 53d1e2281189949ac203959f8757369d |
| SHA1 | 37840a89926cb0e5e44460fceae5ad724b8852f6 |
| SHA256 | b25b1f9d6e1b9606b28c4e5b36f70cd1c55d895231228c1b1f666c78165d8975 |
| SHA512 | cb91d9367fb296aab460d41cfaf66ec974cc662a8a42335e76ec241b5a25ab3c4afee22cfa419e2264e6d5c6c694cf9d94cdf7e4dbe693137475585395eb8b88 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | b59f44bae99c1c9753ca4e04ce78eb52 |
| SHA1 | 89969b2b163aeecf7a65348682a1a9f55105350e |
| SHA256 | 94a097a2b2343c416b5c9c50ed205ca5d6c31640d7f0edafbc3e68f19eff3a57 |
| SHA512 | 6133e4a0be9351b7f428cffc22614c49ea74ab5f18ac6ab7867b4ffdd396b917a8ba3178da207cfca16df0534d2ee563a9b47116aa3a4fa7ad532d7af210a494 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | af649df6e05cd7f7a037440f7268fe48 |
| SHA1 | 9dc132dd591664f2b7d158fbe92eb6948bf7ed25 |
| SHA256 | c4d3fcb396b46bdc9b649b49f6b8cd28bd7ece732563c3ce365522e56f25f553 |
| SHA512 | 13d4f9ccc3093753232a11c0ffed6d0a48e0c73da998fec1cf3bb175953a737a1b97b8708b67437b80d25a71519d0fc75ac23533b3672f07ffa05da509ae612c |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | ba7f73497f10710a4a4ad138e88eff7b |
| SHA1 | 2ee710ff17f43b50a616daeae6babd671b631baf |
| SHA256 | de42e1c88a286a6cfe85e7a95fdeb5ec435881a9f3193bb0afffaa70a4048e9b |
| SHA512 | 50a2f27b0803ae95991a4e5b2d4ae99855934eb5050aa6012941e19ffdb5dac69d7b511e2c8af0db8518906d1fc8c9e0d2669547dd9748ce3f804256ec91ce39 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 2f3097dd37443a04e3ba0a892bc2f2c8 |
| SHA1 | 6432b3f1af872d6837fc460ecdbaed34b51ccc47 |
| SHA256 | d1d23b125d47d4d74596e7176fac21fca943caa2619faa2004904962ff905617 |
| SHA512 | 54a527767b7379e229b85b0907e9805c3c0962bda6ef908aca708ecfa3456dc7cc8f795bec587acec281c2b188aa7016be6bb57995bafa4f93dfacb6235b1bbd |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a8c06a13047b938454b51d3cb99470d3 |
| SHA1 | e828cfb55769f8e2fd235ab05356e917194fbfdc |
| SHA256 | c4de54f0f797897457e8afccf00c07c51c8d209861a78c9cccb60789d87db052 |
| SHA512 | f3e84185ec8015543a5795b01e549b904c11477939a801a176ab9cb6a489b2f8d8fe3bc34cb1d645e1e5d73fb2b065844b52f6595d910491c8603bb260c5c8be |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 558463fa075309bcc3fa86ef03660590 |
| SHA1 | f31fb9303300015d1c277a8587c0569928529f45 |
| SHA256 | 7a713f5115b1bd94f489863d71fe7f5cc4d9a05ee8ccb9a212222369f2ccdd30 |
| SHA512 | 5d77dd02552607e831d52dfd0fbd423f038b9173fd8e16d14731c1abe098961ff8aef4c0c0bc001ddf19014e619deb6405b1ab193b97c8146f93b3859410fab2 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a95a102895b1751e23119e4d4b65a1be |
| SHA1 | e522c473b358c50fa39a644c1440c8b7c0ffa265 |
| SHA256 | 4e8474fc3d3afdd4791b02def8718a051f2cecd51c984f61be3161e6488fea8c |
| SHA512 | 80d57adbae01f83c6718a6c541fe26a265d4fa1d8c2a73f74acb08e0d4a2b58b89b1f026b742c1c89dfc2e6d9f53032128977337e02ad09f5c1ed88e90958fc3 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 022f8080641cf2fa29d78e8416af2412 |
| SHA1 | d75a0606745e27e43a20bfb3f883870fa9af019f |
| SHA256 | 8ae7ae186a0eae62507a8dcbc2f82df258e91edb7f0ca323bc9310c869c2fabe |
| SHA512 | 2483c4acebb0c56828d1774108a9496812c82e314cbe3446cb3e8f31a4bc4c7a09e8ef79bb082e127ca89007a97a5213bd0328e5009e7a1e3feeb5e3d62e7d65 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 5e129e664b2f459228b1dbe3edc8e2ce |
| SHA1 | 67c6595a651e3c58449887ddea306165a6d1f85f |
| SHA256 | 8c854cc906597a5e6f92f075c344120273c8a87ffaf2f231c0590468b6ff92ec |
| SHA512 | d2fdff93bb422f67c335a71ba9e97e90f3a081543ba912cf1070793b584ac7262e57dcee151dab68a61c19b7cbbb97aadc3e09af9b36ed7834716d773a949832 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 32171ebaba30f259ef70e8e4154133a0 |
| SHA1 | 16d42787e8582b3ad03cc2c637aae715ce32f114 |
| SHA256 | 49bb187fbbfa232e98e4071144e0e6446a65883cde75681d9e0bfbf1664eb2f7 |
| SHA512 | f8f7f14a20574888eb35fada32e8906a394f23ce2b7a41d929183c8b6c352d91388bc20d06b9f8625baf0d8d16a0140e1a36e1bb3b56c1a0348ffefa6c7e877d |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 9a4f07808d4fb8e6c12319140b75af12 |
| SHA1 | 10147145719b4f7055f2b36597b2b8e64dbf0fd6 |
| SHA256 | 0f8d233289fdddf955aecd21c5284fee8ce780e842a98095f5bb9f7118ab668c |
| SHA512 | 2ea0717b39579176d12c242ea08f3ec8292e4b93fb8fa9ee08fbfe103f9aa761c2c4305e77240a956a3c94d7c36ff2ef05683fa1aefa0d9f569d6060da857c1b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | c720434e2d2d7adbc7a5549a84665cee |
| SHA1 | de57e41cc77b0b0e191513b0f6cd0da389742e2d |
| SHA256 | d9090f18e39d7d76f982a18188a35be4cde8a749b3af7442ea90aee61cae9a94 |
| SHA512 | 2fb8eda49ace5cd678ac750bedd83c0b7b7c79bba5cdbbd48b186640c521171f7b33177a96241e2c465c87a94021e77bff41ea1e2cf22b8744d3348bd5c5f4ff |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 1eae8e1cae4baa1ff0ed8fa6e8d6c750 |
| SHA1 | 4666d9263cb6051be650f339cf79a66537b263ee |
| SHA256 | 37068d3fa6bf8264953e954964a5a64024042c96d1fa664cbd252f4f88d2eecb |
| SHA512 | 68c3d67dd61d8b18f87743dfb7c4fe2c5d654dfd6b3b46d22ac6cc74538ef9906b867776a53d0737ed1cd7aa4bd22f01316d712742169ed49b802df030fbd661 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f70b49d64524e4c9529b488e97fdf3f2 |
| SHA1 | c9760d995058fbaace1c55f14a0462a623f40906 |
| SHA256 | 583da37e2f63e9a3111a09cf5fea083c76d97a93a7118590284fa67e689d972a |
| SHA512 | 77b2eb2d26eaaa192c38ebef22c7b66adbe48504e563f7a1ab255b408ea4303bce396c52e813d1e839c25a085e7c96a9202ada174328d041fc363e2a2aa82910 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | e924ae08c326c43c598975320432d317 |
| SHA1 | 97acc43c4ecf8876ffdb4627db881c051f17bc85 |
| SHA256 | 471876471c79290cf863905615f0299482558074061814bbd0ffeef32fbdeeae |
| SHA512 | 77c0878a065dd7d87e6b24e816651b32752c518a6399543f3a68c960f7f1f64a9f266d31438e739bd42fbdb0c0e967de97476ec372738334603672be414f75d9 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | a8a3b33c8f992b25327d77ecd0afef6b |
| SHA1 | fdb307ef4de83b7413213e7a80cd1963f9012f89 |
| SHA256 | dc199dbe0b5cd0040c28cf9ce0f86f1f011c7a885e162489c67c42d3f3bc5266 |
| SHA512 | ba9de72beb4698b4387a76186cbac3194bd874cafcbb43b95688ffc83f0c8841511a9d49ec69603df067a3784ce86cde7165563b1261142a4a87aa855f6e68cc |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 03e2371611eb5af8882717eed42335b1 |
| SHA1 | e0063007ff63788414283261e75181067490b139 |
| SHA256 | 02121ced81fbe66d788df5e63647d3f210a0ddeeb4b72f1df55382f12ce75584 |
| SHA512 | 56341bd83eb3809412d6525a68f1b0115975e15f28d3420e6df176a547210e2cfe87037fb07ade3ef1c26fce0510a9826e2a9b299e5c5b845393ad29626b5258 |