Malware Analysis Report

2025-01-03 08:11

Sample ID 240418-z7r9ssfc24
Target f8c6f91efa4817c54c437e33b9846157_JaffaCakes118
SHA256 bebc94d1ba964a1cc1b23acfeb8b4ec4a5457649cf203e58c0e93c0161a0bf78
Tags: metasploit backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: bebc94d1ba964a1cc1b23acfeb8b4ec4a5457649cf203e58c0e93c0161a0bf78

Threat Level: Known bad

The file f8c6f91efa4817c54c437e33b9846157_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: metasploit backdoor trojan

Signatures triggered (across static1, behavioral1 and behavioral2):
MetaSploit
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Checks processor information in registry
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-18 21:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-18 21:21
Reported: 2024-04-18 21:24
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"

Signatures

MetaSploit

Tags: trojan backdoor metasploit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Programes\Power\ll.exe | N/A
N/A | N/A | C:\Programes\Power\lol.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Every entry below is written by POWERPNT.EXE while it opens prev.pptx, and the keys are Office's own Internet Explorer menu-extension registrations (the "Send to OneNote" and "Export to Microsoft Excel" context-menu entries backed by ONBttnIE.dll and EXCEL.EXE resources). They are side effects of the decoy document being opened, not changes made by the dropped binaries, and should not be treated as indicators of this sample.

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Programes\Power\lol.exe:Zone.Identifier | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Programes\Power\lol.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the count in parentheses is the number of events the sandbox recorded for that writer/target pair.

Description | Indicator | Process | Target
PID 1688 wrote to memory of 2720 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | C:\Programes\Power\ll.exe
PID 2720 wrote to memory of 2576 (4 events) | N/A | C:\Programes\Power\ll.exe | C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 2444 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
PID 2576 wrote to memory of 2472 (7 events) | N/A | C:\Windows\system32\cmd.exe | C:\Programes\Power\lol.exe
PID 2444 wrote to memory of 2492 (4 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | C:\Windows\splwow64.exe

Processes

PIDs are taken from the WriteProcessMemory table above.

PID 1688  C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"

PID 2720  C:\Programes\Power\ll.exe
  Command line: "C:\Programes\Power\ll.exe"

PID 2576  C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat C:\Programes\Power\ll.exe"

PID 2444  C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Programes\Power\prev.pptx"

PID 2472  C:\Programes\Power\lol.exe
  Command line: lol.exe

PID 2492  C:\Windows\splwow64.exe
  Command line: C:\Windows\splwow64.exe 12288

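The spawn chain behind the two tables above can be rebuilt mechanically from the WriteProcessMemory rows, because each row names the writing process and its target, and the sandbox records these writes at process creation. The Python below is an added example written for this page, not part of the sandbox's output: it regenerates the behavioral1 rows in the report's own row format, parses them into a tree, counts the repeated rows per writer/target pair, and applies three first-pass checks an analyst would make on this chain (a binary running outside the Windows and Program Files roots, cmd.exe launching such a binary, and a .bat run through cmd.exe /c from the user's Temp directory). Reading "writes into a freshly created process" as "is its parent" is an analyst assumption, and the trusted-directory list is an assumption as well.

```python
import re
from collections import Counter

# Image paths as listed in the report's behavioral1 Processes section.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"
LL = r"C:\Programes\Power\ll.exe"
CMD = r"C:\Windows\system32\cmd.exe"
LOL = r"C:\Programes\Power\lol.exe"
PPT = r"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"
SPL = r"C:\Windows\splwow64.exe"

# The WriteProcessMemory table regenerated in the report's own row format:
# (writer pid, target pid, writer image, target image, identical rows in the report).
EVENT_SHAPE = [
    (1688, 2720, SAMPLE, LL, 4),
    (2720, 2576, LL, CMD, 4),
    (1688, 2444, SAMPLE, PPT, 9),
    (2576, 2472, CMD, LOL, 7),
    (2444, 2492, PPT, SPL, 4),
]
WPM_ROWS = "\n".join(
    f"PID {s} wrote to memory of {d} N/A {si} {di}"
    for s, d, si, di, n in EVENT_SHAPE for _ in range(n)
)
# cmd.exe command line copied from the report's Processes section.
CMD_LINE = r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat C:\Programes\Power\ll.exe"'

# Both image paths start with "C:\", so a non-greedy match up to the next
# " C:\" separates writer from target even though the paths contain spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")
# Assumption: binaries under these roots are expected; anything else (Temp,
# the look-alike "C:\Programes" directory) is flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_wpm(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """pid -> image, writer -> [targets], rows per pair, and the root pids.
    Analyst assumption (not a report claim): the process writing into a newly
    created process is that process's parent."""
    images, children, counts = {}, {}, Counter()
    for src, dst, src_img, dst_img in events:
        images[src], images[dst] = src_img, dst_img
        if dst not in children.setdefault(src, []):
            children[src].append(dst)
        counts[(src, dst)] += 1
    spawned = {c for cs in children.values() for c in cs}
    return images, children, counts, [p for p in images if p not in spawned]


def chain_to(pid, children):
    """Ancestry of pid from the root down, e.g. [1688, 2720, 2576, 2472]."""
    parents = {c: p for p, cs in children.items() for c in cs}
    path = [pid]
    while path[-1] in parents:
        path.append(parents[path[-1]])
    return path[::-1]


def render(pid, images, children, counts, depth=0, parent=None):
    note = f"  ({counts[(parent, pid)]} memory writes)" if parent is not None else ""
    lines = ["    " * depth + f"{pid} {images[pid]}{note}"]
    for child in children.get(pid, []):
        lines += render(child, images, children, counts, depth + 1, pid)
    return lines


def is_trusted_dir(image):
    return image.lower().startswith(TRUSTED_ROOTS)


def bat_from_temp(cmdline):
    """Path of a .bat run through cmd.exe /c from the user's Temp directory, else None."""
    m = re.search(r'/c\s+"?([^"]+?\.bat)', cmdline, re.IGNORECASE)
    if m and "\\appdata\\local\\temp\\" in m[1].lower():
        return m[1]
    return None


def triage(images, children, counts):
    """First-pass findings from the tree."""
    findings = []
    for pid, img in images.items():
        if not is_trusted_dir(img):
            findings.append(f"{pid}: runs from a non-standard path: {img}")
    for (p, c), n in counts.items():
        if images[p].lower().endswith("\\cmd.exe") and not is_trusted_dir(images[c]):
            findings.append(f"{p} -> {c}: cmd.exe launched untrusted binary {images[c]} ({n} writes)")
    return findings


if __name__ == "__main__":
    images, children, counts, roots = build_tree(parse_wpm(WPM_ROWS))
    for root in roots:
        print("\n".join(render(root, images, children, counts)))
    print("batch file run from Temp:", bat_from_temp(CMD_LINE))
    print("\n".join(triage(images, children, counts)))
```

Run as a script it prints the tree rooted at PID 1688 with the two branches (ll.exe -> cmd.exe -> lol.exe, and POWERPNT.EXE -> splwow64.exe), the batch file path, and the findings. The same functions work unchanged on the behavioral2 rows, which only differ in PIDs and the Office 16 path.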
Network

Country | Destination | Domain | Proto
GE | 176.221.252.198:4444 | - | tcp

Files

\Programes\Power\ll.exe
MD5    f59d5f571baa32085623e50216883cb0
SHA1   c53dc803a0a18d3ab05259bb92abbf3182747d6b
SHA256 d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c
SHA512 fecb7c03a8d9f1603b00c0939cb40072ab661714dce73b0d4b702532ab44183e07776ca555817e8d677d2528f19317845bbf2628ac76708d4bae75ba6eeb44b7

C:\Users\Admin\AppData\Local\Temp\55ED.tmp\55FD.tmp\55FE.bat
MD5    ba6af7d6d40086090929b59917b75dd5
SHA1   c4f88f42320df939bec38ce8d7d3b6c6d5f7c5db
SHA256 0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f
SHA512 2a978e37e45aeb5ec39aa8c15596d43799d41dc541f3b2a4568d309d89b313dde7e442a027cf58ecd6292a22d1e47809aeb35cc5142a475e5f5e67faafa2be53

C:\Programes\Power\lol.exe:Zone.Identifier
MD5    81051bcc2cf1bedf378224b0a93e2877
SHA1   ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

C:\Programes\Power\lol.exe
MD5    bb1f9c3f2eb93358942d23995990b254
SHA1   9303c176a3f5c409381af91bc86160fc2cc483ba
SHA256 68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea
SHA512 1396cc3105e6a0deb633a04150a372f3451f4b1bd09bfa3acdbb4197aff0d558a8ed614993eb19120031904da344dc5f47b8e461e49fb63da7ea115d042b40ca

C:\Programes\Power\prev.pptx
MD5    d1ad83616f64413a9afa8d55acad1e23
SHA1   e61e00403eb66d26dfe97c654af3d6e30e674927
SHA256 532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3
SHA512 91c79a61341c9d3f19ef072e19f4eb29a56af6543934d757e2f24abc90d0d8a823331fde9f93c7d4260ada64ef9ecce7f14c65fb69b791529b4578edfde2ca5f

Memory dumps (file names follow the pattern memory/<pid>-<n>-<start>-<end>-memory.dmp)

PID 2444 (POWERPNT.EXE)
0x000000002DDC1000-0x000000002DDC2000: dump 27
0x000000005FFF0000-0x0000000060000000: dumps 28, 43
0x0000000071EDD000-0x0000000071EE8000: dumps 29, 44

PID 2472 (lol.exe)
0x0000000000240000-0x0000000000241000: dump 31

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-18 21:21
Reported: 2024-04-18 21:24
Platform: win10v2004-20240412-en
Max time kernel: 93s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"

Signatures

MetaSploit

Tags: trojan backdoor metasploit

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Programes\Power\ll.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Programes\Power\ll.exe | N/A
N/A | N/A | C:\Programes\Power\lol.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

The processor and BIOS queries in this and the next signature all come from POWERPNT.EXE while it opens the decoy prev.pptx; that is Office reading hardware descriptors for its own startup and telemetry, not a sandbox-evasion check by the dropped binaries.

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Programes\Power\lol.exe:Zone.Identifier | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A

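Both runs (behavioral1 and behavioral2) show cmd.exe creating lol.exe:Zone.Identifier, the NTFS alternate data stream that carries the Mark of the Web, and both Files sections list the same hashes for it. The report gives only the stream's hashes, not its body. The Python below is an added example, not part of the report: it parses a Zone.Identifier stream into its zone (ZoneId 3 is the Internet zone, which is what SmartScreen and Office Protected View key on) and origin URLs, hashes the body so a stream captured from an infected host can be compared against the values in the report, and shows how the stream is opened by name on Windows. The two stream bodies are constructed samples, and the URLs in them are placeholders.

```python
import configparser
import hashlib

# URL security zones as used in ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample bodies (the report lists only the stream's hashes). A minimal
# Mark-of-the-Web stream looks like the first; browsers also record the download
# origin as in the second. The URLs are placeholders.
MINIMAL_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"
BROWSER_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                  b"ReferrerUrl=https://example.invalid/\r\n"
                  b"HostUrl=https://example.invalid/lol.exe\r\n")


def parse_zone_identifier(data):
    """Parse the INI-style stream body; raise ValueError if it is not one."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ZoneId / HostUrl capitalisation
    try:
        cp.read_string(data.decode("utf-8", "replace"))
    except configparser.Error as exc:
        raise ValueError("not a Zone.Identifier stream") from exc
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("not a Zone.Identifier stream")
    sec = cp["ZoneTransfer"]
    zone = int(sec.get("ZoneId", "-1"))
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown"),
        "host_url": sec.get("HostUrl"),
        "referrer_url": sec.get("ReferrerUrl"),
    }


def stream_hashes(data):
    """Hashes in the same three algorithms the report's Files section uses."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def read_motw(path):
    """Windows only: the ADS is addressed as <file>:Zone.Identifier.
    Returns None when the file carries no Mark of the Web."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for body in (MINIMAL_STREAM, BROWSER_STREAM):
        print(parse_zone_identifier(body), stream_hashes(body)["md5"])
    # On a Windows host with the dropped file present this would read the real stream:
    print(read_motw(r"C:\Programes\Power\lol.exe"))
```

A stream created by cmd.exe rather than by a browser is worth noting on its own: the batch file did not download lol.exe, so the mark was either copied along with the file from an already-marked source or written deliberately, and either way the file is treated as Internet-origin by SmartScreen and Office.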
Suspicious use of WriteProcessMemory

Identical rows are collapsed; the count in parentheses is the number of events the sandbox recorded for that writer/target pair.

Description | Indicator | Process | Target
PID 4820 wrote to memory of 2980 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | C:\Programes\Power\ll.exe
PID 4820 wrote to memory of 3340 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2980 wrote to memory of 3788 (2 events) | N/A | C:\Programes\Power\ll.exe | C:\Windows\system32\cmd.exe
PID 3788 wrote to memory of 4428 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Programes\Power\lol.exe

Processes

PIDs are taken from the WriteProcessMemory table above.

PID 4820  C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8c6f91efa4817c54c437e33b9846157_JaffaCakes118.exe"

PID 2980  C:\Programes\Power\ll.exe
  Command line: "C:\Programes\Power\ll.exe"

PID 3340  C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Programes\Power\prev.pptx" /ou ""

PID 3788  C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.tmp\94B0.bat C:\Programes\Power\ll.exe"

PID 4428  C:\Programes\Power\lol.exe
  Command line: lol.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
GE | 176.221.252.198:4444 | - | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp

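Most of the behavioral2 network rows are sandbox background noise: resolver traffic to 8.8.8.8, reverse (PTR) lookups of addresses the VM itself talked to, and Bing endpoints contacted by Windows or Office. The one row that matters is the direct-to-IP TCP connection to 176.221.252.198 on port 4444, Metasploit's default listener port, which is also the only network row in behavioral1. The Python below is an added example, not part of the report: it parses the table as printed here (including the three-field rows that have no domain), turns PTR names back into the IP addresses they describe, and separates the C2 candidate from the noise. The resolver set and the background-domain list are assumptions about the sandbox environment, not facts from the report.

```python
# Rows copied from the behavioral2 Network table. A direct-to-IP connection has
# no Domain column, so that row has three fields instead of four.
NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
GE 176.221.252.198:4444 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
"""

# Assumptions about the sandbox environment: its resolver, and Microsoft domains
# that Windows and Office contact on their own.
RESOLVERS = {"8.8.8.8"}
BACKGROUND_DOMAINS = ("bing.com", "microsoft.com", "office.com", "live.com", "msftconnecttest.com")
METASPLOIT_DEFAULT_LPORT = 4444


def parse_network(text):
    """One dict per row; the domain is '' for direct-to-IP rows."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 3:
            parts.insert(2, "")
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(row):
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "ptr-lookup" if ptr_to_ip(row["domain"]) else "dns"
    if row["domain"].endswith(BACKGROUND_DOMAINS):
        return "background"
    if not row["domain"] and row["proto"] == "tcp":
        return "direct-to-ip"
    return "other"


def triage_network(rows):
    """Split the table into C2 candidates, the IPs behind PTR lookups, and counts."""
    report = {"direct_to_ip": [], "ptr_targets": [], "counts": {}}
    for row in rows:
        kind = classify(row)
        report["counts"][kind] = report["counts"].get(kind, 0) + 1
        if kind == "direct-to-ip":
            note = "Metasploit default LPORT" if row["port"] == METASPLOIT_DEFAULT_LPORT else ""
            report["direct_to_ip"].append((row["ip"], row["port"], row["country"], note))
        elif kind == "ptr-lookup":
            report["ptr_targets"].append(ptr_to_ip(row["domain"]))
    return report


if __name__ == "__main__":
    result = triage_network(parse_network(NETWORK_TABLE))
    print("row classes:", result["counts"])
    print("C2 candidates:", result["direct_to_ip"])
    print("addresses the VM reverse-resolved:", result["ptr_targets"])
```

One of the PTR names, 237.197.79.204.in-addr.arpa, reverses to 204.79.197.237, the Bing address in the third row, which is how you can confirm that the reverse lookups describe the VM's own background connections rather than anything the sample reached out to.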
Files

C:\Programes\Power\ll.exe
MD5    f59d5f571baa32085623e50216883cb0
SHA1   c53dc803a0a18d3ab05259bb92abbf3182747d6b
SHA256 d8d00188183ae4f36c1ca2bc2e2301314ed03fc0661dd7f549e3a979f896ca4c
SHA512 fecb7c03a8d9f1603b00c0939cb40072ab661714dce73b0d4b702532ab44183e07776ca555817e8d677d2528f19317845bbf2628ac76708d4bae75ba6eeb44b7

C:\Programes\Power\prev.pptx
MD5    d1ad83616f64413a9afa8d55acad1e23
SHA1   e61e00403eb66d26dfe97c654af3d6e30e674927
SHA256 532305013971d96ce6a7958a1d5fe19b620b8efb515f33304f66e8abb07dd4d3
SHA512 91c79a61341c9d3f19ef072e19f4eb29a56af6543934d757e2f24abc90d0d8a823331fde9f93c7d4260ada64ef9ecce7f14c65fb69b791529b4578edfde2ca5f

C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.tmp\94B0.bat
MD5    ba6af7d6d40086090929b59917b75dd5
SHA1   c4f88f42320df939bec38ce8d7d3b6c6d5f7c5db
SHA256 0c7af3fddd012303c3d1ee4e366852ad00dcf1723b7c813b7bffe4581abb360f
SHA512 2a978e37e45aeb5ec39aa8c15596d43799d41dc541f3b2a4568d309d89b313dde7e442a027cf58ecd6292a22d1e47809aeb35cc5142a475e5f5e67faafa2be53

C:\Programes\Power\lol.exe:Zone.Identifier
MD5    81051bcc2cf1bedf378224b0a93e2877
SHA1   ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5    37bfa7e4024092f51555e1fbf3140751
SHA1   7c68c2d66281c5ac2c1b9b2a6ec164864370f790
SHA256 33c9be9190f3dd9aadc78d6978d413b20a1ded86c7902149dfdfd2b87c750b7e
SHA512 558a6ebfcad0aa957498586ccf11bd578eab281355f9310657095d906669e0a6ce8490266d1eca9d41b216171ae51ad8e4d4b3dcc24ca212e82c78f0e7816891

C:\Programes\Power\lol.exe
MD5    bb1f9c3f2eb93358942d23995990b254
SHA1   9303c176a3f5c409381af91bc86160fc2cc483ba
SHA256 68f45370a0e05bcbca4b88cdc66fbd9c6f895cbec3f4e42d50e32011f02c1eea
SHA512 1396cc3105e6a0deb633a04150a372f3451f4b1bd09bfa3acdbb4197aff0d558a8ed614993eb19120031904da344dc5f47b8e461e49fb63da7ea115d042b40ca

The dropped ll.exe, lol.exe, the batch file and the Zone.Identifier stream carry the same hashes as in behavioral1; only the randomly named Temp directory of the batch file differs.

Memory dumps (file names follow the pattern memory/<pid>-<n>-<start>-<end>-memory.dmp)

PID 3340 (POWERPNT.EXE)
0x00007FFC15310000-0x00007FFC15320000: dumps 17, 19, 22, 23, 25, 79, 80, 81, 82
0x00007FFC55290000-0x00007FFC55485000: dumps 18, 20, 21, 24, 26, 28, 32, 33, 34, 36, 37, 38, 39, 40, 41, 42, 43, 83
0x00007FFC129B0000-0x00007FFC129C0000: dumps 31, 35

PID 4428 (lol.exe)
0x0000000000580000-0x0000000000581000: dump 69