Malware Analysis Report

2024-09-11 10:02

Sample ID: 240421-mqmlrsha48
Target: ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118
SHA256: 68d86a6264814df91c2b58dd342fe9451134535d42eecbb623051ae616202912
Tags: limerat rat discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 68d86a6264814df91c2b58dd342fe9451134535d42eecbb623051ae616202912

Threat Level: Known bad

The file ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118 (a JAR, see the command line below) was found to be: Known bad.

Execution chain observed in both detonations: java.exe runs the submitted JAR, which drops xkxsxewbpw.js into the user profile root and runs it with wscript.exe. That script starts a second script, oVxRAoYHJl.js, from AppData\Roaming and hands a renamed JAR (a .txt file in the same directory, identical SHA256 in both runs) to javaw.exe -jar. The second script launches New-Client.exe, which registers a scheduled task named LimeRAT-Admin (trigger ONLOGON, /RL HIGHEST) pointing at player.exe and then starts player.exe, the process that requests SeDebugPrivilege. The Java stage talks to repo1.maven.org and github.com over TLS (what it fetched is not captured in this report); the pastebin.com connection matches LimeRAT's known use of Pastebin to retrieve its C2 address.

Signature hits that are Java runtime noise rather than sample behaviour: the icacls call on C:\ProgramData\Oracle\Java\.oracle_jre_usage (the JRE's usage-tracking directory) and the javaw.exe accesses to jvm.pdb/ntdll.pdb under the JRE bin directory (dbghelp symbol search paths). The Microsoft Edge utility process listed under behavioral2 is not linked to the sample by any parent/child event.

Malicious Activity Summary

limerat rat discovery

LimeRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-21 10:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 10:40

Reported

2024-04-21 10:42

Platform

win7-20240220-en

Max time kernel

145s

Max time network

146s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118.jar

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\New-Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\player.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\New-Client.exe N/A 2

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A pastebin.com N/A N/A 2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\player.exe N/A 2

Suspicious use of WriteProcessMemory

One row per parent/child pair; the sandbox logs one event per call, so Count is the number of WriteProcessMemory events on that edge.

Description Indicator Process Target Count
PID 2020 wrote to memory of 2640 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe 3
PID 2640 wrote to memory of 2572 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe 3
PID 2640 wrote to memory of 2464 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe 3
PID 2572 wrote to memory of 2708 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Roaming\New-Client.exe 4
PID 2708 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\New-Client.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2708 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\New-Client.exe C:\Users\Admin\AppData\Roaming\player.exe 4

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118.jar

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\xkxsxewbpw.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oVxRAoYHJl.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\oapiwqvgu.txt"

C:\Users\Admin\AppData\Roaming\New-Client.exe

"C:\Users\Admin\AppData\Roaming\New-Client.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\player.exe'"

C:\Users\Admin\AppData\Roaming\player.exe

"C:\Users\Admin\AppData\Roaming\player.exe"
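The process rows above are enough to rebuild the detonation's process tree and to score the persistence task without the sandbox UI. The following is an added example written for this page, not part of the sandbox's tooling: PIDs, image paths and command lines are copied from the behavioral1 rows, while the event layout, the "Java launcher then script host then EXE in AppData" rule and the path patterns are this example's own assumptions.

```python
"""Rebuild the behavioral1 process tree from the report's own rows and score
the persistence task it created.

Added example for this page, not part of the sandbox's tooling. PIDs, images
and command lines are copied from the rows above; the event layout, the
scoring rules and the path patterns are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed from the "PID A wrote to memory of B" rows (one tuple per row).
WRITE_EVENTS = (
    [(2020, 2640)] * 3 + [(2640, 2572)] * 3 + [(2640, 2464)] * 3
    + [(2572, 2708)] * 4 + [(2708, 1532)] * 4 + [(2708, 1760)] * 4
)

# Constructed from the Processes list above.
CMDLINES = {
    2020: r"java -jar C:\Users\Admin\AppData\Local\Temp\ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118.jar",
    2640: r"wscript C:\Users\Admin\xkxsxewbpw.js",
    2572: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oVxRAoYHJl.js"',
    2464: r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\oapiwqvgu.txt"',
    2708: r'"C:\Users\Admin\AppData\Roaming\New-Client.exe"',
    1532: ("schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin "
           "/tr \"'C:\\Users\\Admin\\AppData\\Roaming\\player.exe'\""),
    1760: r'"C:\Users\Admin\AppData\Roaming\player.exe"',
}

JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SCHTASKS_OPT = re.compile(r'/(sc|rl|tn|tr)\s+("[^"]*"|\S+)', re.IGNORECASE)


def image_of(cmdline):
    """First token of a command line (quoted or bare) as a lowercase file name."""
    token = cmdline[1:cmdline.index('"', 1)] if cmdline.startswith('"') else cmdline.split()[0]
    name = token.rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") else name + ".exe"


def build_tree(events):
    """parent -> {child: event count}. The sandbox logs one row per call, so
    repeated rows are a count on one edge, not separate children."""
    tree = defaultdict(dict)
    for parent, child in events:
        tree[parent][child] = tree[parent].get(child, 0) + 1
    return tree


def roots(tree):
    children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in children)


def chains(tree, pid, path=()):
    """Yield every root-to-leaf PID path below pid."""
    path += (pid,)
    kids = tree.get(pid)
    if not kids:
        yield path
        return
    for child in kids:
        yield from chains(tree, child, path)


def parse_schtasks(cmdline):
    """Extract /sc, /rl, /tn and /tr, unwrapping the nested "'...'" quoting."""
    return {k.lower(): v.strip('"').strip("'") for k, v in SCHTASKS_OPT.findall(cmdline)}


def task_findings(opts):
    findings = []
    if opts.get("sc", "").upper() == "ONLOGON":
        findings.append("trigger: every logon")
    if opts.get("rl", "").upper() == "HIGHEST":
        findings.append("run level: highest available to the user")
    if USER_WRITABLE.search(opts.get("tr", "")):
        findings.append("action: binary under a user-writable AppData path")
    return findings


def analyze(events, cmdlines):
    tree = build_tree(events)
    out = {"roots": roots(tree), "chains": [], "dropped_exes": [], "tasks": {}}
    for root in out["roots"]:
        for chain in chains(tree, root):
            images = [image_of(cmdlines[p]) for p in chain]
            out["chains"].append(images)
            # Java launcher -> script host -> fresh EXE in AppData is the loader pattern here.
            if set(images) & JAVA_HOSTS and set(images) & SCRIPT_HOSTS:
                known = JAVA_HOSTS | SCRIPT_HOSTS | {"schtasks.exe"}
                for pid, img in zip(chain, images):
                    if img not in known and USER_WRITABLE.search(cmdlines[pid]) and pid not in out["dropped_exes"]:
                        out["dropped_exes"].append(pid)
    for pid, cmd in cmdlines.items():
        if image_of(cmd) == "schtasks.exe":
            opts = parse_schtasks(cmd)
            out["tasks"][opts.get("tn", "?")] = task_findings(opts)
    return out


if __name__ == "__main__":
    result = analyze(WRITE_EVENTS, CMDLINES)
    for chain in result["chains"]:
        print(" -> ".join(chain))
    print("dropped EXEs:", [CMDLINES[p] for p in result["dropped_exes"]])
    print("tasks:", result["tasks"])
```

Collapsing repeated rows into edge counts is what makes the tree readable: three root-to-leaf chains come out of the 21 rows, and the two EXEs started from AppData\Roaming (New-Client.exe and player.exe) fall out as the only non-LOLBin hops. The same schtasks parser works on a live host's command-line telemetry, where /sc ONLOGON plus /RL HIGHEST plus an AppData action is worth an alert on its own.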

Network

One row per destination; the original table lists one row per connection, so Count is the number of DNS queries or TCP connections.

Country Destination Domain Proto Count
US 8.8.8.8:53 repo1.maven.org udp 1
US 8.8.8.8:53 github.com udp 2
US 8.8.8.8:53 pastebin.com udp 1
US 199.232.192.209:443 repo1.maven.org tcp 3
GB 20.26.156.215:443 github.com tcp 19
US 104.20.4.235:443 pastebin.com tcp 1

Files

memory/2020-6-0x0000000002530000-0x0000000005530000-memory.dmp

memory/2020-12-0x0000000000340000-0x0000000000341000-memory.dmp

C:\Users\Admin\xkxsxewbpw.js

MD5 429911446e5f159495309d0290cb654c
SHA1 c75f6e784a1be339c92d356e200df1922c3a303b
SHA256 1c8942fcadb3b76905b0b71d267730f1f1bd26befe0d512a3fc8d9bab25b6289
SHA512 28bf47f7d25ce3cab61dda34df71a707824e72370a18f3ebe3f93e14013be17ffc7e61193d8f99f51499337d212fe201d45e2d81e0bb6f3135bb6d75cb4b0789

C:\Users\Admin\AppData\Roaming\oVxRAoYHJl.js

MD5 3bb731a281fc7a55c9c7b8f192568c5a
SHA1 c31fe3483d2210876fd6b60ccbd65b4cc4d340d3
SHA256 1c9ffe5682dcf0a68f10d49d1ac6eea187f8afc2a5b99881654fdd83f37759ef
SHA512 803eef5aacc2d1feef93c5130297faa6af66903682fdd1871c281b6770d0c025e50f61ee3d99c96e146e13b30777efe07bfe5c5d5b2548cdcea26aceca75b683

C:\Users\Admin\AppData\Roaming\New-Client.exe

MD5 1ad564a6ca1520e8886faffc4e0ff1d4
SHA1 7d3b61daef1afed73838351dbf788448cf88d031
SHA256 2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4
SHA512 b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441

C:\Users\Admin\AppData\Roaming\oapiwqvgu.txt

MD5 d89bd5c794363237602a61b057673299
SHA1 3d37e97124b25fe0c955f880cfc7e0004809e2ac
SHA256 e038e94963e067ccda7e6df50965a117dd14603cddf0082e0759c6eb134549f4
SHA512 106dfa9ca06437317712386852c85d950bd9c07e67fee91a6b3aacce49c7012abfb8dc6dfff74a53203772706e1609fe41d10ecb2c861795ee61fd502bada35d

memory/2464-31-0x00000000027E0000-0x00000000057E0000-memory.dmp

memory/2708-38-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/2708-39-0x00000000004E0000-0x0000000000520000-memory.dmp

memory/2708-40-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/2464-41-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-48-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-53-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-59-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-61-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-63-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1760-78-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/1760-79-0x0000000000980000-0x00000000009C0000-memory.dmp

memory/2708-77-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/1760-80-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/2464-84-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-85-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-86-0x00000000027E0000-0x00000000057E0000-memory.dmp

memory/1760-98-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/2464-99-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-106-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2464-111-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-21 10:40

Reported

2024-04-21 10:42

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118.jar

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\New-Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\New-Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\player.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Note: the only icacls call (see Processes below) grants Everyone modify rights on C:\ProgramData\Oracle\Java\.oracle_jre_usage, the JRE's own usage-tracking directory. That is standard Java runtime behaviour on first launch, spawned by java.exe itself, not an action of the sample.

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Count
N/A pastebin.com N/A N/A 2

Drops file in Program Files directory

Note: despite the signature name, these are javaw.exe probing for jvm.pdb and ntdll.pdb along the standard dbghelp symbol search order (the binary's directory, then dll\ and symbols\dll\ beneath it) next to the JVM binaries. They are symbol lookups by the Java runtime, not files written by the sample.

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\SYSTEM32\wscript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\player.exe N/A 2

Suspicious use of WriteProcessMemory

One row per parent/child pair; Count is the number of WriteProcessMemory events on that edge.

Description Indicator Process Target Count
PID 372 wrote to memory of 3388 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe 2
PID 372 wrote to memory of 3312 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\wscript.exe 2
PID 3312 wrote to memory of 8 N/A C:\Windows\SYSTEM32\wscript.exe C:\Windows\System32\WScript.exe 2
PID 3312 wrote to memory of 2896 N/A C:\Windows\SYSTEM32\wscript.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe 2
PID 8 wrote to memory of 1468 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Roaming\New-Client.exe 3
PID 1468 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\New-Client.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1468 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Roaming\New-Client.exe C:\Users\Admin\AppData\Roaming\player.exe 3

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\ff181c2fde2ed1e091f9cf7a3fb5cb98_JaffaCakes118.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\xkxsxewbpw.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oVxRAoYHJl.js"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hpiulquwja.txt"

C:\Users\Admin\AppData\Roaming\New-Client.exe

"C:\Users\Admin\AppData\Roaming\New-Client.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Note: a background Microsoft Edge utility process from the Windows 10 sandbox image. No WriteProcessMemory event above connects it to the sample's process tree.

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\player.exe'"

C:\Users\Admin\AppData\Roaming\player.exe

"C:\Users\Admin\AppData\Roaming\player.exe"
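In both detonations the second Java stage is a JAR stored with a .txt extension (oapiwqvgu.txt and hpiulquwja.txt carry the same SHA256) and run with javaw.exe -jar, so a scan that trusts file extensions never sees a JAR land in AppData\Roaming. The check below is an added example for this page, not the sandbox's tooling: it classifies files by content (ZIP magic plus a META-INF/MANIFEST.MF) and reports archives whose name says otherwise. The report's .txt contents are not available, so a minimal JAR constructed in a temporary directory stands in for them; the file names are the only thing taken from the report.

```python
"""Identify JAR files hiding behind non-JAR extensions, the trick used above when
javaw.exe -jar is handed a ".txt" from the user's roaming profile.

Added example for this page, not the sandbox's tooling. The files it scans are
constructed here in a temporary directory; the report's .txt contents are not
available, so a minimal JAR stands in for them.
"""
import io
import os
import tempfile
import zipfile

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, or empty-archive EOCD


def make_jar(main_class="Loader"):
    """A minimal but valid JAR: a manifest with Main-Class plus one .class entry
    whose body is only the class-file magic (placeholder, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        zf.writestr(f"{main_class}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def inspect(path):
    """Classify a file by content: None if not a ZIP, else manifest/main-class facts."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if not head.startswith(ZIP_MAGICS):
        return None
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            manifest = (zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                        if "META-INF/MANIFEST.MF" in names else "")
    except zipfile.BadZipFile:
        return None
    main = next((line.split(":", 1)[1].strip() for line in manifest.splitlines()
                 if line.lower().startswith("main-class:")), None)
    return {"is_jar": bool(manifest), "main_class": main,
            "classes": sum(n.endswith(".class") for n in names)}


def scan(directory):
    """(name, details) for every ZIP/JAR in directory whose extension says otherwise."""
    findings = []
    for name in sorted(os.listdir(directory)):
        info = inspect(os.path.join(directory, name))
        if info and not name.lower().endswith((".jar", ".zip")):
            findings.append((name, info))
    return findings


def demo():
    """Constructed fixture: a JAR under the report's .txt name, a JAR named as a
    JAR, and an ordinary text file. Only the first should be reported."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "hpiulquwja.txt"), "wb") as fh:
        fh.write(make_jar())
    with open(os.path.join(d, "app.jar"), "wb") as fh:
        fh.write(make_jar("App"))
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("plain text, no archive here\n")
    return scan(d)


if __name__ == "__main__":
    for name, info in demo():
        print(f"{name}: JAR with Main-Class={info['main_class']} "
              f"({info['classes']} class entries) behind a {os.path.splitext(name)[1]} extension")
```

Pointed at a user's AppData\Roaming on a suspect host, scan() lists exactly the files that javaw.exe would happily run regardless of their name; pairing it with the javaw.exe -jar command-line telemetry (the image name is in Processes above) closes the gap an extension-based rule leaves open.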

Network

One row per destination; Count is the number of DNS queries or TCP connections in the original table.

Country Destination Domain Proto Count
US 8.8.8.8:53 github.com udp 1
US 8.8.8.8:53 repo1.maven.org udp 1
US 199.232.192.209:443 repo1.maven.org tcp 4
GB 20.26.156.215:443 github.com tcp 1
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp 1
US 20.189.173.21:443 nw-umwatson.events.data.microsoft.com tcp 1
US 8.8.8.8:53 pastebin.com udp 1
US 104.20.3.235:443 pastebin.com tcp 1
US 8.8.8.8:53 (reverse lookups, see below) udp 16

Reverse (PTR) queries sent to 8.8.8.8:53: 104.219.191.52, 249.197.17.2, 14.160.190.20, 95.221.229.192, 26.165.165.52, 209.192.232.199, 171.39.242.20, 215.156.26.20, 74.32.126.40, 11.227.111.52, 241.150.49.20, 172.210.232.199, 21.173.189.20, 23.173.189.20, 235.3.20.104, 232.168.11.51 (all .in-addr.arpa).

Note: the PTR lookups (several of them for the addresses contacted above) and the nw-umwatson.events.data.microsoft.com traffic (Windows error-reporting telemetry) are host background activity in the Windows 10 image. The sample's own destinations are repo1.maven.org, github.com and pastebin.com, the same set seen in behavioral1.

Files

memory/372-2-0x0000020AE2BE0000-0x0000020AE3BE0000-memory.dmp

memory/372-13-0x0000020AE1340000-0x0000020AE1341000-memory.dmp

C:\Users\Admin\xkxsxewbpw.js

MD5 429911446e5f159495309d0290cb654c
SHA1 c75f6e784a1be339c92d356e200df1922c3a303b
SHA256 1c8942fcadb3b76905b0b71d267730f1f1bd26befe0d512a3fc8d9bab25b6289
SHA512 28bf47f7d25ce3cab61dda34df71a707824e72370a18f3ebe3f93e14013be17ffc7e61193d8f99f51499337d212fe201d45e2d81e0bb6f3135bb6d75cb4b0789

C:\Users\Admin\AppData\Roaming\oVxRAoYHJl.js

MD5 3bb731a281fc7a55c9c7b8f192568c5a
SHA1 c31fe3483d2210876fd6b60ccbd65b4cc4d340d3
SHA256 1c9ffe5682dcf0a68f10d49d1ac6eea187f8afc2a5b99881654fdd83f37759ef
SHA512 803eef5aacc2d1feef93c5130297faa6af66903682fdd1871c281b6770d0c025e50f61ee3d99c96e146e13b30777efe07bfe5c5d5b2548cdcea26aceca75b683

C:\Users\Admin\AppData\Roaming\hpiulquwja.txt

MD5 d89bd5c794363237602a61b057673299
SHA1 3d37e97124b25fe0c955f880cfc7e0004809e2ac
SHA256 e038e94963e067ccda7e6df50965a117dd14603cddf0082e0759c6eb134549f4
SHA512 106dfa9ca06437317712386852c85d950bd9c07e67fee91a6b3aacce49c7012abfb8dc6dfff74a53203772706e1609fe41d10ecb2c861795ee61fd502bada35d

C:\Users\Admin\AppData\Roaming\New-Client.exe

MD5 1ad564a6ca1520e8886faffc4e0ff1d4
SHA1 7d3b61daef1afed73838351dbf788448cf88d031
SHA256 2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4
SHA512 b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441

memory/2896-30-0x000002544DF30000-0x000002544EF30000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 aad831262795e4742adb092983e0a748
SHA1 18f5ee52379461d47b6028798af93cef5917f077
SHA256 025ea9e0fd0b3bd23c7cddb0c5f8bc9e55949367518797289caf3ec9adc924a5
SHA512 99a2d3c31a6b51ecef717d583394184e5178b2e609e82ed83dbf4056e832f473c76f65768d3c11f61dfa715e31c35b438fa943a870790c8bcf5db6826c29716f

memory/2896-41-0x000002544C6D0000-0x000002544C6D1000-memory.dmp

memory/1468-45-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/1468-46-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/1468-47-0x0000000000E80000-0x0000000000E90000-memory.dmp

memory/2896-51-0x000002544DF30000-0x000002544EF30000-memory.dmp

memory/2896-58-0x000002544DF30000-0x000002544EF30000-memory.dmp

memory/2896-65-0x000002544C6D0000-0x000002544C6D1000-memory.dmp

memory/2896-68-0x000002544DF30000-0x000002544EF30000-memory.dmp

memory/2896-75-0x000002544C6D0000-0x000002544C6D1000-memory.dmp

memory/2896-83-0x000002544DF30000-0x000002544EF30000-memory.dmp

memory/2896-92-0x000002544DF30000-0x000002544EF30000-memory.dmp

memory/2896-117-0x000002544C6D0000-0x000002544C6D1000-memory.dmp

memory/2896-144-0x000002544DF30000-0x000002544EF30000-memory.dmp

memory/2896-161-0x000002544DF30000-0x000002544EF30000-memory.dmp

memory/1468-171-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/1468-203-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/2896-204-0x000002544E310000-0x000002544E320000-memory.dmp

memory/3968-205-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/2896-206-0x000002544DF30000-0x000002544EF30000-memory.dmp