Malware Analysis Report

2024-08-06 19:29

Sample ID 240511-xbjaxabh2t
Target 35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118
SHA256 bb5c6472c24b306edf107bd3d4b82b10d62d25cb68c3aaca9a3a8f2e529b26d5
Tags persistence darkcomet 2march rat trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

bb5c6472c24b306edf107bd3d4b82b10d62d25cb68c3aaca9a3a8f2e529b26d5

Threat Level: Known bad

The file 35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence darkcomet 2march rat trojan

Darkcomet

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-11 18:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 18:40

Reported

2024-05-11 18:43

Platform

win7-20240419-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgjfkdlld.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10485384\\jhw.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10485384\\JIQ_NU~1" C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1812 set thread context of 304 N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 992 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe
PID 1904 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe
PID 1812 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe

"C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe" jiq=nus

C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe

C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Users\Admin\AppData\Local\Temp\10485384\UKFUV

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 18:40

Reported

2024-05-11 18:43

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgjfkdlld.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10485384\\jhw.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10485384\\JIQ_NU~1" C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3580 set thread context of 1952 N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe
PID 1536 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe
PID 3580 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35fe8f7a8ea9c3ad4d7b8a9fbe0f5298_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe

"C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe" jiq=nus

C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe

C:\Users\Admin\AppData\Local\Temp\10485384\jhw.exe C:\Users\Admin\AppData\Local\Temp\10485384\SKVSJ

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Files


C:\Users\Admin\AppData\Local\Temp\10485384\xat.bmp

MD5 fbb2b7f008b1072823cef187a6789e2b
SHA1 0690934ce8ad135cd7fa693142fa947261e5e041
SHA256 a063c17764bcddc94ef90dab88c8cd72565bb447a602e882151f25521fb3082a
SHA512 4dab482fada46a4c44252f9dce91d8018b8974989a34cde4b32569bf09306a8ef61f19f80806a1153dcc8c9c1d3219dc03fb4498e4de7c8549676ff268690238

C:\Users\Admin\AppData\Local\Temp\10485384\whd.ico

MD5 5b38573104d309730288f8c80869d3fd
SHA1 ead5046eb1a50989209b02e174b3e4e7d9a30236
SHA256 4b276d88d361d14396db09f2369d058a2672344251f1c9a09f18f04a9cb91b89
SHA512 9d13a4fa50565910860258b36a5819f27b201b3c610b3e726511024451be3b0a22db6120090f3edabb8245054eb083e54df355d650a937efb56bcc4e7d022f6c

C:\Users\Admin\AppData\Local\Temp\10485384\vtj.jpg

MD5 0256ed700c2bb6f4db76ed39d0d03e64
SHA1 c97b62fdcd460cd21d5af5950483e8c99c3f9adb
SHA256 71b7926533bdd21a18f8ad78f30c547ead2eb6928a95087535fa765f40b011c1
SHA512 a3df8d7dcea7fe2834e4285998f7a09d5f11a4ed35c8a3bf7dd89c0c5d8a09a258b4dff78b177374b376aea3adfc0500112d2767d307838391b7a67865db51cd

C:\Users\Admin\AppData\Local\Temp\10485384\vah.jpg

MD5 d294c471f26483248a29624cf66c6c5d
SHA1 9a61b3e1b007a2cd408183794fcadc89445f84bc
SHA256 bd51e187b701f5e2b0e648e355334b20a226747270411fc8a82dbed88b0c43bb
SHA512 405b1a07efc84528d8fd83f0d5c9c557f5e384b2556a4f2950b180b93105516856b3903af3b227381e0f5edcbe5186154621fd812f441b4386308cc236d51978

C:\Users\Admin\AppData\Local\Temp\10485384\ueg.jpg

MD5 e8bd4715d1bf2cfc2e12294d74a486bb
SHA1 726f6480e2452d6665c9852c49defbac38dc1bd2
SHA256 3ab216ebc133be842e6b2a7e65e7803d6d5b2d94f426ca8deead6e6ba7d45aac
SHA512 f529b6d5fb4f86c3cc98f232647ba4448d7f9c63ea3b0fe69bcd92400b9ee70124e04113dcc8145081f54698a56522dc585c29277fd8f066472c9cd9d5a207cd

C:\Users\Admin\AppData\Local\Temp\10485384\udw.dat

MD5 0e9a02c2a4e269f3f49ef23056ec4508
SHA1 cfb37defd6caacb5c9bd1245bb92edde0ef9a1e7
SHA256 7ebe683c5c0f18644605bf1fe34fdf7756281468fb5dfbae02ec4cf07d586a8f
SHA512 4194f892bf68f6479f9080d2a99aad09a59b5e5ef1b938abe15ae50e1b76a8a51a8b35e0e985492b77f61f4189837caa804216f8e25848f0db418d1e0acfc606

C:\Users\Admin\AppData\Local\Temp\10485384\tct.pdf

MD5 b3372919c851526e7356422a98c6bfb0
SHA1 b4a2082f74b5f946ccbac52bebc1baa0cd9d74d7
SHA256 2953a3a02f04c70e5ae8e60eac2b9a1d9de7185e60104cbe9aaa3917ba7e9cd5
SHA512 359cdde58f3833e8675cd9c58d8390e85ab8d53cc14a609850ad9fd82d5f3859ac81ae21858cd431a7c52b9512a10d89e4f664611145e8139a449aa0e927d6c5

C:\Users\Admin\AppData\Local\Temp\10485384\tbw.pdf

MD5 ae9019ab7dcfda0a3698480a56f70c22
SHA1 93db4c3ce4a55001f0143f1042e93ebddea11302
SHA256 7f7c3d43ae2d6910371e226f277ee067e8cf2cb21fee302dd0f9e88ff40b17fe
SHA512 faa8daad3afac2ab933e6d85e8cadfb9f0917db02c82c5c1ccacdb636239771133f478d7ee1caa21f6a7452b07762be30bdebc0dda9c7c76ed8bbeeb7f7d7fde

C:\Users\Admin\AppData\Local\Temp\10485384\rqu.ppt

MD5 eee62134bd61202d685986066d15ab86
SHA1 6a223bfa97c32cc216390a2ceee3ea11a8a3d3b9
SHA256 8001d8bdb4fb0e5b2b1e6027f528890a086ad1969737e1aab5ba45717a6f17ab
SHA512 66b40fea4f24acc6dcfa9db4bab869f2b6feefdd74ba37fa63ab3906b4769e5bcc0e79310a49656190f670ab01d6d62ba983d0531011f4aa737188013d2dff3d

C:\Users\Admin\AppData\Local\Temp\10485384\rim.mp4

MD5 2d7a785846aa6b1be37c1afc4339bd0d
SHA1 8a47f9c4e43f49ab9fe5b813dcee263d4b7f239e
SHA256 af5fee79d256738e12ddd74f104c0334955692a4ba1b52f0170d39835d61f639
SHA512 d0e1a7308bb9b467f96dbc468f27e23b03776e6dc40fb4296131e63cc4871f62e3278b532c7d175004c6c68973baa426716511e8663d04154a458ce49b5dc40d

C:\Users\Admin\AppData\Local\Temp\10485384\pxq.xl

MD5 c464386b348ffe4f4cfb429c42fe8792
SHA1 b19c0116b47fc25ca2d16ef4439127b2acd763d8
SHA256 6009b771cbd49bfa9fed0466fa7a646ecf5ea28e1ad242426fbaaa29f39de65e
SHA512 d482ac8bfff3725b228614a5dd110e34fee2ac237911fc40a106ba7a4e6b223ff3e0beee013f01530bda5138ed03c67a5f5c47cb3f704eddea86117c7dc308d6

C:\Users\Admin\AppData\Local\Temp\10485384\pgj.mp4

MD5 aaaf0b35d6f5d4f2c66c477653ef08a5
SHA1 e87ddfde38eac4a14f8e4818b70d1597f6743d31
SHA256 cad89a44d98c13632bcc750bab3c28fa1cbcbf72b08a294cdc07384f4a35051b
SHA512 cb58968f250fb0656972e7a3055755699214ae79586276d40eba1be21cf4c5e03045526b3a33ac485f59ffd1a1dec93535a351984c6b6f0c3f6d39d1c116aade

C:\Users\Admin\AppData\Local\Temp\10485384\owf.dat

MD5 2db3104c9a0637b1846df688c0e2ea52
SHA1 069795a7b3be2a3725b6089a8a7f02578fc6fde4
SHA256 0f617a8f8f19d137df0aed4916fd9288143ed12b241a1a8df8a204d6e6a5da35
SHA512 c19a1a1e749bc64bc5e38dc75d97d2c67dbc3d785e8a249d7c808030f55cbbe7f0794d619555a941bbc91a2527ae3aac8e656b47ff88f88f3acc6ec15a06d392

C:\Users\Admin\AppData\Local\Temp\10485384\ohq.xl

MD5 0afb5dcc7385cbc6c885dcdbf649cf3c
SHA1 e2af2fd56c5fdd2561525e58bb4e4578f14c007e
SHA256 b4f9ae3eec7ce65a4c9860d931dda69e7a7ef3d4b11412327f43d4a743f0c95a
SHA512 c4d9e0c2defb9726b473da7f2576ed636dca69bb09201bf0b214ac4532a67947da7105d7461f8d134da8dceca893867a19f063225ec892125ccc2393beb5ddc5

C:\Users\Admin\AppData\Local\Temp\10485384\obm.ppt

MD5 5575f6ccb6e0e1331477ee83096cc237
SHA1 e8eb05fefd1b9f3cfa7dbd38f0edce8caea38537
SHA256 71f867878ffba892836cca93b056f4560fcabfe9201e56b63ff3336a6c941b49
SHA512 b3a4b047bdb5b11eb4be3228f2963efac1cff6613169c5ef61dbf9ffa01383abc774cb294271e87fc3b67aaaf41191b62eded40d4346fd43fb9909f9f35641f3

C:\Users\Admin\AppData\Local\Temp\10485384\nvj.txt

MD5 30599b489c05a0f21760342c11076487
SHA1 8ad227e9cdc6a77df110966b46bab50219da8535
SHA256 25a51ca7e299e54da6a184e6ffe7068927973cc5379e0cdd6c9528f0eebe219f
SHA512 81f7dc859c0e5b48ce2e610f1ba00bfbc251de09d73e412841640bc7665106b9ac176bcb695164e6aa4292c68b347dbc00c613c2e781eae61f928d33bc32cb2c

C:\Users\Admin\AppData\Local\Temp\10485384\nvj.dat

MD5 a5d7f3b2efbc94e564a9ebaecb863453
SHA1 b2ca2787cf4c734fa2af9b86259f954ae927aadc
SHA256 30581befc140a5ead4ff75714e903f1db1387db8ffeb1655a41f4c6e35e547a8
SHA512 af29efc4eb6940017e1f2242b8f09b85567b6f8312dd44ad4201bbe63c2f36b62d9fb8a0ddc8bbe7c0b89f3174bf484b50fe4895476f55a6b562fc1b53a5ce72

C:\Users\Admin\AppData\Local\Temp\10485384\nds.bmp

MD5 3a06786ce32eb390640a390688498fcd
SHA1 193adeee16fb3f71292600c3b2648b9fe1c4cb0f
SHA256 40735bb86906e8a5f50f441326ee4d18f51f59c9daf946d6e9f53e8aa20a2512
SHA512 7157d3046156495bc8eb43e04c7f432ac4782311fc53fbc78c57f377dccdbffdc62f803409b54820cef82e8c605d069a752ae26147ef797c2c7b4bfb62476982

C:\Users\Admin\AppData\Local\Temp\10485384\msq.pdf

MD5 d15b4a243f3474aff6d6c866899a1abd
SHA1 3133267de7a1b0c7c221cf3dfd740c193ac6715f
SHA256 be5125d00d31d2fe8a8332797434a1e49c9d8dd027dc5bb1f3eae7ac0364f5db
SHA512 c65e9d4bc01217fa232654c9f03572842241c3ade0dd07371760debfb630b90fbde74b35c9354a5a03223bce23f50ecb24b084edb1fe481285a5e4a12b7d6edb

C:\Users\Admin\AppData\Local\Temp\10485384\mlv.ico

MD5 35e4011854e24895f01270e706afb0a2
SHA1 8911da01dfa271b03ff9d0c1fd82bf2904eb5c6f
SHA256 516bb436aeb6acb9d150fa7c46c20a10a94b8db1697333d28657581b3a633f4b
SHA512 377036fbd5028552e60774c6fb47b738b97bcae95ab32896a40f3d815cf030a797f9eded332f4a4d888214ea2616ca36eeac820deab07c1c9b73079ba24b4618

C:\Users\Admin\AppData\Local\Temp\10485384\lwp.docx

MD5 c57895ac5311bdf731a161fb5c80b21b
SHA1 6890ee1026ae21e0d879a09b75e7ad236d508a86
SHA256 b1497a1ef061dc1bd4f253db83c1e9e6cf3c2ddfc4bd5b9c9cf852936f002e1e
SHA512 2785cf70b1746c04fcf1729df8dc264603b162abae36ec9219d402803f0ad5fa9e73ff107bf36c857f5d4c5e1af36a249448e8a3ad1a64753f963de193efaefe

C:\Users\Admin\AppData\Local\Temp\10485384\lcw.dat

MD5 b27b52f034d5e5772085f7b3eb83c875
SHA1 ac3428397b9556f524d1497df62eb66bc1972c54
SHA256 5a5d9a902076a44187ff7a4360939c868185c53ec37fc27620f6656c62524a0b
SHA512 9e3d99d58b401de7ae32661c4ad8d516ca8a010e4502e34f9810e808c1f185386c01c2833733e41d6f6d27c791fda121759412af426dac72726fa9ee7ae5c5e6

C:\Users\Admin\AppData\Local\Temp\10485384\lca.ppt

MD5 414083c170ad3869811f32dcd3034723
SHA1 c2af6ea612dd017b0a740b7fccaf6d374c7998f4
SHA256 388a3a746abe9fdbbb787daa3b79fb3b452503a6dfaec76701f494fae1fead1d
SHA512 b107f8689a2fb8135a84ab10c098d01672a8ec462b298423243a2daee3b6612359e004e592f666c4bf324b44b0f7dda8b9d070a53cc8de65b9eb4f7982a27ea0

C:\Users\Admin\AppData\Local\Temp\10485384\khr.dat

MD5 07441535531eb1f831d02809f6196060
SHA1 3bfb7f4d3fe3aeea49ec58832f6b5de9c4e490a9
SHA256 f1ae933935816606ec90258635e6e434dbe4bbf3a3f8fc03b54c7f69ba8d8ea9
SHA512 d6eb672438a972d13796d18b81895d7d833ac3e97476efca5de72e00d9e74cc60425e9289ca0363d46a9d30fa978a79ddd8e4f1a22c48551871f2fdbcc068f8d

C:\Users\Admin\AppData\Local\Temp\10485384\irj.icm

MD5 d6865ee8dde79f1a3d796946cbdddac9
SHA1 d9c8b24b6e20f13910f9b76935f95e6a06d51b75
SHA256 296ef98200b1ad157bc4ccd1c05c5be530a5f5911f2289a90ea4202bd01ecd64
SHA512 1d013564b15b5e7787f521050a64abea35b679753a6f0a3b1b8df4a56849c92c8272436a90092f8f593466e91c686789d692e0dc661485c943ec0bc600409af3

C:\Users\Admin\AppData\Local\Temp\10485384\iqx.pdf

MD5 cc3966e3b84b22a9504b97426286c047
SHA1 2d65a8367f8a49ec0da2f22fd42216d25c751eda
SHA256 13b78118a3bfcf130d06b88e1bf0b1b7eccb9e9779ed385ec3c41e11e8048a3e
SHA512 5036c5dbf8807e720cf74e63873b8b757135fb9e8aac24cb6874f8aff7d63beb335a78aac1ca0bc8e8037f4eebbc804b6a7603aadd30da2f749b9f491aefdfd5

C:\Users\Admin\AppData\Local\Temp\10485384\gqb.pdf

MD5 0921f3de56c350684bba0c1b1fb19280
SHA1 372003c474464067864c641dc29236415713d6b8
SHA256 48018e9b880d781a2664feae544617267561f6c7efbbbebd31f40094da5117f6
SHA512 36c4e8b65073fb0a07c746725d60c5812ed0cc598228b908e6208760cdc5d79b86e0ea62da395cd94c90f5b3e48b100ce5a0771e588f70ce7d5ec0831f665723

C:\Users\Admin\AppData\Local\Temp\10485384\fwd.xl

MD5 f30d864889e04f316beb0b73f6769677
SHA1 6d7285a3f43639c90c44ba867a5c137f2d150c0c
SHA256 07f671b89a145500abadba605bdc071abe188f5c5307bd0cbf877837bdfbdb8f
SHA512 bd9e0ec21cfc39259eaff6274fea22c6a60d516fac849094a407b57db7a16205c83f69def5471e1483765db2f17b8737c7fe11a994b4ecdd1efc1ece260a7d09

C:\Users\Admin\AppData\Local\Temp\10485384\evx.icm

MD5 9c691037d8465160ebf62dc810697dda
SHA1 3b74683729f1042cc66ef8ff46f93093721fe66c
SHA256 d62171af5471b7972ae9ee98b2c4986f816c8f22f32ea96d876f23fbae2a1137
SHA512 25b66fcd45086254a83f87a46fb4e1f84568249bc6219600eee9df9ce5522dead7b21097bfb66a8b6d6de1b06587e71946d9889181129e87ebcefa0053c753b5

C:\Users\Admin\AppData\Local\Temp\10485384\eth.dat

MD5 0158630f9ec01c5b4c7d178135a92c28
SHA1 ad3cf3b0edcbd07cd2e6c0378b54dd62c84be5a2
SHA256 7af667639acffd9baf4ddfd8fa29c1bfccd032cef2947f418686acbd348612a3
SHA512 9fd6699b27e1752fa261629c359e08be3eb12c8ec1b537d5328ae3454bb649af79a36f1f4e3c46420240372472f737b852cf30541faa7abdadc3352c5a965e26

C:\Users\Admin\AppData\Local\Temp\10485384\dmr.xl

MD5 611dc9538594565e1e249f90e4d16084
SHA1 fe5ae1e540e9c0e5983e105e105f42d3e45344cf
SHA256 efffd78042f0e4bbeafd7dddf5fc5a38892826adcefe0d2afc30507bccf74610
SHA512 fce814860e9cb4c56ea396b7741c5482d2bf16d2d76ed6aed8825d6f63087777b97a8e098a675b9d22dc19fc03e6296676859d03a2452ab4985a243a792a0636

C:\Users\Admin\AppData\Local\Temp\10485384\dfj.icm

MD5 599c7397e0d58e7deac0acb7fcc2a9fe
SHA1 4caa0ff6aa0530cf396af98a355cf8b655f1c094
SHA256 32627ba9126579851c32984c9d39ec1611e80b6198188a573235b5232f87fdc6
SHA512 f658630cac02741938c2b54df9be5589ce0ff957222c590be599fdae24fc55803e3174d0c2379fb00bd8d74e9cfea31d8cc12721befbbca908782a292bba5812

C:\Users\Admin\AppData\Local\Temp\10485384\cwx.mp3

MD5 2c42f4bd5e04132e7e403f1ec5f4ffad
SHA1 db777e2f85a77bdab1774ae8930ca30b4cad8c57
SHA256 48e7e2b99cabc523309acea6f4875538655418d8897bc2913e35990e0321358e
SHA512 3711696281fe43e9c68060906867b5bde9576146c52fefa2fc4b1b8197ef5730a40f7f1641bc30f816655fc93b78a4908edb0e866f75064f894216ee4198d1fb

C:\Users\Admin\AppData\Local\Temp\10485384\cwi.xl

MD5 9cceb456062b2464f50fc2a113e10152
SHA1 dbc8fbce5b2bc70b5afd5549577f567e18f6a56c
SHA256 ec73aa34b7011c79609dd85c12891059830882f141891d2090cd685afbe1f1d5
SHA512 32d0af8c504eafdf8bb60983b6c869605ade0fb12baa37249c6ae101410e5ec1be97139652a89cab5f5d4f0311ce2d3cdca5a1373a5f506d42c29549793bfb30

C:\Users\Admin\AppData\Local\Temp\10485384\bvh.mp3

MD5 c05b9563d6500dd2350190e8b3186290
SHA1 fbe6a361b56f4003a41d5825143ebf29d6d1dd90
SHA256 48ef32cc7858d9024595dd9dd9f0f466a5a67244df90868bff67ffd78d3866c3
SHA512 5ffd26843174ca152be4f7845230b92615673d21170c28c1bdeaad597b79d95a10d56ca34a1c2e3b0c093b413a7f0ce38186bde4f795275c0592e7a689395c0f

C:\Users\Admin\AppData\Local\Temp\10485384\buw.icm

MD5 d695608ba5d1d41dff38b24db8ac5e75
SHA1 b745799bc05e69d7f7c668a512bd53af2e5d2cbb
SHA256 05a0f46a7c245e47bbf7574e7afce15b25e19728da3fca81904f6ce663b670ba
SHA512 63ffa63d5bfa56bfd288bd0b40e5b998694d735aa8c27e423b27805adcaf42aae546a0f67c95590308c6f4833a919b1e4216271b669a47571b037b08786d2484

C:\Users\Admin\AppData\Local\Temp\10485384\brc.bmp

MD5 dd76d29266d38ce79c490520aac360f1
SHA1 e1bc621805a82afdc8f9de0651167e5b254a5e49
SHA256 e7d762e2feb77c326c55e346f2b158902531b34aeb96ced353d85c3b690a84b5
SHA512 bda03a8bc02ee0801f7cab940b9371b8fcd31537202c8d59fec08a93f1de66114b97f6e20a2985bbb42a7e6e4a18c737e4d93f43f87ae863f11255bc1a6c2782

C:\Users\Admin\AppData\Local\Temp\10485384\bfo.icm

MD5 309ef252e2d5282563bdd87c9697a5d2
SHA1 2c95e21122dbd9c95458694b94218915221dddf1
SHA256 7dcbf0d4e11a11bab9fdae4f9b80f295e7ca6c00db0727ea214b1f1e50fc88dc
SHA512 22d58c94b43afd9fd1c1115f9b13ca3aa467d0ec3311892fd9d2021408a9c635bbc674eae20ecb4dad5c536b390ecdc1120ebfd21a167a72cd60199d8a4aa82f

C:\Users\Admin\AppData\Local\Temp\10485384\asu.txt

MD5 b3ac3f89c0d3d848639efa9e10270b2e
SHA1 9d581888b661b79146b9d6467e2ffef0e3503d63
SHA256 7e6bfc04d9d896d3b2e3f97b60344500d6adcb1fd0a673090fa02225aad4423a
SHA512 4260f79b356e87f051a966ca9b8196b4769782abdf90ecd4a7f94eeb9bdeee6586149e385e7e3f7f9e4a82241f3e5297aa26338839cc9246dec356444e3ba380

C:\Users\Admin\AppData\Local\Temp\10485384\SKVSJ

MD5 e392efb0506abff8071f7ba13b9ea213
SHA1 a89e4c6abc31d7e95d9e4f69fb1039ea9006b3d5
SHA256 035e1933f8692e8e4bb9279b922ebf895bc17f1f0882a358b370e763022ffcc2
SHA512 e4b6bb71f53b851d43994b082d5e301aad4bba9bbb4b1c21bd0eab706b025c83b49131379a8822319a4107c3ba3d21e9a146875d5d9ac8f41a8c8a6dd6325f27

memory/1952-150-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1952-151-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1952-153-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1952-152-0x0000000000400000-0x00000000004B2000-memory.dmp