Malware Analysis Report

2024-08-06 15:23

Sample ID 240519-y5gvlsgb8y
Target 5b4966b97a3e3979116e52661911d864_JaffaCakes118
SHA256 520a9841c77609dc1c87d0cc7e8ca7ac4e36fb9a78c4401e056c12585ceaec04
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

520a9841c77609dc1c87d0cc7e8ca7ac4e36fb9a78c4401e056c12585ceaec04

Threat Level: Known bad

The file 5b4966b97a3e3979116e52661911d864_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-19 20:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 20:21

Reported

2024-05-19 20:24

Platform

win7-20240215-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18254108\\lgd.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\18254108\\KMI_OS~1" | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1976 set thread context of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1288 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | 7
PID 1768 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | 7
PID 1976 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Windows\SysWOW64\cmd.exe | 7
PID 1976 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 12

Processes

C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe

"C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe" kmi=osx

C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe

C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe C:\Users\Admin\AppData\Local\Temp\18254108\NNWVF

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C Start C:\Users\Admin\AppData\Local\Temp\jb.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | www.google.com | udp | 1
US | 8.8.8.8:53 | elektroklinika.pl | udp | 1
PL | 109.95.157.165:80 | elektroklinika.pl | tcp | 1
US | 8.8.8.8:53 | kgentle77.hopto.org | udp | 34
US | 8.8.4.4:53 | kgentle77.hopto.org | udp | 33

Files

\Users\Admin\AppData\Local\Temp\18254108\lgd.exe

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\18254108\kmi=osx

MD5 b0d258804fa00a647c1729344c174bc2
SHA1 0756e29d9285062368251067785ecd65ef6689d7
SHA256 b9d0bef84e72304ae026dc446c12d2682c203c572d36a09ffb3cd967aad35b7a
SHA512 d83e224ebecaa348e3d2d0f2784d63e689f66f3f7123444e165eb63d205becb2232ee2cba1f7fcd179bfafbeb9d97c505a73b53f9820b8d4d5f5e284f051a85d

C:\Users\Admin\AppData\Local\Temp\18254108\NNWVF

MD5 ff7459696f42bd340e804f7799127cc3
SHA1 696a0578c0319d67262b87eae12d6fa4d51701ff
SHA256 c9f7fcee294c82cf8f5e2c59cf1d5fc0b36e89422fa26eb0c86107a5086902d3
SHA512 baa4d51668ed197d2977f16074019cf78b5ba7ea48030e5861113b88ed5e38b8e61be8dc611fa2b9ed3d4ff3df00ecbc0f2478e247ec0a9f75e9c18af34eb72d

memory/2832-184-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-188-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-194-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-193-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-192-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2832-190-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-186-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-195-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-197-0x00000000004E0000-0x00000000004EA000-memory.dmp

memory/2832-198-0x00000000004F0000-0x000000000050E000-memory.dmp

memory/2832-199-0x0000000000510000-0x000000000051A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 20:21

Reported

2024-05-19 20:24

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18254108\\lgd.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\18254108\\KMI_OS~1" | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 868 set thread context of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3508 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | 3
PID 4688 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | 3
PID 868 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 868 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5b4966b97a3e3979116e52661911d864_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe

"C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe" kmi=osx

C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe

C:\Users\Admin\AppData\Local\Temp\18254108\lgd.exe C:\Users\Admin\AppData\Local\Temp\18254108\ZSOAM

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C Start C:\Users\Admin\AppData\Local\Temp\jb.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 80

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 elektroklinika.pl udp
PL 109.95.157.165:80 elektroklinika.pl tcp
US 8.8.8.8:53 165.157.95.109.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files
