Malware Analysis Report

2025-06-16 07:18

Sample ID 240602-b3bt9aee5x
Target 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118
SHA256 20880bb6f71040cecbb2d9a79c3071f5fea80c50d35cbcf9f0e5783461adc893
Tags
evasion trojan persistence
score
10/10

Analysis Overview

score
10/10

SHA256

20880bb6f71040cecbb2d9a79c3071f5fea80c50d35cbcf9f0e5783461adc893

Threat Level: Known bad

The file 8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion trojan persistence

UAC bypass

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 01:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 01:39

Reported

2024-06-02 01:42

Platform

win7-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\wulmrcma\jkiaaaa.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts.Lists C:\Windows\wulmrcma\jkiaaaa.exe N/A
File created C:\Windows\wulmrcma\conf.ini C:\Windows\wulmrcma\jkiaaaa.exe N/A
File opened for modification C:\Windows\wulmrcma C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
File created C:\Windows\wulmrcma\jkiaaaa.exe C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\wulmrcma\jkiaaaa.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A (same entry repeated 22 times)

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe"

C:\Windows\wulmrcma\jkiaaaa.exe

C:\Windows\wulmrcma\jkiaaaa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 568

Network

Country Destination Domain Proto
JP 210.134.66.83:55554 tcp (8 connections)
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Config.ini

MD5 d2daea27ed35c95855500b083fbb9401
SHA1 6b46107eca4365f90a3f2e86fbe89fc92dd8e575
SHA256 b455afa508f6e005c3111dfd599348e1b64d7a2215e3970eb888dfd740640696
SHA512 663c79911de565f8a3eae1ff7a340a1c564d8b2bd6e89df47a5c6d7dc2b707077a1c21304338ac908c7dfb21d90e09764141fd927d985329f059cbe9665515c6

\Windows\wulmrcma\jkiaaaa.exe

MD5 5243fa11db5e0f7ab6bdbc4243fedd2a
SHA1 22709d5eb3b82412220d94fcbc2086230b578edc
SHA256 4b59b435e6be9d2c8d15237f285e5d163b5a8aae0fd07378fa85f38237c23d8b
SHA512 23cb4e45d5293c407dfc4f3b0a9b2874608d7efe076606ab06194114f6571902b4336ce07f80ac98f0d12221fdb2261fd35b35bbc02fe614fc20c3544e853ebd

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\3310a4fa6cb9c60504498d7eea986fc2_4456596e-0528-4680-8940-5edc26c0ff50

MD5 45218adff3ea5bde8a8f61987f0f458b
SHA1 cf7fffa410795cc2f7703755f0acd17b51a44ad7
SHA256 f95361b82464704675f559b13c007c9567e5914984042f537122383e747194d4
SHA512 8442cac48931075ec5bd31ea82faffc4f64d7b6845d5c477d06fc3d7eefeac1fa366b6880a85709a520a343b5dd3771e69bc4b7482cde50e69e04215927a2018

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 01:39

Reported

2024-06-02 01:42

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\mmodyaox\znsaaaa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\mmodyaox\znsaaaa.exe N/A
N/A N/A C:\Windows\PLA\userplus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\PLA\userplus.exe N/A
N/A N/A C:\Windows\PLA\userplus.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plus = "C:\\Windows\\mmodyaox\\znsaaaa.exe" C:\Windows\mmodyaox\znsaaaa.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\mmodyaox\znsaaaa.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\NlsLexicons00ssx.dll C:\Windows\mmodyaox\znsaaaa.exe N/A
File created C:\Windows\system32\NlsLexicons00mmx.dll C:\Windows\mmodyaox\znsaaaa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mmodyaox C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts.Lists C:\Windows\mmodyaox\znsaaaa.exe N/A
File created C:\Windows\mmodyaox\conf.ini C:\Windows\mmodyaox\znsaaaa.exe N/A
File opened for modification C:\Windows\system\system.log C:\Windows\mmodyaox\znsaaaa.exe N/A
File created C:\Windows\PLA\userplus.exe C:\Windows\mmodyaox\znsaaaa.exe N/A
File opened for modification C:\Windows\Media\shomll.log C:\Windows\mmodyaox\znsaaaa.exe N/A
File created C:\Windows\Media\shomll.log C:\Windows\mmodyaox\znsaaaa.exe N/A
File created C:\Windows\mmodyaox\znsaaaa.exe C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
File created C:\Windows\Setup\Extensionm.dll C:\Windows\mmodyaox\znsaaaa.exe N/A
File created C:\Windows\mmodyaox\Tempznsaaaa.exe C:\Windows\PLA\userplus.exe N/A
File opened for modification C:\Windows\mmodyaox\Tempznsaaaa.exe C:\Windows\PLA\userplus.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Windows\mmodyaox\znsaaaa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\mmodyaox\znsaaaa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A (2 occurrences)
N/A N/A C:\Windows\mmodyaox\znsaaaa.exe N/A (14 occurrences)
N/A N/A C:\Windows\PLA\userplus.exe N/A (48 occurrences)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\mmodyaox\znsaaaa.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\PLA\userplus.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\mmodyaox\znsaaaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\mmodyaox\znsaaaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8c7d811fbbf83e6dcb7a717a8b3cc973_JaffaCakes118.exe"

C:\Windows\mmodyaox\znsaaaa.exe

C:\Windows\mmodyaox\znsaaaa.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userplus.exe"

C:\Windows\PLA\userplus.exe

C:\Windows\PLA\userplus.exe

Network

Country Destination Domain Proto
JP 210.134.66.83:55554 tcp (8 connections)
JP 210.134.71.220:55551 bibiballd.zz.am tcp (8 connections)
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 bibiballf.zz.am udp
US 8.8.8.8:53 bibiballd.zz.am udp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Config.ini

MD5 d2daea27ed35c95855500b083fbb9401
SHA1 6b46107eca4365f90a3f2e86fbe89fc92dd8e575
SHA256 b455afa508f6e005c3111dfd599348e1b64d7a2215e3970eb888dfd740640696
SHA512 663c79911de565f8a3eae1ff7a340a1c564d8b2bd6e89df47a5c6d7dc2b707077a1c21304338ac908c7dfb21d90e09764141fd927d985329f059cbe9665515c6

C:\Windows\mmodyaox\znsaaaa.exe

MD5 5243fa11db5e0f7ab6bdbc4243fedd2a
SHA1 22709d5eb3b82412220d94fcbc2086230b578edc
SHA256 4b59b435e6be9d2c8d15237f285e5d163b5a8aae0fd07378fa85f38237c23d8b
SHA512 23cb4e45d5293c407dfc4f3b0a9b2874608d7efe076606ab06194114f6571902b4336ce07f80ac98f0d12221fdb2261fd35b35bbc02fe614fc20c3544e853ebd

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-540404634-651139247-2967210625-1000\3310a4fa6cb9c60504498d7eea986fc2_41e50f4a-4a76-42e1-a3df-51306e426307

MD5 45218adff3ea5bde8a8f61987f0f458b
SHA1 cf7fffa410795cc2f7703755f0acd17b51a44ad7
SHA256 f95361b82464704675f559b13c007c9567e5914984042f537122383e747194d4
SHA512 8442cac48931075ec5bd31ea82faffc4f64d7b6845d5c477d06fc3d7eefeac1fa366b6880a85709a520a343b5dd3771e69bc4b7482cde50e69e04215927a2018

C:\Windows\mmodyaox\conf.ini

MD5 9ca8e9158e2cd31e6756c86265ff89de
SHA1 f0747b4b325833c743c5ed799d8a94ee7a043429
SHA256 029afa1b15c77ae61a2ec68c66ffd439ca7d4687fa4c968a746c756d895532b6
SHA512 6becdda182d7f4a2252b548220159eb5300904b5c6eef598b3e7c442808080d5e686fced68f83f1762a904b3227669f82b3196538ab569762ff5560e22e2801e

C:\Windows\PLA\userplus.exe

MD5 ba44267754b92c5afeb5ec2df0c5876f
SHA1 55b402f471cc6330cf92ca8ed15f40f5e6a5b0a5
SHA256 a0b260886f386461d170f8c150038ccfa7a2a21543312c0acdce835f87474877
SHA512 a4dff971570c05d5a54419b6186796fc15e1fc888a460a4d53c1b5c43e0bcf499f16fa30aa6e795b0ee1d6d521b5267e705087fb61ea59ffaf27e1e41adb003b

C:\Windows\system32\NlsLexicons00mmx.dll

MD5 ca43974f638606af7259397a344e0434
SHA1 02b7cf6e2a7fd77f619e27c7584180a950aa7fe8
SHA256 4f394c128557a3f05c817aae8ddd005e2f462b298b858b1d49277fe574ce6752
SHA512 ab986229c156f1404895983399c64513cc13be3083309b9b61413024922fbf3322e203184e19bb5090c78b813a28362d345a1cb229e61e67d91dd803512a4786

C:\Windows\system32\NlsLexicons00ssx.dll

MD5 b1a562ae50903a943e6e0884a7c3aa28
SHA1 57fcd5de222c7f99bd82372056127841fbc80e6e
SHA256 8402155eb3a3fb0fdc7ce7bbea87e8a59d81ae03e46d5d2ff041663d7051d3fc
SHA512 a1b7bcce916e80c2cf83029471f665bb0dfe411341c1817a0a3b0bdc758f24a45676b2b000890578320cbb6c4457ed23535188cff2d7fddcacedebcd8a414dab

memory/2604-173-0x00007FFA72B60000-0x00007FFA72B70000-memory.dmp

memory/2604-177-0x00007FFA72C0D000-0x00007FFA72C0E000-memory.dmp

memory/2604-178-0x00007FFA72B70000-0x00007FFA72D65000-memory.dmp