Malware Analysis Report

2024-09-23 11:55

Sample ID 240612-1mh13avgpn
Target a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118
SHA256 7b58dcbc568ce1400784f2101525498fc37a77ef03ab0f59b280a294daba9615
Tags bootkit persistence
Score 6/10

Analysis Overview

Score 6/10

SHA256 7b58dcbc568ce1400784f2101525498fc37a77ef03ab0f59b280a294daba9615

Threat Level: Shows suspicious behavior

The file a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118 was assigned the threat level "Shows suspicious behavior".

Malicious Activity Summary

bootkit persistence

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Executes dropped EXE

Loads dropped DLL

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-12 21:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-12 21:45

Reported 2024-06-12 21:48

Platform win7-20240419-en

Max time kernel 150s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

Tags bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\downloader.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -aoa

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP

Network

Files

C:\Users\Admin\AppData\Roaming\youxi_gjol_downloader\skin\skin.sk

C:\Users\Admin\AppData\Roaming\youxi_gjol_downloader\config.ini

memory/2768-14-0x0000000000E20000-0x0000000000E21000-memory.dmp

\Users\Admin\AppData\Local\Temp\7za.exe

C:\Users\Admin\AppData\Local\Temp\downloader.7z

C:\Users\Admin\AppData\Local\Temp\DlMgr.dll

C:\Users\Admin\AppData\Local\Temp\xldl.dll

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

memory/2768-60-0x0000000004F60000-0x0000000004FB4000-memory.dmp

memory/2768-59-0x0000000004F60000-0x0000000004FB4000-memory.dmp

\Users\Admin\AppData\Local\Temp\download\msvcr71.dll

\Users\Admin\AppData\Local\Temp\download\msvcp71.dll

C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

memory/2588-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2588-75-0x000000006FFF0000-0x0000000070000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll

\Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll

C:\Users\Admin\AppData\Local\Temp\download\XLBugReport.exe

memory/2588-78-0x0000000002A10000-0x0000000002D4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL

C:\Users\Admin\AppData\Local\Temp\download\id.dat

\Users\Admin\AppData\Local\Temp\download\zlib1.dll

memory/2768-94-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/2768-95-0x0000000004F60000-0x0000000004FB4000-memory.dmp

memory/2588-97-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-12 21:45

Reported 2024-06-12 21:48

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe | N/A

Writes to the Master Boot Record (MBR)

Tags bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2893fa205e3e21051e634f7ebe1a405_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\downloader.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -aoa

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8

Network

Files

C:\Users\Admin\AppData\Roaming\youxi_gjol_downloader\skin\skin.sk

C:\Users\Admin\AppData\Roaming\youxi_gjol_downloader\config.ini

C:\Users\Admin\AppData\Local\Temp\7za.exe

C:\Users\Admin\AppData\Local\Temp\downloader.7z

C:\Users\Admin\AppData\Local\Temp\DlMgr.dll

C:\Users\Admin\AppData\Local\Temp\xldl.dll

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll

C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll

memory/2028-55-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

C:\Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll

C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll

C:\Users\Admin\AppData\Local\Temp\download\id.dat

memory/2028-71-0x00000000028F0000-0x0000000002C2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll

memory/2028-67-0x000000006FFF0000-0x0000000070000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download\XLBugReport.exe

C:\Users\Admin\AppData\Local\Temp\download\atl71.dll

memory/2028-88-0x0000000000400000-0x0000000000454000-memory.dmp