Malware Analysis Report

2024-09-23 10:32

Sample ID 240614-lqxajayfmk
Target a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118
SHA256 788f64aca414214dddfb7e213559ad8f112c388d4a1d60907a3bda94e1f96a63
Tags: upx bootkit persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256 788f64aca414214dddfb7e213559ad8f112c388d4a1d60907a3bda94e1f96a63

Threat Level: Shows suspicious behavior

The file a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx bootkit persistence

UPX packed file

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 09:44

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 09:44

Reported

2024-06-14 09:47

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe N/A (20 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~3734550675943398405~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~3734550675943398405~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~3734550675943398405~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~3734550675943398405~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe C:\Windows\system32\cmd.exe (4 identical rows)
PID 1852 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~3734550675943398405~\sg.tmp (4 identical rows)
PID 1852 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~3734550675943398405~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~8090210575028580872"

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe

"C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe"

Network


Files

memory/1852-0-0x0000000000400000-0x0000000000549000-memory.dmp

\Users\Admin\AppData\Local\Temp\~3734550675943398405~\sg.tmp

\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.exe

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\360Base.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\360util.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\CrashReport.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\360conf.dll

memory/2584-80-0x00000000006F0000-0x00000000006F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360Speedr.ini

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTest.his

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360Netmon.ini

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\ipc\ipcService.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\netspeed.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360SpeedTestWebList.dat

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\360NetBase.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\PDown.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\360net.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\360NetSpd3.dat

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\netspeed.npl

\Users\Admin\AppData\Local\Temp\~8090210575028580872\360NetUL.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\safemon\urlproc.dll

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\netmon\netspeedtmp.npl

(zero-length file: the recorded MD5, SHA1, SHA256 and SHA512 are the digests of empty input)

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\360Verify.dll

memory/1852-110-0x0000000000400000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~8090210575028580872\LiveUpd360.dll

\Users\Admin\AppData\Local\Temp\~8090210575028580872\360P2SP.dll

memory/2584-118-0x00000000006F0000-0x00000000006F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 09:44

Reported

2024-06-14 09:47

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7074603145434275314~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~7074603145434275314~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7074603145434275314~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7074603145434275314~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe C:\Windows\SYSTEM32\cmd.exe (2 identical rows)
PID 116 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~7074603145434275314~\sg.tmp (3 identical rows)
PID 116 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~7074603145434275314~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\a906ec29b3aca3698c50749a8ddda7bc_JaffaCakes118.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~5735785932928376586"

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.exe

"C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

Network


Files

memory/116-0-0x0000000000400000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~7074603145434275314~\sg.tmp

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.exe

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360Base.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360util.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\CrashReport.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360conf.dll

memory/3688-77-0x0000000003440000-0x0000000003441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360Speedr.ini

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTest.his

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360Netmon.ini

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\ipc\ipcService.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360SpeedTestWebList.dat

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\netspeed.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360NetBase.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\PDown.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360net.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\360NetSpd3.dat

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360NetUL.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\safemon\urlproc.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\netspeed.npl

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\netmon\netspeedtmp.npl

(zero-length file: the recorded MD5, SHA1, SHA256 and SHA512 are the digests of empty input)

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360Verify.dll

memory/116-103-0x0000000000400000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\LiveUpd360.dll

C:\Users\Admin\AppData\Local\Temp\~5735785932928376586\360P2SP.dll

memory/3688-109-0x0000000003440000-0x0000000003441000-memory.dmp