Malware Analysis Report

2025-01-03 09:24

Sample ID 240620-qxr2lsvbrm
Target 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118
SHA256 43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467

Threat Level: Shows suspicious behavior

The file 067e52f8f51d0ebc3500386943f3891c_JaffaCakes118 shows suspicious behavior: it copies itself to C:\Windows\Hacker.com.cn.exe (the dropped file has the same MD5/SHA1/SHA256 as the sample), executes that copy, opens \??\PhysicalDrive0 for modification, and removes the original through C:\Windows\uninstal.bat launched via cmd.exe. The registry writes under HKEY_USERS\.DEFAULT and the file under C:\Windows\SysWOW64\config\systemprofile are WinINet side effects consistent with the dropped copy running in the LocalSystem context.

Malicious Activity Summary

bootkit persistence

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 13:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 13:38

Reported

2024-06-20 13:41

Platform

win7-20240508-en

Max time kernel

141s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Hacker.com.cn.exe N/A
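Both the original sample and the dropped copy open \??\PhysicalDrive0 for modification, which is how boot code is overwritten from user mode. The following is an added example, not sandbox output: it parses a raw 512-byte MBR and diffs it against a known-good baseline so an analyst can confirm whether the boot code or the partition table changed after detonation. The two sectors it uses are constructed; read_live_mbr shows how the same check would read the first sector of a real disk on Windows (administrator rights required).

```python
"""Parse a 512-byte MBR sector and diff it against a known-good baseline.

Added example for the 'Writes to the Master Boot Record (MBR)' signature;
this is not code from the sandbox. The sample sectors below are constructed.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw MBR into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, lba_len = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_len == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": lba_len,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return findings where `current` deviates from `baseline`; [] if unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootkit install)")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical disk (Windows, requires administrator)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: caller-supplied boot code plus one bootable NTFS (0x07) entry."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + bytes(3 * PART_ENTRY_LEN) + BOOT_SIGNATURE


# Constructed baseline: a few plausible opcode bytes followed by NOP padding.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439
BASELINE_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
# Simulated tamper: the first two boot-code bytes are overwritten, table untouched.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:])

if __name__ == "__main__":
    for line in diff_mbr(BASELINE_MBR, TAMPERED_MBR):
        print(line)
```

Take the baseline sector from the clean VM image before detonation (or from a known-good host); comparing only the boot-code hash is not enough, since a bootkit that relocates the original MBR may also rewrite the partition table.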

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Hacker.com.cn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A
File created C:\Windows\uninstal.bat C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDecision = "0" C:\Windows\Hacker.com.cn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDetectedUrl C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDecisionTime = b0e0b27d17c3da01 C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadDecisionTime = 503ac83217c3da01 C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadDecision = "0" C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDecisionTime = 503ac83217c3da01 C:\Windows\Hacker.com.cn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Hacker.com.cn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDecisionReason = "1" C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\c2-ec-e7-c5-a8-51 C:\Windows\Hacker.com.cn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51 C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621} C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadDecisionReason = "1" C:\Windows\Hacker.com.cn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadNetworkName = "Network 3" C:\Windows\Hacker.com.cn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadDecisionTime = b0e0b27d17c3da01 C:\Windows\Hacker.com.cn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Hacker.com.cn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"

C:\Windows\Hacker.com.cn.exe

C:\Windows\Hacker.com.cn.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\uninstal.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.531140.com udp
US 8.8.8.8:53 www.531140.com udp
US 8.8.8.8:53 www.531140.com udp

Files

memory/2908-0-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2908-1-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2908-2-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2908-3-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2908-6-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2908-7-0x0000000000400000-0x00000000004E8000-memory.dmp

C:\Windows\Hacker.com.cn.exe

MD5 067e52f8f51d0ebc3500386943f3891c
SHA1 79cf4bb78b46a77d21b12bf7032c2fbf4a7ed0a2
SHA256 43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467
SHA512 b96394357f6f898e7a2528b0c2804b6814aa386fc625fe4d519e0b6b23876633d8471a27d31ba844667b36125fa51fce727feb399075553beb46c4a2b5c76856

memory/2160-12-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2160-11-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2160-10-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2160-9-0x0000000000400000-0x00000000004E8000-memory.dmp

C:\Windows\uninstal.bat

MD5 53fac45070988c2db633617ac2217025
SHA1 38812f982c7c84cd392165b46f51d70a0cd76b32
SHA256 23c950293e0983f6bab3a1ba52af275a06c6a445e542ac45fe438b975213677f
SHA512 9a1eeac606a56141201fc9d6b5a1a1ea444b0c4619fb0743d2e5ccf4143d9459b59e4863ac201072e8bae02f93d23c2135ffdaceee2cf3c460b3a2975ba81d0f

memory/2908-21-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2160-23-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2160-24-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/2160-30-0x0000000000400000-0x00000000004E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 13:38

Reported

2024-06-20 13:41

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A
File created C:\Windows\uninstal.bat C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A
File created C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Hacker.com.cn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Hacker.com.cn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Hacker.com.cn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Hacker.com.cn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"

C:\Windows\Hacker.com.cn.exe

C:\Windows\Hacker.com.cn.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
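Both behavioral runs show the same chain: the sample in the user's Temp directory drops C:\Windows\Hacker.com.cn.exe and C:\Windows\uninstal.bat, the dropped executable runs, and cmd.exe is launched with /c on the batch file (as `cmd /c ...` in behavioral1 and `C:\Windows\system32\cmd.exe /c ...` in behavioral2). The following is an added detection example, not sandbox code: it correlates file-creation and process-creation records into that drop / execute / batch-cleanup chain. The event records are constructed to mirror the process trees above and use Sysmon-style field names (EventId 11 for file create, 1 for process create); the benign rows are made up to show what is not reported.

```python
"""Correlate file-creation and process-creation events into a
drop -> execute -> batch-cleanup chain of the kind both detonations show.

Added example, not sandbox output. Records are constructed dicts with
Sysmon-style field names; nothing here reads a real event log.
"""
import re
from typing import Dict, List

# Paths a standard user can write to (where the original sample lives).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# Files placed directly in C:\Windows (not a subdirectory).
WINDOWS_DIR = re.compile(r"^c:\\windows\\[^\\]+$", re.I)
# 'cmd /c X.bat' or 'C:\Windows\system32\cmd.exe /c X.bat', quoted or not.
CMD_BATCH = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"?(?P<bat>[^\s"]+\.bat)', re.I)


def find_drop_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per dropper that (1) writes files into C:\\Windows from a
    user-writable path, (2) has a dropped EXE executed, and (3) has a dropped
    .bat run via cmd /c. Partial chains are not reported."""
    created: Dict[str, str] = {}  # lower-cased dropped path -> creator image
    for ev in events:
        if (ev["EventId"] == 11 and USER_WRITABLE.match(ev["Image"])
                and WINDOWS_DIR.match(ev["TargetFilename"])):
            created[ev["TargetFilename"].lower()] = ev["Image"]

    chains: Dict[str, Dict] = {}  # dropper image -> finding

    def finding_for(dropper: str) -> Dict:
        return chains.setdefault(dropper, {"dropper": dropper, "executed": [], "batch": []})

    for ev in events:
        if ev["EventId"] != 1:
            continue
        image_l = ev["Image"].lower()
        if image_l in created and image_l.endswith(".exe"):
            finding_for(created[image_l])["executed"].append(ev["Image"])
        m = CMD_BATCH.search(ev["CommandLine"])
        if m and m.group("bat").lower() in created:
            finding_for(created[m.group("bat").lower()])["batch"].append(m.group("bat"))

    return [c for c in chains.values() if c["executed"] and c["batch"]]


# Constructed events mirroring the behavioral1 process tree, plus benign noise.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\067e52f8f51d0ebc3500386943f3891c_JaffaCakes118.exe"
EVENTS = [
    {"EventId": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\Hacker.com.cn.exe", "CommandLine": ""},
    {"EventId": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\uninstal.bat", "CommandLine": ""},
    {"EventId": 1, "Image": r"C:\Windows\Hacker.com.cn.exe", "TargetFilename": "",
     "CommandLine": r"C:\Windows\Hacker.com.cn.exe"},
    {"EventId": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "TargetFilename": "",
     "CommandLine": r"cmd /c C:\Windows\uninstal.bat"},
    # Benign: an installer under Program Files writing a log into C:\Windows.
    {"EventId": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Windows\vendor.log", "CommandLine": ""},
    {"EventId": 1, "Image": r"C:\Windows\System32\notepad.exe", "TargetFilename": "",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for chain in find_drop_chains(EVENTS):
        print(chain)
```

The rule keys on the creator's path rather than on the file name, so a renamed copy of the same dropper is still caught; the cost is that legitimate installers running from AppData (some per-user setups do) will need an allow-list.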

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.531140.com udp
US 8.8.8.8:53 www.531140.com udp
US 8.8.8.8:53 www.531140.com udp
US 8.8.8.8:53 www.531140.com udp

Files

memory/5000-0-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/5000-5-0x0000000002380000-0x0000000002381000-memory.dmp

memory/5000-16-0x0000000002460000-0x0000000002461000-memory.dmp

memory/5000-45-0x0000000002850000-0x0000000002851000-memory.dmp

memory/5000-44-0x0000000002820000-0x0000000002821000-memory.dmp

memory/5000-43-0x0000000002350000-0x0000000002351000-memory.dmp

memory/5000-42-0x0000000002330000-0x0000000002331000-memory.dmp

memory/5000-41-0x0000000002840000-0x0000000002841000-memory.dmp

memory/5000-40-0x0000000002810000-0x0000000002811000-memory.dmp

memory/5000-38-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/5000-39-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/5000-37-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/5000-36-0x00000000026B0000-0x00000000026B1000-memory.dmp

memory/5000-35-0x0000000002680000-0x0000000002681000-memory.dmp

memory/5000-34-0x0000000002690000-0x0000000002691000-memory.dmp

memory/5000-33-0x0000000002650000-0x0000000002651000-memory.dmp

memory/5000-32-0x0000000002660000-0x0000000002661000-memory.dmp

memory/5000-31-0x0000000002630000-0x0000000002631000-memory.dmp

memory/5000-30-0x0000000002640000-0x0000000002641000-memory.dmp

memory/5000-29-0x0000000002610000-0x0000000002611000-memory.dmp

memory/5000-28-0x0000000002620000-0x0000000002621000-memory.dmp

memory/5000-27-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/5000-26-0x0000000002500000-0x0000000002501000-memory.dmp

memory/5000-25-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/5000-24-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/5000-23-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/5000-22-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/5000-21-0x0000000002490000-0x0000000002491000-memory.dmp

memory/5000-20-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/5000-19-0x0000000002470000-0x0000000002471000-memory.dmp

memory/5000-18-0x0000000002480000-0x0000000002481000-memory.dmp

memory/5000-17-0x0000000002450000-0x0000000002451000-memory.dmp

memory/5000-15-0x0000000002430000-0x0000000002431000-memory.dmp

memory/5000-14-0x0000000002440000-0x0000000002441000-memory.dmp

memory/5000-13-0x0000000002410000-0x0000000002411000-memory.dmp

memory/5000-12-0x0000000002420000-0x0000000002421000-memory.dmp

memory/5000-11-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/5000-10-0x0000000002400000-0x0000000002401000-memory.dmp

memory/5000-9-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/5000-8-0x0000000002370000-0x0000000002371000-memory.dmp

memory/5000-7-0x0000000002360000-0x0000000002361000-memory.dmp

memory/5000-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/5000-3-0x0000000002130000-0x0000000002131000-memory.dmp

memory/5000-2-0x0000000002140000-0x0000000002141000-memory.dmp

memory/5000-1-0x0000000002180000-0x00000000021C3000-memory.dmp

memory/5000-4-0x0000000002390000-0x0000000002393000-memory.dmp

memory/5000-48-0x0000000002830000-0x0000000002831000-memory.dmp

memory/5000-84-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/5000-83-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/5000-82-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/5000-81-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/5000-80-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

memory/5000-79-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

memory/5000-78-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/5000-77-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/5000-76-0x0000000002D50000-0x0000000002D51000-memory.dmp

memory/5000-75-0x0000000002D60000-0x0000000002D61000-memory.dmp

memory/5000-74-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/5000-73-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/5000-72-0x0000000002D10000-0x0000000002D11000-memory.dmp

memory/5000-71-0x0000000002D20000-0x0000000002D21000-memory.dmp

memory/5000-70-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

memory/5000-69-0x0000000002D00000-0x0000000002D01000-memory.dmp

memory/5000-68-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

memory/5000-67-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/5000-66-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

memory/5000-65-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

memory/5000-64-0x0000000002C90000-0x0000000002C91000-memory.dmp

memory/5000-63-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

memory/5000-62-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/5000-61-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/5000-60-0x0000000002910000-0x0000000002911000-memory.dmp

memory/5000-59-0x0000000002920000-0x0000000002921000-memory.dmp

memory/5000-58-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/5000-57-0x0000000002900000-0x0000000002901000-memory.dmp

memory/5000-56-0x00000000028D0000-0x00000000028D1000-memory.dmp

memory/5000-55-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/5000-54-0x00000000028B0000-0x00000000028B1000-memory.dmp

memory/5000-53-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/5000-52-0x0000000002890000-0x0000000002891000-memory.dmp

memory/5000-51-0x00000000028A0000-0x00000000028A1000-memory.dmp

memory/5000-50-0x0000000002870000-0x0000000002871000-memory.dmp

memory/5000-49-0x0000000002880000-0x0000000002881000-memory.dmp

memory/5000-86-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/5000-85-0x0000000002E00000-0x0000000002E01000-memory.dmp

C:\Windows\Hacker.com.cn.exe

MD5 067e52f8f51d0ebc3500386943f3891c
SHA1 79cf4bb78b46a77d21b12bf7032c2fbf4a7ed0a2
SHA256 43257dbb1e6e811091f595d08030509f64f34a3fdb434912594ca23527f58467
SHA512 b96394357f6f898e7a2528b0c2804b6814aa386fc625fe4d519e0b6b23876633d8471a27d31ba844667b36125fa51fce727feb399075553beb46c4a2b5c76856

memory/4952-89-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/4952-90-0x00000000007C0000-0x0000000000803000-memory.dmp

memory/5000-93-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/5000-94-0x0000000002180000-0x00000000021C3000-memory.dmp

C:\Windows\uninstal.bat

MD5 53fac45070988c2db633617ac2217025
SHA1 38812f982c7c84cd392165b46f51d70a0cd76b32
SHA256 23c950293e0983f6bab3a1ba52af275a06c6a445e542ac45fe438b975213677f
SHA512 9a1eeac606a56141201fc9d6b5a1a1ea444b0c4619fb0743d2e5ccf4143d9459b59e4863ac201072e8bae02f93d23c2135ffdaceee2cf3c460b3a2975ba81d0f

memory/4952-96-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/4952-97-0x0000000000400000-0x00000000004E8000-memory.dmp

memory/4952-98-0x00000000007C0000-0x0000000000803000-memory.dmp

memory/4952-102-0x0000000000400000-0x00000000004E8000-memory.dmp