Malware Analysis Report

2025-01-03 09:24

Sample ID 240620-r16vlsxapm
Target 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118
SHA256 75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6

Threat Level: Suspicious (score 7/10)

The file 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118 shows suspicious behavior. In the Windows 7 run it opens \??\PhysicalDrive0 for modification (a raw-disk write consistent with MBR/bootkit persistence), drops a byte-identical copy of itself as C:\Windows\lsass.exe (same MD5/SHA256 as the sample, outside the legitimate System32 location), requests SeDebugPrivilege in both the original and the dropped process, and launches a dropped batch file, C:\Windows\GUOCYOKl.BAT, through cmd.exe; the "Deletes itself" signature fires from that cmd.exe. The Windows 10 run reproduces the drop, privilege and batch-file behavior but records no PhysicalDrive0 write and no self-deletion. Both runs issue DNS queries for willianzjy0809.vicp.net via 8.8.8.8; no connection to that host is recorded.

Malicious Activity Summary

bootkit persistence

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:40

Reported

2024-06-20 14:43

Platform

win7-20240419-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\lsass.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\lsass.exe | N/A
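
Both the original sample and the dropped C:\Windows\lsass.exe open \??\PhysicalDrive0 for modification, so the practical follow-up on a suspect host is to check whether sector 0 actually changed. The script below is an added example for this report, not sandbox output: it parses a 512-byte MBR, verifies the 0x55AA boot signature and partition-table sanity, and compares the 440-byte boot-code region against a baseline hash. The clean and tampered sectors are constructed test data, not the sample's MBR; the baseline hash stands in for one taken from a known-good image. The raw device path \\.\PhysicalDrive0 is the Win32 name for the NT object the sandbox logs as \??\PhysicalDrive0.

```python
"""Check a 512-byte MBR for tampering: boot signature, partition-table sanity,
and boot-code hash against a baseline. Added example for this report, not
sandbox output; the sectors below are constructed test data, not the sample's MBR.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439: bootstrap code, the region a bootkit replaces
PART_TABLE_OFF = 446    # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55AA boot signature
PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partitions(sector: bytes) -> list:
    """Return the four partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector: bytes, baseline_bootcode_sha256: str = "") -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    if len(sector) != MBR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {MBR_SIZE}"]
    findings = []
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()
    if baseline_bootcode_sha256 and digest != baseline_bootcode_sha256:
        findings.append(f"boot code differs from baseline (sha256 {digest})")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {i}: empty type but non-zero LBA fields")
    return findings


def build_sector(bootcode: bytes, partitions: list) -> bytes:
    """Assemble an MBR from boot code and (status, type, lba_start, sectors) tuples (test helper)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, n) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, n)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (Windows, elevated). Not called in this example;
    the report shows the sample opening this same device for modification."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(MBR_SIZE)


# Constructed baseline: stand-in for the boot-code hash taken from a known-clean image.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_LEN - 8)
LAYOUT = [(0x80, 0x07, 2048, 1_000_000)]
CLEAN_SECTOR = build_sector(CLEAN_BOOTCODE, LAYOUT)
BASELINE = hashlib.sha256(CLEAN_SECTOR[:BOOTCODE_LEN]).hexdigest()

# Constructed tampered sector: first 64 bytes of boot code swapped, partition table left
# intact so the OS still boots, which is what lets a boot-code implant go unnoticed.
TAMPERED_SECTOR = build_sector(b"\xeb\x3e" + b"\x00" * 62 + CLEAN_BOOTCODE[64:], LAYOUT)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, check_mbr(sec, BASELINE) or "OK")
```

On a live host, replace the constructed sectors with `read_sector0()` output from an elevated session and a baseline hash recorded before the incident; a hash mismatch confined to the boot-code region, with the partition table unchanged, is the signature to look for after a PhysicalDrive0 write like the one logged above.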

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\lsass.exe | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\lsass.exe | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A
File created | C:\Windows\GUOCYOKl.BAT | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\lsass.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\lsass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"

C:\Windows\lsass.exe

C:\Windows\lsass.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\GUOCYOKl.BAT
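
The signature and process tables above describe four observable behaviors that translate directly into host-based detections: an lsass.exe image outside System32, a handle to PhysicalDrive0 opened for write, a binary running from a user's Temp directory writing files directly into C:\Windows, and cmd.exe /c executing a batch file from C:\Windows. The script below is an added example, not sandbox output or a vendor rule set: it encodes those four checks and runs them over constructed JSON-lines events modelled on the table rows, with two benign control rows (the real System32 lsass.exe and a notepad save). The event field names (type, process, target, cmdline) are assumptions, not any specific EDR or Sysmon schema.

```python
"""Detection logic for the behavior recorded in this report, run over constructed events.

Added example, not sandbox output. Field names are assumptions, not a real EDR schema.
"""
import json
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"

# Constructed events (not the sandbox's raw log), one JSON object per line.
EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "file_write", "process": SAMPLE, "target": r"C:\Windows\lsass.exe"},
    {"type": "file_write", "process": SAMPLE, "target": r"C:\Windows\GUOCYOKl.BAT"},
    {"type": "file_write", "process": SAMPLE, "target": r"\??\PhysicalDrive0"},
    {"type": "process_create", "process": r"C:\Windows\lsass.exe", "cmdline": r"C:\Windows\lsass.exe"},
    {"type": "file_write", "process": r"C:\Windows\lsass.exe", "target": r"\??\PhysicalDrive0"},
    {"type": "process_create", "process": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Windows\GUOCYOKl.BAT"},
    # benign control rows: the genuine LSASS and an ordinary document save
    {"type": "process_create", "process": r"C:\Windows\System32\lsass.exe",
     "cmdline": r"C:\Windows\system32\lsass.exe"},
    {"type": "file_write", "process": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\Admin\Documents\a.txt"},
])

RAW_DISK = re.compile(r"^(\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.IGNORECASE)   # \??\ or \\.\ device names
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)      # binary lives under AppData
WINDOWS_ROOT = re.compile(r"^C:\\Windows\\[^\\]+$", re.IGNORECASE)               # file directly in C:\Windows
BAT_IN_WINDOWS = re.compile(r'/c\s+"?C:\\Windows\\[^\\\s"]+\.bat\b', re.IGNORECASE)


def detect(event: dict) -> list:
    """Apply the four rules to one event and return the matching descriptions."""
    hits = []
    proc = event.get("process", "")
    target = event.get("target", "")
    cmdline = event.get("cmdline", "")
    # Rule 1: lsass.exe is only legitimate at %SystemRoot%\System32\lsass.exe
    if ntpath.basename(proc).lower() == "lsass.exe" and ntpath.dirname(proc).lower() != r"c:\windows\system32":
        hits.append("masquerading: lsass.exe outside System32")
    # Rule 2: raw physical-drive handle opened for write (MBR / bootkit write)
    if event.get("type") == "file_write" and RAW_DISK.match(target):
        hits.append("raw disk write: " + target)
    # Rule 3: binary running from a user-writable location drops a file directly into C:\Windows
    if event.get("type") == "file_write" and USER_WRITABLE.match(proc) and WINDOWS_ROOT.match(target):
        hits.append("temp binary wrote into Windows dir: " + ntpath.basename(target))
    # Rule 4: cmd.exe /c running a batch file from C:\Windows (the cleanup pattern seen here)
    if ntpath.basename(proc).lower() == "cmd.exe" and BAT_IN_WINDOWS.search(cmdline):
        hits.append("cmd /c batch in Windows dir")
    return hits


def scan(jsonl: str) -> list:
    """Return (event_index, hit) pairs for every rule match across the log."""
    out = []
    for i, line in enumerate(jsonl.splitlines()):
        if not line.strip():
            continue
        for hit in detect(json.loads(line)):
            out.append((i, hit))
    return out


if __name__ == "__main__":
    for idx, hit in scan(EVENTS):
        print(f"event {idx}: {hit}")
```

Rule 1 is the highest-value one for this sample: the dropped file carries the same hash as the original and keeps the lsass.exe name, so a path check (not a name check) is what separates it from the genuine process. Rule 2 will also fire for legitimate disk utilities and imaging tools, so in production pair it with the parent-process or signer context before alerting.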

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | willianzjy0809.vicp.net | udp

Files

memory/2936-0-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/2936-4-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2936-7-0x0000000001F50000-0x0000000001F53000-memory.dmp

memory/2936-6-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/2936-5-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2936-3-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2936-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2936-1-0x0000000000370000-0x00000000003B3000-memory.dmp

memory/2936-8-0x0000000001F40000-0x0000000001F41000-memory.dmp

memory/2936-15-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

memory/2936-14-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

memory/2936-13-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/2936-12-0x0000000001F70000-0x0000000001F71000-memory.dmp

memory/2936-11-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2936-17-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

memory/2936-18-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

memory/2936-20-0x0000000002000000-0x0000000002001000-memory.dmp

memory/2936-19-0x0000000002010000-0x0000000002011000-memory.dmp

memory/2936-16-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/2936-10-0x0000000001F20000-0x0000000001F21000-memory.dmp

memory/2936-9-0x0000000001F60000-0x0000000001F61000-memory.dmp

memory/2936-21-0x0000000002030000-0x0000000002031000-memory.dmp

memory/2936-25-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/2936-47-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/2936-46-0x00000000021E0000-0x00000000021E1000-memory.dmp

memory/2936-45-0x0000000002610000-0x0000000002611000-memory.dmp

memory/2936-44-0x0000000002620000-0x0000000002621000-memory.dmp

memory/2936-43-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2936-42-0x00000000021B0000-0x00000000021B1000-memory.dmp

memory/2936-41-0x00000000021C0000-0x00000000021C1000-memory.dmp

memory/2936-40-0x0000000002190000-0x0000000002191000-memory.dmp

memory/2936-39-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/2936-38-0x0000000002170000-0x0000000002171000-memory.dmp

memory/2936-37-0x0000000002180000-0x0000000002181000-memory.dmp

memory/2936-36-0x0000000002150000-0x0000000002151000-memory.dmp

memory/2936-35-0x0000000002160000-0x0000000002161000-memory.dmp

memory/2936-34-0x0000000002130000-0x0000000002131000-memory.dmp

memory/2936-33-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2936-32-0x0000000002110000-0x0000000002111000-memory.dmp

memory/2936-31-0x0000000002120000-0x0000000002121000-memory.dmp

memory/2936-30-0x00000000020F0000-0x00000000020F1000-memory.dmp

memory/2936-29-0x0000000002100000-0x0000000002101000-memory.dmp

memory/2936-28-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/2936-27-0x00000000020E0000-0x00000000020E1000-memory.dmp

memory/2936-26-0x0000000002060000-0x0000000002061000-memory.dmp

memory/2936-24-0x0000000002040000-0x0000000002041000-memory.dmp

memory/2936-23-0x0000000002050000-0x0000000002051000-memory.dmp

memory/2936-22-0x0000000002020000-0x0000000002021000-memory.dmp

memory/2936-51-0x0000000002630000-0x0000000002631000-memory.dmp

memory/2936-50-0x0000000002640000-0x0000000002641000-memory.dmp

memory/2936-53-0x0000000002650000-0x0000000002651000-memory.dmp

memory/2936-52-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2936-54-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2936-56-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2936-55-0x0000000002670000-0x0000000002671000-memory.dmp

memory/2936-57-0x0000000002690000-0x0000000002691000-memory.dmp

memory/2936-58-0x0000000002800000-0x0000000002801000-memory.dmp

memory/2936-59-0x00000000027F0000-0x00000000027F1000-memory.dmp

memory/2936-60-0x0000000003560000-0x0000000003561000-memory.dmp

memory/2936-62-0x0000000003580000-0x0000000003581000-memory.dmp

memory/2936-61-0x0000000003550000-0x0000000003551000-memory.dmp

memory/2936-65-0x0000000003590000-0x0000000003591000-memory.dmp

memory/2936-64-0x00000000035A0000-0x00000000035A1000-memory.dmp

memory/2936-63-0x0000000003570000-0x0000000003571000-memory.dmp

memory/2936-66-0x00000000035C0000-0x00000000035C1000-memory.dmp

memory/2936-68-0x00000000035E0000-0x00000000035E1000-memory.dmp

memory/2936-67-0x00000000035B0000-0x00000000035B1000-memory.dmp

memory/2936-69-0x00000000035D0000-0x00000000035D1000-memory.dmp

memory/2936-70-0x0000000003600000-0x0000000003601000-memory.dmp

memory/2936-72-0x0000000003620000-0x0000000003621000-memory.dmp

memory/2936-71-0x00000000035F0000-0x00000000035F1000-memory.dmp

memory/2936-73-0x0000000003610000-0x0000000003611000-memory.dmp

memory/2936-74-0x0000000003640000-0x0000000003641000-memory.dmp

memory/2936-75-0x0000000003630000-0x0000000003631000-memory.dmp

memory/2936-76-0x0000000003660000-0x0000000003661000-memory.dmp

memory/2936-77-0x0000000003650000-0x0000000003651000-memory.dmp

memory/2936-78-0x0000000003680000-0x0000000003681000-memory.dmp

memory/2936-79-0x0000000003670000-0x0000000003671000-memory.dmp

memory/2936-80-0x0000000003690000-0x0000000003691000-memory.dmp

memory/2936-81-0x00000000036C0000-0x00000000036C1000-memory.dmp

memory/2936-82-0x00000000036D0000-0x00000000036D1000-memory.dmp

memory/2936-83-0x00000000036A0000-0x00000000036A1000-memory.dmp

memory/2936-84-0x00000000036B0000-0x00000000036B1000-memory.dmp

memory/2936-85-0x00000000036E0000-0x00000000036E1000-memory.dmp

memory/2936-87-0x00000000036F0000-0x00000000036F1000-memory.dmp

memory/2936-86-0x0000000003700000-0x0000000003701000-memory.dmp

C:\Windows\lsass.exe

MD5 06eac92f6b9f34702c3d3bd2bd9555e7
SHA1 390bc1b081fcc49ec8b4f5839f7b289e582027c8
SHA256 75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6
SHA512 125b3c361c2d89bb6eaa5c95ee822268612c0d85341667a9ff53df18451723f995f4445c498da94f7521125a6cfb852f5ffd8c1efc933b9e3f607ba1c4f053c1

memory/2936-91-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/2228-90-0x0000000000360000-0x00000000003A3000-memory.dmp

memory/2228-89-0x0000000000400000-0x00000000004F4200-memory.dmp

C:\Windows\GUOCYOKl.BAT

MD5 01e30256c4b18e4eb53ab1f6d4ad9683
SHA1 450a08357c2774faadf58bf2a2c5280b17865994
SHA256 162553d33363b4da8ebf32823247727a0fb7c198e28f9d50e7ec81ebd9209267
SHA512 4a78426f8ba4b63b3add0b834e928c315a023237a81588e699f6cb6062c2dd50517a1605a6d05b505a24bf9e31c272f9e64e934aac49ca39e651479bee075e57

memory/2936-101-0x0000000000370000-0x00000000003B3000-memory.dmp

memory/2936-100-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/2228-103-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/2228-105-0x0000000000360000-0x00000000003A3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:40

Reported

2024-06-20 14:43

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\lsass.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\lsass.exe | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\lsass.exe | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A
File created | C:\Windows\GUOCYOKl.BAT | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\lsass.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\lsass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"

C:\Windows\lsass.exe

C:\Windows\lsass.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | willianzjy0809.vicp.net | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | willianzjy0809.vicp.net | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | willianzjy0809.vicp.net | udp
US | 8.8.8.8:53 | willianzjy0809.vicp.net | udp
US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp

Files

memory/2320-0-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/2320-1-0x0000000000B10000-0x0000000000B53000-memory.dmp

memory/2320-5-0x0000000002450000-0x0000000002451000-memory.dmp

memory/2320-4-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/2320-3-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/2320-2-0x0000000002470000-0x0000000002471000-memory.dmp

memory/2320-6-0x0000000002490000-0x0000000002491000-memory.dmp

memory/2320-7-0x00000000024D0000-0x00000000024D3000-memory.dmp

memory/2320-9-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/2320-8-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2320-10-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/2320-37-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/2320-42-0x0000000002810000-0x0000000002811000-memory.dmp

memory/2320-41-0x0000000002820000-0x0000000002821000-memory.dmp

memory/2320-40-0x00000000026E0000-0x00000000026E1000-memory.dmp

memory/2320-39-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/2320-38-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/2320-36-0x0000000002690000-0x0000000002691000-memory.dmp

memory/2320-35-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2320-34-0x0000000002670000-0x0000000002671000-memory.dmp

memory/2320-33-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2320-32-0x0000000002650000-0x0000000002651000-memory.dmp

memory/2320-31-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2320-30-0x0000000002630000-0x0000000002631000-memory.dmp

memory/2320-29-0x0000000002640000-0x0000000002641000-memory.dmp

memory/2320-28-0x0000000002610000-0x0000000002611000-memory.dmp

memory/2320-27-0x0000000002620000-0x0000000002621000-memory.dmp

memory/2320-26-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2320-25-0x0000000002600000-0x0000000002601000-memory.dmp

memory/2320-24-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/2320-23-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/2320-22-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2320-21-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2320-20-0x0000000002590000-0x0000000002591000-memory.dmp

memory/2320-19-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2320-18-0x0000000002570000-0x0000000002571000-memory.dmp

memory/2320-17-0x0000000002580000-0x0000000002581000-memory.dmp

memory/2320-16-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2320-15-0x0000000002560000-0x0000000002561000-memory.dmp

memory/2320-14-0x0000000002530000-0x0000000002531000-memory.dmp

memory/2320-13-0x0000000002540000-0x0000000002541000-memory.dmp

memory/2320-12-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/2320-11-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/2320-43-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/2320-45-0x0000000002960000-0x0000000002961000-memory.dmp

memory/2320-44-0x0000000002970000-0x0000000002971000-memory.dmp

memory/2320-47-0x0000000002990000-0x0000000002991000-memory.dmp

memory/2320-46-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2320-48-0x0000000002980000-0x0000000002981000-memory.dmp

memory/2320-49-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/2320-50-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2320-56-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/2320-55-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/2320-54-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/2320-53-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/2320-52-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/2320-51-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/2320-57-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/2320-58-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/2320-60-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2320-59-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/2320-61-0x0000000000B10000-0x0000000000B53000-memory.dmp

memory/2320-65-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/2320-64-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/2320-63-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/2320-62-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

memory/2320-66-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/2320-68-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/2320-77-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/2320-76-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/2320-75-0x0000000002E80000-0x0000000002E81000-memory.dmp

memory/2320-74-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/2320-73-0x0000000002E60000-0x0000000002E61000-memory.dmp

memory/2320-67-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/2320-72-0x0000000002E70000-0x0000000002E71000-memory.dmp

memory/2320-71-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/2320-70-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/2320-69-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/2320-83-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/2320-81-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/2320-80-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/2320-82-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/2320-85-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/2320-84-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/2320-86-0x0000000002F30000-0x0000000002F31000-memory.dmp

memory/2320-87-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/2320-90-0x0000000002F40000-0x0000000002F41000-memory.dmp

memory/2320-89-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/2320-88-0x0000000000400000-0x00000000004F4200-memory.dmp

C:\Windows\lsass.exe

MD5 06eac92f6b9f34702c3d3bd2bd9555e7
SHA1 390bc1b081fcc49ec8b4f5839f7b289e582027c8
SHA256 75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6
SHA512 125b3c361c2d89bb6eaa5c95ee822268612c0d85341667a9ff53df18451723f995f4445c498da94f7521125a6cfb852f5ffd8c1efc933b9e3f607ba1c4f053c1

memory/1280-93-0x0000000001180000-0x00000000011C3000-memory.dmp

memory/2320-94-0x0000000002980000-0x0000000002981000-memory.dmp

C:\Windows\GUOCYOKl.BAT

MD5 01e30256c4b18e4eb53ab1f6d4ad9683
SHA1 450a08357c2774faadf58bf2a2c5280b17865994
SHA256 162553d33363b4da8ebf32823247727a0fb7c198e28f9d50e7ec81ebd9209267
SHA512 4a78426f8ba4b63b3add0b834e928c315a023237a81588e699f6cb6062c2dd50517a1605a6d05b505a24bf9e31c272f9e64e934aac49ca39e651479bee075e57

memory/2320-98-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/2320-99-0x0000000000B10000-0x0000000000B53000-memory.dmp

memory/1280-100-0x0000000000400000-0x00000000004F4200-memory.dmp

memory/1280-102-0x0000000001180000-0x00000000011C3000-memory.dmp