Malware Analysis Report

2025-01-22 13:51

Sample ID 240831-cxlyps1aqd
Target cc15a4328fd432864596951111205eac_JaffaCakes118
SHA256 fb600ea4c6c05fcd6ad853d797541fe97b5af09c0bdc76591974585900f334fe
Tags: njrat hacked discovery persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fb600ea4c6c05fcd6ad853d797541fe97b5af09c0bdc76591974585900f334fe

Threat Level: Known bad

The file cc15a4328fd432864596951111205eac_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery persistence trojan

njRAT/Bladabindi

Loads dropped DLL

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-31 02:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-31 02:27
Reported: 2024-08-31 02:29
Platform: win10v2004-20240802-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\x_protected.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\x_protected.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x_protected.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4796 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 4796 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 4796 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 2780 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
PID 2780 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
PID 2780 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
PID 2940 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe
PID 2940 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe
PID 2940 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe
PID 1228 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
PID 1228 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
PID 1228 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\Encrypted.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
PID 3964 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
PID 3964 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
PID 3964 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
PID 4560 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | C:\Users\Admin\AppData\Local\Temp\x_protected.exe
PID 4560 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | C:\Users\Admin\AppData\Local\Temp\x_protected.exe
PID 4560 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe | C:\Users\Admin\AppData\Local\Temp\x_protected.exe
PID 4088 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\x_protected.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4088 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\x_protected.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4088 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\x_protected.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1672 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cc15a4328fd432864596951111205eac_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4cc 0x2ec

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\Encrypted.exe

"C:\Users\Admin\AppData\Local\Temp\Encrypted.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\x_protected.exe

"C:\Users\Admin\AppData\Local\Temp\x_protected.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4392,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=1016 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp/Server.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp/Server.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
N/A | 192.168.0.96:228 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
N/A | 192.168.0.96:228 | | tcp
N/A | 192.168.0.96:228 | | tcp
N/A | 192.168.0.96:228 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
N/A | 192.168.0.96:228 | | tcp
N/A | 192.168.0.96:228 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 31c98d6f87497ad5678940933c6fa92d
SHA1 484c4b83ae5a6a553272c4d70d7a0b063a673419
SHA256 c3644678930b553cbf661fac7ff29d17d84e51db47948d853df57f75cf5f3fed
SHA512 5545bd77f1ce8aea4f429d31975dca7ea856a500bde217e310b0e51ecbecf36d99d3f4fd8c56f0fc23687641bc1c06fe394acf5cc8f145463e9e4629546765c7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 886f296f0fa89947a64dc06a29d21a9f
SHA1 36b2349620cb3f21160b04237d05c335124eb3d9
SHA256 281c7f1a8529b2285cf13100a5dc86544eb61968cf1b21d5a7d1709882354fa8
SHA512 145ca42c170fd5773678df0905b153f8f1dd46d19d8fae32962f56ec795fc76ee691896dc012da50e6c2c8493df3ae816b0f8bf1a5b36399a4c12273ac737d76

C:\Users\Admin\AppData\Local\Temp\Encrypted.exe

MD5 a36f5c12488dfafe57097a60f7d83dd9
SHA1 71355632ffaad43a1f7b88e4ab1c7cbd43f30b02
SHA256 7a322eccb3bce396fe507ec0536e25d305bb4dc6688546452b405f06b05e8218
SHA512 9b21b0e8f798488d71cbdcbbd08f1d2de6930db0b70f8f999927ee621e7a6b976a0569a96145781d06fc2d4a66b8e2d4688f71014647621187cc3278d3a18069

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c.dat

MD5 7ab56a32661df54dbd0b55909bb535d0
SHA1 60ea0f683a8f5b1b6ea246d57c9ab0b1bb841a60
SHA256 072ce25b2d55dc9e7a08bad121fb7dd5546465427ea8c22bc8460fc67fac3fcb
SHA512 2d979ce0957d72a4f0d3d790e000e1b087d3dc0a0b8b0834cb6c1566b87ef8459cba9ed2f06ffbd4680a41b41670100fde390c06fee748868d29b892f39b1393

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe

MD5 da8581675128790f8212e325c5f311d8
SHA1 cbac61f7c4e732d56fc394b465b108ca665be078
SHA256 517034d3d74a8d6e0c927f0df3632309662dc7d5bc01a70de5f70d9f3aaf93fb
SHA512 06e468d0266214eef1b13e6c36d512c6012e5e89fc9557d85c6b291434714d74b1ddb9fb30ebda27fdf125c6517200e9a0804b08794d150598e690c671c580a0

C:\Users\Admin\AppData\Local\Temp\x_protected.exe

MD5 21e7a1c9247fe060180b44ed026e929c
SHA1 32c0e553bf5b009a792d93323b21a147bb652303
SHA256 dda9b7751458672ca4a5a8c83e78b400d914adbbb506cede1d6264674b258d2f
SHA512 85e47dd9a971d542a771ed6dd54859371b3ae94168dd74934f2be957877b9b71aac6c96323a5aa2e8373328dc56501c644115426ef0b0cdd4c60e1ef50afb92e

memory/4088-101-0x0000000000490000-0x0000000000808000-memory.dmp

memory/4088-102-0x0000000000490000-0x0000000000808000-memory.dmp

memory/4088-103-0x0000000005800000-0x000000000589C000-memory.dmp

memory/4088-104-0x0000000006140000-0x00000000066E4000-memory.dmp

memory/4088-105-0x0000000005C30000-0x0000000005CC2000-memory.dmp

memory/1672-115-0x0000000000250000-0x00000000005C8000-memory.dmp

memory/4088-117-0x0000000000490000-0x0000000000808000-memory.dmp

memory/1672-118-0x0000000000250000-0x00000000005C8000-memory.dmp

memory/1672-119-0x0000000000250000-0x00000000005C8000-memory.dmp

memory/1672-123-0x0000000000250000-0x00000000005C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ap2.dat

MD5 fc2a595f574b1ead82a6dcf06492c985
SHA1 400626784368fb9825a954ab8e14238054a277d1
SHA256 ee9a4903a8df90eff4c5b65a8073e564a3581cf73772a72eb82396e69932e769
SHA512 06506e70170a85a2d697550bfb555a19e210e93b972a38a482448cf8eca335605583d04f74f5fdd2911203c58aaca2f55b946c2dfe754ecf17c6b1763b7e37db

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua51.dll

MD5 7fa818f532effd80cf7c1c54676e5a0d
SHA1 05ce44c8d0672c9f3ce66436c592442377e69dba
SHA256 1c2d1ba8425139d45de89192d2ae4982e9581f8ae0f22b8497aa0055080237ca
SHA512 38baed895bc71bb890e91a92909f6e78ad34569ce6c7efd8bd9db50080da22697a085f98a3465c3e31165fb9029644e5a0f6bc5ba17d71d7f0dcd31784f0811d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ap1.dat

MD5 93270c4fa492e4e4edee872a2b961dde
SHA1 7b3c079d55d00aa5390662f0a2059e60546ed003
SHA256 25d49cbbd65d48ad462455f1143f73ee997df8f747e7d2213daab18e321c028b
SHA512 3d12721eb229d9227efc51c8e93d5f3ff6cabc305b643b764fcd6da76c031db4c8218b76b1f6158891995f23ce323c13826f59477924361cfb0dee2b9f94fb42

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ap3.dat

MD5 967fdfe0a01c083804673b4976ad6730
SHA1 5d05ade6dd0d1d67ea7879cd8f7779ef53abbd4c
SHA256 72eda9d49bcd0cd3b540f75c4215714378afbb1ce40afcbb7a0b246ab2a44f21
SHA512 50acacf15fa4cfa8319f789fb534cdb4a8d559ceb3e5e832b32015ff2fbee2c3902abfc83bc2493d57298ed32d0aeb6817e077758c4c2c956432b1d3f3c738d4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cdd.zip

MD5 1d5698b4e2dd3435d103865e881aa2dd
SHA1 d1cce8983325f009f859c24904ac3bc6c0d082ad
SHA256 064167b67acebca10b61531c2b8a6bc1539406f15002a2f56f3f8ecd29b10890
SHA512 088b3a42cc13c10f3867b13243170a97b9aaf7c1bd16d574f27ddee53e0ced62c5a643df2b03840676b621db6b001aa14e184ca6b27e657fbe5697bad43e7c4a

memory/1672-144-0x0000000003C30000-0x0000000003C3A000-memory.dmp

memory/2168-147-0x0000000000BC0000-0x0000000000F38000-memory.dmp

memory/2168-149-0x0000000000BC0000-0x0000000000F38000-memory.dmp

memory/2168-152-0x0000000000BC0000-0x0000000000F38000-memory.dmp

memory/5068-160-0x0000000000BC0000-0x0000000000F38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log

MD5 25d1b50e7c0d451f3d850eb54d27ca05
SHA1 a238807715c70a335f54e80d4855644b21a9e870
SHA256 650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5
SHA512 4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5

memory/5068-162-0x0000000000BC0000-0x0000000000F38000-memory.dmp

memory/5068-164-0x0000000000BC0000-0x0000000000F38000-memory.dmp