Malware Analysis Report

2024-10-19 07:12

Sample ID 240506-kwyvwaaa87
Target 1bbab54c70efe5ef9438a1482ba2d9b1_JaffaCakes118
SHA256 c4166f3f398f28621eb722ba42651504c89ab29a8daaa7867d42959510a17157
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 1bbab54c70efe5ef9438a1482ba2d9b1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

NanoCore

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-05-06 08:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 08:57

Reported

2024-05-06 09:00

Platform

win7-20240419-en

Max time kernel

146s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Document.scr" /S

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37055590\\ijc.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\37055590\\CGQ_RW~1" | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2336 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DOS Manager\dosmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\DOS Manager\dosmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1752 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Document.scr | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe
PID 2704 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe
PID 2336 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 848 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2184 wrote to memory of 1240 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Document.scr

"C:\Users\Admin\AppData\Local\Temp\Document.scr" /S

C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe

"C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe" cgq=rws

C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe

C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe C:\Users\Admin\AppData\Local\Temp\37055590\QVTGM

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tats2lou.ddns.net | udp
CH | 91.192.100.55:56098 | | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 08:57

Reported

2024-05-06 09:00

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Document.scr" /S

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Document.scr | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37055590\\ijc.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\37055590\\CGQ_RW~1" | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasvc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5456 set thread context of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WPA Service\wpasvc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\WPA Service\wpasvc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 752 wrote to memory of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\Document.scr | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe
PID 3812 wrote to memory of 5456 | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe
PID 5456 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4356 wrote to memory of 1828 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4356 wrote to memory of 380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Document.scr

"C:\Users\Admin\AppData\Local\Temp\Document.scr" /S

C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe

"C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe" cgq=rws

C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe

C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe C:\Users\Admin\AppData\Local\Temp\37055590\QVTGM

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4DC3.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 tats2lou.ddns.net udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp
CH 91.192.100.55:56098 tcp

Files

C:\Users\Admin\AppData\Local\Temp\37055590\ijc.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\37055590\ToolbarConstants.ppt

MD5 be67ba05bf48125fe58f83b115f77d3e
SHA1 c56ee1dc3614bbf6d44dfd88aef94e3fa347d0d4
SHA256 acab20e5e1d360c20503a169eeff2cd3ee9bbeb1bcd33851a488b68c3f10aa99
SHA512 90304b521116068d29e6dbe181ece57ee95016b1263459db8515e6840efd7f50a92fa2310c9287f784cc9e38eb1698ab82a08c22bb951a462899f126baf132a6

C:\Users\Admin\AppData\Local\Temp\37055590\GuiDateTimePicker.mp4

MD5 33b87affc703f2a4c7dcd179761961a0
SHA1 f49c72e410c99625fb9133c2b51579c4cd3d0cb2
SHA256 e9f3ccfc52b9fff846f546ce9e35a490bdf5bf64e456edfc1be41948ed9c4c66
SHA512 161f8d96384c8e87d553cc5f9779a8c7063b7ba7b8bcd3c55407ec6a4a77edc4b78e9d38580a3823df49e864292f10da339f0517e973f5bfd15d1145e3c56963

C:\Users\Admin\AppData\Local\Temp\37055590\cgq=rws

MD5 4bd53fc6da51f39038842f25eb91757e
SHA1 c9acbd93b67d8a0c1ac5b83d67f550662ef7d166
SHA256 0438e4d18eb96f9476b66a7257c16352d7df5aee1dabd31bc6df9260df64d902
SHA512 b6f04157dee0732d8c65c341c37b616829246d2a853e3eb5769de5504e8245abf2d925bd9ad2f64d5476af976adaf105480530a7ff8acdc0f5e06f12f5cce9ca

C:\Users\Admin\AppData\Local\Temp\37055590\jkq.xl

MD5 83a1603d52dbedbfc80a0584a216efc2
SHA1 cd96b0c0b1b5fcff234b4d9614ce008e4ae614e6
SHA256 5338f8c5b476c548388c96637fdbb2ce970f3cc77839e1238e6d41785841ba8c
SHA512 d87e1f21470b3334d198adae595ebd7ebdda08a5e42e44eb4a2b3627149fba9326ca1fa21dea2b6126b78c476fc89101859f242400a686ced3e5311cf0a3ece4

C:\Users\Admin\AppData\Local\Temp\37055590\bve.ppt

MD5 c0381f1eb67d69be5439670dc852ae83
SHA1 1adbfc34187c899733073d4d2603bdc964991f92
SHA256 04ad2e556a6a5ce37c37e05314c2cd745d6667761939cd1e1f83c47235d8397d
SHA512 5a200424423d1b50a702b41d93002e71f16a5c7d6a9a1b094e8ccf22bc205d98900fe8972b4033ca6f62007550a1c0221fd54735d83b540eb452613721d74b08

C:\Users\Admin\AppData\Local\Temp\37055590\xwn.pdf

MD5 60a13f1ea38fc50a4fb9fdc4daf75a40
SHA1 49d956689251ff19c128430461fba8afd4ee7473
SHA256 f70acdbd46d5f43c15b4f439683f3cd87850a498bb05f6935b9c001b1dfefb6d
SHA512 366cdcc57fbb2b2c1d702c745731a9c95cd6beb3ea204a27e99a746188eb362ef97b23e1f90a1be35ffa754d85f6224f4f5b237ee3f12e4c8d96f01487e0e758

C:\Users\Admin\AppData\Local\Temp\37055590\wsr.mp4

MD5 dd0c007bfc238377b0a88a8950d6e857
SHA1 4d681899bdcd9fdbbacb358cdc47998f2e3af517
SHA256 9434b3e31242878e299ce86e281b3387099aaca0ea7d1e38d25e29b2699360d5
SHA512 3baf916ec6ecd35e8924e3184219576c505b77af9c1c8a0f179d6ef54b276d30534965f11b306f1c0ac2e5c158da82d81f252ff240bd98b3f1ae2f6f5c068fe3

C:\Users\Admin\AppData\Local\Temp\37055590\wmd.icm

MD5 e473fe64604fc09e4d8897090f3469be
SHA1 6f7571550a3c688c56170d7b90cee2fabd500d55
SHA256 d4aed9c46e4893ebd52bfb049f1579967fce2c861c50e01540078a604d4bdc38
SHA512 db80d2387ffbd9f037bc793ab5efcc29fbb2f546e9d7c29521f279ce2640819a036fe34370b2472f1abb394af9c34e349f343f851c5ef0e39e1a648cf84c7c29

C:\Users\Admin\AppData\Local\Temp\37055590\wer.pdf

MD5 21542cf601a808fbe09ef5adb66eaaf3
SHA1 31efae33f1bc6ba7bd031471537b02e9d1e3098c
SHA256 58fb21a82d697530440a69107c612ed36044af50ba52ae60999891ab6a27d0eb
SHA512 0519a6093afdb152607eccf01011830db2ac5e910ac06347b2c2df93545f6a7d237f73ec32340f3423b8230b6e97a6de324d0d397555bc9ee92587b750023937

C:\Users\Admin\AppData\Local\Temp\37055590\vtp.ppt

MD5 d576a2b0c2ddd5a7203b5b53e230a853
SHA1 8de1dd22393961bafc476762e494dbf39ef5a988
SHA256 c50a460fe7853ceccfef8338d8b71599baff913723d9f6b2ca7a7460576dc557
SHA512 6435bd631a5b74329efb0390352e0405260d1f144f995692c82a605fecb24c49182afdff5cd2d00ad4cf218c545c96d8adea32f559c3800b51e9742693420e4f

C:\Users\Admin\AppData\Local\Temp\37055590\vqj.jpg

MD5 dfcb76a49c6b282d68aee9d44e2fcf26
SHA1 6e5035428def70e336606ed83b86d2d7d5f6b95d
SHA256 a382f26ce856c440e9776619c577f6a8b200db195ecdc52c65d5678de471ad0c
SHA512 d0d1fb1b353f76184dbf9b1059367ae9570a56fb45a0b86335a2546e972f143625db4143b2605841926fb271dc7b61493081aa5e88afb5a3621af0844d2fd813

C:\Users\Admin\AppData\Local\Temp\37055590\vhq.docx

MD5 27a3b1c3a4ce272b4a805888e6388368
SHA1 b3a8ac33ef55bdddcf974855eaf612478efc4dd2
SHA256 4c1cab44e6f68d7fdcf793f60a67eb9e10ac758a4191a607fd8ca18b695ed2bf
SHA512 cf2bbb346863b85bb26f4806882fcc8792233d8016deff991d66150ff550c8448e96d36ce69d1f57240379c3ba1354a32421bb6dbd1c1410da8c13647a9c0616

C:\Users\Admin\AppData\Local\Temp\37055590\vdn.icm

MD5 ca74270f98a84c0fda077c47ffdabf61
SHA1 45f65a84f5bcb740f01b9fd22e878599a5e834e5
SHA256 3fd624aee2f2cef1a553f6f7ed5c498dc46c0dc5a5bd18ad3be7b4ccf439fc27
SHA512 bed48b5a1b693f8ce9f282780949e2e5a79684aa29fbd3af1ee1b91d84b9f17149dfd98c176c58eb839dfa03cbb7a32f06f6153d512fede80e4574f3b5cfccf4

C:\Users\Admin\AppData\Local\Temp\37055590\ufs.txt

MD5 d63ead71d68431670b3fa660171eef84
SHA1 b03a43048401b2da5df8557cd61227aed8d4d20c
SHA256 bc1f257f8cc73ffc27359cd1d46aa57c95719d4a6541ed5c6ac59d58254b9fb5
SHA512 005ea60b408e821296b3b6cbc47d1fd4d76ec2cd8684744d89a6a37f77381bde34115b9551b224f7380aaabc5c1cf8eb1e6cf6d21bfac9b09574f0a76cfe3e7c

C:\Users\Admin\AppData\Local\Temp\37055590\ucv.dat

MD5 4e4ff5a3328a5e9e54aba0e590b8c4ba
SHA1 281f075b633a42a31fed13eb9e10d3267d4b77ca
SHA256 5cda23c903bb16c04732ae77584c8f0a39e1f0fc2d77d1cc51601d2c3d7ab679
SHA512 9de063abaa119f9d37a9d0f3fb78cc1ffc594d4298dc6700f4e5f722c075f0922acfe986ce9bfd70c0b4bb0823fce51b00fedf14b949798973310af3dfe7343f

C:\Users\Admin\AppData\Local\Temp\37055590\QVTGM

MD5 4e7ee9293681efa179b4f80cc7bab672
SHA1 b5b8741731b4ecccc65ef5101d44dfc1bf9da765
SHA256 cf6f59b7736838169e515e7f2f9a67cb062a4ec62a0ecdfd3de0cce732d79a42
SHA512 743e86ae030558ef922ebe16e33fbe95fc36a33547e72ebe188d201f0d5f7a85aae8d6957efd49053b8a3a0e65ea5b023d5fcaae6c9cb9a90fd2502e0f2818b7

C:\Users\Admin\AppData\Local\Temp\37055590\qln.bmp

MD5 7e6018e7f0fcfe9eab6544f5ab154c20
SHA1 1a8d2be63fe9450496402c4eab7776e323527206
SHA256 f89f0863fc57d340cb154f5a60debbaff125517cff993602512f3c2d8dea424a
SHA512 735a53e2dbad8d07ef39130f1689aa8636eadfaa10aec996d7a435baddd0eed1b81e21e025ba2d814386bea0590de03b39f5af6739a84e1682fff2e415d7a4ef

C:\Users\Admin\AppData\Local\Temp\37055590\qdl.txt

MD5 8cc6be507c8dac7c9d93d0af060b287b
SHA1 e596cb9dbf1780c99313eef20e4134e592d4627b
SHA256 5ea3d6d2ec0be25c963ee74b211c0592e78087cd9ef00c5f5e7fbde763ee21af
SHA512 45888b9cda1dc801a59b710b55bf2264a72e494748c26be0722f1c3467375ababb22345c3893af89868d227ef05536cf6263682bf5a4a322e3c6973d3ad4e885

C:\Users\Admin\AppData\Local\Temp\37055590\qah.pdf

MD5 0d45ab525b6a2774d8b9b211b45a0f81
SHA1 f8a0f0216bef41444d0609570ac8c4863fcf2a26
SHA256 d1c1170c67fc75fda8db2349b1fbd68dcebaaf5ae2b1875855514c7bd082526f
SHA512 a4f250da1709c55c86a8826361b818d90c91fb7a4ddc4e85cce28d6bd0b1e4465eaef098bf1cb553cda5927789da5aeca05a1ec28205fcb2636ce0c23ef5d4fb

C:\Users\Admin\AppData\Local\Temp\37055590\nmb.icm

MD5 0a00cb54f9e5a0f157e248b23cb8442c
SHA1 2c250415e0f47b3262a21806963c3ca0a8286330
SHA256 b3176097db84333921c9909a961641e2fd06f9de321fce7c90c718987cb38629
SHA512 1709ac8b89e64c5f1fb53ba638000ff978d203ec3681aff61c5d0e889888a27ee040a60756ed8775077ed0d1d1ebf63f30026c277762ac6c23eed2a931f6526c

C:\Users\Admin\AppData\Local\Temp\37055590\nlv.icm

MD5 5f6a399143b67780ec673c21a9a185ba
SHA1 a34f1b498728d4380939b6ed1f0c05b5f4c02efa
SHA256 883a918f7cd2ff738e6c32a93eaa7a27065de38623c1da62f651db12b3fe35ab
SHA512 ed5f3eded8cb388797a0e778fb5b56514d15b22e48528c172289371bc302c4383bb6797770642c2f5585be07e500d6be50922a305b6150d274cf4f310c0d7af6

C:\Users\Admin\AppData\Local\Temp\37055590\ndk.pdf

MD5 8544bc9cb1c66e068f47f9ff1241ab26
SHA1 55129b00367fea25ab2052924184e43bdd0c50fb
SHA256 d3f6652db5543c76be36cb42e9d027ae6904080ceead68976d9b3d4fe4df508d
SHA512 e5bca76c1dc6f772a28bf2271ca05c9d25400a290c0dc278d385eba31e38c6d875df47cd1da1ecf68ca94899a1fbd99169c28742e1089b697a25067b4b2c1949

C:\Users\Admin\AppData\Local\Temp\37055590\mwl.jpg

MD5 76dcafbe377cae264e16eb4fc83d3186
SHA1 2b9ebc3935f498cfde58af8d6b5cac1c9af075db
SHA256 49b27a25735b6dabc8ddee192297df8e1210aa0987db8ea20a1be135ef09c1de
SHA512 d1b6534722118e938cccac72d2be68457f46ad8afb27703c8c2f4fed7844ba6116f7279823274094e852e19446920d07db9b74641525ce9111ce6919b65494e9

C:\Users\Admin\AppData\Local\Temp\37055590\mtj.icm

MD5 2d5ad121bd454f864cfdd65be70760ee
SHA1 703d0646fd6fefcb7553084b5be80065540c5d4e
SHA256 726a42aeab7d23bff8eb387052587c0885b2e18403d5c44523ef0ea68c5386c8
SHA512 fb6d879a64bc25a571ee8a03466978e66dbbe78254251c407813bfebac46ba84d7e70f80c6db558c241acb251daae8dfeac872f009bdd9a82ec6641a2ef582af

C:\Users\Admin\AppData\Local\Temp\37055590\kfx.docx

MD5 be3acc06954cc668f3526bd9b4ff36fd
SHA1 0c489b133159e23c8e359bf1e9e65a41a52e2f2d
SHA256 beba9857c04739257aa94d445149c62e5b4dbbb535e56ba0b54419d9158f9ae7
SHA512 55b3a730c08ffd178cd570cc750e407edc0774a8746d55e25798ab6955f2e5d525c2d7cab9666fa48372b11c7872a0217e9f36fccaaa8d706f46eca1e8d919e6

C:\Users\Admin\AppData\Local\Temp\37055590\jvc.pdf

MD5 7de6a5c3cdc0907e9e4e84d14acdc165
SHA1 15e004f7c36da2e8246b75986f4c47825ec1912c
SHA256 39abec8d27c7e51b032beb56e6259748847656b2ffff9667a640fb4a3d934cd3
SHA512 202b28b13d840467b6147a577273d40173e7fd5557260bbca7232e2fb1f5280f62780a95501dfac41fe6532324a5c5e0e9863579731e6259ab84abb8b1f23c8c

C:\Users\Admin\AppData\Local\Temp\37055590\jkr.dat

MD5 a60faa7bbbc07cef4e054b758ed0736f
SHA1 da48c6b700ce076ad1a18d3e18f03d61cb8bd6d5
SHA256 70433e25def20137c1c189e31699246d084c1a53216fd0ce1f2fe04fe6879523
SHA512 6c7d0b83cb76be49138bba275c3ee03e10fd13e6177d74a878700a7868985e467244ab24823588b297feb45a46d2b1621868256320b1d64a9746c2e4599f7cb5

C:\Users\Admin\AppData\Local\Temp\37055590\jal.ppt

MD5 e741a2051e1cf574116c099c30c915f9
SHA1 413db5556d58ed8d30798cd56e5ae3ff8d60cda6
SHA256 0653e86decfab5ad8cb5c778d24fe90955f4f710c161bc2882599fa68f3d7a3b
SHA512 523b3256b6cdccfd588e5a93f4362ad53896d6a4efef15a822033e28fa7e4ddcef50ac3d26a46ba5bd09739dec091a45118007dda4ae7d3eadb9c6dee5fa8bfe

C:\Users\Admin\AppData\Local\Temp\37055590\jaf.dat

MD5 6855318e544c05dfbc18bd71664c502a
SHA1 ca18b28734de788be023277f0254da2e1d450e2a
SHA256 ce6b9b33dce03efd64b16eee939d0d423af0941fa1540f4d0f45d3259a60245d
SHA512 54c9f97498667b13dfd4363320cb1df96bec3fa0aa29e4b1deffe9e110976302d0a88c1284a8b03c2e85daff540e2b86b21d10bcf932bc78e0b4c78bc8427c93

C:\Users\Admin\AppData\Local\Temp\37055590\inl.txt

MD5 81bfca5be94dbb98be4c97a3a7547064
SHA1 ce256c7747a3d50262f7ea9d272b0bc6e621b8b7
SHA256 37f9577714864cf12a627ec9e35c2508e24f966997b02e543c30b2caed6eeabb
SHA512 8802bca2dd366a2ee1f7ecc2a9bf2c3635ebd9b8890c4191c548831a9b2ef19f5725dbcb0c40ab952a129f3116649ad4bd7f91cbccd9e6639c58c31202d6b4b6

C:\Users\Admin\AppData\Local\Temp\37055590\hot.ppt

MD5 55e52d5e41bf342700b3f77625bffdde
SHA1 093608dc12b65bde546783350987c8b5c44be259
SHA256 76398b8ed676046bb8a4a90a5678515ff9d7e6c2be89393c06b7d07e95d87be6
SHA512 f13ee28398c9d5a5e785f21a68ab3ddfda7b10edd534b0bbb3287fa89500d3147fecaefc88c8e7d6124991b015f2809c174bc2eca66c88d0276270b93fe3fc4f

C:\Users\Admin\AppData\Local\Temp\37055590\gqk.txt

MD5 9b19609a591a3f4058346aa9622f7c98
SHA1 0e171b588e73a4d70430b3816b1ef3d92a2152b1
SHA256 c05a084db4dc13c76dbf26bc88e998bb1aa18e9fbd2b8745f0dd0fc425113150
SHA512 0fc49446064c76c8a08b2ce0474608227f99a2ad16a01a0ca55cc0e8dd7d59d9f443d91bc24cc8419fd44fc0c5e19bbf45d7a4cba09ad0a0a41a96cf07d0d7bf

C:\Users\Admin\AppData\Local\Temp\37055590\gmq.dat

MD5 901c1c2e93414ed366021802e108820f
SHA1 109b124ffd079ba8dc6a9a52d532fb98a0e81af4
SHA256 3a94c6decce0253b12f4008520cdc8112887ff7a002ec3ff9b506c8b070301cd
SHA512 aacef0ee56627c508a87fbccdce011c7247c433aa8726f0b1f3c0a5e4793345a3596d7d85c9db3782e774d3d8ebf332525ffd6eda7eba557aeb3c6e45101b6c8

C:\Users\Admin\AppData\Local\Temp\37055590\frm.docx

MD5 de42df52f22cf8cb7b67210befcaa8de
SHA1 6fcf0415afc04fe7835f887b9be99ff4405fe8b5
SHA256 cd5deffa8a1d52cc836c8d04df43f4d8a53fbbca07449a216812ca5ee41b3395
SHA512 16969cc17930e9aa59cf532b6f1e6830fb396b540826497994d22b08cadb00b257d241b4b9c8dd6432c09d0bc152ff467a5648a04d87b3ee89d85ada0d011af1

C:\Users\Admin\AppData\Local\Temp\37055590\fel.ico

MD5 c594cfd180f3c04edcb8c6b1064a40a4
SHA1 7c02904abbbe86616a6c99babd4559142084d04b
SHA256 b633d9fd2c20dd779f5bea0f33e195c06c4e680d8a7f4806247656f3df4e1f38
SHA512 d18cdff4d981f6efc405b4b0518dde9de6d1cb048497b6d0667e775f97225535503ee44bcccbd806a51c7413cb2761e09ffb671c551f735f58d29d8107d6e4eb

C:\Users\Admin\AppData\Local\Temp\37055590\exu.docx

MD5 45bb02837157c49cd755103171e81a60
SHA1 cabfdaccad5f50a21b54612dc66c243db617ce75
SHA256 accbd2819486059107917e9daf7008d18fdfa0fac18660bb9be63d6a63f9edbe
SHA512 85e54aaeaf43249bcd8f3041e65d09fea73435ae56c12847b34ee6d39737fbb6c1223ef168bd2d190d7e9b4f62dca008900f168964c70e8230bc916858d23b21

C:\Users\Admin\AppData\Local\Temp\37055590\eur.docx

MD5 970ef821b8512a49b228f3f93aac551e
SHA1 7dfde3069e94c6bbdfbd7ad5690edeba229cb865
SHA256 dcd8c452b8c197d89546dbb123132075f1d0151a1dbee823f98657849c1433d0
SHA512 26bbd930847f6c7aefbd99517815cef5479930da10ae36204c94483fe29a0affa17b7203937867a9e9182a7bea429c135702264d2503d59cac8df0371015968a

C:\Users\Admin\AppData\Local\Temp\37055590\ecv.txt

MD5 ef79fe759bd67ef0f7ca6e1c454d7743
SHA1 5ec37189515b004d221800f8c7bb376a8045c1ee
SHA256 f8d8716fd2b10c21f61e0f8cacaa9efd64204754787eb32d1c8170992ce524be
SHA512 61df9ab5aa639a9a3420e6f72f66058c83927dc313d2aaac9cd7da7f1e1ce091194cbae509fd7643e64fa2cab50b0413a0437279950ddc5db464ed8b4bf95a98

C:\Users\Admin\AppData\Local\Temp\37055590\ecc.ppt

MD5 08c89fcfaf9542bca763a483cadab317
SHA1 f7195355a5e3257bf38d89bfbd0695f6d43ec504
SHA256 dff277a980973e2c3b194f6c40c6af56a04f945f6c1ae4da60c46e7f74dd8d36
SHA512 44575e8012e2858c19be2bf3a3d12b50e8b0308535d1c71c1850d2800b68e6648000943db4cfc5b78db823f5ee17c56edf293a023b4953f6b9e94cab2ab1a27c

C:\Users\Admin\AppData\Local\Temp\37055590\dmp.ppt

MD5 1a35bb44cbc55dd23807cca7af25cc6b
SHA1 21976f4b6736200bcb6211912a8a113f857164bb
SHA256 63c01d23ba2646c089a94a40129483df24693da9ada59b5158ee3ec1efba9289
SHA512 33122e78997ff436103d772b9517c12e23ab45487d397685c6b06b22101905b605b49a4408a6325f3862b94f3f2fbc84f5413aa4e7683f4458a938de65fbadfb

C:\Users\Admin\AppData\Local\Temp\37055590\dkm.mp4

MD5 7650b7a50089f3f55a05ac285aaed14c
SHA1 82196cb2a0b5a1163147312201770a95d10025d9
SHA256 2ee4565e14e19330c336a66fea29a428ee6bd1b46da1d05bffe91910a7dc50dc
SHA512 f2c0ac9d9f0804cae7ddbd8fda8d4b9ef06d26f30dfc741fd57df79e013df594959cc6da5fb21d2676d189616a17478033096c408df496b4f1bc7537ce851250

C:\Users\Admin\AppData\Local\Temp\37055590\cvg.docx

MD5 fc3df18a145761ea411486dd4f74e19a
SHA1 11bba3306b6c75e83585cff9d92bf4b945ed733b
SHA256 8a5e9999ad4f44d85fffb83672866cc993481aa357cf0b7435654eb4133ebeec
SHA512 d1a5719563e65a6d8edc1de2bd68b3f18e105b35e5e8eb322334dd281aecf4e1e8d0d828bed1934b9b583bf9d46e0b0ceee158092316346340fbfc12d734bd6a

C:\Users\Admin\AppData\Local\Temp\37055590\cju.ico

MD5 77de495f535a602d61ba5d2afe9bc2c0
SHA1 d4a7606fe06b18b8f6f706743be2ca24cbb97467
SHA256 a0e8c978d49cb961990975f0770489822ad35dda008710b27b814a653bfb0976
SHA512 dcd19fde447f1b0859bf7eba001f041d5f2880b4e6a53b9e29d01289b3b2aa29b44fe7475ad5f6d07566e79e72d2abbd1d1217ebc4e8601cbefadec4aeadce89

C:\Users\Admin\AppData\Local\Temp\37055590\ceg.bmp

MD5 ad977aeb966453e3813d3b5ced1b6b34
SHA1 731669750e8a4c9f0bee52f543f0766bb280a63b
SHA256 92cb2089a8a727a9bfae26861d2afb9dbfad58fad33462ab84eaf21f9d02c4bd
SHA512 599ed0315fc1e01b3300f39b40ae7ec1929fb46c872089e12c2ada7cecc2709f57c9d0592e14fe30b8c68ea6fc18ba2f67fa2f93adc56fbbbeca56973d5c07d1

C:\Users\Admin\AppData\Local\Temp\37055590\cat.docx

MD5 bff21e7cf606a76be21d1a0d6bf5fd7f
SHA1 3d881bc8cf2bb11b265478869daad3c3b6c5a39d
SHA256 9dbd8cfa319be70feacbe22b06f347502e9076eef2ef1410f1d08a2e33441892
SHA512 00dbc5523f1baf55bdb566d09130d30f7f377af21a49308a2aaa4c37eb17ecb80cb3d9fa6a6821b71c198a64168037409a23af77ab76deeb95bc7c148a6f2da1

C:\Users\Admin\AppData\Local\Temp\37055590\bfl.ppt

MD5 64c8e864867396d8d73410fdfed81e93
SHA1 0e560ce0d867d74485169c901b2c477c19909e35
SHA256 b19288f1adcfd0130f7544d02bb06466b68c743b5cfb5a0787c9748bc3ffdb8a
SHA512 52bf2471656c6b8fa677dbaac0eb0f583bebe82207ebb1093262dcda6ae56d9a45ad5da2aa3071984bd9a3401f9bcf8f353ba29da1da152459e8299fe287cece

C:\Users\Admin\AppData\Local\Temp\37055590\aic.pdf

MD5 1ac2881bc680dcc5cb656133409437b2
SHA1 e7d48b4503dbd0796a5d36bd3b2ff03d51bc2b49
SHA256 f039cc9ae192c058e7f9deb1bf4e88d6ffbef7749aad16ca68ef44cf14d3672a
SHA512 c3386eb003f229478fd4de679a173992dcda471485150f07489638be7b1a661ab06007ee0f9fa0b1fce44afa5ba3599b4f67cf694f4ffaf9d2f69385ba710ed6

memory/4356-153-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4356-154-0x0000000005E00000-0x00000000063A4000-memory.dmp

memory/4356-155-0x0000000005850000-0x00000000058E2000-memory.dmp

memory/4356-156-0x00000000058F0000-0x000000000598C000-memory.dmp

memory/4356-157-0x00000000057D0000-0x00000000057DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp4DC3.tmp

MD5 1c18d34e4c00b9a6b81126a2f10bbb74
SHA1 9c975e7627bdb8d7af3615684d59fa02c3b81902
SHA256 ee68aecf2917fd9ddd167e6403d3149ac3dd7f346f3c9c66b6d75620b0ccd621
SHA512 75a3ecebd55c8e433199122925c7c612fe3ea23a93fbca10ed83c80f11396da428581e36c42e98a0eef5210630cea040ed0da076bfcb620ddb38dee7152b816d

memory/4356-165-0x0000000005820000-0x000000000582A000-memory.dmp

memory/4356-167-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

memory/4356-166-0x0000000005830000-0x000000000583C000-memory.dmp

memory/4356-168-0x0000000005DF0000-0x0000000005DFA000-memory.dmp