Malware Analysis Report

2024-08-06 13:48

Sample ID 240517-hsvb6seh77
Target 4ee7dc7527d02ec2297d576f54342c7f_JaffaCakes118
SHA256 09981f1a1ee710b22755868112d23dbc5d39b5f342e373ac745361c521cb8408
Tags
azorult infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09981f1a1ee710b22755868112d23dbc5d39b5f342e373ac745361c521cb8408

Threat Level: Known bad

The file 4ee7dc7527d02ec2297d576f54342c7f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult infostealer persistence trojan

Azorult

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-17 07:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 07:00

Reported

2024-05-17 07:02

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ori.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RUN C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\vvu.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rsg=gcw" C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 940 set thread context of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2884 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2884 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2884 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2884 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2884 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2884 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2644 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2644 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2644 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2644 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2644 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2644 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2644 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 940 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ori.exe

"C:\Users\Admin\AppData\Local\Temp\Ori.exe"

C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe

"C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe" rsg=gcw

C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe

C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\TFBKA

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country Destination Domain Proto
GB 193.56.28.129:80 tcp
GB 193.56.28.129:80 tcp
GB 193.56.28.129:80 tcp

Files

\Users\Admin\AppData\Local\Temp\02060885\vvu.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\02060885\rsg=gcw

MD5 ac9f05c0cf791be53a6e7603db32782a
SHA1 f49917314ebeac78f4443bb419fab313902e9ec2
SHA256 b27f9f75d92f71fd820ce86df4c0d48643fc4f95d634ab2fe2ede830d9aa7fcf
SHA512 6f3f112c696a8fc11b77017967fca210982a4451800422b3b0e7c7d449484ba3f3706ea55d035f7eb752015a467aae13eaf826ac369ccf6ca3f780622a4b85d2

C:\Users\Admin\AppData\Local\Temp\02060885\brc.docx

MD5 19efa2061347097a058aaa96114b90fe
SHA1 f8ca5d9adaeccdac2367c00794c08587762a7418
SHA256 2e9544991a020f27d3c8ec320a919d134e8add288fa7d0a2e821325d1322129e
SHA512 6093f1e6e92e421b0e5a91bd868993cce626df981dc59b15d7158b19813a26f8009ed3954264760c6f085496e091c8b8d0093ef719a5c3babe6aab4fc704a0a1

C:\Users\Admin\AppData\Local\Temp\02060885\bqb.xl

MD5 eacc055c8151aadfe525c60d32f3844d
SHA1 00573d9b9f4b3f7830063b7c97cfb4dc4efba9c9
SHA256 1a4430370304547b167c137d25b87bcca2f435926a3f2cc5f905847eece2381c
SHA512 35698739d38a25efe48be665aed8e6be9f89deb2822a94626c09f95981d4761205d888ddb64a1b98ef6211bd0628456b8f4b056fc6a3d2839dda269a14adaacb

C:\Users\Admin\AppData\Local\Temp\02060885\nqp.xl

MD5 e9d07ae06a1baa6bf316b1cbb94a7325
SHA1 aa2d48757f2b183cf5ea95a63252887c5e4ff79f
SHA256 cf6f04cba35e406f17024baea1a512a97fc07dc4b961c25247198f46b56d359b
SHA512 ade6a09ceebe54910f188ed8d7f033e195434436ac30763ed93ad9db4f8327b05adbbca28bc25ae6e946233b2c342e4f526aae455d057c2b6efcd315089f2c8e

C:\Users\Admin\AppData\Local\Temp\02060885\thd.docx

MD5 650e276e2225320ae4d5ec2555cc1fc0
SHA1 b2330386fd9b24b68554164ceaf18f62e2342ac0
SHA256 6df216cc0ddfc624413b306cc16a7bdc48b610a99f35e52d7a1620c11c3e49fd
SHA512 040e6c0b182cd9400905e45da1d67820beaae164a743223e888c7268122433945af94b8acdcea86a2fcb8556025398bf5b842d25767d6ba8998cf77e84a27c8a

C:\Users\Admin\AppData\Local\Temp\02060885\xvt.ppt

MD5 a0f2d7f163205a3acbfac91f335dd0bb
SHA1 e10574d06b357a5e576687dc56c840174fe150a5
SHA256 d42ab3d4c92b6ed5f7fc209a5502a9c72dea5068263bdaa9ba3afebe0e7aa7ba
SHA512 c62a60e6e7b5b4aa4d7ec23796b8fd6dc9c12b5669c69586ba7e83aa333867197432dd7e5805506b285371bb6b96fdf62d46b6d206a2600f953f439efea02e20

C:\Users\Admin\AppData\Local\Temp\02060885\xux.dat

MD5 2c7f485fb9f906bc440e611210d5d795
SHA1 60f5a370d6e253af54748872e283f43bfa4ab0a8
SHA256 0ff5de531702d00278c597c872509dd2c327d4212d379f653977fa97e912e306
SHA512 0390552f1f1d60a923cc46d3099b3cd79796ab806ac84cfab40558f024689c3fe595ded741a16c4df23abe7f29aaceca385682a12b250b550696107ce64f7a3b

C:\Users\Admin\AppData\Local\Temp\02060885\xng.jpg

MD5 01e0d4564dfb2050fd478fa8ee6885af
SHA1 4b1102f3c9be85626413dd5b82d9ea064c24830b
SHA256 41de1efe59dc949caa022b6b06f259b7b98ecd5d79d97b9b8aecc205c0bb6ff3
SHA512 f2177e4ca8cc675a56966b8bdd8f9049f42faf1aee2adb6b89457d671ac50b2050d28217770161a61753eaea38efb204e80208f469ebbb83cbc7e7db6dab043f

C:\Users\Admin\AppData\Local\Temp\02060885\vxu.dat

MD5 3c4eddef5ee0e1c398869cfc33ab0cf8
SHA1 d1660e9c0a26a3ea821aa01d3a093751b118c130
SHA256 4389d560e296459121f28f373b1b979d383007809bf50a43d9e42b09b64fbde4
SHA512 8be9e97951a79fa7b0f3f8b3e41a2ddb6e5b3764f7ec923eb8013aeb9b3d230809f531743fabbe056c870cc0950f67b1eaebc551ad9882cbf0ff43899ca7db2f

C:\Users\Admin\AppData\Local\Temp\02060885\vro.ppt

MD5 b440823fa1e561a8868b38af90e87259
SHA1 ff61646f4d15c5c7efdbd0c4b09bb5108173aeeb
SHA256 d7cdc8a2653f9959abec226f384d2515751be950ddb1a2814792436f8762deb1
SHA512 96da45607458cdea01834024a9485759be407c172f9c84cc5de9be83285659ad62464d31338c8fd8f99126b977b60268598fc2edb0e2b73bcf7e888eb0b3e2df

C:\Users\Admin\AppData\Local\Temp\02060885\vbk.mp3

MD5 e5b1897ef85a4b4512cb71a5a36754ec
SHA1 96022d3c1e22ed08a56a7a4b3ffb0d71bfd859cc
SHA256 a5f61dd9a52c159ad730b384fb1e129ebf51a71c255c53b0f22c646086508c02
SHA512 1ab2c97f11c983f50d9a2de4f2e15769079d2129facf6dc3ba11a3ca5c12ddb4a83c5d2f60c1b13dff879132e694b400d8d602f957d0d5bd8a55893d4dcad732

C:\Users\Admin\AppData\Local\Temp\02060885\trb.icm

MD5 3258fa48c91452f49644b12f1d771407
SHA1 16cf2cfbc4d12a9f58565e574e1f5a455ba1a6c7
SHA256 8c00a782f454443a9c5c8f7f34c1f9a8414873d3b54b5995f3e1ec4c9fdd5f55
SHA512 2b24efac988a3715a0c176be53f1d735ea316d83e91c41c1bf47112ba62dc9e0ee1cc4b70ea72c9a42517a45eae61c321c5767ec2941c175e3e07df0ac16eb20

C:\Users\Admin\AppData\Local\Temp\02060885\teq.dat

MD5 d35342a8746432e600be4f2d681d66ad
SHA1 3c28a128563452d91e29fa0d1affad41cd078874
SHA256 f9e7884a625654ef4b8bbcc72acb613688f24fc4922800ef81ab1c38b621702a
SHA512 43b7b0b3cfd651fc8047629409a509c1ce23e06e6288f60001483641f455493c0664bd1d53986b43cc136782753f7a8246cc993e1001b04095f99e9b135424e7

C:\Users\Admin\AppData\Local\Temp\02060885\sti.bmp

MD5 3b64c5b44eaf08ad497bf3a909270c17
SHA1 30d349f389aacbac780838cf289984d3c3d630d2
SHA256 206fcb042e2d3d305ca5de492df0bcab799dc21ff3f0482fb1420206b8bff13b
SHA512 20d75e5ef99bcbc2aee7de783662124473d78fbd0db1c368a756e602d38ff4a1759560fa00469c0c7d8bff7bf1615ff08ebcbaeea14043e7e2ef5e61847c1021

C:\Users\Admin\AppData\Local\Temp\02060885\src.mp3

MD5 823ec7fe28d0140f636b9ac11ec37248
SHA1 b9203a784bb2ef1e7336a9110856402af64f022c
SHA256 a5f52f18349df5232e962502816a76934124af63ebd75b40d7399531c85099ad
SHA512 c6d0c03f769213438804b5e575077f276697c56eb00e621fac1fd073e2bd48704d92d53c9f632de50acf38cc28e55132b9767ccbaadd5d6c9f66224e7c056c7c

C:\Users\Admin\AppData\Local\Temp\02060885\TFBKA

MD5 3543386f5ce915094d66fcb91ee98136
SHA1 de97e837fe5cfe5a9665ebdfb65c39397692c03b
SHA256 ae75e240fa8d6ee79c9739ffad4b63c5efccb4566d79cd77a82e47c56e77ec1f
SHA512 42df6262bbea8ad33364b111412f16e1ee0fae4c601e235b372adbd85b0a5fc93d4a3a5e90fa8b2cecd07f6c1c07736736a868f00d8073e59b02b77669156298

C:\Users\Admin\AppData\Local\Temp\02060885\sjl.docx

MD5 98250d992f3bd9e3b89aa140825b1a2f
SHA1 20eef4660789408746eeb72118adffb5de8c26d0
SHA256 20bff0db6c066b96697f6e4dcdb1b6304d2d1664a2a43edec32b687813a322a8
SHA512 a3c1c03be335e270851a23b79dc13b15cc67d555e35f527778074530a8f1bd8817c930992ef2716dffac150df9d688ba6856a840fced346c2cbbca68fb4b6b60

C:\Users\Admin\AppData\Local\Temp\02060885\rls.mp3

MD5 316ba189fb1d1ebab0441b9c47f4f31e
SHA1 065706e5a28be485124474ac841f51cdca373b04
SHA256 b295b2334afe33a5e6699db9baba659f46c3a88811507e2fcccc6c5ed946ff72
SHA512 097e19f28bd81ffa4fbda885654d17e693b3775be92a6f274642beae736a5e35d2415a74f3550925f849d8f9c409dd17c6921e4594a99054ac4b658073d01309

C:\Users\Admin\AppData\Local\Temp\02060885\qti.icm

MD5 9b3f11beb95466ecff2b002f3334d3b4
SHA1 3db61aa8f83fd8aa04b5e603abc16187fb66b65d
SHA256 a7f50a635e66d9a9e9abf069257525be1848428825a9792936d58fc7a6465349
SHA512 580fec142c19f046d368f1fab36f51be9287c47534539c3f26793fa1ceeaafa04ce3be8ab4543eff45129b390bf524253291c9c1383ed44da211356b7016b437

C:\Users\Admin\AppData\Local\Temp\02060885\qos.docx

MD5 e7728a442563635466eb2d85e9396b72
SHA1 f564d78db62c820ac4b7f1c37902aaf0b6fcec4b
SHA256 5a91e6fea8e65716343c228e544b440f9e91f5813c15c83493bfbb128f225162
SHA512 64ae21475cfba3ec86116a31995c08363ca1cd67738f83160f3c794ddc4c270e4c9e758b128c97a193cdc93cc64372b8e1d640f06399072911a77e952e1b7e94

C:\Users\Admin\AppData\Local\Temp\02060885\qaw.pdf

MD5 a578c6186650ed25bb5bf0ec975ab5c9
SHA1 174fd099b0924fc09982dc49845856f9a40ac749
SHA256 753955fe2e6d2db278a1ca72fda97790519bb40d8001abb605aa585a51e3760d
SHA512 4d12260caefb548395c7e50ad1401e30202e0d8433c7566cd4ef054cdeddbf603285e55aa4b1b17cd0ab0f842f79db313266a52ac52d36e8be67101166372dd7

C:\Users\Admin\AppData\Local\Temp\02060885\pli.bmp

MD5 3766f30ce8bc4902c68ef3338563f4a5
SHA1 0348cc40020b511684035a17a27070b0c005b558
SHA256 618b7a9b416938314152aee2e9f1504bb121ccbf3286406a5d0c038b334e062c
SHA512 3d8901ec6907a64651dd9700a35a12e342a5607dabd309a3e8ad6127c69c01ecd4d5d801a770510ce6ab81e2d53a7ce7cbab067a39d31232052a2fcad5d5ed47

C:\Users\Admin\AppData\Local\Temp\02060885\pdw.mp4

MD5 b01fdab3af6028070ba8a13db5cfccbd
SHA1 3e041e78079cc77c66314a1677e2c230677c08ff
SHA256 3392b0ffd1fa70c9c8124383a97a9c0ba60de5a42814128aaefad1ea06b70266
SHA512 2eef3a726702d56d61e0f2c34ca73576964183b7a7a7a2fbeb6c50733a61724a395a31b6f2d3bc992906aa8af6245aabad689972b5b28d131e2e9656df3a8d6c

C:\Users\Admin\AppData\Local\Temp\02060885\mus.ico

MD5 e19e3a7638401ad8c10139b1a79b3b18
SHA1 dbebfb724641259c17b780d9fa178f5fc05c52df
SHA256 1507db98c6f256fae88aef7a391cc65452cada09224937160f1f84f721d0ce15
SHA512 5ff7c86534f72aaadd6b6b20147328f0f9659706a98049c105d0e25f86e744332ae8a0b744a2155562bb0d752e7a62d614231832ed5e53c55c9abb14601a08ec

C:\Users\Admin\AppData\Local\Temp\02060885\mpl.pdf

MD5 22b659e017044a01f0d272915d026f9c
SHA1 684a4feaa676675733480476eb5917cf01913364
SHA256 99306dca058d59acf8334062b62872a84bb777bb957df11851aa4cb943705777
SHA512 4a68868765ab7a0ec3518bb231f7d4cc612e9b88ea74fc4f6f0c4bd02d080f825c209d02c943eef63c40e65e00810c155549b7d5c3a70a9dc2a6947176252232

C:\Users\Admin\AppData\Local\Temp\02060885\lis.ico

MD5 8a71895dfc95f659dd083299e9656857
SHA1 d8258a656c4c944149748a94c82ad8d5a88dd20c
SHA256 afbd2c0acc9bc1d7074039cda22086a68503537b888e4f700c27f081dfb472a1
SHA512 9c0ef623d603a8ba23e2ad92e34ca2b75ad96673f0ef79b93a0d197e8cc06e3e1d1d56af1b6a274382b77cd6904ef9d4d0e076f209ef360315afb056a49a70f0

C:\Users\Admin\AppData\Local\Temp\02060885\lbj.xl

MD5 ed5c1a2f1aaaa72cec1ed58428861cd1
SHA1 2b1f8c65a96105f52dee70895cbbd09c5f753ecc
SHA256 269764120d067c62992d8dbe319e10f360a47c77ac632c3d8cb1e596f1fd4d7a
SHA512 b145d24dc482b15ef5e59d4d131b657ae7d2af0f80cc9f382883e70b7176b7eac06950c68c1ed5a70e2176afb516ab96a377dca4ac23fb31804ecb83c37b3740

C:\Users\Admin\AppData\Local\Temp\02060885\jqr.mp4

MD5 c8b1dcaf787c13ab2ada2ae75a68664b
SHA1 6550be65034026d6beb38ca95c2910698e1555db
SHA256 67d90ca6293b2ecd4751a8387159bda6ff4c9b2af8dfe6f5970a66e4e78b43bc
SHA512 b3c6ab846eb6d8d52500d1c2c1edf40f5fc9c2274708cc2f53bea6ae6f4bced8c6bc33265a632dbc59cd1d6f7bf36212d41dd9c75ef5a9a025b61155792c1679

C:\Users\Admin\AppData\Local\Temp\02060885\jga.ppt

MD5 28293e0033c37d3b8e3145b33c3774e6
SHA1 04188158288e84e364b6ad439a8ee5bd7586d433
SHA256 61341623e593af54dcfd6d0d287b8a8c173bbd4d71a5e1aab47c60987537f589
SHA512 573848e0d099773cf559c340fbc1f2787caffbf392ef6d77e27864e57a91140b3c0f6f5de8e2fa02c8297ec957fa438a1811ad1ce1d6de09fb322f4254026771

C:\Users\Admin\AppData\Local\Temp\02060885\hmg.pdf

MD5 662088a1d1401f1f8d49aba9e53561f7
SHA1 11c2ffaf424d26b1c4430c381bd0e970c8e809a5
SHA256 f375c1bb94a1ef1a4d0a5238a3861828045229bf190005d6caa1988da33db417
SHA512 63f2224f61af1983067df0fb8e8a620b0374a89ad43633231114a44bb4dcddcf7b568e4b8cc80e530ac25839e704008b0d4194994d95c05a48dd9b232514ba4f

C:\Users\Admin\AppData\Local\Temp\02060885\gmb.icm

MD5 9964b6112ee4de0ac0edcd234b811b3a
SHA1 ae88baeca721c88f9bb16c4755da33e400f15592
SHA256 332b9dc4e536b50bc65069f7a82902493c049f6ebeebce2a3a5c815e067aa922
SHA512 50e11ff1e1a869f8e2191c6a96e708132272f966af0f042c60ddbda9e970f27c50f619d3d608fe0507d358ad29ca544031650b5ea224410ed8b9063946736ee8

C:\Users\Admin\AppData\Local\Temp\02060885\gch.bmp

MD5 a2810de9f123a76b046b291c90cd6d1c
SHA1 3e535849f4b655f16e815dd8625ca7eadf167fcd
SHA256 6e1ac6c9550a3141e442d730755421ba3420fb2f4c014c2e977420a16f550d93
SHA512 3643167d7a2af3b7499561fede787a8648ca81d33067908fee41a419588eb3ed8a376fe817be118c210fe5eb4e45247e1801680776a222e0ddf4ee5033ef3427

C:\Users\Admin\AppData\Local\Temp\02060885\efp.jpg

MD5 d1aabac5934c07b82c448ca5d9d3205d
SHA1 fdf1d44d9d7d9b502632c6088d54ff134730673e
SHA256 077cffd4fa6f405c44468fa2a6f93b697754500943ab632c19427e93031cd873
SHA512 2f76d99b2ce423bf2dbd3dacb7fa16af46c6ed1712954c491351beae453882507853c426652e758c9b44519656bc90a2517a3f2371f40b4053d576c8fcd05aec

C:\Users\Admin\AppData\Local\Temp\02060885\edi.ppt

MD5 b56799e395d14ba4f47ffb59f098a356
SHA1 0b64f57d65c2d8bb441fc4920774243843121eb6
SHA256 76a2e6e817db5f0a1b521f33d02939a3ad791ca05fa92cee7abb0f63270cee1b
SHA512 523271a2863eb2749ce6d3784171ddd7669baca5103887d9cc6109c25b8d6c2c0cec6de739cdce153fc1a56f2219d9bbced38d7027d7fd5c44b1f8e04435ce91

C:\Users\Admin\AppData\Local\Temp\02060885\eax.pdf

MD5 6901fa8239a999f7ac803b0ed1887bed
SHA1 791c28c252dd6ac0f196b6cd05a6f11a3e3ee27d
SHA256 98f0137bd503ee9c44607d1dc92d9ed2906a2892a101c122989051570593adea
SHA512 06631862aa5eaa072e2880164fe6ab1b1b14307c40afa3cf6ade295a8341ce8d7f0e224a916f1415d421759a57cc12993bf7389dfe569495d38bf709756b015f

C:\Users\Admin\AppData\Local\Temp\02060885\dpe.xl

MD5 dbe07586af6e0d8e536bf0057511b402
SHA1 0995c962094039f5cf800cb16ff75643fb34abad
SHA256 ba76dfef2180c841c23f64ca9efb66c523f062ccd3c1c26460cf695ce647a56b
SHA512 43369ee0524b44f20c2ea5d6f73ffe913f6ea42d91b6374c27caf2b7725d78b64bd7cc4ce5117c6b68a23cf8a3091233ff4994820ad3c7de8ba6ef4c7251cd21

C:\Users\Admin\AppData\Local\Temp\02060885\dij.jpg

MD5 a9a41f060d31128993d6bc3b4b27be07
SHA1 f0c62efa7d8f4589fea5e4472983154ddb0afb49
SHA256 c3e2ea4423eed651c1773a0d950482fb108e8e70d95869baa08ba6924e115eeb
SHA512 2a7e22c5d15c1269a0e22584d2218ecca91ab46e55cc2ebc22e6b343de0d202010c012945454fa6715595578f4f3c63da35381ed873d6603e5059bedfd2b8a8d

C:\Users\Admin\AppData\Local\Temp\02060885\dhn.mp3

MD5 aae08ef7a64ba3403d0dc82045a12433
SHA1 1f090d19df81a1845850502cf7144313e5652e03
SHA256 4ec7894f59148180eab426a6b7f00aa96e8933ca1033722a4414c13ed13ab323
SHA512 4603a096e1b64f3728adbc2ac3f05a9d5e110c1af6c09dbe9a7d7ac4089cfdaeaf870083087561905396b18ebc4f4a62b0f2f60cdde8133edd0533f51c3ea931

C:\Users\Admin\AppData\Local\Temp\02060885\crv.icm

MD5 1b38b58547084f843c97dbd90b0b16ca
SHA1 6bb52c63682837a74c796019990f83a70c70d2f5
SHA256 7a63e6ac3346b9abeb69a467d9ae4627205d4969010ab59b1f9030dd83941cd5
SHA512 1f76c53b765fecee0418a86473644dc00d5899c8dddb9bc84ef39d86a1e3584230f9f3a8a01afc70694eeecb97b3e8a7df2524c9cae7b3a95c28305636cec089

C:\Users\Admin\AppData\Local\Temp\02060885\cjo.dat

MD5 dd76c7b27b424d292bd337daef4fe05c
SHA1 2659ef366132ef17a00c7ff0abb137b6ad3688a8
SHA256 8b335b1e23fa46fa6b7b9e91ce721b10a016d07ce81d55b3a876f7a4572e79a3
SHA512 d0ef029222da09aaae95e6fad0590c060a163756230a86e569e1e2f2015660349ab831c85cd0c42271bcb8540280de9ebad6af3ae44c7fe3df4545f67ef4a0ee

C:\Users\Admin\AppData\Local\Temp\02060885\cdp.pdf

MD5 78d6d8890c9366438633085062b4454a
SHA1 ff4b9cc74eca3a2816e4845ccb3cc2ebff78132b
SHA256 dadf12aff1c2848e9789c8f0e826383451239a0109ef140a7afc8bcf759e14de
SHA512 9e690c8d0501be278344a13f7950a0313db0baee4d296376dc4c10da11d0c07631bfbaa0bbd0fb5480c773d2b75fea85f7a0eec81c938e154f4d195cd0146893

C:\Users\Admin\AppData\Local\Temp\02060885\bdo.dat

MD5 1f083f57dfe2031ca1c4ba681721407b
SHA1 a8c7cbf8dcfcd04eb1b021a1cb1f7ec3b4c6510e
SHA256 9a91e95b7e56274ccfc04878d418e410d0c0ea8e061fc539717446983c6c5343
SHA512 55decd1dd56c1ad939ea8c117f5186dace537f65e4c6a08856f37972feb14e4ec0894bbac9afaab2cbe2a3cdab2fc3cbc7c5a5d2b39a51fdc9737360109feeda

C:\Users\Admin\AppData\Local\Temp\02060885\bct.dat

MD5 2c9d6f5ce1ffcd663275fecd12bff169
SHA1 57468730c7ed17d732fcd5a5dd67d211dab2461d
SHA256 2c479e01570516a890737a6542246c904c2f0548da97c269c3f4bbf841c53f62
SHA512 68c412b8e51ee8811ea9693f686f39f07908bfaf8b91f6b79d63a7d2a5ae58b9d36ba9676a6a0335a10845a119892e84ac5d834bd35fb0ab786f53cfb06932e7

C:\Users\Admin\AppData\Local\Temp\02060885\avt.txt

MD5 05062d868d0109889487b2929c10565c
SHA1 502715533a5a64c75d354e8ebf982f51ab669492
SHA256 5a3ae6bd375ee65f226184e4682314fb2959acfafe0cd972df5ca68160db0c89
SHA512 3a5c5726894c6ec688b63f3457e831fa0e2c77010ced294ddbc119dae66f09e94ac9a3acb58c488cd2a8a5af73dafcca49e3325e45db78bf198f0ea0db3ae23d

C:\Users\Admin\AppData\Local\Temp\02060885\age.mp3

MD5 607e8632b848d7d1179d977ea8dc6c62
SHA1 450329d0c279630ec9b6baa1e6de4d8dc55072af
SHA256 05f5fbc560e06b938d1e6ff52a4cbbfaf33b75a0e601a0a967c971c79716c8fc
SHA512 c4ec4b3ddb38080fd174ad7df31895860aed71fd27ca759516832be2147300efd060061d9586a736cf860c98ae492f8289d026bda3b987a88910704e17d63222

C:\Users\Admin\AppData\Local\Temp\02060885\ank.mp4

MD5 ba3a91cbc77452fc4720fb3362df8922
SHA1 b69d861886884a7b79afb506b2ddd52c4dde47ff
SHA256 4984e73865d16905a72c52e13acb26ff0758c343a09599e8a29617fce177c44b
SHA512 c78af8d9eed7e506d145d7091d19a1060eecede292ddb9b394197acb1cfafb0dada8aa446cbace1cd0a5f92dc43db500654fd2d9107f20fe396922d856f23eb0

C:\Users\Admin\AppData\Local\Temp\02060885\acw.txt

MD5 d3bdd07d98248be71311f6cb911f8e4d
SHA1 fcb9480e217c165b386d3c690bd20988743e911a
SHA256 96cd29d599aa85006821bbcc2772a9c3bcf8a1a2ff7d4626d3ab840f1afbf7f4
SHA512 c7a4508068b4206e4d3714190335a61c67f76af32059a33e86cd6175be8242c0ead4cf5aeb9290987aac51b79327a9d29f7f499be8d3b1d15a7cb89d15f27c95

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/2656-174-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-176-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-173-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2656-171-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-169-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-163-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-167-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-165-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2656-177-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 07:00

Reported

2024-05-17 07:02

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ori.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ori.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\vvu.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rsg=gcw" C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 936 set thread context of 432 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 3448 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 3448 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Ori.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2864 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2864 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 2864 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe
PID 936 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 936 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 936 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 936 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ori.exe

"C:\Users\Admin\AppData\Local\Temp\Ori.exe"

C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe

"C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe" rsg=gcw

C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe

C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe C:\Users\Admin\AppData\Local\Temp\02060885\NAMMS

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\02060885\vvu.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\02060885\rsg=gcw

MD5 ac9f05c0cf791be53a6e7603db32782a
SHA1 f49917314ebeac78f4443bb419fab313902e9ec2
SHA256 b27f9f75d92f71fd820ce86df4c0d48643fc4f95d634ab2fe2ede830d9aa7fcf
SHA512 6f3f112c696a8fc11b77017967fca210982a4451800422b3b0e7c7d449484ba3f3706ea55d035f7eb752015a467aae13eaf826ac369ccf6ca3f780622a4b85d2

C:\Users\Admin\AppData\Local\Temp\02060885\brc.docx

MD5 19efa2061347097a058aaa96114b90fe
SHA1 f8ca5d9adaeccdac2367c00794c08587762a7418
SHA256 2e9544991a020f27d3c8ec320a919d134e8add288fa7d0a2e821325d1322129e
SHA512 6093f1e6e92e421b0e5a91bd868993cce626df981dc59b15d7158b19813a26f8009ed3954264760c6f085496e091c8b8d0093ef719a5c3babe6aab4fc704a0a1

C:\Users\Admin\AppData\Local\Temp\02060885\vxu.dat

MD5 3c4eddef5ee0e1c398869cfc33ab0cf8
SHA1 d1660e9c0a26a3ea821aa01d3a093751b118c130
SHA256 4389d560e296459121f28f373b1b979d383007809bf50a43d9e42b09b64fbde4
SHA512 8be9e97951a79fa7b0f3f8b3e41a2ddb6e5b3764f7ec923eb8013aeb9b3d230809f531743fabbe056c870cc0950f67b1eaebc551ad9882cbf0ff43899ca7db2f

C:\Users\Admin\AppData\Local\Temp\02060885\xvt.ppt

MD5 a0f2d7f163205a3acbfac91f335dd0bb
SHA1 e10574d06b357a5e576687dc56c840174fe150a5
SHA256 d42ab3d4c92b6ed5f7fc209a5502a9c72dea5068263bdaa9ba3afebe0e7aa7ba
SHA512 c62a60e6e7b5b4aa4d7ec23796b8fd6dc9c12b5669c69586ba7e83aa333867197432dd7e5805506b285371bb6b96fdf62d46b6d206a2600f953f439efea02e20

C:\Users\Admin\AppData\Local\Temp\02060885\xux.dat

MD5 2c7f485fb9f906bc440e611210d5d795
SHA1 60f5a370d6e253af54748872e283f43bfa4ab0a8
SHA256 0ff5de531702d00278c597c872509dd2c327d4212d379f653977fa97e912e306
SHA512 0390552f1f1d60a923cc46d3099b3cd79796ab806ac84cfab40558f024689c3fe595ded741a16c4df23abe7f29aaceca385682a12b250b550696107ce64f7a3b

C:\Users\Admin\AppData\Local\Temp\02060885\xng.jpg

MD5 01e0d4564dfb2050fd478fa8ee6885af
SHA1 4b1102f3c9be85626413dd5b82d9ea064c24830b
SHA256 41de1efe59dc949caa022b6b06f259b7b98ecd5d79d97b9b8aecc205c0bb6ff3
SHA512 f2177e4ca8cc675a56966b8bdd8f9049f42faf1aee2adb6b89457d671ac50b2050d28217770161a61753eaea38efb204e80208f469ebbb83cbc7e7db6dab043f

C:\Users\Admin\AppData\Local\Temp\02060885\vro.ppt

MD5 b440823fa1e561a8868b38af90e87259
SHA1 ff61646f4d15c5c7efdbd0c4b09bb5108173aeeb
SHA256 d7cdc8a2653f9959abec226f384d2515751be950ddb1a2814792436f8762deb1
SHA512 96da45607458cdea01834024a9485759be407c172f9c84cc5de9be83285659ad62464d31338c8fd8f99126b977b60268598fc2edb0e2b73bcf7e888eb0b3e2df

C:\Users\Admin\AppData\Local\Temp\02060885\NAMMS

MD5 3543386f5ce915094d66fcb91ee98136
SHA1 de97e837fe5cfe5a9665ebdfb65c39397692c03b
SHA256 ae75e240fa8d6ee79c9739ffad4b63c5efccb4566d79cd77a82e47c56e77ec1f
SHA512 42df6262bbea8ad33364b111412f16e1ee0fae4c601e235b372adbd85b0a5fc93d4a3a5e90fa8b2cecd07f6c1c07736736a868f00d8073e59b02b77669156298

C:\Users\Admin\AppData\Local\Temp\02060885\vbk.mp3

MD5 e5b1897ef85a4b4512cb71a5a36754ec
SHA1 96022d3c1e22ed08a56a7a4b3ffb0d71bfd859cc
SHA256 a5f61dd9a52c159ad730b384fb1e129ebf51a71c255c53b0f22c646086508c02
SHA512 1ab2c97f11c983f50d9a2de4f2e15769079d2129facf6dc3ba11a3ca5c12ddb4a83c5d2f60c1b13dff879132e694b400d8d602f957d0d5bd8a55893d4dcad732

C:\Users\Admin\AppData\Local\Temp\02060885\trb.icm

MD5 3258fa48c91452f49644b12f1d771407
SHA1 16cf2cfbc4d12a9f58565e574e1f5a455ba1a6c7
SHA256 8c00a782f454443a9c5c8f7f34c1f9a8414873d3b54b5995f3e1ec4c9fdd5f55
SHA512 2b24efac988a3715a0c176be53f1d735ea316d83e91c41c1bf47112ba62dc9e0ee1cc4b70ea72c9a42517a45eae61c321c5767ec2941c175e3e07df0ac16eb20

C:\Users\Admin\AppData\Local\Temp\02060885\thd.docx

MD5 650e276e2225320ae4d5ec2555cc1fc0
SHA1 b2330386fd9b24b68554164ceaf18f62e2342ac0
SHA256 6df216cc0ddfc624413b306cc16a7bdc48b610a99f35e52d7a1620c11c3e49fd
SHA512 040e6c0b182cd9400905e45da1d67820beaae164a743223e888c7268122433945af94b8acdcea86a2fcb8556025398bf5b842d25767d6ba8998cf77e84a27c8a

C:\Users\Admin\AppData\Local\Temp\02060885\teq.dat

MD5 d35342a8746432e600be4f2d681d66ad
SHA1 3c28a128563452d91e29fa0d1affad41cd078874
SHA256 f9e7884a625654ef4b8bbcc72acb613688f24fc4922800ef81ab1c38b621702a
SHA512 43b7b0b3cfd651fc8047629409a509c1ce23e06e6288f60001483641f455493c0664bd1d53986b43cc136782753f7a8246cc993e1001b04095f99e9b135424e7

C:\Users\Admin\AppData\Local\Temp\02060885\sti.bmp

MD5 3b64c5b44eaf08ad497bf3a909270c17
SHA1 30d349f389aacbac780838cf289984d3c3d630d2
SHA256 206fcb042e2d3d305ca5de492df0bcab799dc21ff3f0482fb1420206b8bff13b
SHA512 20d75e5ef99bcbc2aee7de783662124473d78fbd0db1c368a756e602d38ff4a1759560fa00469c0c7d8bff7bf1615ff08ebcbaeea14043e7e2ef5e61847c1021

C:\Users\Admin\AppData\Local\Temp\02060885\src.mp3

MD5 823ec7fe28d0140f636b9ac11ec37248
SHA1 b9203a784bb2ef1e7336a9110856402af64f022c
SHA256 a5f52f18349df5232e962502816a76934124af63ebd75b40d7399531c85099ad
SHA512 c6d0c03f769213438804b5e575077f276697c56eb00e621fac1fd073e2bd48704d92d53c9f632de50acf38cc28e55132b9767ccbaadd5d6c9f66224e7c056c7c

C:\Users\Admin\AppData\Local\Temp\02060885\sjl.docx

MD5 98250d992f3bd9e3b89aa140825b1a2f
SHA1 20eef4660789408746eeb72118adffb5de8c26d0
SHA256 20bff0db6c066b96697f6e4dcdb1b6304d2d1664a2a43edec32b687813a322a8
SHA512 a3c1c03be335e270851a23b79dc13b15cc67d555e35f527778074530a8f1bd8817c930992ef2716dffac150df9d688ba6856a840fced346c2cbbca68fb4b6b60

C:\Users\Admin\AppData\Local\Temp\02060885\rls.mp3

MD5 316ba189fb1d1ebab0441b9c47f4f31e
SHA1 065706e5a28be485124474ac841f51cdca373b04
SHA256 b295b2334afe33a5e6699db9baba659f46c3a88811507e2fcccc6c5ed946ff72
SHA512 097e19f28bd81ffa4fbda885654d17e693b3775be92a6f274642beae736a5e35d2415a74f3550925f849d8f9c409dd17c6921e4594a99054ac4b658073d01309

C:\Users\Admin\AppData\Local\Temp\02060885\qti.icm

MD5 9b3f11beb95466ecff2b002f3334d3b4
SHA1 3db61aa8f83fd8aa04b5e603abc16187fb66b65d
SHA256 a7f50a635e66d9a9e9abf069257525be1848428825a9792936d58fc7a6465349
SHA512 580fec142c19f046d368f1fab36f51be9287c47534539c3f26793fa1ceeaafa04ce3be8ab4543eff45129b390bf524253291c9c1383ed44da211356b7016b437

C:\Users\Admin\AppData\Local\Temp\02060885\qos.docx

MD5 e7728a442563635466eb2d85e9396b72
SHA1 f564d78db62c820ac4b7f1c37902aaf0b6fcec4b
SHA256 5a91e6fea8e65716343c228e544b440f9e91f5813c15c83493bfbb128f225162
SHA512 64ae21475cfba3ec86116a31995c08363ca1cd67738f83160f3c794ddc4c270e4c9e758b128c97a193cdc93cc64372b8e1d640f06399072911a77e952e1b7e94

C:\Users\Admin\AppData\Local\Temp\02060885\qaw.pdf

MD5 a578c6186650ed25bb5bf0ec975ab5c9
SHA1 174fd099b0924fc09982dc49845856f9a40ac749
SHA256 753955fe2e6d2db278a1ca72fda97790519bb40d8001abb605aa585a51e3760d
SHA512 4d12260caefb548395c7e50ad1401e30202e0d8433c7566cd4ef054cdeddbf603285e55aa4b1b17cd0ab0f842f79db313266a52ac52d36e8be67101166372dd7

C:\Users\Admin\AppData\Local\Temp\02060885\pli.bmp

MD5 3766f30ce8bc4902c68ef3338563f4a5
SHA1 0348cc40020b511684035a17a27070b0c005b558
SHA256 618b7a9b416938314152aee2e9f1504bb121ccbf3286406a5d0c038b334e062c
SHA512 3d8901ec6907a64651dd9700a35a12e342a5607dabd309a3e8ad6127c69c01ecd4d5d801a770510ce6ab81e2d53a7ce7cbab067a39d31232052a2fcad5d5ed47

C:\Users\Admin\AppData\Local\Temp\02060885\pdw.mp4

MD5 b01fdab3af6028070ba8a13db5cfccbd
SHA1 3e041e78079cc77c66314a1677e2c230677c08ff
SHA256 3392b0ffd1fa70c9c8124383a97a9c0ba60de5a42814128aaefad1ea06b70266
SHA512 2eef3a726702d56d61e0f2c34ca73576964183b7a7a7a2fbeb6c50733a61724a395a31b6f2d3bc992906aa8af6245aabad689972b5b28d131e2e9656df3a8d6c

C:\Users\Admin\AppData\Local\Temp\02060885\nqp.xl

MD5 e9d07ae06a1baa6bf316b1cbb94a7325
SHA1 aa2d48757f2b183cf5ea95a63252887c5e4ff79f
SHA256 cf6f04cba35e406f17024baea1a512a97fc07dc4b961c25247198f46b56d359b
SHA512 ade6a09ceebe54910f188ed8d7f033e195434436ac30763ed93ad9db4f8327b05adbbca28bc25ae6e946233b2c342e4f526aae455d057c2b6efcd315089f2c8e

C:\Users\Admin\AppData\Local\Temp\02060885\mus.ico

MD5 e19e3a7638401ad8c10139b1a79b3b18
SHA1 dbebfb724641259c17b780d9fa178f5fc05c52df
SHA256 1507db98c6f256fae88aef7a391cc65452cada09224937160f1f84f721d0ce15
SHA512 5ff7c86534f72aaadd6b6b20147328f0f9659706a98049c105d0e25f86e744332ae8a0b744a2155562bb0d752e7a62d614231832ed5e53c55c9abb14601a08ec

C:\Users\Admin\AppData\Local\Temp\02060885\mpl.pdf

MD5 22b659e017044a01f0d272915d026f9c
SHA1 684a4feaa676675733480476eb5917cf01913364
SHA256 99306dca058d59acf8334062b62872a84bb777bb957df11851aa4cb943705777
SHA512 4a68868765ab7a0ec3518bb231f7d4cc612e9b88ea74fc4f6f0c4bd02d080f825c209d02c943eef63c40e65e00810c155549b7d5c3a70a9dc2a6947176252232

C:\Users\Admin\AppData\Local\Temp\02060885\lis.ico

MD5 8a71895dfc95f659dd083299e9656857
SHA1 d8258a656c4c944149748a94c82ad8d5a88dd20c
SHA256 afbd2c0acc9bc1d7074039cda22086a68503537b888e4f700c27f081dfb472a1
SHA512 9c0ef623d603a8ba23e2ad92e34ca2b75ad96673f0ef79b93a0d197e8cc06e3e1d1d56af1b6a274382b77cd6904ef9d4d0e076f209ef360315afb056a49a70f0

C:\Users\Admin\AppData\Local\Temp\02060885\lbj.xl

MD5 ed5c1a2f1aaaa72cec1ed58428861cd1
SHA1 2b1f8c65a96105f52dee70895cbbd09c5f753ecc
SHA256 269764120d067c62992d8dbe319e10f360a47c77ac632c3d8cb1e596f1fd4d7a
SHA512 b145d24dc482b15ef5e59d4d131b657ae7d2af0f80cc9f382883e70b7176b7eac06950c68c1ed5a70e2176afb516ab96a377dca4ac23fb31804ecb83c37b3740

C:\Users\Admin\AppData\Local\Temp\02060885\jqr.mp4

MD5 c8b1dcaf787c13ab2ada2ae75a68664b
SHA1 6550be65034026d6beb38ca95c2910698e1555db
SHA256 67d90ca6293b2ecd4751a8387159bda6ff4c9b2af8dfe6f5970a66e4e78b43bc
SHA512 b3c6ab846eb6d8d52500d1c2c1edf40f5fc9c2274708cc2f53bea6ae6f4bced8c6bc33265a632dbc59cd1d6f7bf36212d41dd9c75ef5a9a025b61155792c1679

C:\Users\Admin\AppData\Local\Temp\02060885\jga.ppt

MD5 28293e0033c37d3b8e3145b33c3774e6
SHA1 04188158288e84e364b6ad439a8ee5bd7586d433
SHA256 61341623e593af54dcfd6d0d287b8a8c173bbd4d71a5e1aab47c60987537f589
SHA512 573848e0d099773cf559c340fbc1f2787caffbf392ef6d77e27864e57a91140b3c0f6f5de8e2fa02c8297ec957fa438a1811ad1ce1d6de09fb322f4254026771

C:\Users\Admin\AppData\Local\Temp\02060885\hmg.pdf

MD5 662088a1d1401f1f8d49aba9e53561f7
SHA1 11c2ffaf424d26b1c4430c381bd0e970c8e809a5
SHA256 f375c1bb94a1ef1a4d0a5238a3861828045229bf190005d6caa1988da33db417
SHA512 63f2224f61af1983067df0fb8e8a620b0374a89ad43633231114a44bb4dcddcf7b568e4b8cc80e530ac25839e704008b0d4194994d95c05a48dd9b232514ba4f

C:\Users\Admin\AppData\Local\Temp\02060885\gmb.icm

MD5 9964b6112ee4de0ac0edcd234b811b3a
SHA1 ae88baeca721c88f9bb16c4755da33e400f15592
SHA256 332b9dc4e536b50bc65069f7a82902493c049f6ebeebce2a3a5c815e067aa922
SHA512 50e11ff1e1a869f8e2191c6a96e708132272f966af0f042c60ddbda9e970f27c50f619d3d608fe0507d358ad29ca544031650b5ea224410ed8b9063946736ee8

C:\Users\Admin\AppData\Local\Temp\02060885\gch.bmp

MD5 a2810de9f123a76b046b291c90cd6d1c
SHA1 3e535849f4b655f16e815dd8625ca7eadf167fcd
SHA256 6e1ac6c9550a3141e442d730755421ba3420fb2f4c014c2e977420a16f550d93
SHA512 3643167d7a2af3b7499561fede787a8648ca81d33067908fee41a419588eb3ed8a376fe817be118c210fe5eb4e45247e1801680776a222e0ddf4ee5033ef3427

C:\Users\Admin\AppData\Local\Temp\02060885\efp.jpg

MD5 d1aabac5934c07b82c448ca5d9d3205d
SHA1 fdf1d44d9d7d9b502632c6088d54ff134730673e
SHA256 077cffd4fa6f405c44468fa2a6f93b697754500943ab632c19427e93031cd873
SHA512 2f76d99b2ce423bf2dbd3dacb7fa16af46c6ed1712954c491351beae453882507853c426652e758c9b44519656bc90a2517a3f2371f40b4053d576c8fcd05aec

C:\Users\Admin\AppData\Local\Temp\02060885\edi.ppt

MD5 b56799e395d14ba4f47ffb59f098a356
SHA1 0b64f57d65c2d8bb441fc4920774243843121eb6
SHA256 76a2e6e817db5f0a1b521f33d02939a3ad791ca05fa92cee7abb0f63270cee1b
SHA512 523271a2863eb2749ce6d3784171ddd7669baca5103887d9cc6109c25b8d6c2c0cec6de739cdce153fc1a56f2219d9bbced38d7027d7fd5c44b1f8e04435ce91

C:\Users\Admin\AppData\Local\Temp\02060885\eax.pdf

MD5 6901fa8239a999f7ac803b0ed1887bed
SHA1 791c28c252dd6ac0f196b6cd05a6f11a3e3ee27d
SHA256 98f0137bd503ee9c44607d1dc92d9ed2906a2892a101c122989051570593adea
SHA512 06631862aa5eaa072e2880164fe6ab1b1b14307c40afa3cf6ade295a8341ce8d7f0e224a916f1415d421759a57cc12993bf7389dfe569495d38bf709756b015f

C:\Users\Admin\AppData\Local\Temp\02060885\dpe.xl

MD5 dbe07586af6e0d8e536bf0057511b402
SHA1 0995c962094039f5cf800cb16ff75643fb34abad
SHA256 ba76dfef2180c841c23f64ca9efb66c523f062ccd3c1c26460cf695ce647a56b
SHA512 43369ee0524b44f20c2ea5d6f73ffe913f6ea42d91b6374c27caf2b7725d78b64bd7cc4ce5117c6b68a23cf8a3091233ff4994820ad3c7de8ba6ef4c7251cd21

C:\Users\Admin\AppData\Local\Temp\02060885\dij.jpg

MD5 a9a41f060d31128993d6bc3b4b27be07
SHA1 f0c62efa7d8f4589fea5e4472983154ddb0afb49
SHA256 c3e2ea4423eed651c1773a0d950482fb108e8e70d95869baa08ba6924e115eeb
SHA512 2a7e22c5d15c1269a0e22584d2218ecca91ab46e55cc2ebc22e6b343de0d202010c012945454fa6715595578f4f3c63da35381ed873d6603e5059bedfd2b8a8d

C:\Users\Admin\AppData\Local\Temp\02060885\dhn.mp3

MD5 aae08ef7a64ba3403d0dc82045a12433
SHA1 1f090d19df81a1845850502cf7144313e5652e03
SHA256 4ec7894f59148180eab426a6b7f00aa96e8933ca1033722a4414c13ed13ab323
SHA512 4603a096e1b64f3728adbc2ac3f05a9d5e110c1af6c09dbe9a7d7ac4089cfdaeaf870083087561905396b18ebc4f4a62b0f2f60cdde8133edd0533f51c3ea931

C:\Users\Admin\AppData\Local\Temp\02060885\crv.icm

MD5 1b38b58547084f843c97dbd90b0b16ca
SHA1 6bb52c63682837a74c796019990f83a70c70d2f5
SHA256 7a63e6ac3346b9abeb69a467d9ae4627205d4969010ab59b1f9030dd83941cd5
SHA512 1f76c53b765fecee0418a86473644dc00d5899c8dddb9bc84ef39d86a1e3584230f9f3a8a01afc70694eeecb97b3e8a7df2524c9cae7b3a95c28305636cec089

C:\Users\Admin\AppData\Local\Temp\02060885\cjo.dat

MD5 dd76c7b27b424d292bd337daef4fe05c
SHA1 2659ef366132ef17a00c7ff0abb137b6ad3688a8
SHA256 8b335b1e23fa46fa6b7b9e91ce721b10a016d07ce81d55b3a876f7a4572e79a3
SHA512 d0ef029222da09aaae95e6fad0590c060a163756230a86e569e1e2f2015660349ab831c85cd0c42271bcb8540280de9ebad6af3ae44c7fe3df4545f67ef4a0ee

C:\Users\Admin\AppData\Local\Temp\02060885\cdp.pdf

MD5 78d6d8890c9366438633085062b4454a
SHA1 ff4b9cc74eca3a2816e4845ccb3cc2ebff78132b
SHA256 dadf12aff1c2848e9789c8f0e826383451239a0109ef140a7afc8bcf759e14de
SHA512 9e690c8d0501be278344a13f7950a0313db0baee4d296376dc4c10da11d0c07631bfbaa0bbd0fb5480c773d2b75fea85f7a0eec81c938e154f4d195cd0146893

C:\Users\Admin\AppData\Local\Temp\02060885\bqb.xl

MD5 eacc055c8151aadfe525c60d32f3844d
SHA1 00573d9b9f4b3f7830063b7c97cfb4dc4efba9c9
SHA256 1a4430370304547b167c137d25b87bcca2f435926a3f2cc5f905847eece2381c
SHA512 35698739d38a25efe48be665aed8e6be9f89deb2822a94626c09f95981d4761205d888ddb64a1b98ef6211bd0628456b8f4b056fc6a3d2839dda269a14adaacb

C:\Users\Admin\AppData\Local\Temp\02060885\bdo.dat

MD5 1f083f57dfe2031ca1c4ba681721407b
SHA1 a8c7cbf8dcfcd04eb1b021a1cb1f7ec3b4c6510e
SHA256 9a91e95b7e56274ccfc04878d418e410d0c0ea8e061fc539717446983c6c5343
SHA512 55decd1dd56c1ad939ea8c117f5186dace537f65e4c6a08856f37972feb14e4ec0894bbac9afaab2cbe2a3cdab2fc3cbc7c5a5d2b39a51fdc9737360109feeda

C:\Users\Admin\AppData\Local\Temp\02060885\bct.dat

MD5 2c9d6f5ce1ffcd663275fecd12bff169
SHA1 57468730c7ed17d732fcd5a5dd67d211dab2461d
SHA256 2c479e01570516a890737a6542246c904c2f0548da97c269c3f4bbf841c53f62
SHA512 68c412b8e51ee8811ea9693f686f39f07908bfaf8b91f6b79d63a7d2a5ae58b9d36ba9676a6a0335a10845a119892e84ac5d834bd35fb0ab786f53cfb06932e7

C:\Users\Admin\AppData\Local\Temp\02060885\avt.txt

MD5 05062d868d0109889487b2929c10565c
SHA1 502715533a5a64c75d354e8ebf982f51ab669492
SHA256 5a3ae6bd375ee65f226184e4682314fb2959acfafe0cd972df5ca68160db0c89
SHA512 3a5c5726894c6ec688b63f3457e831fa0e2c77010ced294ddbc119dae66f09e94ac9a3acb58c488cd2a8a5af73dafcca49e3325e45db78bf198f0ea0db3ae23d

C:\Users\Admin\AppData\Local\Temp\02060885\ank.mp4

MD5 ba3a91cbc77452fc4720fb3362df8922
SHA1 b69d861886884a7b79afb506b2ddd52c4dde47ff
SHA256 4984e73865d16905a72c52e13acb26ff0758c343a09599e8a29617fce177c44b
SHA512 c78af8d9eed7e506d145d7091d19a1060eecede292ddb9b394197acb1cfafb0dada8aa446cbace1cd0a5f92dc43db500654fd2d9107f20fe396922d856f23eb0

C:\Users\Admin\AppData\Local\Temp\02060885\age.mp3

MD5 607e8632b848d7d1179d977ea8dc6c62
SHA1 450329d0c279630ec9b6baa1e6de4d8dc55072af
SHA256 05f5fbc560e06b938d1e6ff52a4cbbfaf33b75a0e601a0a967c971c79716c8fc
SHA512 c4ec4b3ddb38080fd174ad7df31895860aed71fd27ca759516832be2147300efd060061d9586a736cf860c98ae492f8289d026bda3b987a88910704e17d63222

C:\Users\Admin\AppData\Local\Temp\02060885\acw.txt

MD5 d3bdd07d98248be71311f6cb911f8e4d
SHA1 fcb9480e217c165b386d3c690bd20988743e911a
SHA256 96cd29d599aa85006821bbcc2772a9c3bcf8a1a2ff7d4626d3ab840f1afbf7f4
SHA512 c7a4508068b4206e4d3714190335a61c67f76af32059a33e86cd6175be8242c0ead4cf5aeb9290987aac51b79327a9d29f7f499be8d3b1d15a7cb89d15f27c95

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b