Malware Analysis Report

2024-08-06 15:24

Sample ID 240518-syb3wsad53
Target 3764f61dd92f5f521bc221985d4aeed8049f19de67c017e1df6c29e27c5c650f
SHA256 3764f61dd92f5f521bc221985d4aeed8049f19de67c017e1df6c29e27c5c650f
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3764f61dd92f5f521bc221985d4aeed8049f19de67c017e1df6c29e27c5c650f

Threat Level: Known bad

The file 3764f61dd92f5f521bc221985d4aeed8049f19de67c017e1df6c29e27c5c650f was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-18 15:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 15:31

Reported

2024-05-18 15:34

Platform

win7-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateChrom.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\96683180\\plw.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\96683180\\QLB_KP~1" C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2156 set thread context of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAN Service\lansv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\LAN Service\lansv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 3056 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2156 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1600 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 2776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1600 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe"

C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe

"C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe" qlb=kpm

C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe

C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\GTEUV

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp32C4.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp33BE.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp

Files

\Users\Admin\AppData\Local\Temp\96683180\plw.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\96683180\qlb=kpm

MD5 18748daaf86389ec495117f06ce004f3
SHA1 9305d1ec13c3c836b9807090ac493fce0b02a106
SHA256 1010fe4faf209916b095a78505159b5460c85aafb7db6ef179e2aadbc9c59f1b
SHA512 4112b71aedfaa1e7efd9cb09939a6b000ede667727ea2e88c79879cc4597240d49fa486b71a533ae4d1709538974e22353e867b7c7e35d29650381650112909a

C:\Users\Admin\AppData\Local\Temp\96683180\hlj.mp4

MD5 bbc852e0d7805ea993332a5b47a4d284
SHA1 b15d14bbc2ed018bc469d56d8692d71d761604bc
SHA256 6d90db12c1a9363955434b486c121ffda1c04b2c0d633e54173a830dd33b0a56
SHA512 9d46b008b938415c0f62d499ec5d12ed62f4b74f6355b8bbd69a16041eefa9159b925bcda03128bac69358485d8c6c154dfdd36ff6a48cfbdff376e4b37a247d

C:\Users\Admin\AppData\Local\Temp\96683180\xpm.pdf

MD5 a7bec5b327c936c6988922950e24211b
SHA1 4e6764dfa409cabd4d83cb9860d73611a481906e
SHA256 ae2440d6aeb846c4b54ff62f1dcecef67f81979e1580d84d4d2fe7c342d91d80
SHA512 43ef3eb2bd63311d594f30984e34dcd42122f9858caa4dd4b035aa7496d7bf156ccb92a20dac4dfb05ca89464f9040799d85a06b923131ccb35eafb1229e8cdb

C:\Users\Admin\AppData\Local\Temp\96683180\wtb.dat

MD5 19ebc247892249d4d638779fcd48bc57
SHA1 1b7330d563176520e1da9a21061a217132ef0c50
SHA256 c8c65d30fdadba622a46e7d81c33e0d4ee41ccb996ea0e53e0b272b80789eca2
SHA512 c430704b130ffbc16379643a74691dc65bd17c67042f36d7f0af963d3fcd6dc4e3b17b9fab288d85db767f43a4744a4a7f06480a08ecaa6bacd69c0995d8913a

C:\Users\Admin\AppData\Local\Temp\96683180\waa.bmp

MD5 4911395f3e1f8b6d3960cd7646ea902d
SHA1 416c1f0cf776ab47a3ee4b11b02028436c291e8f
SHA256 1f32e0c3eb60781e6de007009e494c2b12e696792ca2ca476818d20e3316289b
SHA512 13d31fd8d89318a4086f7d1b687dd44372ec8a604657ca8fe67b14613efc75f8a572d38489cba55dd9f669e35e9d76b1ce9e9ab8b0a252f647e1e801d3c09415

C:\Users\Admin\AppData\Local\Temp\96683180\vro.ico

MD5 e67f0fe6163c472e611c76cac59a892a
SHA1 25ef2f78090a17c787ff075d0e1238b3272c50e5
SHA256 533f7f5ec3e46cb8b884cddd2daf2cc161a360870070f9b45d52c009c208a50b
SHA512 51b83eee5f7f360363b80091929cd6fa20f8b88488dfc6c0039190e92e38e6bf771f678fb2e086db967f3094206f45488ea46f4c0377e64e7ac1775376a0ca73

C:\Users\Admin\AppData\Local\Temp\96683180\vkx.ppt

MD5 4a41b506504461e1be8c9ec639ac9e33
SHA1 5a40330552d53149cfefddbf5748b018f0a2bc43
SHA256 dafa385401de3db46ab80303a7ab6e990f8e39ff13db35fdf7d3b236c4a30086
SHA512 61e49ae406801b94603c59b3ee35b50da1a0962ca1707b89f646cab66892b6b33947124608d3e5a07b9015ea8fa3e82ccac41264a7f3c83a7e884ed93c370c54

C:\Users\Admin\AppData\Local\Temp\96683180\vho.xl

MD5 d7a0eeb278eed18b09655d07cd7f9064
SHA1 8170da0c6ca419295ba311816016aea01a8b05db
SHA256 2219ad96bca0fae2b91f0037090f931355a776d174f1152f271327417a2ecd2b
SHA512 b922f84cbfe53e461313d5747b4b561edc7ba7b769a7de84db6ccdb78fe2bcec8cd8d829a2cd3e7a31dc511c2c2a1109214384648dda594bbad219ca01a369a5

C:\Users\Admin\AppData\Local\Temp\96683180\uom.bmp

MD5 62724ee70dc7d8eda827be75b594102f
SHA1 ee3c3ef1d36f3f9f805377d21ec7c2637000fa16
SHA256 6ca5be9551a8310e9d715b59637159494fa156b6315eaf85fb8c6b28faa3738f
SHA512 7de2320271469c52145471cc522b5aa157c529bed84033f153aee1391e3c63b017b7882060a9102aa6992ecd31139541433879e8c7dbfd58efc44f2175afdbaa

C:\Users\Admin\AppData\Local\Temp\96683180\tpm.ico

MD5 af6f1976599fd24c28391f3dd1b94012
SHA1 1b34e1d2c20c279f2b968fb3c39608c3fe286efc
SHA256 c030dcc81a822fabacc4b5d11b9f58dff52eb4cea7bbecfa38986471822c7642
SHA512 cf1e594103a9bdd92225793c804fe1269766167f11417b43d072d6a49aeedc298be9ada5ebb2fc9834389d2bea2667bae2293a874e6defb1e706c722ed4d0252

C:\Users\Admin\AppData\Local\Temp\96683180\tog.pdf

MD5 caa25d9c704b67ae4bd1056cbd99b597
SHA1 18fb9661db413aa2bb0d2b12b3ae47c01399d612
SHA256 592abe4ba990dbdd20d60756243875e3963a30a4bfe8a4d7175458c4cd603b73
SHA512 2e0962c277cb856f2d4227997fed43ffabbc4fedecab1ecf0f9ea8bf9daab80743877d5d07dcacf7cc214e04ca2e57b9acef7cd6b55d7a49d3c468491a693713

C:\Users\Admin\AppData\Local\Temp\96683180\tlt.bmp

MD5 8d07c6d61959b82e1de8dca9fa3cee92
SHA1 5c8d79b107f47a78b28bea9985dfdd1eba429734
SHA256 abb0fb5dcf44a6c9191b544842cacdb2f51ed5596a265e1685e5652b6f3c0664
SHA512 96cb2b53f2dac50a39399d10847766d482c41c9bb73d099435c43f813d96f4d8ae8bc6b496a8dbe670896f2c9c4f8d9a03408da64526b309fcdd2e811aeb0730

C:\Users\Admin\AppData\Local\Temp\96683180\tlk.icm

MD5 d2e7b667721e16aadcbef303b1446f38
SHA1 a6c88c50582fec78721b8539a1927b9addcb1126
SHA256 19605369dc506d8fa50e9579afea131b59a380d4972f256d1f96f55ebdd9b9df
SHA512 ac8aa970260dc188ad78b5a3b8df7be0f981cc3703dc2a3fc26e446dbd100b0bd03f33c24d094f1e2f638ce2069748db11a34406e4ec9378a8172395efff1ad5

C:\Users\Admin\AppData\Local\Temp\96683180\tkl.mp4

MD5 e7422054b4d5f5381d11aeb5ec1f373d
SHA1 09f405a02c5c734062a02f0a949989abe9e20133
SHA256 7e58eb93257e0d928ac37a83cf220aa4bb35c38a4199905867dfe37d38c0d182
SHA512 5b8fded996b5506535d2fd2328d2acfb6c159a1158729bdde64dc1c6aa876b510848d71c51ed6d9599feb9cfb277b078818afd9e5ea9a2582c762b6b75315569

C:\Users\Admin\AppData\Local\Temp\96683180\tjm.icm

MD5 c9f7bd7d6bca54cd138cbd95e0656c83
SHA1 16b69c3760d401652227553e93a0ab137102242e
SHA256 b1281dab6d8e276f9fe3349c30b6d4a7ed48172997194a9f8041ac03622bef07
SHA512 e86bada41c82b7f9ae772822a08a510cabe31c4daa03a9d12e93fc5be80666e5cea1edb9923ba9743863f95300e55b3f02be0766139b49f05a9f3d3b56d933ae

C:\Users\Admin\AppData\Local\Temp\96683180\rma.pdf

MD5 d365e298c5cd1ea186554f977104fc8b
SHA1 d32199f762e6390f16aa1c8a54157a484ab17efc
SHA256 d2acd0246a6e67f032328d72b374cefb1de24afb5664fe7e75e7ad057d67c10f
SHA512 e11a26ec81a0ec826a2426234512e2e1678a76094adc5ae5049ab9b34514d810c80d94381840210eed4b834cb31195c10669bb1afb9747381202b436ef1fb69d

C:\Users\Admin\AppData\Local\Temp\96683180\qst.jpg

MD5 42a1f782c49f13cbca74fe11d3ba6f51
SHA1 20acf9aca42462801ea024bed46e44a47158f946
SHA256 7f802e1dac17fa974ad05abb3da066b70e82773405b5a8925db41636695c8fff
SHA512 939e566c91727679b8fd9908d830a64cb680d675bd6a477bf1b4e21e24d83eb9578ebb5c17cdccf5407dbbb7903f995f2f0c5788bb924116cd03c8d2011f1501

C:\Users\Admin\AppData\Local\Temp\96683180\qrr.mp3

MD5 800b5564c7918cb435bb69ceccb62265
SHA1 b83dff7cfc3c806121ca5f1712044d54b0cf45d3
SHA256 54d83af94634fdd99467a341737e15b86dddee5446b353f0b8ee68628647aaa9
SHA512 1b9cae330348eb33845cf76406e82fe99987668ee06b8ff8530b28b42dc0c5b62187a7c12264670ceb4ae1b4604d779865e887070f711b3e1f9b460dfd1aa616

C:\Users\Admin\AppData\Local\Temp\96683180\ppo.ppt

MD5 9de83e0f8146842b10452fb8419bb65a
SHA1 001bce9a0e6b1c653ebf5ec7c46d66a5619d9881
SHA256 8c5bbb42661bc982a4b49d765c65d3ad0d33b7008de4fb2e50a449e86fef12ed
SHA512 c7ae601931f6cffa19c5565076aaae63e784901a1ed98a24cda7c13d4dac98b8c6c6204909cecebf236312f6a8508e845e76f6f347b4e97b193c869a2ad937fb

C:\Users\Admin\AppData\Local\Temp\96683180\oks.icm

MD5 afb4b454c9a7072089d9d8e05d5e20a9
SHA1 5bf8b36f498614973fb9fa71db74aacdd7b24a29
SHA256 4740d7c7c97949ee7628c8fe8c53da5f3d8ae56a222f678612c1ad7246b2b92c
SHA512 8fe939c8e4f75b2348870fef048aec5981c780e4069bf784f6f7b4e837a9a10f73cedff39e07be40a4b5bc2eec929f0d1f06db7a78f03e9f0cdcaabf1995dabd

C:\Users\Admin\AppData\Local\Temp\96683180\odg.pdf

MD5 8b4f273e2b8e9bb18b3b0a657dce9603
SHA1 0bc83f6bbfad83edd179b48cd0270b75ad5cdb52
SHA256 3b0b1ef0e9b410aef1c4abac6eccc33a8b43139867232cf5f0c1b5e7b53ce0f6
SHA512 894f1accac37ec619697facce6091899fb59864811579017808e2c956ba3056de307392c4568ee00f29a7b11b00651ee4eb4f76db6a0cad8e516b12be14a664f

C:\Users\Admin\AppData\Local\Temp\96683180\kwk.icm

MD5 e76dcd79dd28c84e3b11745405d65c93
SHA1 478fca7478fa84cca2fdeda32782f7c20194a57a
SHA256 88bd344424169cd0414ecced07f3a9145fdfd051b1eb5d2ce7d5c96c99f17a31
SHA512 939ba33dda49df2453d5eb047346e3f632dc05f2100e4438de99e5e2f91d2f2af5a5a573d50ff7ff2e96e09488854db2db82f5acf3ac4dd39dcb191e1123ee6d

C:\Users\Admin\AppData\Local\Temp\96683180\ktd.bmp

MD5 a6605e1176298330b01e52cc9515407b
SHA1 f7662dea3535490673b37d377e4209cab8d06875
SHA256 b09e20a2ef95cd41e0a4e8d2c21f32c466e920d706d8d69acd7add0c9d6ffe51
SHA512 7b255b6a8bbf821af3434a933fdcea77df3e5d4a9e9b27b7428c1575d24f75a7153a0877c938eea480ca1b9f317dd586259e0c7053d331c378d8f4ec89e86825

C:\Users\Admin\AppData\Local\Temp\96683180\krw.icm

MD5 7d8ca94b8d41091b9135cdb4b77b1e85
SHA1 5ae5275efec88c36bb3fe22262a1f1a8bf602af9
SHA256 41c0e9bc16db0b93da53bee7d1eb9deb7757e1537e1458f4ce826f92fa3167a3
SHA512 40395e6c96639705969010de9cc5b2d31a7ff443fa5f8b9b99fcec13a8bf240a08dfaceb1bc2fc5f3f0a27174e3e0edc410818be476b55c8ff64b5e01598ffa2

C:\Users\Admin\AppData\Local\Temp\96683180\kqh.xl

MD5 3915423516f2a58a89deb5f369ff636e
SHA1 15eb7be4fb799051b195a4b2ee3ddac178276b6d
SHA256 8099f65d5f7b579f24cef4cfbea5e77bddd35fac72e8063ac5475da02ae59de1
SHA512 3f638aa7b69e707863c0548c92343864d5255637cfa585ec55b5d7abe512297a02648cefcb618880744af67436eeca92ad027d8b1674897de3c5a191aec27c29

C:\Users\Admin\AppData\Local\Temp\96683180\kkr.ico

MD5 79f82df0621815273766f76d81d7c015
SHA1 85adeb92a7ec361a17e8d7ba3b6bb8a7f4837cc5
SHA256 21c1de66c1b038cd1b8733702ab496a1b053ee98f47385b2e5115127044f8706
SHA512 707d0ddd8baf58be2db26f9cdef79a05d4a2282af22034698418d7bf26324549bffcc73b4c8a6aaa5610933734c075dcee75dcfcf30cb3999f3813357204622b

C:\Users\Admin\AppData\Local\Temp\96683180\kci.icm

MD5 fbd25c6a6c9d63a2d79b790160061637
SHA1 72f2a9604407c2f556c9a83f675657a00296ac5c
SHA256 cd4a3805317b7b2f5b69b52cd16ca04291b6fa6f38a884890e79a25d02903fa9
SHA512 e4150cb545dafb4b7ac5a92bc6e42d60fe0f7884e88a27373594761b6f60c554454544d063e6efd0f360bee311e68b7fcbc2e097ce5410cbabd315e6b5b9cc1e

C:\Users\Admin\AppData\Local\Temp\96683180\jqu.xl

MD5 48a87ea7257dba1af300b97e2079d5e9
SHA1 4ef326772b68475b75cca2520f7f67cd5c83cc53
SHA256 b3dedc350502e82db4f9788f4878e8c46e5c909d3337b3a88d85bc626d471c25
SHA512 5205193e1a55697f51c020dddf0e9ecc34c298f19b32ab02084fcf8e5108ca7a8cbb68378cae765a8c011e51c85ccdeb978d01dde56c372136fffd3a20f72a9c

C:\Users\Admin\AppData\Local\Temp\96683180\jdd.docx

MD5 766daeccd93c87c211cf420144fb3656
SHA1 2c4253872453cb88e539317c7914e14f6422d773
SHA256 7043909ca56b5318c77ae404a8e82806e02149a34272c858469c13f1ade497c3
SHA512 b3d28f718957a66098290c06b8b9432c427fcc804016529c6f96b2637bd1faa17a8f1bd07cb13fb60fc892f04b17b5f72b42ffb12bdf153fab333885ec71abb8

C:\Users\Admin\AppData\Local\Temp\96683180\jbf.xl

MD5 4e931db543b8b604d1c4202d39496ef9
SHA1 6068aa1f138798a6942251d5499d87b0bcb7df5b
SHA256 3e1aa0fe93853013e19ab8ddab498d68ae81e7056b5722b70287761aeab11884
SHA512 e04f5b7cf809153492779db1f20a01dbb48aad5efeffbc6840a76d7b659fa138e8ef25daf893ffe029f761f805796245a3108e70f9d91a83ad9ac89a6389cb0f

C:\Users\Admin\AppData\Local\Temp\96683180\iiw.ppt

MD5 1f4c01526839139ffcfcf19d7cdac4c2
SHA1 0813a55841aa7befaf07ce41ab74b32183152f34
SHA256 76539e5a5200b602ecc8ed43c21406c4980272323885ff5cb3cdf6ebcca314bc
SHA512 863694afd01a24949d4c5cdf69a7e3e93f0941436d648f6a8cf3d6964d626d5bccb357218da426c939f0a9ab07edcbd0be27fbf47bd6bc293d0d7b46917c3959

C:\Users\Admin\AppData\Local\Temp\96683180\hfc.jpg

MD5 2bb4d95818d103238b3259c45fa5c9eb
SHA1 12a8cb2141870cfe9d1560bd5bd58f77087a9d6f
SHA256 cb7e1b87b43905bb42540ac07339cd24ef717693fd86e7c2c686fef0ec187d0e
SHA512 eec95e0e29d71d4b569c3c9406241cb8de47063c9cc032964de14bf9c720ef8f56c128a3499b9db8401cf7d56ef150010895573c27a2d241f4760c12f1b20620

C:\Users\Admin\AppData\Local\Temp\96683180\fvx.docx

MD5 2a5c61b0c57e42b0c3f955dad997404c
SHA1 9a934972961f5ea058cbc709c9214b3481e48a5a
SHA256 98d4bb779aa2d23386973e21c0a9b8f05ff6ace1e6ec3f380f4e9553ca7a33c9
SHA512 a2d602294d4fa8d118e6ea8eeeacf1d259b3d45b3f1404f92946f41fae8dfcbfbcca2bf4a644908cbd3d50cb069d2a4d977b9ae6a0068f61a57a4a5f092e1a7b

C:\Users\Admin\AppData\Local\Temp\96683180\fvv.mp4

MD5 2fe951542104aa461d64c6d742f412c8
SHA1 1ef220ee11cdb711f5482ded6f4094886503dc51
SHA256 f548ce8805f21f9ca121a5f1f1b4c5c6049aa6c0238d9a7cb68465873b194f03
SHA512 dae453cf20f83971df3ecee8f5f338d7633487c12b2ec1ba962181852d8814af2bea868a9ae2dd4f9f1542ed3b1b511c98c311fe2f6dd2298dec7ff6767866a5

C:\Users\Admin\AppData\Local\Temp\96683180\ftv.dat

MD5 5d69ef276ea48a8e519d586cdd48f350
SHA1 d0c6334b58033b3e2417f505fffd93a543168c2e
SHA256 c67f03ada1f069861a6998aad33ca818a52d7b2c0359507f541a2f4c04944652
SHA512 8da6419ed36c9798287f385536448983647b9339129c85163bf0dec902b790eed9acc1f5ce878abc56a03d678a1a89935629374ee14315bf8607d862f1d14058

C:\Users\Admin\AppData\Local\Temp\96683180\frh.bmp

MD5 9ee9a4fabdc5cf52c4089e40a4b50eb2
SHA1 19c9018916ce35a5d9fc34aee4cded679b250bfb
SHA256 1338976087f699d0cd76adba158c0e2ff30a42732cd8e6c0fa9ef9b2f368dd4d
SHA512 65a9154f7a38c37304731c9e39e23f47654cb7a569aee343fbec846d74f6c7e68dd09da9e8b522226a182d4c2f306d2213c6a649302c159f7296fe9f1047f9a6

C:\Users\Admin\AppData\Local\Temp\96683180\feb.ppt

MD5 eb512ee0b0ac057c7a2a0cf3badcb21e
SHA1 85ff5d0a53425d8bd14bb1b3527dede90faa907c
SHA256 13ffc72e416716e1c72d035688ce31037a7dba53cd6dae1020f93da8fd7fe598
SHA512 6747a2e2f2aab094b7f815682b36966d7fc2b62b0b4660e7368f2fcac05e3e2730b5f4090b489ed1879038a82d1f9f102ede87c29f7e99b7261f70e0fc6dfd8c

C:\Users\Admin\AppData\Local\Temp\96683180\dqu.ico

MD5 9ee288f1121560250bebf8a48045213e
SHA1 6ab3ce30391dd63fbb6c21952458c710e60e050f
SHA256 a2feeec04eb0c05cdf94dbc71256b5b91dbcb6521075afc62f9faf8f1c0ba14a
SHA512 64062dfd2aa224e753aa2dfc75bb11a0897b2012a0beb820105f37d2bdf8429bbc1c28ebb77b89bd2f41f6b3d53213649e6a1061e8188356d8f49a96b881d378

C:\Users\Admin\AppData\Local\Temp\96683180\dna.ppt

MD5 ec1fef96c7eee53df7c38dfc56493265
SHA1 a4d3c0b731ead8fd4c3fa0bec2b6176c87de4344
SHA256 f4b58b5a33af5b318a5772c8e0f17a34904e0d858d6eb399108488d7db0199d3
SHA512 f63e61b42dbe8e5523f8fcabcf4ff381e46ec5ee342bd19023a4576339ef1386589b90ead6ac85040295675301aebd6b661567bc6b9693654c31a53d6291f2d9

C:\Users\Admin\AppData\Local\Temp\96683180\cul.ico

MD5 2c294e68ceed491cfa90bde6f2f7fbd7
SHA1 66c27f40da3e938d6f6aa369b1ff649dbaaafbbc
SHA256 c49737481d8a5f743482959ae8301dee8d0947893806c28cbd7fd74394dd4048
SHA512 535dde3cda310127ea7cf2bd8e70ceaa6fddecbef506d8ed0abc5ad63cb3cb994b9f7bc2137368e038a3fb6859ca0896efb346671f1a650b1108127eb1899110

C:\Users\Admin\AppData\Local\Temp\96683180\brl.xl

MD5 19847baf2d15f885455748ef8d30bc1d
SHA1 14b82a55acccbab859a1d4fb2c58a42822f6b399
SHA256 3209d7e3c0eefd25ae7a44bbfb4cd47be3683e7b9aa3539c855af29ebd766565
SHA512 b22701977a37902e17fe81df148b0dd79946a7f7c3e4816b44a8f1883360d229b2bd3b8caf76d76df6d0414f37cb446b2141c7da930cffdc44f8eb53038e0ebd

C:\Users\Admin\AppData\Local\Temp\96683180\blf.txt

MD5 6393a4854b2a4d6a7fb603b8ccd12419
SHA1 ecc9c40af3089ea79f4c7ba2dd68571399fef5f0
SHA256 58c4534a8807841a65c4570c8f263a99554a43066b54a35b7d3ff9413a100df6
SHA512 6a6095c2b402f1c38ce61d51f18bede30a8ad70382cbdc81d001d9ccc6f7344bec9b7be409007c9c33f845152db2ce21de37b2ab68248f208699a98792807743

C:\Users\Admin\AppData\Local\Temp\96683180\bki.pdf

MD5 656a80570d8e9095a4af51e19ab06d4a
SHA1 8b26073c6f1d0958d29468688052986d1c76f5e5
SHA256 59f5167ad45221305f7f804e57af6d1a8273cbcade32b23563cfceed588a9cad
SHA512 aa05e66b6a8a776bc1d89493caaba0737059917b8f55a040890781896799ab6a72b60652ab36865b348f75174a5dd17b23e444e6f57c6a85540eb1defbcfcd6d

C:\Users\Admin\AppData\Local\Temp\96683180\biw.mp3

MD5 658d0d01fd2c1f838af7cc456aa3f9c4
SHA1 ebd304fc4f945475cb11e6933a52845917facb26
SHA256 d1d2e2bad4ea6028601e05db22e66908b949b6845291d3bc4270dd38497237f3
SHA512 5c49a811f38af02010575d6e65598674968916d8cb606077d85e84d2d05ecb49f4c14cff03daba3b2248d2b5d87ecfe9f38d69466280ae08b82b7477582fa64c

C:\Users\Admin\AppData\Local\Temp\96683180\aps.ico

MD5 fbb0ecb9959d43df066ae76ed44ffa83
SHA1 6f77ebe61ba7397fee233b134cafac15f5fdab8a
SHA256 12379f6bc04b11c74917cd4e44855e24dcdde7b564796f208472ff0a51d9d76f
SHA512 d93e7d952bb8f7a680b155b77aef484d054510d0ac63f58f3c0ed7de73bff96e9fd67fa879d88b9fcc7544765e8682ca02d2a196f6466f22aa007100f224e853

C:\Users\Admin\AppData\Local\Temp\96683180\GTEUV

MD5 646f9860f48bb14ec42cd07dc37de4cd
SHA1 664504ca656986c2a27670d2c109adcdf5000a11
SHA256 df8220f8486c18af9dc5bbfc69a86f28a7f703dc4c3ed1d12356163e11e8ff1f
SHA512 0bbcf83fbc221ae99e818b3fdaec996c277f03a8fa3fa2a97fe86dd469b674fcd8218fbd10725bd0d4e8caf813cf3be410bd59771c5ec92c176a8fef15185404

memory/1600-157-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1600-161-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1600-166-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1600-165-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1600-164-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1600-163-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1600-159-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1600-155-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp32C4.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp33BE.tmp

MD5 6b30dba7972c92c9a1b881e88c108b15
SHA1 f76207985cc5a1f70edb2fb5bd45678f195a4564
SHA256 578f5b0ff051f02f8e0a67fc3424dad554fa9489875475ea624fbb63eabfcbf7
SHA512 e3dd368937f863cb07453de12173580fb63b8d3983db7119c24860f227c89ded76401c47607f5b1134d215d46fe2b40d4bc3d7299374f1e8abecdeaefc7b9099

memory/1600-174-0x0000000000440000-0x000000000044A000-memory.dmp

memory/1600-175-0x00000000004F0000-0x000000000050E000-memory.dmp

memory/1600-176-0x00000000004A0000-0x00000000004AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 15:31

Reported

2024-05-18 15:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateChrom.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\96683180\\plw.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\96683180\\QLB_KP~1" C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4796 set thread context of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 4020 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 4020 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2452 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2452 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 2452 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4796 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2676 wrote to memory of 4000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 4000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 4000 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 1568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 1568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 1568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT039039049CONTRACTSCAN.exe"

C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe

"C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe" qlb=kpm

C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe

C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe C:\Users\Admin\AppData\Local\Temp\96683180\ATYKD

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5563.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp55C2.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 45.89.16.2.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 88.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 stanadmin.nhlfan.net udp

Files

C:\Users\Admin\AppData\Local\Temp\96683180\plw.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\96683180\qlb=kpm

MD5 18748daaf86389ec495117f06ce004f3
SHA1 9305d1ec13c3c836b9807090ac493fce0b02a106
SHA256 1010fe4faf209916b095a78505159b5460c85aafb7db6ef179e2aadbc9c59f1b
SHA512 4112b71aedfaa1e7efd9cb09939a6b000ede667727ea2e88c79879cc4597240d49fa486b71a533ae4d1709538974e22353e867b7c7e35d29650381650112909a

C:\Users\Admin\AppData\Local\Temp\96683180\qrr.mp3

MD5 800b5564c7918cb435bb69ceccb62265
SHA1 b83dff7cfc3c806121ca5f1712044d54b0cf45d3
SHA256 54d83af94634fdd99467a341737e15b86dddee5446b353f0b8ee68628647aaa9
SHA512 1b9cae330348eb33845cf76406e82fe99987668ee06b8ff8530b28b42dc0c5b62187a7c12264670ceb4ae1b4604d779865e887070f711b3e1f9b460dfd1aa616

C:\Users\Admin\AppData\Local\Temp\96683180\xpm.pdf

MD5 a7bec5b327c936c6988922950e24211b
SHA1 4e6764dfa409cabd4d83cb9860d73611a481906e
SHA256 ae2440d6aeb846c4b54ff62f1dcecef67f81979e1580d84d4d2fe7c342d91d80
SHA512 43ef3eb2bd63311d594f30984e34dcd42122f9858caa4dd4b035aa7496d7bf156ccb92a20dac4dfb05ca89464f9040799d85a06b923131ccb35eafb1229e8cdb

C:\Users\Admin\AppData\Local\Temp\96683180\wtb.dat

MD5 19ebc247892249d4d638779fcd48bc57
SHA1 1b7330d563176520e1da9a21061a217132ef0c50
SHA256 c8c65d30fdadba622a46e7d81c33e0d4ee41ccb996ea0e53e0b272b80789eca2
SHA512 c430704b130ffbc16379643a74691dc65bd17c67042f36d7f0af963d3fcd6dc4e3b17b9fab288d85db767f43a4744a4a7f06480a08ecaa6bacd69c0995d8913a

C:\Users\Admin\AppData\Local\Temp\96683180\waa.bmp

MD5 4911395f3e1f8b6d3960cd7646ea902d
SHA1 416c1f0cf776ab47a3ee4b11b02028436c291e8f
SHA256 1f32e0c3eb60781e6de007009e494c2b12e696792ca2ca476818d20e3316289b
SHA512 13d31fd8d89318a4086f7d1b687dd44372ec8a604657ca8fe67b14613efc75f8a572d38489cba55dd9f669e35e9d76b1ce9e9ab8b0a252f647e1e801d3c09415

C:\Users\Admin\AppData\Local\Temp\96683180\vro.ico

MD5 e67f0fe6163c472e611c76cac59a892a
SHA1 25ef2f78090a17c787ff075d0e1238b3272c50e5
SHA256 533f7f5ec3e46cb8b884cddd2daf2cc161a360870070f9b45d52c009c208a50b
SHA512 51b83eee5f7f360363b80091929cd6fa20f8b88488dfc6c0039190e92e38e6bf771f678fb2e086db967f3094206f45488ea46f4c0377e64e7ac1775376a0ca73

C:\Users\Admin\AppData\Local\Temp\96683180\vkx.ppt

MD5 4a41b506504461e1be8c9ec639ac9e33
SHA1 5a40330552d53149cfefddbf5748b018f0a2bc43
SHA256 dafa385401de3db46ab80303a7ab6e990f8e39ff13db35fdf7d3b236c4a30086
SHA512 61e49ae406801b94603c59b3ee35b50da1a0962ca1707b89f646cab66892b6b33947124608d3e5a07b9015ea8fa3e82ccac41264a7f3c83a7e884ed93c370c54

C:\Users\Admin\AppData\Local\Temp\96683180\vho.xl

MD5 d7a0eeb278eed18b09655d07cd7f9064
SHA1 8170da0c6ca419295ba311816016aea01a8b05db
SHA256 2219ad96bca0fae2b91f0037090f931355a776d174f1152f271327417a2ecd2b
SHA512 b922f84cbfe53e461313d5747b4b561edc7ba7b769a7de84db6ccdb78fe2bcec8cd8d829a2cd3e7a31dc511c2c2a1109214384648dda594bbad219ca01a369a5

C:\Users\Admin\AppData\Local\Temp\96683180\uom.bmp

MD5 62724ee70dc7d8eda827be75b594102f
SHA1 ee3c3ef1d36f3f9f805377d21ec7c2637000fa16
SHA256 6ca5be9551a8310e9d715b59637159494fa156b6315eaf85fb8c6b28faa3738f
SHA512 7de2320271469c52145471cc522b5aa157c529bed84033f153aee1391e3c63b017b7882060a9102aa6992ecd31139541433879e8c7dbfd58efc44f2175afdbaa

C:\Users\Admin\AppData\Local\Temp\96683180\tpm.ico

MD5 af6f1976599fd24c28391f3dd1b94012
SHA1 1b34e1d2c20c279f2b968fb3c39608c3fe286efc
SHA256 c030dcc81a822fabacc4b5d11b9f58dff52eb4cea7bbecfa38986471822c7642
SHA512 cf1e594103a9bdd92225793c804fe1269766167f11417b43d072d6a49aeedc298be9ada5ebb2fc9834389d2bea2667bae2293a874e6defb1e706c722ed4d0252

C:\Users\Admin\AppData\Local\Temp\96683180\tog.pdf

MD5 caa25d9c704b67ae4bd1056cbd99b597
SHA1 18fb9661db413aa2bb0d2b12b3ae47c01399d612
SHA256 592abe4ba990dbdd20d60756243875e3963a30a4bfe8a4d7175458c4cd603b73
SHA512 2e0962c277cb856f2d4227997fed43ffabbc4fedecab1ecf0f9ea8bf9daab80743877d5d07dcacf7cc214e04ca2e57b9acef7cd6b55d7a49d3c468491a693713

C:\Users\Admin\AppData\Local\Temp\96683180\tlt.bmp

MD5 8d07c6d61959b82e1de8dca9fa3cee92
SHA1 5c8d79b107f47a78b28bea9985dfdd1eba429734
SHA256 abb0fb5dcf44a6c9191b544842cacdb2f51ed5596a265e1685e5652b6f3c0664
SHA512 96cb2b53f2dac50a39399d10847766d482c41c9bb73d099435c43f813d96f4d8ae8bc6b496a8dbe670896f2c9c4f8d9a03408da64526b309fcdd2e811aeb0730

C:\Users\Admin\AppData\Local\Temp\96683180\tlk.icm

MD5 d2e7b667721e16aadcbef303b1446f38
SHA1 a6c88c50582fec78721b8539a1927b9addcb1126
SHA256 19605369dc506d8fa50e9579afea131b59a380d4972f256d1f96f55ebdd9b9df
SHA512 ac8aa970260dc188ad78b5a3b8df7be0f981cc3703dc2a3fc26e446dbd100b0bd03f33c24d094f1e2f638ce2069748db11a34406e4ec9378a8172395efff1ad5

C:\Users\Admin\AppData\Local\Temp\96683180\ATYKD

MD5 646f9860f48bb14ec42cd07dc37de4cd
SHA1 664504ca656986c2a27670d2c109adcdf5000a11
SHA256 df8220f8486c18af9dc5bbfc69a86f28a7f703dc4c3ed1d12356163e11e8ff1f
SHA512 0bbcf83fbc221ae99e818b3fdaec996c277f03a8fa3fa2a97fe86dd469b674fcd8218fbd10725bd0d4e8caf813cf3be410bd59771c5ec92c176a8fef15185404

C:\Users\Admin\AppData\Local\Temp\96683180\tkl.mp4

MD5 e7422054b4d5f5381d11aeb5ec1f373d
SHA1 09f405a02c5c734062a02f0a949989abe9e20133
SHA256 7e58eb93257e0d928ac37a83cf220aa4bb35c38a4199905867dfe37d38c0d182
SHA512 5b8fded996b5506535d2fd2328d2acfb6c159a1158729bdde64dc1c6aa876b510848d71c51ed6d9599feb9cfb277b078818afd9e5ea9a2582c762b6b75315569

C:\Users\Admin\AppData\Local\Temp\96683180\tjm.icm

MD5 c9f7bd7d6bca54cd138cbd95e0656c83
SHA1 16b69c3760d401652227553e93a0ab137102242e
SHA256 b1281dab6d8e276f9fe3349c30b6d4a7ed48172997194a9f8041ac03622bef07
SHA512 e86bada41c82b7f9ae772822a08a510cabe31c4daa03a9d12e93fc5be80666e5cea1edb9923ba9743863f95300e55b3f02be0766139b49f05a9f3d3b56d933ae

C:\Users\Admin\AppData\Local\Temp\96683180\rma.pdf

MD5 d365e298c5cd1ea186554f977104fc8b
SHA1 d32199f762e6390f16aa1c8a54157a484ab17efc
SHA256 d2acd0246a6e67f032328d72b374cefb1de24afb5664fe7e75e7ad057d67c10f
SHA512 e11a26ec81a0ec826a2426234512e2e1678a76094adc5ae5049ab9b34514d810c80d94381840210eed4b834cb31195c10669bb1afb9747381202b436ef1fb69d

C:\Users\Admin\AppData\Local\Temp\96683180\qst.jpg

MD5 42a1f782c49f13cbca74fe11d3ba6f51
SHA1 20acf9aca42462801ea024bed46e44a47158f946
SHA256 7f802e1dac17fa974ad05abb3da066b70e82773405b5a8925db41636695c8fff
SHA512 939e566c91727679b8fd9908d830a64cb680d675bd6a477bf1b4e21e24d83eb9578ebb5c17cdccf5407dbbb7903f995f2f0c5788bb924116cd03c8d2011f1501

C:\Users\Admin\AppData\Local\Temp\96683180\ppo.ppt

MD5 9de83e0f8146842b10452fb8419bb65a
SHA1 001bce9a0e6b1c653ebf5ec7c46d66a5619d9881
SHA256 8c5bbb42661bc982a4b49d765c65d3ad0d33b7008de4fb2e50a449e86fef12ed
SHA512 c7ae601931f6cffa19c5565076aaae63e784901a1ed98a24cda7c13d4dac98b8c6c6204909cecebf236312f6a8508e845e76f6f347b4e97b193c869a2ad937fb

C:\Users\Admin\AppData\Local\Temp\96683180\oks.icm

MD5 afb4b454c9a7072089d9d8e05d5e20a9
SHA1 5bf8b36f498614973fb9fa71db74aacdd7b24a29
SHA256 4740d7c7c97949ee7628c8fe8c53da5f3d8ae56a222f678612c1ad7246b2b92c
SHA512 8fe939c8e4f75b2348870fef048aec5981c780e4069bf784f6f7b4e837a9a10f73cedff39e07be40a4b5bc2eec929f0d1f06db7a78f03e9f0cdcaabf1995dabd

C:\Users\Admin\AppData\Local\Temp\96683180\odg.pdf

MD5 8b4f273e2b8e9bb18b3b0a657dce9603
SHA1 0bc83f6bbfad83edd179b48cd0270b75ad5cdb52
SHA256 3b0b1ef0e9b410aef1c4abac6eccc33a8b43139867232cf5f0c1b5e7b53ce0f6
SHA512 894f1accac37ec619697facce6091899fb59864811579017808e2c956ba3056de307392c4568ee00f29a7b11b00651ee4eb4f76db6a0cad8e516b12be14a664f

C:\Users\Admin\AppData\Local\Temp\96683180\kwk.icm

MD5 e76dcd79dd28c84e3b11745405d65c93
SHA1 478fca7478fa84cca2fdeda32782f7c20194a57a
SHA256 88bd344424169cd0414ecced07f3a9145fdfd051b1eb5d2ce7d5c96c99f17a31
SHA512 939ba33dda49df2453d5eb047346e3f632dc05f2100e4438de99e5e2f91d2f2af5a5a573d50ff7ff2e96e09488854db2db82f5acf3ac4dd39dcb191e1123ee6d

C:\Users\Admin\AppData\Local\Temp\96683180\ktd.bmp

MD5 a6605e1176298330b01e52cc9515407b
SHA1 f7662dea3535490673b37d377e4209cab8d06875
SHA256 b09e20a2ef95cd41e0a4e8d2c21f32c466e920d706d8d69acd7add0c9d6ffe51
SHA512 7b255b6a8bbf821af3434a933fdcea77df3e5d4a9e9b27b7428c1575d24f75a7153a0877c938eea480ca1b9f317dd586259e0c7053d331c378d8f4ec89e86825

C:\Users\Admin\AppData\Local\Temp\96683180\krw.icm

MD5 7d8ca94b8d41091b9135cdb4b77b1e85
SHA1 5ae5275efec88c36bb3fe22262a1f1a8bf602af9
SHA256 41c0e9bc16db0b93da53bee7d1eb9deb7757e1537e1458f4ce826f92fa3167a3
SHA512 40395e6c96639705969010de9cc5b2d31a7ff443fa5f8b9b99fcec13a8bf240a08dfaceb1bc2fc5f3f0a27174e3e0edc410818be476b55c8ff64b5e01598ffa2

C:\Users\Admin\AppData\Local\Temp\96683180\kqh.xl

MD5 3915423516f2a58a89deb5f369ff636e
SHA1 15eb7be4fb799051b195a4b2ee3ddac178276b6d
SHA256 8099f65d5f7b579f24cef4cfbea5e77bddd35fac72e8063ac5475da02ae59de1
SHA512 3f638aa7b69e707863c0548c92343864d5255637cfa585ec55b5d7abe512297a02648cefcb618880744af67436eeca92ad027d8b1674897de3c5a191aec27c29

C:\Users\Admin\AppData\Local\Temp\96683180\kkr.ico

MD5 79f82df0621815273766f76d81d7c015
SHA1 85adeb92a7ec361a17e8d7ba3b6bb8a7f4837cc5
SHA256 21c1de66c1b038cd1b8733702ab496a1b053ee98f47385b2e5115127044f8706
SHA512 707d0ddd8baf58be2db26f9cdef79a05d4a2282af22034698418d7bf26324549bffcc73b4c8a6aaa5610933734c075dcee75dcfcf30cb3999f3813357204622b

C:\Users\Admin\AppData\Local\Temp\96683180\kci.icm

MD5 fbd25c6a6c9d63a2d79b790160061637
SHA1 72f2a9604407c2f556c9a83f675657a00296ac5c
SHA256 cd4a3805317b7b2f5b69b52cd16ca04291b6fa6f38a884890e79a25d02903fa9
SHA512 e4150cb545dafb4b7ac5a92bc6e42d60fe0f7884e88a27373594761b6f60c554454544d063e6efd0f360bee311e68b7fcbc2e097ce5410cbabd315e6b5b9cc1e

C:\Users\Admin\AppData\Local\Temp\96683180\jqu.xl

MD5 48a87ea7257dba1af300b97e2079d5e9
SHA1 4ef326772b68475b75cca2520f7f67cd5c83cc53
SHA256 b3dedc350502e82db4f9788f4878e8c46e5c909d3337b3a88d85bc626d471c25
SHA512 5205193e1a55697f51c020dddf0e9ecc34c298f19b32ab02084fcf8e5108ca7a8cbb68378cae765a8c011e51c85ccdeb978d01dde56c372136fffd3a20f72a9c

C:\Users\Admin\AppData\Local\Temp\96683180\jdd.docx

MD5 766daeccd93c87c211cf420144fb3656
SHA1 2c4253872453cb88e539317c7914e14f6422d773
SHA256 7043909ca56b5318c77ae404a8e82806e02149a34272c858469c13f1ade497c3
SHA512 b3d28f718957a66098290c06b8b9432c427fcc804016529c6f96b2637bd1faa17a8f1bd07cb13fb60fc892f04b17b5f72b42ffb12bdf153fab333885ec71abb8

C:\Users\Admin\AppData\Local\Temp\96683180\jbf.xl

MD5 4e931db543b8b604d1c4202d39496ef9
SHA1 6068aa1f138798a6942251d5499d87b0bcb7df5b
SHA256 3e1aa0fe93853013e19ab8ddab498d68ae81e7056b5722b70287761aeab11884
SHA512 e04f5b7cf809153492779db1f20a01dbb48aad5efeffbc6840a76d7b659fa138e8ef25daf893ffe029f761f805796245a3108e70f9d91a83ad9ac89a6389cb0f

C:\Users\Admin\AppData\Local\Temp\96683180\iiw.ppt

MD5 1f4c01526839139ffcfcf19d7cdac4c2
SHA1 0813a55841aa7befaf07ce41ab74b32183152f34
SHA256 76539e5a5200b602ecc8ed43c21406c4980272323885ff5cb3cdf6ebcca314bc
SHA512 863694afd01a24949d4c5cdf69a7e3e93f0941436d648f6a8cf3d6964d626d5bccb357218da426c939f0a9ab07edcbd0be27fbf47bd6bc293d0d7b46917c3959

C:\Users\Admin\AppData\Local\Temp\96683180\hfc.jpg

MD5 2bb4d95818d103238b3259c45fa5c9eb
SHA1 12a8cb2141870cfe9d1560bd5bd58f77087a9d6f
SHA256 cb7e1b87b43905bb42540ac07339cd24ef717693fd86e7c2c686fef0ec187d0e
SHA512 eec95e0e29d71d4b569c3c9406241cb8de47063c9cc032964de14bf9c720ef8f56c128a3499b9db8401cf7d56ef150010895573c27a2d241f4760c12f1b20620

C:\Users\Admin\AppData\Local\Temp\96683180\fvx.docx

MD5 2a5c61b0c57e42b0c3f955dad997404c
SHA1 9a934972961f5ea058cbc709c9214b3481e48a5a
SHA256 98d4bb779aa2d23386973e21c0a9b8f05ff6ace1e6ec3f380f4e9553ca7a33c9
SHA512 a2d602294d4fa8d118e6ea8eeeacf1d259b3d45b3f1404f92946f41fae8dfcbfbcca2bf4a644908cbd3d50cb069d2a4d977b9ae6a0068f61a57a4a5f092e1a7b

C:\Users\Admin\AppData\Local\Temp\96683180\fvv.mp4

MD5 2fe951542104aa461d64c6d742f412c8
SHA1 1ef220ee11cdb711f5482ded6f4094886503dc51
SHA256 f548ce8805f21f9ca121a5f1f1b4c5c6049aa6c0238d9a7cb68465873b194f03
SHA512 dae453cf20f83971df3ecee8f5f338d7633487c12b2ec1ba962181852d8814af2bea868a9ae2dd4f9f1542ed3b1b511c98c311fe2f6dd2298dec7ff6767866a5

C:\Users\Admin\AppData\Local\Temp\96683180\ftv.dat

MD5 5d69ef276ea48a8e519d586cdd48f350
SHA1 d0c6334b58033b3e2417f505fffd93a543168c2e
SHA256 c67f03ada1f069861a6998aad33ca818a52d7b2c0359507f541a2f4c04944652
SHA512 8da6419ed36c9798287f385536448983647b9339129c85163bf0dec902b790eed9acc1f5ce878abc56a03d678a1a89935629374ee14315bf8607d862f1d14058

C:\Users\Admin\AppData\Local\Temp\96683180\frh.bmp

MD5 9ee9a4fabdc5cf52c4089e40a4b50eb2
SHA1 19c9018916ce35a5d9fc34aee4cded679b250bfb
SHA256 1338976087f699d0cd76adba158c0e2ff30a42732cd8e6c0fa9ef9b2f368dd4d
SHA512 65a9154f7a38c37304731c9e39e23f47654cb7a569aee343fbec846d74f6c7e68dd09da9e8b522226a182d4c2f306d2213c6a649302c159f7296fe9f1047f9a6

C:\Users\Admin\AppData\Local\Temp\96683180\feb.ppt

MD5 eb512ee0b0ac057c7a2a0cf3badcb21e
SHA1 85ff5d0a53425d8bd14bb1b3527dede90faa907c
SHA256 13ffc72e416716e1c72d035688ce31037a7dba53cd6dae1020f93da8fd7fe598
SHA512 6747a2e2f2aab094b7f815682b36966d7fc2b62b0b4660e7368f2fcac05e3e2730b5f4090b489ed1879038a82d1f9f102ede87c29f7e99b7261f70e0fc6dfd8c

C:\Users\Admin\AppData\Local\Temp\96683180\dqu.ico

MD5 9ee288f1121560250bebf8a48045213e
SHA1 6ab3ce30391dd63fbb6c21952458c710e60e050f
SHA256 a2feeec04eb0c05cdf94dbc71256b5b91dbcb6521075afc62f9faf8f1c0ba14a
SHA512 64062dfd2aa224e753aa2dfc75bb11a0897b2012a0beb820105f37d2bdf8429bbc1c28ebb77b89bd2f41f6b3d53213649e6a1061e8188356d8f49a96b881d378

C:\Users\Admin\AppData\Local\Temp\96683180\dna.ppt

MD5 ec1fef96c7eee53df7c38dfc56493265
SHA1 a4d3c0b731ead8fd4c3fa0bec2b6176c87de4344
SHA256 f4b58b5a33af5b318a5772c8e0f17a34904e0d858d6eb399108488d7db0199d3
SHA512 f63e61b42dbe8e5523f8fcabcf4ff381e46ec5ee342bd19023a4576339ef1386589b90ead6ac85040295675301aebd6b661567bc6b9693654c31a53d6291f2d9

C:\Users\Admin\AppData\Local\Temp\96683180\cul.ico

MD5 2c294e68ceed491cfa90bde6f2f7fbd7
SHA1 66c27f40da3e938d6f6aa369b1ff649dbaaafbbc
SHA256 c49737481d8a5f743482959ae8301dee8d0947893806c28cbd7fd74394dd4048
SHA512 535dde3cda310127ea7cf2bd8e70ceaa6fddecbef506d8ed0abc5ad63cb3cb994b9f7bc2137368e038a3fb6859ca0896efb346671f1a650b1108127eb1899110

C:\Users\Admin\AppData\Local\Temp\96683180\brl.xl

MD5 19847baf2d15f885455748ef8d30bc1d
SHA1 14b82a55acccbab859a1d4fb2c58a42822f6b399
SHA256 3209d7e3c0eefd25ae7a44bbfb4cd47be3683e7b9aa3539c855af29ebd766565
SHA512 b22701977a37902e17fe81df148b0dd79946a7f7c3e4816b44a8f1883360d229b2bd3b8caf76d76df6d0414f37cb446b2141c7da930cffdc44f8eb53038e0ebd

C:\Users\Admin\AppData\Local\Temp\96683180\blf.txt

MD5 6393a4854b2a4d6a7fb603b8ccd12419
SHA1 ecc9c40af3089ea79f4c7ba2dd68571399fef5f0
SHA256 58c4534a8807841a65c4570c8f263a99554a43066b54a35b7d3ff9413a100df6
SHA512 6a6095c2b402f1c38ce61d51f18bede30a8ad70382cbdc81d001d9ccc6f7344bec9b7be409007c9c33f845152db2ce21de37b2ab68248f208699a98792807743

C:\Users\Admin\AppData\Local\Temp\96683180\bki.pdf

MD5 656a80570d8e9095a4af51e19ab06d4a
SHA1 8b26073c6f1d0958d29468688052986d1c76f5e5
SHA256 59f5167ad45221305f7f804e57af6d1a8273cbcade32b23563cfceed588a9cad
SHA512 aa05e66b6a8a776bc1d89493caaba0737059917b8f55a040890781896799ab6a72b60652ab36865b348f75174a5dd17b23e444e6f57c6a85540eb1defbcfcd6d

C:\Users\Admin\AppData\Local\Temp\96683180\biw.mp3

MD5 658d0d01fd2c1f838af7cc456aa3f9c4
SHA1 ebd304fc4f945475cb11e6933a52845917facb26
SHA256 d1d2e2bad4ea6028601e05db22e66908b949b6845291d3bc4270dd38497237f3
SHA512 5c49a811f38af02010575d6e65598674968916d8cb606077d85e84d2d05ecb49f4c14cff03daba3b2248d2b5d87ecfe9f38d69466280ae08b82b7477582fa64c

C:\Users\Admin\AppData\Local\Temp\96683180\aps.ico

MD5 fbb0ecb9959d43df066ae76ed44ffa83
SHA1 6f77ebe61ba7397fee233b134cafac15f5fdab8a
SHA256 12379f6bc04b11c74917cd4e44855e24dcdde7b564796f208472ff0a51d9d76f
SHA512 d93e7d952bb8f7a680b155b77aef484d054510d0ac63f58f3c0ed7de73bff96e9fd67fa879d88b9fcc7544765e8682ca02d2a196f6466f22aa007100f224e853

C:\Users\Admin\AppData\Local\Temp\96683180\hlj.mp4

MD5 bbc852e0d7805ea993332a5b47a4d284
SHA1 b15d14bbc2ed018bc469d56d8692d71d761604bc
SHA256 6d90db12c1a9363955434b486c121ffda1c04b2c0d633e54173a830dd33b0a56
SHA512 9d46b008b938415c0f62d499ec5d12ed62f4b74f6355b8bbd69a16041eefa9159b925bcda03128bac69358485d8c6c154dfdd36ff6a48cfbdff376e4b37a247d

memory/2676-150-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2676-151-0x00000000058F0000-0x0000000005E94000-memory.dmp

memory/2676-152-0x00000000053E0000-0x0000000005472000-memory.dmp

memory/2676-153-0x0000000005480000-0x000000000551C000-memory.dmp

memory/2676-154-0x00000000053B0000-0x00000000053BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5563.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp55C2.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

memory/2676-162-0x0000000005640000-0x000000000564A000-memory.dmp

memory/2676-163-0x00000000058D0000-0x00000000058EE000-memory.dmp

memory/2676-164-0x0000000006720000-0x000000000672A000-memory.dmp