Malware Analysis Report

2024-08-06 14:48

Sample ID 240614-bn3pestbjl
Target a77f6cfb776ad670daca171a45cb5adf_JaffaCakes118
SHA256 d1284021af0b7767d4bd4d0228fb7b23ff2fc3f04d7b79d9a6e153ea632971e8
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

d1284021af0b7767d4bd4d0228fb7b23ff2fc3f04d7b79d9a6e153ea632971e8

Threat Level: Known bad

The file a77f6cfb776ad670daca171a45cb5adf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:18

Reported

2024-06-14 01:20

Platform

win7-20240220-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PII.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30333345\\hgl.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\30333345\\ECJ_BJ~1" | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1700 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\PII.exe | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe
PID 2616 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe
PID 1700 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2460 wrote to memory of 1456 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2460 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PII.exe

"C:\Users\Admin\AppData\Local\Temp\PII.exe"

C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe

"C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe" ecj=bjq

C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe

C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe C:\Users\Admin\AppData\Local\Temp\30333345\CXITF

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1EE6.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1FC1.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | officef365.ddns.net | udp
RS | 95.140.125.119:45209 | | tcp

Files

\Users\Admin\AppData\Local\Temp\30333345\hgl.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c


C:\Users\Admin\AppData\Local\Temp\tmp1EE6.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp1FC1.tmp

MD5 4b7ef560289c0f62d0baf6f14f48a57a
SHA1 8331acb90dde588aa3196919f6e847f398fd06d1
SHA256 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512 ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:18

Reported

2024-06-14 01:20

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PII.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PII.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30333345\\hgl.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\30333345\\ECJ_BJ~1" | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2192 set thread context of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3448 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\PII.exe | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe
PID 2764 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe
PID 2192 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2488 wrote to memory of 428 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 4592 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PII.exe

"C:\Users\Admin\AppData\Local\Temp\PII.exe"

C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe

"C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe" ecj=bjq

C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe

C:\Users\Admin\AppData\Local\Temp\30333345\hgl.exe C:\Users\Admin\AppData\Local\Temp\30333345\CXITF

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5767.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp57C6.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 officef365.ddns.net udp
US 8.8.8.8:53 officef365.ddns.net udp
US 8.8.8.8:53 officef365.ddns.net udp
RS 95.140.125.119:45209 tcp
RS 95.140.125.119:45209 tcp
RS 95.140.125.119:45209 tcp
US 8.8.8.8:53 officef365.ddns.net udp
US 8.8.8.8:53 officef365.ddns.net udp
RS 95.140.125.119:45209 tcp
RS 95.140.125.119:45209 tcp

Files
