Malware Analysis Report

2024-08-06 14:46

Sample ID 240615-nsv7csygqb
Target ae41261fa9cc67203a2d70647cd4fe83_JaffaCakes118
SHA256 5c9e649c51ddee6a1318d75ce7c727b2b93c7299bdba128d2d4d712a743e362f
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c9e649c51ddee6a1318d75ce7c727b2b93c7299bdba128d2d4d712a743e362f

Threat Level: Known bad

The file ae41261fa9cc67203a2d70647cd4fe83_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 11:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 11:40

Reported

2024-06-15 11:42

Platform

win7-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28201371\\amu.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\28201371\\THQ_IO~1" C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1968 set thread context of 492 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 3000 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 3000 wrote to memory of 1968 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 1968 wrote to memory of 492 (12 writes) N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 492 wrote to memory of 2256 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 492 wrote to memory of 1740 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe

"C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe"

C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe

"C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe" thq=ioq

C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe

C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\28201371\DUDWD

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp275E.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2859.tmp"
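The process list above, together with the WriteProcessMemory, SetThreadContext, Run key, Program Files drop and schtasks signatures, describes a chain that can be matched in endpoint telemetry. The following is an added example, not part of the report or of any sandbox vendor's code: it rebuilds that chain from event records constructed from the rows above (the field names are an assumption, not a real EDR schema) and flags the three behaviours a detection engineer would alert on here: a parent that writes into a child and then sets its thread context, a Run key written by a process running from the user's Temp directory, and schtasks.exe registering a task from a temporary XML file. The same logic covers the behavioral2 run, where only the persistence name (DHCP Service) and the PIDs differ.

```python
"""Host-side detection for the chain recorded under behavioral1.

Added example, not part of the sandbox report or of any vendor's tooling. The
event records are constructed from the report's own rows (process list,
WriteProcessMemory, SetThreadContext, Run key, Program Files drop, schtasks);
the field names are an assumption and follow no particular EDR schema.
"""
import re
from collections import Counter

TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
TMP_XML_RE = re.compile(r"\\temp\\tmp[0-9a-f]+\.tmp$", re.I)
SCHTASKS_RE = re.compile(r'/create\b.*?/tn\s+(?P<task>"[^"]*"|\S+).*?/xml\s+(?P<xml>"[^"]*"|\S+)', re.I)
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"

T = r"C:\Users\Admin\AppData\Local\Temp"
RUN = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # constructed from the report's behavioral1 rows; the PIDs are the report's
    {"type": "process", "pid": 2128, "ppid": 1, "image": rf"{T}\FYI_INVOICE #82749002_COPY.exe",
     "cmdline": rf'"{T}\FYI_INVOICE #82749002_COPY.exe"'},
    {"type": "process", "pid": 3000, "ppid": 2128, "image": rf"{T}\28201371\amu.exe",
     "cmdline": rf'"{T}\28201371\amu.exe" thq=ioq'},
    {"type": "process", "pid": 1968, "ppid": 3000, "image": rf"{T}\28201371\amu.exe",
     "cmdline": rf"{T}\28201371\amu.exe {T}\28201371\DUDWD"},
    {"type": "process", "pid": 492, "ppid": 1968, "image": rf"{T}\RegSvcs.exe",
     "cmdline": rf'"{T}\RegSvcs.exe"'},
    {"type": "process", "pid": 2256, "ppid": 492, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": rf'"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "{T}\tmp275E.tmp"'},
    {"type": "process", "pid": 1740, "ppid": 492, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": rf'"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "{T}\tmp2859.tmp"'},
    *[{"type": "memory_write", "src": 1968, "dst": 492} for _ in range(12)],
    {"type": "thread_context", "src": 1968, "dst": 492},
    {"type": "file_create", "pid": 492, "path": r"C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe"},
    {"type": "registry_set", "pid": 3000, "key": RUN, "name": "WindowsUpdate",
     "value": rf"{T}\28201371\amu.exe {T}\28201371\THQ_IO~1"},
    {"type": "registry_set", "pid": 492, "key": RUN, "name": "NTFS Monitor",
     "value": r'"C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe"'},
]


def processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def image_of(procs, pid):
    return procs.get(pid, {}).get("image", "")


def lineage(procs, pid):
    """PIDs from the root of the recorded chain down to `pid`, inclusive."""
    out = []
    while pid in procs:
        out.append(pid)
        pid = procs[pid]["ppid"]
    return out[::-1]


def chain_names(events, pid):
    procs = processes(events)
    return [procs[p]["image"].rsplit("\\", 1)[-1] for p in lineage(procs, pid)]


def in_temp(path):
    return bool(TEMP_RE.match(path.strip('"')))


def analyze(events):
    procs = processes(events)
    writes = Counter((e["src"], e["dst"]) for e in events if e["type"] == "memory_write")
    # Executables dropped by any process that itself runs from Temp.
    dropped = {e["path"].lower() for e in events
               if e["type"] == "file_create" and in_temp(image_of(procs, e["pid"]))}
    findings = []
    for e in events:
        if e["type"] == "thread_context" and e["src"] != e["dst"]:
            # 1. Parent writes into a child, then replaces its thread context: the
            #    hollowing pattern the report shows from amu.exe into RegSvcs.exe.
            findings.append({"rule": "thread_context_after_writes", "pid": e["dst"],
                             "image": image_of(procs, e["dst"]), "writes": writes[(e["src"], e["dst"])]})
        elif (e["type"] == "registry_set" and e["key"].lower().endswith(RUN_KEY_SUFFIX)
              and in_temp(image_of(procs, e["pid"]))):
            # 2. Run-key value written by a process living in the user's Temp directory.
            #    Also record whether the same chain dropped the executable it points to.
            target = e["value"].strip('"').split(".exe")[0].lower() + ".exe"
            findings.append({"rule": "run_key_from_temp_process", "pid": e["pid"], "name": e["name"],
                             "value": e["value"], "dropped_by_chain": target in dropped})
        elif e["type"] == "process" and e["image"].lower().endswith("\\schtasks.exe"):
            # 3. schtasks /create fed an XML definition from Temp, spawned by a Temp-resident chain.
            m = SCHTASKS_RE.search(e["cmdline"])
            xml = m["xml"].strip('"') if m else ""
            if (m and TMP_XML_RE.search(xml)
                    and any(in_temp(image_of(procs, a)) for a in lineage(procs, e["ppid"]))):
                findings.append({"rule": "schtasks_xml_from_temp", "pid": e["pid"],
                                 "task": m["task"].strip('"'), "xml": xml})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print(" -> ".join(chain_names(SAMPLE_EVENTS, 2256)))
```

Run as a script it prints the five findings and the lineage of the first schtasks process. The Run-key finding reports whether the chain also dropped the executable the value points to, which ties the "Drops file in Program Files directory" row to the persistence entry; the thread-context finding carries the number of prior writes from the parent, which separates the hollowing case from a lone SetThreadContext call.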

Network

Country Destination Domain Proto Count
RS 95.140.125.74:55702 tcp 3 connections
US 8.8.8.8:53 smithwems.ddns.net udp 5 queries
US 8.8.4.4:53 smithwems.ddns.net udp 3 queries
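The connections to 95.140.125.74:55702 and the repeated lookups of smithwems.ddns.net are the network indicators of this run. The following is an added example, not part of the report: it parses a few constructed log lines (a whitespace-separated format of my own, not Zeek's or any product's schema) and flags lookups of the report's C2 domain or of any dynamic-DNS zone, plus repeated connections to the report's endpoint or to any non-standard port. The A record tying the domain to the IP is an assumption for illustration; the report records the DNS queries and the TCP connections separately and does not show the resolution.

```python
"""Network-side triage of the C2 indicators recorded in this report.

Added example, not part of the report. The log lines are constructed in a
simple whitespace-separated format of my own (not Zeek or any product's
schema). The A-record answer tying smithwems.ddns.net to 95.140.125.74 is an
assumption for illustration: the report records the DNS queries and the TCP
connections separately and does not show the resolution.
"""
from collections import Counter, defaultdict

C2_DOMAINS = {"smithwems.ddns.net"}            # from the report's Network section
C2_ENDPOINTS = {("95.140.125.74", 55702)}      # from the report's Network section
DYNDNS_SUFFIXES = (".ddns.net",)               # extend with other free dynamic-DNS zones as needed
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}  # assumption: not worth a repeat-connection alert
REPEAT_THRESHOLD = 3                           # connections to one non-standard endpoint before alerting

SAMPLE_LOG = """\
1718451650.101 dns 10.0.0.5 8.8.8.8 smithwems.ddns.net A 95.140.125.74
1718451650.240 conn 10.0.0.5 95.140.125.74 55702 tcp
1718451651.002 dns 10.0.0.5 8.8.4.4 smithwems.ddns.net A 95.140.125.74
1718451660.318 conn 10.0.0.5 95.140.125.74 55702 tcp
1718451661.013 dns 10.0.0.5 8.8.8.8 example.com A 192.0.2.10
1718451662.500 conn 10.0.0.5 192.0.2.10 443 tcp
1718451670.402 conn 10.0.0.5 95.140.125.74 55702 tcp
"""  # constructed; example.com / 192.0.2.10 is benign filler (RFC 2606 / RFC 5737)


def parse(log):
    """Turn the constructed log into dicts; unknown or short records are ignored."""
    events = []
    for line in log.splitlines():
        f = line.split()
        if len(f) >= 6 and f[1] == "dns":
            events.append({"ts": float(f[0]), "type": "dns", "src": f[2], "resolver": f[3],
                           "qname": f[4].lower().rstrip("."), "qtype": f[5],
                           "answer": f[6] if len(f) > 6 else None})
        elif len(f) >= 6 and f[1] == "conn":
            events.append({"ts": float(f[0]), "type": "conn", "src": f[2], "dst": f[3],
                           "port": int(f[4]), "proto": f[5]})
    return events


def triage(events):
    dns = defaultdict(lambda: {"queries": 0, "answers": set()})
    resolved_from = defaultdict(set)   # answer IP -> domains that resolved to it
    conns = Counter()
    for e in events:
        if e["type"] == "dns":
            dns[e["qname"]]["queries"] += 1
            if e["answer"]:
                dns[e["qname"]]["answers"].add(e["answer"])
                resolved_from[e["answer"]].add(e["qname"])
        elif e["type"] == "conn":
            conns[(e["dst"], e["port"])] += 1
    findings = []
    for domain, d in dns.items():
        # Known C2 name, or any dynamic-DNS host name (what NanoCore operators commonly use).
        ioc, dyn = domain in C2_DOMAINS, domain.endswith(DYNDNS_SUFFIXES)
        if ioc or dyn:
            findings.append({"rule": "dns", "domain": domain, "ioc": ioc, "dyndns": dyn,
                             "queries": d["queries"], "answers": sorted(d["answers"])})
    for (dst, port), n in conns.items():
        # Known C2 endpoint, or repeated connections to one non-standard port.
        ioc = (dst, port) in C2_ENDPOINTS
        repeat = port not in COMMON_PORTS and n >= REPEAT_THRESHOLD
        if ioc or repeat:
            findings.append({"rule": "conn", "dst": dst, "port": port, "count": n, "ioc": ioc,
                             "repeat_nonstandard_port": repeat,
                             "resolved_from": sorted(resolved_from[dst])})
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(finding)
```

The connection finding carries the domain names that resolved to the destination, so the lookup and the session are reported as one event rather than two unrelated rows; the dynamic-DNS and repeat-connection checks fire even when the specific domain and IP from this report are not in the IOC sets.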

Files

\Users\Admin\AppData\Local\Temp\28201371\amu.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\28201371\thq=ioq

MD5 4102f3aedffaddb915aa6ada7abe921d
SHA1 6cf62f4ea7535a76520c43773b41b3d2b06371f4
SHA256 857e15016a32017ccb336b178341982eb5823bf5a19a48a8239a569de6ded7f5
SHA512 37f9704d70491c4237ddadae8fa555ba1669ca7b2deebf8b2fe4909cfb1c327f387b89fe0aa44580b6e825d8f13c98fd83a63a2dd83a211e9061c328a645c057

C:\Users\Admin\AppData\Local\Temp\28201371\vgi.xl

MD5 83eec929f9a10beaa4674b4232a0fadd
SHA1 49db82adc8ad27df4d5854c23667defc9f5fdcee
SHA256 00e56b497957adcc2fd4d5302c04a96cca3056e083f23a49fd383feca0d98e24
SHA512 6f95d15d1aa02d32d6fb5317754a800088474ea8899d69c9a0855f17104f9fbadc7add64d243cafd4247457a93c31f0df3e1603fd98195a3110de7c9a2fb4fad

C:\Users\Admin\AppData\Local\Temp\28201371\xlx.icm

MD5 b2bdddb652081778f994cfcd8066604f
SHA1 0e58e24c0d83e8e0b2ee8d75d4c7e60929f523c3
SHA256 30de9f78b7627056dbcbb0100dcc124d6b24c8e906c17aa078e0ec8e963fd43d
SHA512 0dc731aa8c1dda899d64f7819ed456985607cfe00a268fe7b0269c9de8e5043d4e2c129ce95c03102642698bc5780d7df23585299d738fff5246e9dba3411cd8

C:\Users\Admin\AppData\Local\Temp\28201371\xbr.jpg

MD5 f71e729d43f389631f727d4d3275697e
SHA1 e407d1c76a878fc91b67bb87d39d861fd52fe642
SHA256 3ac8dc5f89aa254b697a9f70d763bbb3329c665bc96ea9f6e48a64b74e68f180
SHA512 5fbfa6accb26655a73840f4a6a2f91974fb9bfde2e0597ea0f631e9284e761b35ee33409b22e7d0bb6aff90baae87a9d28ee82b2a6c687954ac351411cb9e80c

C:\Users\Admin\AppData\Local\Temp\28201371\wxk.txt

MD5 fb589cef44a7549095c0e7ccb24d9c55
SHA1 4582949f1a6622a355242dad187d80a65f076af5
SHA256 dde011c6a9682ae10d2e6ebe9ab3f8c794e216568b24a84a44d121e691ee7181
SHA512 bf6d4ccc209b3fd32803cb69e71d592b0e22cefb361bdda735003d8e466128618e7c63780d0863b3fbc4b4f8102082a3370f711656151663461da5d7ffc89f04

C:\Users\Admin\AppData\Local\Temp\28201371\wss.dat

MD5 f9eb08bd58b9c9d5db055a96ce782b0e
SHA1 f8a05223a626219878bf74606d79eba5f0b212b5
SHA256 f49db73c2b3c270146f2aa582713f1bd570a9b3c30ecbec943a6886a073ac05e
SHA512 24dc76a1d89358ae2b0231a8e1f847ab3f874c4b8dd738b3c33d64c20bf9ac5a18d74a485a79901c0dcc759ae170504cb0d43c11fa8ca894801be57a08f0a51b

C:\Users\Admin\AppData\Local\Temp\28201371\wno.pdf

MD5 f48bd3d9f2513f99b4861002789621df
SHA1 896556190a2fd701f0f514239cdb3d1947b8b8a2
SHA256 e8d5f9914662f8c7e241d453e1b7e1425ef210719398b8901e976f96fa8e7b49
SHA512 6701fe0c1d504201fe0cfaa716321b0dd523cb9c9f493bf5b8ab74586e1bfb461a2b68febeca907172ba6a87567bb4bc24377160d9a3383e159dfeeab8117e0c

C:\Users\Admin\AppData\Local\Temp\28201371\whr.dat

MD5 62b27453b1b32a485dd84db075386fac
SHA1 4afff42a9d20860f1d5b564a4ea1c09fc99d8fd5
SHA256 a1545d9dbf109849e53c5af0b99ca853e0fb69ff16942af126f39db489898efb
SHA512 0fb20a6549b0a480486bfd11fcca42889cdb7c46121667c2b58d3138e01c2a78246ac86d65135b938cc6fcb284a9f46c0b4f417c05032500b71170e92e193115

C:\Users\Admin\AppData\Local\Temp\28201371\vpn.jpg

MD5 1dfa69e88dfab1d5ba561528ed06d4d6
SHA1 aeac77b945b87ecb1ab2a041ccf28f9368e65b11
SHA256 949f6c51010a289774045ac7d0925da1060ef6b02fc69ec07e84a111a9639113
SHA512 27a63bd5747bed9e76c9c2b62010bd646717072b296f25c4ddd7e74dd50fc629147b352ac7bbbb8fc9669309b2b366209acf6cd52926810263c9a6105e76a0ce

C:\Users\Admin\AppData\Local\Temp\28201371\vjp.mp4

MD5 23abf1158d95f3b76565b15ae376aff8
SHA1 ed4d3d4a66a754a4831844f83193fb85b6e5d892
SHA256 c8736087bc829c110ed354dd0ccc86f0ab9ba197a6f8e517e4f8dc22a0db77b9
SHA512 58a8f16da2f63ef3da513a4bdb351b47261ed76e7c9e56bdcc90ad52e08f0d7e3739dbbc42f79fb0f70bf69d4cc49b45988fec334689805d41424d6abc552f8d

C:\Users\Admin\AppData\Local\Temp\28201371\vit.icm

MD5 199ca30abe6037191b03a63cf0420c5f
SHA1 29f85bff5ba6a75a21e5f4ca545d259ca0d9e816
SHA256 29d6f017edd684ed4733ecc93c14d85c8ccf48e6a1fc62d3b20d17a5ffa836b5
SHA512 64211a342d693bdf5e3e0fe91bca3799ae5fbc521fe9dd621d35ff9f1d0196c7fca266a4786bc84d077feb3bc2ef064bc23e5e35af12743945748f0557d1fe14

C:\Users\Admin\AppData\Local\Temp\28201371\UpDownConstants.bmp

MD5 846373cd72ebb1198bd8f0a013f89cb7
SHA1 53250a560bb1252fbe8e21121f52d162d77db44a
SHA256 ecbf2c538b107f36dba2b15521e560a136abe0cd064991513c828e6ccd29ac71
SHA512 e36b21d413799b30d275e8e47ba13c54ad7d7a47008aed5e36bd2eddbbf3349d7023004d47e70d3a3d1ac69000808e7f01645e5931c18d9384aa5d1903d56567

C:\Users\Admin\AppData\Local\Temp\28201371\uni.txt

MD5 5e322c0474f22ccab11316f4700f1f7a
SHA1 0b9d2306b76d756de51474868e586c5ca7648b81
SHA256 d240265104d4be110f26c91428b3132d8fbb7542ec9e86b7168f38b671ef6409
SHA512 bebb2b503e1d581aed9a4c38edaf8e8228ebc89d2bc1df36829ec589ce57cf1f76224b7954d6590a6278c51a06f426584bcbc415580c96eca5cb3fb94fb78cda

C:\Users\Admin\AppData\Local\Temp\28201371\ubq.dat

MD5 bcfe42632f2a3274f2e63bd11e578138
SHA1 409c1c77bfa536559f95ba01937d2c0512f17874
SHA256 243526562b495d370158c6c7f774f244f476f533229c382c518882296cdc8e90
SHA512 363cafadb21c842ad808014ab117d686a91bc8d80225aebfd28ed079ee90fbc5422337add7c635617af4ba88282972998476d6993b41e5eb8945f853042c1f99

C:\Users\Admin\AppData\Local\Temp\28201371\tgg.ppt

MD5 31f49f6f77e5c6879f448ce2a96cd3d7
SHA1 e5752fe217a2b9b6c7fb2f6301f33fc8ec2e3ca9
SHA256 1dd9d147a6aeb501bbf1ae17ea131b51fbef2967c8e38c32a4f12362c549a35f
SHA512 3e7769ab097a214684d69bc5017d5ba3bab4bb4e95139e84efb58ccdcd289e8f1c3cd0de9ce934c037e701074b3ef097c07e4519c0ee9f3889f1f9aea0e6f425

C:\Users\Admin\AppData\Local\Temp\28201371\sna.pdf

MD5 53fb517a9d85acdf000eac6d10d0a8d5
SHA1 3545babeae070e7f0a296519a2290f5d622519b0
SHA256 ce1d8ee510a165414ba643f8adafa8b604d8d26914a09a5816e0a060f1da7068
SHA512 6b17aee330fe77f4a3d536b01c463932b8e2800b75d124ecf82338b8a7cdecaeb620dfc9ef5535df8697ddb02baeaa071c236702ed564c32f331edf4548a1d72

C:\Users\Admin\AppData\Local\Temp\28201371\she.bmp

MD5 f0c870fce3cc5a48a9eddcc078b961dd
SHA1 fbd2268e787103bb552d830a2c913439af8f5fbe
SHA256 415b689ad51eb337785f2c61a31c88d39d0b54bbd019a9b44f3623e90eb2ae91
SHA512 bea8c31c79dfb552cfb3e03b702d537cb5af8d9e088d821c25b5445a53183f2ce0a40cded85704a45543f2ea850d22132ee4b55e2221a72bea9f1ff8c5cb7672

C:\Users\Admin\AppData\Local\Temp\28201371\rrf.dat

MD5 18ba8cc3e019c800ff31188c28edd999
SHA1 9cf1cd8f9786b75576d43fbc334f1405c2e6a06c
SHA256 14b78425dd9affea1ecc201d7231ea8f7970e738a06cd0c226ce4fd33072a379
SHA512 eb6e49ad0bd5e9f35ba249269b01968f4deadc6271f3a9c7bb9ba1b498e3ebaae82906f0b63c02619e2720ef4e8d743a8bbed044d59af35ca40cd94d18ba7f6a

C:\Users\Admin\AppData\Local\Temp\28201371\qls.mp4

MD5 2d64a1e2f0e0e6ceb7673951e7c43043
SHA1 bb518dfc40b4278a891de8bb73e5b10d3e7fe7b4
SHA256 463902d77e12b76e26625fcb403895f6ab32d481eb512e623f4bdc72d08ca439
SHA512 41a06bd9e5682824062fbd70bb45e478f9dbd022ea5b77180aa1b139919f29943ad3bdea85e75c340b4ab6420b4ce26e761f88a87c1b4ce0b9e153ae0607910f

C:\Users\Admin\AppData\Local\Temp\28201371\qku.ico

MD5 9d749aa222a8b859fdf42709f10412a7
SHA1 c5aa56d24d9a9931be4fa211c687fedc42206a62
SHA256 a189dec20b4d037d20dc2506e8b0f11f952731017a2837460ae8e9d8f993b749
SHA512 11634be7698ee102e2f4c1f85c4d786564f1da713bc063f4a4c304353453aea6330133d1c87dab67c972f5b6751df00b886c71a21e42c4d62976b5c297969cf5

C:\Users\Admin\AppData\Local\Temp\28201371\qdx.icm

MD5 4d17f9f604f2400a59f86f518696e6ce
SHA1 66fdf54ff71fd50db5488f1185974c11df74d6c1
SHA256 f1e5dfbc373ac9c111fa36729a4458890b5845fee36ce8d230e93ac54f0e6d08
SHA512 71746b750b4f6d5c1046000595e2732f1082cc37b8d215990e5b6103f5bda91c7f8d30fe80fa30b7685caa08cac30d560d4277d6bf18f7efca56f9cbb46b980f

C:\Users\Admin\AppData\Local\Temp\28201371\osm.docx

MD5 3c6217ecb2c526e9a25d9b52e785e899
SHA1 2592497fdb1cdfafc8698702420ecd605b5838c2
SHA256 75ff5eec1fd5106c9efb4df9dba36733298cfc5b5915f0749bd25e3111fada93
SHA512 c7d0c803d31946d0bdc048a1c3040eff2ebbde52052c4827df2116e1108b1b096477d8709a3a73cd8638595e5088017bcd43523c0cbc5d230549545d48ffe49d

C:\Users\Admin\AppData\Local\Temp\28201371\ols.docx

MD5 f96a3c907d78d1991f269cc30a88b2c9
SHA1 9ac86de4dacb837635bffa02ed12c05054630fcf
SHA256 5376cea1572f1c780eec5158567853e066a00b7d9ff6441645f8ec9dd8028827
SHA512 8b5956810ae872f1178d47690ee811d34bab178c88261e35286467dfa6133014fe4523ffa723ee35e2f3e482e7b2c3b6aecfeb55dc38626b416de4f26699d579

C:\Users\Admin\AppData\Local\Temp\28201371\ods.jpg

MD5 baf3ce5ecb5b990255e80248b321e8cb
SHA1 380d36a5e5dc3243da5bdd9e6a9e0231b3aea1f3
SHA256 0b0c46c8e58aacb851fa0675365bf395a7991eb23c66e50b9895f233347de3e1
SHA512 65ce122691f72d0e18ea61ef3021a8868fb54cb07bd905e315361f93ac0b18602a0524223fd0fa4f54c6d61e5b6482a514fa0f59dda9d9e0e94d86294d86e4ca

C:\Users\Admin\AppData\Local\Temp\28201371\ntr.txt

MD5 f5333cc68140fdb27662ed35cd7c078f
SHA1 92e8c46e021ef539c34e9b7a2c12ad80d134ffbf
SHA256 42112c0c2824c09365319cecac7adea81458c6b5e374caf28a904ebc82a40be0
SHA512 3bfbee6e032eff3a60402e3f41f7876750110179a866a2d2ff7f117755cb2265efa2b003fc039ecfe1dc424292a772073b3d442c23c09e1479a7e91d54962323

C:\Users\Admin\AppData\Local\Temp\28201371\nlg.docx

MD5 54eb704a872535d7b6d274876e959e09
SHA1 22eff8e4e52813722a8e27a0258185348a2b2ad5
SHA256 b26b5a66cc9a57927cf400f612691e8504c3cc03f983be70ad827691afdecc9a
SHA512 431edaabeff6f4b4b9e1a22f213d979932f3e8a6569ff216244100d754afe38b8a0b586a68b60ed678771d297c08bb30dcc681c7af2ae3c089c28021ceb505f8

C:\Users\Admin\AppData\Local\Temp\28201371\nka.icm

MD5 887d2807fbe9d0e99c4a3108cd7be8bd
SHA1 01c205315100807754b148841d39ba77535d0af3
SHA256 7ca71cc328b02065aec6eac5bb794df1df781436e65d48ac70d51279018358c4
SHA512 252af8e010ad5c7528ced2c384b0efe887cfe47e24f72f7160f1cd37ef427f3e106da63fd06ade7286476647a5fb99224b328d01bf2359f70bff17204c3dde5d

C:\Users\Admin\AppData\Local\Temp\28201371\ngw.dat

MD5 045a85ed843b00b1eef2ab442c025255
SHA1 71e036faafbac14ea9b752986bc3df0ca2a55bdc
SHA256 0d6af1d08fdf231a1647877235d8c6c09fdcab62c869a2204de6af684dc49b39
SHA512 f2ec19569bcbf2170ce2b8091f58cb5322965eab44cccaf5971e37954f2ba4a5a8ffda406143d22b8c2f7b0cc6675c7029460cd88aae152d369e450103b6bfc5

C:\Users\Admin\AppData\Local\Temp\28201371\mrv.mp3

MD5 f6bf83707b9921f2b39462fc71708645
SHA1 78830a78c5d7f5f8e97ae6fc77ae9ef4a3a54149
SHA256 f0b60296642a17ce2df93ce1dc027f2b05c414c49a91216abc496d996a28b018
SHA512 817babe9af57b5e0ac8bc14c6cf67819a843b70414797b5b4fa53119692ba2d4b9d89d87d24b569c8f3b3ce4f198b5a7d1c48faffc60438ad40891a239de6616

C:\Users\Admin\AppData\Local\Temp\28201371\mgp.icm

MD5 90b926b5aafeb05ed406fedd23d18c8c
SHA1 610a0fb222f5e688b957481565872e9651bc8448
SHA256 c5b559290e4f292ebda31cc3671d2232987b02b0cfdbedead4393a383b4ff319
SHA512 78548c6c5678c605b36922e2dbfc6b20e242e5c358717cb782885ba1681d3a0cc815f3899501a481d4006d9395e18c715099fe5895862d0a4e88d04ed401b509

C:\Users\Admin\AppData\Local\Temp\28201371\lcc.txt

MD5 1d1537f3cdfc5451d7c22ce43c34e6e8
SHA1 83000e18cef73a7cd57ce31306b62b50937f8e1f
SHA256 fd1dec922cd55fe3335583edf6e104450ad1c2e87aa166a569e537d074ca667a
SHA512 3fb3f49364aaef16dbccbdc81b4ce7c4e6230d58dfd8e1c394111462e4629a63c5fc3e9bfd2b0d1b9c0fe48378e333da65d67f54ac28ec21d45abb4c92d4a40f

C:\Users\Admin\AppData\Local\Temp\28201371\lbi.mp3

MD5 0a03ff81fe70b306e6b4128a4b095679
SHA1 884628847e5759b0a94f82e76710fbb8606a71b7
SHA256 b1db0708e9638c4de64d6ca539e2ad8c69a68f746ad461dd63640ced8935fb75
SHA512 f103a13a1375384a6d93dd88d7a12c19e458b839d9835bcd70bdcdfbe251b5099e80d1d4362d3372698069f10461bb39dabec69dcfad85f460e35d3818ade027

C:\Users\Admin\AppData\Local\Temp\28201371\kjk.dat

MD5 35ae40ee88aae59203d4e0b4a8e648aa
SHA1 455fd2c166486fcf58012b8b2e6df4fe7c85ca6f
SHA256 8010d197ffd6340f1b78e0f3b72e8b32887b8e1c837f44f8a05a3228344a68bc
SHA512 fed1ed12aa0c79155e2795e40bdc3e3159ce1ef4f5a2fabf9b64d80f69db7208457addafd5040f18bf4907d2f3fef97acdf62381ae4828003b02cef798bf043f

C:\Users\Admin\AppData\Local\Temp\28201371\kat.icm

MD5 20fda609bf39a840c426b7279f6fd759
SHA1 ab48a618b25b9e4c992da9693821fd6d1922c007
SHA256 e4d7c8bba4b7be77085e46548ca77d3c1cfc85bcb878a5350439fda37fb7f415
SHA512 4060a665e1283c58c06ab0561d561a79d735f53beaa71eb9031a62b38aae46373b944140b921dbccabd14540beb00ca5ee9b31207a87b7bd5fc5babf439d58dd

C:\Users\Admin\AppData\Local\Temp\28201371\jnj.docx

MD5 ff5260fb73691563a2444384ae233a61
SHA1 948e86735319fb3cb68bf4e1883df50d65902ffc
SHA256 214a9df9b45a4cc1c081639f05a44cd05154d89db62dcad420e30a1342ea8fef
SHA512 ee1712a4aca353111b3c041317e0789af42138f8efa464ab75187dbe477bc640da3da8c3d0cbab0ae286fbd48857657feb2c9ad5081182b4c3afc66f29e8e051

C:\Users\Admin\AppData\Local\Temp\28201371\ist.docx

MD5 12daa33f51467ed6e04bdd1db75f4dd9
SHA1 b780b38ce9e0f0329bc01e36569af95d18123da2
SHA256 3e7772b8ba62c615db033271f0d3947c6e77b3bc0c57541ac19e11cb0da06b82
SHA512 fcdc9dd01080bfa56675b463ab735fb6b33ed42cff12e5dd8fb66d3d79997eb6aeaf7c49b482fa5f2fcf72365a6e620bd8f73dec8ad0b84b0d76af340845ae42

C:\Users\Admin\AppData\Local\Temp\28201371\imm.ppt

MD5 443eed386f8cd96acaa71221aca97945
SHA1 2e7d77712f341945d41b4d309a6445993eb875e5
SHA256 4b30fbec85f85fb66c3d9ccdb44d39458971084581be7d500a139016b5477e36
SHA512 fd10afe9df2cd0b25546d3683186f46edda4ad8d5e6c63e846fd29cdc6e9c7eeca711287d675159349775d3f32f947329184cf9c08f612a6bad1ba9543d806c8

C:\Users\Admin\AppData\Local\Temp\28201371\hsi.pdf

MD5 3da3884949cac9a6b3578a847408674b
SHA1 15b57b93e5c4f647b92564c4ac34f6a842f68312
SHA256 9a401faa2edb4b6765a878fca3ae8923cbdc26d402514a9410af03510c3fd70a
SHA512 9caabf52d42b6d17755a2cfbd45655bff6c276502f5e14fa0accaef42cb6e2fe9878c5555304d3fcf55e8921803a119e28ff13d0b9030e5616671daa39caaebb

C:\Users\Admin\AppData\Local\Temp\28201371\hsb.txt

MD5 95bc1d8672a6e13250322026d7116a9a
SHA1 16413b495184dcca4ecb2c92b4b127e89dd5b5a0
SHA256 832d29a343fb45db44ab3a724ca3b63e0c53b0f3956ed2f757e9ac98dab236d0
SHA512 70c2b99db643f52b0b3e754b13ffc762a93da8ebe7e7921b16318bac47c2ea6c4441d9d37092ee5013b2d6ee9956f1cc344af83b2e35b3f449c2630628ce9b02

C:\Users\Admin\AppData\Local\Temp\28201371\hjf.pdf

MD5 eef2aedcee79e3b005824abe18665284
SHA1 5746a1c9e8a25f5128044f65c06a8da9dfa86542
SHA256 c15cc1f7bbaef624660d0d32fee8d35a5348c3793ff610de41900944f1c5b5d2
SHA512 d5b4bc3ed3f42fb0f0fbab24ac14332f0eeee562d46e07416a68484d47db4d029904b52bb808738af38f06a24e14d909d356c2d15c1d00234b6bde6dc14c85aa

C:\Users\Admin\AppData\Local\Temp\28201371\gxa.txt

MD5 654dbd0d27f867ed0927dd7d05e72359
SHA1 39e1b4cf4bc3e569b8e0e5403532089b54e529bb
SHA256 393f5f5b9f367bab505350dd3aba25e5289eb08fc05f07ea95289aaa11dc0cfb
SHA512 0741ec0764e1843febf101cb401c72d5c419be866d4a86e17ab09b69ca10f69caa2a3a4765ba5853663f09a7ec99fd6c0db39aa8c8c3663fd575a3e81dba2739

C:\Users\Admin\AppData\Local\Temp\28201371\GuiDateTimePicker.bmp

MD5 d7e99bbdd60fb09a2d66c4c384aaf830
SHA1 53fe4395c970cf328b446256625a4444363ed39a
SHA256 a1166ccdd98f0e4b93327500257f405e8ebff4720e7176292ad408b782966fa8
SHA512 cfad26e6e8c078425a6e6573eebc076bd120c0719f6474e0bf18b876bb0e9263a14ae2262dfef83218b5c3e802ba2073f2205559b81478a3e995a9f81d71a0b6

C:\Users\Admin\AppData\Local\Temp\28201371\ftk.mp3

MD5 d3bf6e2f4110725a72b1362c0686a43d
SHA1 213b710770cbc93480f634aafb13de03cc980913
SHA256 2040e3da07c8c81639bd31d591e5ea05384f085b88c6347f91e2f220068127c4
SHA512 724233188d8d0d33d87bbe00f9dfc40f12a4e3d16cb5ea6647a571dffb5b04fbfbdf0701fe0108651fd494e1abfb08ba1bb4b44b0d57841d75d8bfa8c3b2f85a

C:\Users\Admin\AppData\Local\Temp\28201371\fpp.mp3

MD5 4bd1c11eca9aa812cd4785e96d6fde2e
SHA1 cc2b40fe143f6e6ebe610cb620afbd1739cd385a
SHA256 ef55921d5ce8cbe4c236b3d1c9af6b295261ad87f93eb17fee3f833c53965227
SHA512 4d56928966f192e9e31a6afec8d64a82f3b5678684432e36bad8d9df3215a7d4764185a7be11b54fcecbc15e122b7f7738d09141e37a4d4cd8d12266a385b4ee

C:\Users\Admin\AppData\Local\Temp\28201371\fdg.pdf

MD5 a237e1c412766328614e690202dc30b7
SHA1 18a7042f7f4a1b6a0e2cb6dd194609414bc8d9a0
SHA256 6aa5e9346931fc846809e0adaa1e7f4c5af7e8129a63af35b6fe8d37d389da6c
SHA512 63f2fd2c36bbc3e364c5e9a25086d8c211156aac9f123e7140718be2339b101637e4f33fee3463a2eb65d67f80e94ae160673349bb3ddf91ceaddc534ac03cb0

C:\Users\Admin\AppData\Local\Temp\28201371\ets.ppt

MD5 470948381aa1498dd89ee7953a08fe2e
SHA1 70102ee5a8921f19dc0679872ff66cdb42084904
SHA256 44f9bed2ae7f21b1ae99f672addd7e3e86acf3fc255f58e315f123555867101e
SHA512 15d9fc032179530f511b0ff6362d00f9465bf0f2b5d74e89840162bf64c8a47f6a7a206a84efc96463b8e04fa6770bb7ebf3354f067629e279cd308d3894e620

C:\Users\Admin\AppData\Local\Temp\28201371\dlu.docx

MD5 a993c43f0149f37928358d9b879222b6
SHA1 7c90a77cbcad173784f9b143d05cec155f46a248
SHA256 df74bc6ba79cd98844948c1d2ca362f8cbd8798c63b8e7bcb7f7468cf98d88de
SHA512 a8591948b1d812b5840a7dc890331d614bef24f71a9d3e2584534613f2fec229b8f7b47ca757c0909c6a9c63cfaf375a145953afb840ab9c2a9e77a4fbfa8f77

C:\Users\Admin\AppData\Local\Temp\28201371\cxx.pdf

MD5 607477739b4ed19c960d43c96afad0cb
SHA1 203bbe80f29c5be95edfd60e8363a6e42950f34b
SHA256 7104aff70da89a7200ca9fd25d1a3ae29bfefa011a8c8ef35ad5d7054b07028f
SHA512 18f9fc3ad68c16a847b09a2a5826de31b1a25aba58b69ccd39e712fabed0b02915aa6d9c61828153fdef19f0eb5ffd0f4a7e3df2f1a0649ce7fc3ffeedfebed9

C:\Users\Admin\AppData\Local\Temp\28201371\cmr.xl

MD5 1f97f3548dfc823858baff75d25434df
SHA1 f0b9ba6f91e686a2c2b4ca681a74c866f6a9b9d0
SHA256 0d2cb02be3a10816022344f947f4ac6ae2b536db3fc4d7dd1d88751893a312ca
SHA512 c15412c911b2726aac97540af506d9fec433db4fef7c95fb9b4d6dfda87f6b578d5c71b182c54966d0de4cacf099c9e6e229a61906b8d2092119991919a4f0b6

C:\Users\Admin\AppData\Local\Temp\28201371\ckr.pdf

MD5 be22495f0b5e2ef6004788a870c9bb61
SHA1 ed9c0ea6fe6f3cabb5e2c45f1e39bbabd1aa8af7
SHA256 4c650822f1fd3244c181e12179aec728c7bb936101398dd702307d85ab18aede
SHA512 5bfb8de2bfeab964792fc064f603029dc7f0113aef0763f8a2e6653b6ddf4ef6b52fcce791a06c9b5c2fefe3a2541239155b28bd5891711ea65f6d0f5b6fe4bd

C:\Users\Admin\AppData\Local\Temp\28201371\cbi.jpg

MD5 c073e62dfaa31736b727697154757bf8
SHA1 2d43fa2a4474243f04b4131384d9e84970a83d3b
SHA256 327731e3ea7d24101f683ae651efe6f7594106281cc140feb2bafe6d9f24c179
SHA512 4a27fcb9b117184ff789f4bda6b46d073e32e5550e8274449dc48074134b90096db945a062ea8710234162aab8d2ae77093410756466010684d8338360b2d774

C:\Users\Admin\AppData\Local\Temp\28201371\app.mp3

MD5 ffb97d7599c6ecc626b526b7c1f1a61e
SHA1 adea4cf424289ceab9c2d59c4a62443f12a8eb9a
SHA256 585fe832fa8fe2bc35f23caa07246aaa53bdc551a47187ad910f348e81cc6336
SHA512 841ddeab62307171c8b7780fef5fda3fbddbd3f63767a064c9681f2e0e375ada72b5448a9b887c7ca0ffb744432f4a24527395819da9b1c2977798f41fe2caa1

C:\Users\Admin\AppData\Local\Temp\28201371\and.dat

MD5 72b8454b9e5b452821cb481670d7e23c
SHA1 56f4349d4a1aeb965d5cb13e2e1f05035948ae80
SHA256 bdac86651a78d9bbccec9aca93713cffe9cddf7814dc264c6cde0fe9afb32562
SHA512 38d9fff27bc1f54ba45213e4c52f5f3b6c5fb25737a39bcb9b17110b53a44b7c55bc1c85bc2e925de8dea51a4f281058b962f80965a6dadccec546df6f5962f8

C:\Users\Admin\AppData\Local\Temp\28201371\ami.pdf

MD5 380b1af8d001efe036949812faf8cc0e
SHA1 d58dc7fab7dff68299c7e99da6937012844dba93
SHA256 1a912ce1f3b01a5ce2cabccdf2cfe1221574a20715fbf7fda14631531b529078
SHA512 c8bc893cc47d92550c0cd7c7c55620c99458771ade83f2f33e409240e278eeadb3aa7aeb68e860f1847742264f227bbdbe74ed18f8e9eb8e34c45deb40410e5e

C:\Users\Admin\AppData\Local\Temp\28201371\DUDWD

MD5 837536ffc3370856dba5f8b848b3c80b
SHA1 201696ba9121c2a6863b54c3fd91e0c903be587b
SHA256 53dcdc02fa7a48d377ff7b4a200e97db63fe3821e35f57a1a4bebcbca7d153c9
SHA512 5e4fe20d61b1875f8766762b71e61289de873d920c35b1605bb84e1252032560e3dc4b199037f941c9cabeffb90a01918c28aa679aa0127272c384c600a3b5d1

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/492-187-0x0000000000400000-0x000000000043A000-memory.dmp

memory/492-193-0x0000000000400000-0x000000000043A000-memory.dmp

memory/492-198-0x0000000000400000-0x000000000043A000-memory.dmp

memory/492-197-0x0000000000400000-0x000000000043A000-memory.dmp

memory/492-196-0x0000000000400000-0x000000000043A000-memory.dmp

memory/492-195-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/492-191-0x0000000000400000-0x000000000043A000-memory.dmp

memory/492-189-0x0000000000400000-0x000000000043A000-memory.dmp

memory/492-204-0x00000000009D0000-0x00000000009DA000-memory.dmp

memory/492-205-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/492-206-0x0000000000A30000-0x0000000000A4E000-memory.dmp

memory/492-207-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 11:40

Reported

2024-06-15 11:42

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28201371\\amu.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\28201371\\THQ_IO~1" C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe" C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5044 set thread context of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Service\dhcpsv.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Service\dhcpsv.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 1376 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 1376 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 4940 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 4940 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 4940 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5044 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 660 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 660 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 660 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 660 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 660 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 660 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe

"C:\Users\Admin\AppData\Local\Temp\FYI_INVOICE #82749002_COPY.exe"

C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe

"C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe" thq=ioq

C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe

C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe C:\Users\Admin\AppData\Local\Temp\28201371\GMVMC

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp64A5.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp64F5.tmp"

Network

Country Destination Domain Proto
RS 95.140.125.74:55702 tcp
RS 95.140.125.74:55702 tcp
RS 95.140.125.74:55702 tcp
US 8.8.8.8:53 smithwems.ddns.net udp
US 8.8.4.4:53 smithwems.ddns.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 smithwems.ddns.net udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 smithwems.ddns.net udp
US 8.8.4.4:53 smithwems.ddns.net udp
US 8.8.8.8:53 smithwems.ddns.net udp
US 8.8.8.8:53 smithwems.ddns.net udp
US 8.8.4.4:53 smithwems.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Temp\28201371\amu.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\28201371\thq=ioq

MD5 4102f3aedffaddb915aa6ada7abe921d
SHA1 6cf62f4ea7535a76520c43773b41b3d2b06371f4
SHA256 857e15016a32017ccb336b178341982eb5823bf5a19a48a8239a569de6ded7f5
SHA512 37f9704d70491c4237ddadae8fa555ba1669ca7b2deebf8b2fe4909cfb1c327f387b89fe0aa44580b6e825d8f13c98fd83a63a2dd83a211e9061c328a645c057

C:\Users\Admin\AppData\Local\Temp\28201371\vgi.xl

MD5 83eec929f9a10beaa4674b4232a0fadd
SHA1 49db82adc8ad27df4d5854c23667defc9f5fdcee
SHA256 00e56b497957adcc2fd4d5302c04a96cca3056e083f23a49fd383feca0d98e24
SHA512 6f95d15d1aa02d32d6fb5317754a800088474ea8899d69c9a0855f17104f9fbadc7add64d243cafd4247457a93c31f0df3e1603fd98195a3110de7c9a2fb4fad

C:\Users\Admin\AppData\Local\Temp\28201371\ami.pdf

MD5 380b1af8d001efe036949812faf8cc0e
SHA1 d58dc7fab7dff68299c7e99da6937012844dba93
SHA256 1a912ce1f3b01a5ce2cabccdf2cfe1221574a20715fbf7fda14631531b529078
SHA512 c8bc893cc47d92550c0cd7c7c55620c99458771ade83f2f33e409240e278eeadb3aa7aeb68e860f1847742264f227bbdbe74ed18f8e9eb8e34c45deb40410e5e

C:\Users\Admin\AppData\Local\Temp\28201371\xlx.icm

MD5 b2bdddb652081778f994cfcd8066604f
SHA1 0e58e24c0d83e8e0b2ee8d75d4c7e60929f523c3
SHA256 30de9f78b7627056dbcbb0100dcc124d6b24c8e906c17aa078e0ec8e963fd43d
SHA512 0dc731aa8c1dda899d64f7819ed456985607cfe00a268fe7b0269c9de8e5043d4e2c129ce95c03102642698bc5780d7df23585299d738fff5246e9dba3411cd8

C:\Users\Admin\AppData\Local\Temp\28201371\app.mp3

MD5 ffb97d7599c6ecc626b526b7c1f1a61e
SHA1 adea4cf424289ceab9c2d59c4a62443f12a8eb9a
SHA256 585fe832fa8fe2bc35f23caa07246aaa53bdc551a47187ad910f348e81cc6336
SHA512 841ddeab62307171c8b7780fef5fda3fbddbd3f63767a064c9681f2e0e375ada72b5448a9b887c7ca0ffb744432f4a24527395819da9b1c2977798f41fe2caa1

C:\Users\Admin\AppData\Local\Temp\28201371\xbr.jpg

MD5 f71e729d43f389631f727d4d3275697e
SHA1 e407d1c76a878fc91b67bb87d39d861fd52fe642
SHA256 3ac8dc5f89aa254b697a9f70d763bbb3329c665bc96ea9f6e48a64b74e68f180
SHA512 5fbfa6accb26655a73840f4a6a2f91974fb9bfde2e0597ea0f631e9284e761b35ee33409b22e7d0bb6aff90baae87a9d28ee82b2a6c687954ac351411cb9e80c

C:\Users\Admin\AppData\Local\Temp\28201371\wxk.txt

MD5 fb589cef44a7549095c0e7ccb24d9c55
SHA1 4582949f1a6622a355242dad187d80a65f076af5
SHA256 dde011c6a9682ae10d2e6ebe9ab3f8c794e216568b24a84a44d121e691ee7181
SHA512 bf6d4ccc209b3fd32803cb69e71d592b0e22cefb361bdda735003d8e466128618e7c63780d0863b3fbc4b4f8102082a3370f711656151663461da5d7ffc89f04

C:\Users\Admin\AppData\Local\Temp\28201371\wss.dat

MD5 f9eb08bd58b9c9d5db055a96ce782b0e
SHA1 f8a05223a626219878bf74606d79eba5f0b212b5
SHA256 f49db73c2b3c270146f2aa582713f1bd570a9b3c30ecbec943a6886a073ac05e
SHA512 24dc76a1d89358ae2b0231a8e1f847ab3f874c4b8dd738b3c33d64c20bf9ac5a18d74a485a79901c0dcc759ae170504cb0d43c11fa8ca894801be57a08f0a51b

C:\Users\Admin\AppData\Local\Temp\28201371\wno.pdf

MD5 f48bd3d9f2513f99b4861002789621df
SHA1 896556190a2fd701f0f514239cdb3d1947b8b8a2
SHA256 e8d5f9914662f8c7e241d453e1b7e1425ef210719398b8901e976f96fa8e7b49
SHA512 6701fe0c1d504201fe0cfaa716321b0dd523cb9c9f493bf5b8ab74586e1bfb461a2b68febeca907172ba6a87567bb4bc24377160d9a3383e159dfeeab8117e0c

C:\Users\Admin\AppData\Local\Temp\28201371\whr.dat

MD5 62b27453b1b32a485dd84db075386fac
SHA1 4afff42a9d20860f1d5b564a4ea1c09fc99d8fd5
SHA256 a1545d9dbf109849e53c5af0b99ca853e0fb69ff16942af126f39db489898efb
SHA512 0fb20a6549b0a480486bfd11fcca42889cdb7c46121667c2b58d3138e01c2a78246ac86d65135b938cc6fcb284a9f46c0b4f417c05032500b71170e92e193115

C:\Users\Admin\AppData\Local\Temp\28201371\vpn.jpg

MD5 1dfa69e88dfab1d5ba561528ed06d4d6
SHA1 aeac77b945b87ecb1ab2a041ccf28f9368e65b11
SHA256 949f6c51010a289774045ac7d0925da1060ef6b02fc69ec07e84a111a9639113
SHA512 27a63bd5747bed9e76c9c2b62010bd646717072b296f25c4ddd7e74dd50fc629147b352ac7bbbb8fc9669309b2b366209acf6cd52926810263c9a6105e76a0ce

C:\Users\Admin\AppData\Local\Temp\28201371\vjp.mp4

MD5 23abf1158d95f3b76565b15ae376aff8
SHA1 ed4d3d4a66a754a4831844f83193fb85b6e5d892
SHA256 c8736087bc829c110ed354dd0ccc86f0ab9ba197a6f8e517e4f8dc22a0db77b9
SHA512 58a8f16da2f63ef3da513a4bdb351b47261ed76e7c9e56bdcc90ad52e08f0d7e3739dbbc42f79fb0f70bf69d4cc49b45988fec334689805d41424d6abc552f8d

C:\Users\Admin\AppData\Local\Temp\28201371\vit.icm

MD5 199ca30abe6037191b03a63cf0420c5f
SHA1 29f85bff5ba6a75a21e5f4ca545d259ca0d9e816
SHA256 29d6f017edd684ed4733ecc93c14d85c8ccf48e6a1fc62d3b20d17a5ffa836b5
SHA512 64211a342d693bdf5e3e0fe91bca3799ae5fbc521fe9dd621d35ff9f1d0196c7fca266a4786bc84d077feb3bc2ef064bc23e5e35af12743945748f0557d1fe14

C:\Users\Admin\AppData\Local\Temp\28201371\UpDownConstants.bmp

MD5 846373cd72ebb1198bd8f0a013f89cb7
SHA1 53250a560bb1252fbe8e21121f52d162d77db44a
SHA256 ecbf2c538b107f36dba2b15521e560a136abe0cd064991513c828e6ccd29ac71
SHA512 e36b21d413799b30d275e8e47ba13c54ad7d7a47008aed5e36bd2eddbbf3349d7023004d47e70d3a3d1ac69000808e7f01645e5931c18d9384aa5d1903d56567

C:\Users\Admin\AppData\Local\Temp\28201371\uni.txt

MD5 5e322c0474f22ccab11316f4700f1f7a
SHA1 0b9d2306b76d756de51474868e586c5ca7648b81
SHA256 d240265104d4be110f26c91428b3132d8fbb7542ec9e86b7168f38b671ef6409
SHA512 bebb2b503e1d581aed9a4c38edaf8e8228ebc89d2bc1df36829ec589ce57cf1f76224b7954d6590a6278c51a06f426584bcbc415580c96eca5cb3fb94fb78cda

C:\Users\Admin\AppData\Local\Temp\28201371\ubq.dat

MD5 bcfe42632f2a3274f2e63bd11e578138
SHA1 409c1c77bfa536559f95ba01937d2c0512f17874
SHA256 243526562b495d370158c6c7f774f244f476f533229c382c518882296cdc8e90
SHA512 363cafadb21c842ad808014ab117d686a91bc8d80225aebfd28ed079ee90fbc5422337add7c635617af4ba88282972998476d6993b41e5eb8945f853042c1f99

C:\Users\Admin\AppData\Local\Temp\28201371\tgg.ppt

MD5 31f49f6f77e5c6879f448ce2a96cd3d7
SHA1 e5752fe217a2b9b6c7fb2f6301f33fc8ec2e3ca9
SHA256 1dd9d147a6aeb501bbf1ae17ea131b51fbef2967c8e38c32a4f12362c549a35f
SHA512 3e7769ab097a214684d69bc5017d5ba3bab4bb4e95139e84efb58ccdcd289e8f1c3cd0de9ce934c037e701074b3ef097c07e4519c0ee9f3889f1f9aea0e6f425

C:\Users\Admin\AppData\Local\Temp\28201371\sna.pdf

MD5 53fb517a9d85acdf000eac6d10d0a8d5
SHA1 3545babeae070e7f0a296519a2290f5d622519b0
SHA256 ce1d8ee510a165414ba643f8adafa8b604d8d26914a09a5816e0a060f1da7068
SHA512 6b17aee330fe77f4a3d536b01c463932b8e2800b75d124ecf82338b8a7cdecaeb620dfc9ef5535df8697ddb02baeaa071c236702ed564c32f331edf4548a1d72

C:\Users\Admin\AppData\Local\Temp\28201371\she.bmp

MD5 f0c870fce3cc5a48a9eddcc078b961dd
SHA1 fbd2268e787103bb552d830a2c913439af8f5fbe
SHA256 415b689ad51eb337785f2c61a31c88d39d0b54bbd019a9b44f3623e90eb2ae91
SHA512 bea8c31c79dfb552cfb3e03b702d537cb5af8d9e088d821c25b5445a53183f2ce0a40cded85704a45543f2ea850d22132ee4b55e2221a72bea9f1ff8c5cb7672

C:\Users\Admin\AppData\Local\Temp\28201371\rrf.dat

MD5 18ba8cc3e019c800ff31188c28edd999
SHA1 9cf1cd8f9786b75576d43fbc334f1405c2e6a06c
SHA256 14b78425dd9affea1ecc201d7231ea8f7970e738a06cd0c226ce4fd33072a379
SHA512 eb6e49ad0bd5e9f35ba249269b01968f4deadc6271f3a9c7bb9ba1b498e3ebaae82906f0b63c02619e2720ef4e8d743a8bbed044d59af35ca40cd94d18ba7f6a

C:\Users\Admin\AppData\Local\Temp\28201371\qls.mp4

MD5 2d64a1e2f0e0e6ceb7673951e7c43043
SHA1 bb518dfc40b4278a891de8bb73e5b10d3e7fe7b4
SHA256 463902d77e12b76e26625fcb403895f6ab32d481eb512e623f4bdc72d08ca439
SHA512 41a06bd9e5682824062fbd70bb45e478f9dbd022ea5b77180aa1b139919f29943ad3bdea85e75c340b4ab6420b4ce26e761f88a87c1b4ce0b9e153ae0607910f

C:\Users\Admin\AppData\Local\Temp\28201371\qku.ico

MD5 9d749aa222a8b859fdf42709f10412a7
SHA1 c5aa56d24d9a9931be4fa211c687fedc42206a62
SHA256 a189dec20b4d037d20dc2506e8b0f11f952731017a2837460ae8e9d8f993b749
SHA512 11634be7698ee102e2f4c1f85c4d786564f1da713bc063f4a4c304353453aea6330133d1c87dab67c972f5b6751df00b886c71a21e42c4d62976b5c297969cf5

C:\Users\Admin\AppData\Local\Temp\28201371\qdx.icm

MD5 4d17f9f604f2400a59f86f518696e6ce
SHA1 66fdf54ff71fd50db5488f1185974c11df74d6c1
SHA256 f1e5dfbc373ac9c111fa36729a4458890b5845fee36ce8d230e93ac54f0e6d08
SHA512 71746b750b4f6d5c1046000595e2732f1082cc37b8d215990e5b6103f5bda91c7f8d30fe80fa30b7685caa08cac30d560d4277d6bf18f7efca56f9cbb46b980f

C:\Users\Admin\AppData\Local\Temp\28201371\osm.docx

MD5 3c6217ecb2c526e9a25d9b52e785e899
SHA1 2592497fdb1cdfafc8698702420ecd605b5838c2
SHA256 75ff5eec1fd5106c9efb4df9dba36733298cfc5b5915f0749bd25e3111fada93
SHA512 c7d0c803d31946d0bdc048a1c3040eff2ebbde52052c4827df2116e1108b1b096477d8709a3a73cd8638595e5088017bcd43523c0cbc5d230549545d48ffe49d

C:\Users\Admin\AppData\Local\Temp\28201371\ols.docx

MD5 f96a3c907d78d1991f269cc30a88b2c9
SHA1 9ac86de4dacb837635bffa02ed12c05054630fcf
SHA256 5376cea1572f1c780eec5158567853e066a00b7d9ff6441645f8ec9dd8028827
SHA512 8b5956810ae872f1178d47690ee811d34bab178c88261e35286467dfa6133014fe4523ffa723ee35e2f3e482e7b2c3b6aecfeb55dc38626b416de4f26699d579

C:\Users\Admin\AppData\Local\Temp\28201371\ods.jpg

MD5 baf3ce5ecb5b990255e80248b321e8cb
SHA1 380d36a5e5dc3243da5bdd9e6a9e0231b3aea1f3
SHA256 0b0c46c8e58aacb851fa0675365bf395a7991eb23c66e50b9895f233347de3e1
SHA512 65ce122691f72d0e18ea61ef3021a8868fb54cb07bd905e315361f93ac0b18602a0524223fd0fa4f54c6d61e5b6482a514fa0f59dda9d9e0e94d86294d86e4ca

C:\Users\Admin\AppData\Local\Temp\28201371\ntr.txt

MD5 f5333cc68140fdb27662ed35cd7c078f
SHA1 92e8c46e021ef539c34e9b7a2c12ad80d134ffbf
SHA256 42112c0c2824c09365319cecac7adea81458c6b5e374caf28a904ebc82a40be0
SHA512 3bfbee6e032eff3a60402e3f41f7876750110179a866a2d2ff7f117755cb2265efa2b003fc039ecfe1dc424292a772073b3d442c23c09e1479a7e91d54962323

C:\Users\Admin\AppData\Local\Temp\28201371\nlg.docx

MD5 54eb704a872535d7b6d274876e959e09
SHA1 22eff8e4e52813722a8e27a0258185348a2b2ad5
SHA256 b26b5a66cc9a57927cf400f612691e8504c3cc03f983be70ad827691afdecc9a
SHA512 431edaabeff6f4b4b9e1a22f213d979932f3e8a6569ff216244100d754afe38b8a0b586a68b60ed678771d297c08bb30dcc681c7af2ae3c089c28021ceb505f8

C:\Users\Admin\AppData\Local\Temp\28201371\nka.icm

MD5 887d2807fbe9d0e99c4a3108cd7be8bd
SHA1 01c205315100807754b148841d39ba77535d0af3
SHA256 7ca71cc328b02065aec6eac5bb794df1df781436e65d48ac70d51279018358c4
SHA512 252af8e010ad5c7528ced2c384b0efe887cfe47e24f72f7160f1cd37ef427f3e106da63fd06ade7286476647a5fb99224b328d01bf2359f70bff17204c3dde5d

C:\Users\Admin\AppData\Local\Temp\28201371\ngw.dat

MD5 045a85ed843b00b1eef2ab442c025255
SHA1 71e036faafbac14ea9b752986bc3df0ca2a55bdc
SHA256 0d6af1d08fdf231a1647877235d8c6c09fdcab62c869a2204de6af684dc49b39
SHA512 f2ec19569bcbf2170ce2b8091f58cb5322965eab44cccaf5971e37954f2ba4a5a8ffda406143d22b8c2f7b0cc6675c7029460cd88aae152d369e450103b6bfc5

C:\Users\Admin\AppData\Local\Temp\28201371\mrv.mp3

MD5 f6bf83707b9921f2b39462fc71708645
SHA1 78830a78c5d7f5f8e97ae6fc77ae9ef4a3a54149
SHA256 f0b60296642a17ce2df93ce1dc027f2b05c414c49a91216abc496d996a28b018
SHA512 817babe9af57b5e0ac8bc14c6cf67819a843b70414797b5b4fa53119692ba2d4b9d89d87d24b569c8f3b3ce4f198b5a7d1c48faffc60438ad40891a239de6616

C:\Users\Admin\AppData\Local\Temp\28201371\mgp.icm

MD5 90b926b5aafeb05ed406fedd23d18c8c
SHA1 610a0fb222f5e688b957481565872e9651bc8448
SHA256 c5b559290e4f292ebda31cc3671d2232987b02b0cfdbedead4393a383b4ff319
SHA512 78548c6c5678c605b36922e2dbfc6b20e242e5c358717cb782885ba1681d3a0cc815f3899501a481d4006d9395e18c715099fe5895862d0a4e88d04ed401b509

C:\Users\Admin\AppData\Local\Temp\28201371\lcc.txt

MD5 1d1537f3cdfc5451d7c22ce43c34e6e8
SHA1 83000e18cef73a7cd57ce31306b62b50937f8e1f
SHA256 fd1dec922cd55fe3335583edf6e104450ad1c2e87aa166a569e537d074ca667a
SHA512 3fb3f49364aaef16dbccbdc81b4ce7c4e6230d58dfd8e1c394111462e4629a63c5fc3e9bfd2b0d1b9c0fe48378e333da65d67f54ac28ec21d45abb4c92d4a40f

C:\Users\Admin\AppData\Local\Temp\28201371\lbi.mp3

MD5 0a03ff81fe70b306e6b4128a4b095679
SHA1 884628847e5759b0a94f82e76710fbb8606a71b7
SHA256 b1db0708e9638c4de64d6ca539e2ad8c69a68f746ad461dd63640ced8935fb75
SHA512 f103a13a1375384a6d93dd88d7a12c19e458b839d9835bcd70bdcdfbe251b5099e80d1d4362d3372698069f10461bb39dabec69dcfad85f460e35d3818ade027

C:\Users\Admin\AppData\Local\Temp\28201371\kjk.dat

MD5 35ae40ee88aae59203d4e0b4a8e648aa
SHA1 455fd2c166486fcf58012b8b2e6df4fe7c85ca6f
SHA256 8010d197ffd6340f1b78e0f3b72e8b32887b8e1c837f44f8a05a3228344a68bc
SHA512 fed1ed12aa0c79155e2795e40bdc3e3159ce1ef4f5a2fabf9b64d80f69db7208457addafd5040f18bf4907d2f3fef97acdf62381ae4828003b02cef798bf043f

C:\Users\Admin\AppData\Local\Temp\28201371\kat.icm

MD5 20fda609bf39a840c426b7279f6fd759
SHA1 ab48a618b25b9e4c992da9693821fd6d1922c007
SHA256 e4d7c8bba4b7be77085e46548ca77d3c1cfc85bcb878a5350439fda37fb7f415
SHA512 4060a665e1283c58c06ab0561d561a79d735f53beaa71eb9031a62b38aae46373b944140b921dbccabd14540beb00ca5ee9b31207a87b7bd5fc5babf439d58dd

C:\Users\Admin\AppData\Local\Temp\28201371\jnj.docx

MD5 ff5260fb73691563a2444384ae233a61
SHA1 948e86735319fb3cb68bf4e1883df50d65902ffc
SHA256 214a9df9b45a4cc1c081639f05a44cd05154d89db62dcad420e30a1342ea8fef
SHA512 ee1712a4aca353111b3c041317e0789af42138f8efa464ab75187dbe477bc640da3da8c3d0cbab0ae286fbd48857657feb2c9ad5081182b4c3afc66f29e8e051

C:\Users\Admin\AppData\Local\Temp\28201371\ist.docx

MD5 12daa33f51467ed6e04bdd1db75f4dd9
SHA1 b780b38ce9e0f0329bc01e36569af95d18123da2
SHA256 3e7772b8ba62c615db033271f0d3947c6e77b3bc0c57541ac19e11cb0da06b82
SHA512 fcdc9dd01080bfa56675b463ab735fb6b33ed42cff12e5dd8fb66d3d79997eb6aeaf7c49b482fa5f2fcf72365a6e620bd8f73dec8ad0b84b0d76af340845ae42

C:\Users\Admin\AppData\Local\Temp\28201371\imm.ppt

MD5 443eed386f8cd96acaa71221aca97945
SHA1 2e7d77712f341945d41b4d309a6445993eb875e5
SHA256 4b30fbec85f85fb66c3d9ccdb44d39458971084581be7d500a139016b5477e36
SHA512 fd10afe9df2cd0b25546d3683186f46edda4ad8d5e6c63e846fd29cdc6e9c7eeca711287d675159349775d3f32f947329184cf9c08f612a6bad1ba9543d806c8

C:\Users\Admin\AppData\Local\Temp\28201371\hsi.pdf

MD5 3da3884949cac9a6b3578a847408674b
SHA1 15b57b93e5c4f647b92564c4ac34f6a842f68312
SHA256 9a401faa2edb4b6765a878fca3ae8923cbdc26d402514a9410af03510c3fd70a
SHA512 9caabf52d42b6d17755a2cfbd45655bff6c276502f5e14fa0accaef42cb6e2fe9878c5555304d3fcf55e8921803a119e28ff13d0b9030e5616671daa39caaebb

C:\Users\Admin\AppData\Local\Temp\28201371\hsb.txt

MD5 95bc1d8672a6e13250322026d7116a9a
SHA1 16413b495184dcca4ecb2c92b4b127e89dd5b5a0
SHA256 832d29a343fb45db44ab3a724ca3b63e0c53b0f3956ed2f757e9ac98dab236d0
SHA512 70c2b99db643f52b0b3e754b13ffc762a93da8ebe7e7921b16318bac47c2ea6c4441d9d37092ee5013b2d6ee9956f1cc344af83b2e35b3f449c2630628ce9b02

C:\Users\Admin\AppData\Local\Temp\28201371\hjf.pdf

MD5 eef2aedcee79e3b005824abe18665284
SHA1 5746a1c9e8a25f5128044f65c06a8da9dfa86542
SHA256 c15cc1f7bbaef624660d0d32fee8d35a5348c3793ff610de41900944f1c5b5d2
SHA512 d5b4bc3ed3f42fb0f0fbab24ac14332f0eeee562d46e07416a68484d47db4d029904b52bb808738af38f06a24e14d909d356c2d15c1d00234b6bde6dc14c85aa

C:\Users\Admin\AppData\Local\Temp\28201371\gxa.txt

MD5 654dbd0d27f867ed0927dd7d05e72359
SHA1 39e1b4cf4bc3e569b8e0e5403532089b54e529bb
SHA256 393f5f5b9f367bab505350dd3aba25e5289eb08fc05f07ea95289aaa11dc0cfb
SHA512 0741ec0764e1843febf101cb401c72d5c419be866d4a86e17ab09b69ca10f69caa2a3a4765ba5853663f09a7ec99fd6c0db39aa8c8c3663fd575a3e81dba2739

C:\Users\Admin\AppData\Local\Temp\28201371\GuiDateTimePicker.bmp

MD5 d7e99bbdd60fb09a2d66c4c384aaf830
SHA1 53fe4395c970cf328b446256625a4444363ed39a
SHA256 a1166ccdd98f0e4b93327500257f405e8ebff4720e7176292ad408b782966fa8
SHA512 cfad26e6e8c078425a6e6573eebc076bd120c0719f6474e0bf18b876bb0e9263a14ae2262dfef83218b5c3e802ba2073f2205559b81478a3e995a9f81d71a0b6

C:\Users\Admin\AppData\Local\Temp\28201371\ftk.mp3

MD5 d3bf6e2f4110725a72b1362c0686a43d
SHA1 213b710770cbc93480f634aafb13de03cc980913
SHA256 2040e3da07c8c81639bd31d591e5ea05384f085b88c6347f91e2f220068127c4
SHA512 724233188d8d0d33d87bbe00f9dfc40f12a4e3d16cb5ea6647a571dffb5b04fbfbdf0701fe0108651fd494e1abfb08ba1bb4b44b0d57841d75d8bfa8c3b2f85a

C:\Users\Admin\AppData\Local\Temp\28201371\fpp.mp3

MD5 4bd1c11eca9aa812cd4785e96d6fde2e
SHA1 cc2b40fe143f6e6ebe610cb620afbd1739cd385a
SHA256 ef55921d5ce8cbe4c236b3d1c9af6b295261ad87f93eb17fee3f833c53965227
SHA512 4d56928966f192e9e31a6afec8d64a82f3b5678684432e36bad8d9df3215a7d4764185a7be11b54fcecbc15e122b7f7738d09141e37a4d4cd8d12266a385b4ee

C:\Users\Admin\AppData\Local\Temp\28201371\fdg.pdf

MD5 a237e1c412766328614e690202dc30b7
SHA1 18a7042f7f4a1b6a0e2cb6dd194609414bc8d9a0
SHA256 6aa5e9346931fc846809e0adaa1e7f4c5af7e8129a63af35b6fe8d37d389da6c
SHA512 63f2fd2c36bbc3e364c5e9a25086d8c211156aac9f123e7140718be2339b101637e4f33fee3463a2eb65d67f80e94ae160673349bb3ddf91ceaddc534ac03cb0

C:\Users\Admin\AppData\Local\Temp\28201371\ets.ppt

MD5 470948381aa1498dd89ee7953a08fe2e
SHA1 70102ee5a8921f19dc0679872ff66cdb42084904
SHA256 44f9bed2ae7f21b1ae99f672addd7e3e86acf3fc255f58e315f123555867101e
SHA512 15d9fc032179530f511b0ff6362d00f9465bf0f2b5d74e89840162bf64c8a47f6a7a206a84efc96463b8e04fa6770bb7ebf3354f067629e279cd308d3894e620

C:\Users\Admin\AppData\Local\Temp\28201371\dlu.docx

MD5 a993c43f0149f37928358d9b879222b6
SHA1 7c90a77cbcad173784f9b143d05cec155f46a248
SHA256 df74bc6ba79cd98844948c1d2ca362f8cbd8798c63b8e7bcb7f7468cf98d88de
SHA512 a8591948b1d812b5840a7dc890331d614bef24f71a9d3e2584534613f2fec229b8f7b47ca757c0909c6a9c63cfaf375a145953afb840ab9c2a9e77a4fbfa8f77

C:\Users\Admin\AppData\Local\Temp\28201371\cxx.pdf

MD5 607477739b4ed19c960d43c96afad0cb
SHA1 203bbe80f29c5be95edfd60e8363a6e42950f34b
SHA256 7104aff70da89a7200ca9fd25d1a3ae29bfefa011a8c8ef35ad5d7054b07028f
SHA512 18f9fc3ad68c16a847b09a2a5826de31b1a25aba58b69ccd39e712fabed0b02915aa6d9c61828153fdef19f0eb5ffd0f4a7e3df2f1a0649ce7fc3ffeedfebed9

C:\Users\Admin\AppData\Local\Temp\28201371\cmr.xl

MD5 1f97f3548dfc823858baff75d25434df
SHA1 f0b9ba6f91e686a2c2b4ca681a74c866f6a9b9d0
SHA256 0d2cb02be3a10816022344f947f4ac6ae2b536db3fc4d7dd1d88751893a312ca
SHA512 c15412c911b2726aac97540af506d9fec433db4fef7c95fb9b4d6dfda87f6b578d5c71b182c54966d0de4cacf099c9e6e229a61906b8d2092119991919a4f0b6

C:\Users\Admin\AppData\Local\Temp\28201371\ckr.pdf

MD5 be22495f0b5e2ef6004788a870c9bb61
SHA1 ed9c0ea6fe6f3cabb5e2c45f1e39bbabd1aa8af7
SHA256 4c650822f1fd3244c181e12179aec728c7bb936101398dd702307d85ab18aede
SHA512 5bfb8de2bfeab964792fc064f603029dc7f0113aef0763f8a2e6653b6ddf4ef6b52fcce791a06c9b5c2fefe3a2541239155b28bd5891711ea65f6d0f5b6fe4bd

C:\Users\Admin\AppData\Local\Temp\28201371\cbi.jpg

MD5 c073e62dfaa31736b727697154757bf8
SHA1 2d43fa2a4474243f04b4131384d9e84970a83d3b
SHA256 327731e3ea7d24101f683ae651efe6f7594106281cc140feb2bafe6d9f24c179
SHA512 4a27fcb9b117184ff789f4bda6b46d073e32e5550e8274449dc48074134b90096db945a062ea8710234162aab8d2ae77093410756466010684d8338360b2d774

C:\Users\Admin\AppData\Local\Temp\28201371\and.dat

MD5 72b8454b9e5b452821cb481670d7e23c
SHA1 56f4349d4a1aeb965d5cb13e2e1f05035948ae80
SHA256 bdac86651a78d9bbccec9aca93713cffe9cddf7814dc264c6cde0fe9afb32562
SHA512 38d9fff27bc1f54ba45213e4c52f5f3b6c5fb25737a39bcb9b17110b53a44b7c55bc1c85bc2e925de8dea51a4f281058b962f80965a6dadccec546df6f5962f8

C:\Users\Admin\AppData\Local\Temp\28201371\GMVMC

MD5 837536ffc3370856dba5f8b848b3c80b
SHA1 201696ba9121c2a6863b54c3fd91e0c903be587b
SHA256 53dcdc02fa7a48d377ff7b4a200e97db63fe3821e35f57a1a4bebcbca7d153c9
SHA512 5e4fe20d61b1875f8766762b71e61289de873d920c35b1605bb84e1252032560e3dc4b199037f941c9cabeffb90a01918c28aa679aa0127272c384c600a3b5d1

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/660-180-0x0000000000400000-0x000000000043A000-memory.dmp

memory/660-183-0x0000000005800000-0x0000000005DA4000-memory.dmp

memory/660-184-0x0000000005180000-0x0000000005212000-memory.dmp

memory/660-185-0x00000000052F0000-0x000000000538C000-memory.dmp

memory/660-186-0x0000000005230000-0x000000000523A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp64A5.tmp

MD5 95aceabc58acad5d73372b0966ee1b35
SHA1 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

C:\Users\Admin\AppData\Local\Temp\tmp64F5.tmp

MD5 a77c223a0fc492dccd6fb9975f7a8766
SHA1 5e813636ae9b8138d78919348a5da3a6e8bd74b5
SHA256 589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e
SHA512 315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0

memory/660-194-0x0000000005290000-0x000000000529A000-memory.dmp

memory/660-195-0x00000000052A0000-0x00000000052AC000-memory.dmp

memory/660-196-0x0000000005480000-0x000000000549E000-memory.dmp

memory/660-197-0x00000000054A0000-0x00000000054AA000-memory.dmp