Malware Analysis Report

2024-08-06 14:50

Sample ID 240616-alxvqavdqj
Target b0dbb40b7c8a4f2575fa7750dd442142_JaffaCakes118
SHA256 8c07b7c2b5f74cc996c21c1fb9b6e1679941832c1701ae0ad52a8e4dcd1f5ee7
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c07b7c2b5f74cc996c21c1fb9b6e1679941832c1701ae0ad52a8e4dcd1f5ee7

Threat Level: Known bad

The file b0dbb40b7c8a4f2575fa7750dd442142_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:18

Reported

2024-06-16 00:21

Platform

win7-20240611-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr" /S

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\72732627\\kix.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\72732627\\LUG_UL~1" C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2880 set thread context of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1428 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1428 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1428 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1428 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1428 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1428 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1284 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1284 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1284 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1284 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1284 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1284 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1284 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2880 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2488 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr

"C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr" /S

C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe

"C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe" lug=ull

C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe

C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\BLSSF

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp13CF.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp14D9.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 udp

Files

\Users\Admin\AppData\Local\Temp\72732627\kix.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\72732627\lug=ull

MD5 641c71566ee0d49f4664c97db172c3e3
SHA1 ee8f034e814895c20c22d81e997307aabf841e0e
SHA256 8af8201ae525e9586723e9698755397e5630be8ed39b419c6796743e1df5ce91
SHA512 df1e953dee78d3e05c7ac34fdda8bc73691beca3fd1dca0d7d4a92f0001e6804713ba9289db724bf4f9f8f6384f969b0b1c79c13c741c1c5abd879855d2a1625

C:\Users\Admin\AppData\Local\Temp\72732627\omm.icm

MD5 2b80c13a0f53b168c26b07f087c27e31
SHA1 f4cc3c37967399118d3ad7df6278399b813b9974
SHA256 0c07b77f5fedcb202ca2216e61354e55dbcdf75a8d30b038600a3b05c9ba0930
SHA512 ec125bf9d84bb474371d6e367d66278fae020ad0aabb177feb658770ffcf3f5450f95cbc69076a1be6c321f949d8b95cae62405c47702b912202bf8affd384d0

C:\Users\Admin\AppData\Local\Temp\72732627\xta.jpg

MD5 35f9d52ca164563bc2988e39a8574845
SHA1 5ed1589170960bf1927a1b42a479da87760d2c85
SHA256 baf4a699099e460f48801d56aee5f73cea14caa820645676e2f275f64edd54f2
SHA512 1368c20fa608b0800c6803a25d92f7cf677183120ac33ef3ed8ddc49a8bc632594c5d95d72e9b59b694598d42ffa95104f5105635ec789c1eb86dde058326b65

C:\Users\Admin\AppData\Local\Temp\72732627\xra.icm

MD5 ff2112a0e6826dffb665be5cef2d3474
SHA1 7cb6a9e4a853f8683155cfb5261cdcdc02f10481
SHA256 b021fa1b12ad3806dbf84b7e589e7cbba82f22e7fc24610a50d1c9ca1ed0f240
SHA512 b643ea71b291a7ea5c823cc81602c954203ee8f673efbb6aa9f88ba29bc8162588ed1c51f200e03f102412c8cec777ccecae9742a8102282acb63f1f72769d4a

C:\Users\Admin\AppData\Local\Temp\72732627\xkt.ppt

MD5 fc5ab59afc9f58915d6be47e7a202d11
SHA1 16cd493511458480db05e0b6adf8ab9b50a41185
SHA256 50fe5009fa9b68b4236e3620f3ff46a70290311e4c4f8c2ab29705c8563507e8
SHA512 fb53e027da4f0ec379c614d8c4233c726bfc571e28bc7d2f17561b3d391b791278970882c3b330fb8f00b13ea61f7eb1e2739d874b2aa5e0f556003bd33df67c

C:\Users\Admin\AppData\Local\Temp\72732627\wwd.ppt

MD5 aa693165db37af05c5c8cc299f9fc23a
SHA1 6a8ad6446076c22b6e5d678b16eb69af4e612a42
SHA256 10e5c9324f9863b933992e03dd473b64513e7e77980405cf0236568c7b8c9355
SHA512 fff95a14cf578e74074e84d8fc79d3b913bbbe5e2c43916c7f6ebb0b0836f8a26b893232aaf1f4415d7951114055efd6f143b3f3aa70941208e4dd23afa65adc

C:\Users\Admin\AppData\Local\Temp\72732627\wwb.docx

MD5 fdb9de953707947b4f0ffb5cf8d5b18d
SHA1 c8b62a8bd1180f84401f4e178c24de02a71f276e
SHA256 bb1250e4fc690c86678dafa764859bc1b40b043f3b55007da31ad48f12c5cc65
SHA512 9ca8e681072abcaf11c3fb50d75cb0d73460d1275821bdf3354e212d9e0519de9781d15d2674ec7ad78bb4c194a42f18d78db888fccdec6761065d1573be4ba2

C:\Users\Admin\AppData\Local\Temp\72732627\wua.docx

MD5 59963133291ba2282de9df2ec421f371
SHA1 7a76f8e416b976e2cc3e0f986e0176f39d40e928
SHA256 7b982787414a6294294616fdc93d42a3292dbadb1cfdb55c3e6a332c43f704f1
SHA512 881a411313291d3894d31611601f6237ef96f56bb47de695314a0ae546a9388c46f78e4a15f26e2efe0b6926d23cb77dee513ffca6f46a9f10bcb10e320ea87e

C:\Users\Admin\AppData\Local\Temp\72732627\wfe.bmp

MD5 3d64ac7686d561286eb804f76ff4dfcd
SHA1 bc02f85e0d40495212b4db38640aeaeec9051d8a
SHA256 5b77086dd12d3da842dfb87459ac7914c2ea15bea24a088a801cccce07944a26
SHA512 5f0655fbe592f303313ee8474794c5c71544b5c0aacfb57b6f002c0852b5febb8c9a4ed1cd64dd1f0728e030ce32572b03b447fcb560aaae35d5c85d28965216

C:\Users\Admin\AppData\Local\Temp\72732627\vbw.mp3

MD5 de4683ae88c3457cfa306f40015cd2cd
SHA1 adbe4e41f6db0002de23aff36e5315adbdb02a16
SHA256 1703cf88376134356f7ceb2b7846b12834e3d685bc15a207390b4b0d4a3eafbb
SHA512 8f917cd1580350a7855a474ee9c99b1b3c17984091d7b9e5fcd1e4fb7eb5dc4c83968cdcba6c5cf2dd5f4e5b0c58f9b5ef8bcf0a6c848575808016b5b7b160e5

C:\Users\Admin\AppData\Local\Temp\72732627\txd.xl

MD5 b993b47c015a42edd9be6cd843c5534b
SHA1 762f03c2cc81a6c5588988625e9aa1f409a3f170
SHA256 24b3189264f83a912b5caec5e93a53cde8518414cae7ff198be15a05581900e9
SHA512 3a2e0991c1d98f3b4d3f3f97656acf574772f2563b677237b30b7eee2ac441c247b02772669a4dd571b77f43cc932453d45c3088aa74e309319df682e6996dc8

C:\Users\Admin\AppData\Local\Temp\72732627\twx.pdf

MD5 e5f03b5e83afd8c0113257b72add9c03
SHA1 45389fb93cc762e1f8cf3b3b84cc70f302fd9a5d
SHA256 15f272d78fdbffe969416a7ab9d034ec49ecf53b3c27e78e1a05abd41427f65a
SHA512 fe39d63f78522f43f315116f6851de45c8903a536bc4c550474bf1275ee56fc10e4a0a67218264bb8fe1dcdaf7a7270c3c436d7c9e55083723d7c70cc8559bb7

C:\Users\Admin\AppData\Local\Temp\72732627\thk.xl

MD5 8ef4acb4f9fe9defe1e27f4558c0e156
SHA1 81ae54d2a716254d6265fe6a28ff8f45eebc7137
SHA256 fbbb28cf055ad915fb0dcc5cd145d640d139f89f932b4345a47d81916ec65ce7
SHA512 47a3dad1c4936c4fb1bec813c40363e4be099c7091a5a86e3d467f3cc30a9792e10d92d226a2a8d63d0fd96e7a65425813e177f017ed3e40b3fadd333ed560e6

C:\Users\Admin\AppData\Local\Temp\72732627\tdi.dat

MD5 156ae49a6d01ef0c68ac0c1e33922398
SHA1 4046620e0f4d793f437e1f06405a6a5289dc2e8e
SHA256 2d28134e545ff51fde3f12cf330927eb03391fa6ab88c4b042ebf5926e26c769
SHA512 f7a24d0f47cec3bb8272c89807e771585ac4d0ada8af24d96e84223b3161dcb4bfcd850220098634c2ecb2e934cf530799c5114e38b44423b6fcc0228da25e6a

C:\Users\Admin\AppData\Local\Temp\72732627\smu.pdf

MD5 af3c020d4cbed2774eff2bbaea24b046
SHA1 2d738602c5819d2fa67756b1fe0cc54b4e984659
SHA256 2103d698400a918f1ac3a9f1feff235693da556575ab2c67c0cff2d9dc80d0ff
SHA512 bebf93ea0117763cfb5fd5d965933907e23cf6a3a4a9e7e14ed5a58891039d5d831d0a43b0c989314e756c8714c66d320295e1b7d8f5e1901e0a0f0ef22c6b4f

C:\Users\Admin\AppData\Local\Temp\72732627\rnm.pdf

MD5 757255fc5a87da9440ea293dddaefc25
SHA1 00dd3564daca4a42ee558c216e5157e87e751ae3
SHA256 513e4dcef15ccb68e9c95429dce5dfcdb3d37a8438fad2259e947d8320d4cd22
SHA512 8f9c810b2a26342d107db83ac9f7d820d21ba9ff89ecb8ef45e659a585add3f3522e2fdad6aaf78c35d6c83d6ad651cd22cd6d22d456756a5ed105e656187673

C:\Users\Admin\AppData\Local\Temp\72732627\qsa.mp4

MD5 57b0f13f05d25bdc612cbcf1987dd02c
SHA1 fcf2ba0c377ebdd409dd38021b15d705888cf2e5
SHA256 f1732dcc6660c6b1e317ab3d2e7eb67f1037aed76daee5d50d34656a795f7ebf
SHA512 f107f92d7a2fbeac9d6acbaabb7c3f84111c2c97eff24ac709b14e69b1da5a891b87531c4cec960becc60feff147303e76f749c2d138da5aff7e774b7099be72

C:\Users\Admin\AppData\Local\Temp\72732627\qqe.pdf

MD5 ffc58e306ed61bc39dd2b115e24004e4
SHA1 aed72efceeb7286598552f583bb29333ea8fdd89
SHA256 b43f2ffe516f5fd39afa41f6c317ba2d3e5bc5023eae4a84494b566c0f6d6572
SHA512 c0f590b3d9bd5f27422264428b3436c9f0f9e5bfeaf79209862f03885e54fe547751f135ae631461f393b59fbcb032633b937545b9c49152361acccd012bbce4

C:\Users\Admin\AppData\Local\Temp\72732627\pbj.docx

MD5 d3b66ec43e256c8197e3802ebe9327e3
SHA1 9428ea615a4ae57dcd70ed36a63043670fdd0123
SHA256 2ddd2e7d46c891f9e0f425a51aaeabb96301ca7939205a4a2c685e5364afa574
SHA512 bd2411d5876cea17f79163b2874ec6cd37128afd48e37c1c1f955bbc0d7385252cc7b5459c3daaf6d2881001d856cfec792e62424e6a05e9bea999c94d6eeef4

C:\Users\Admin\AppData\Local\Temp\72732627\oow.ppt

MD5 07bdb7ea5ff6b3b2d348681ac0fc4180
SHA1 06f5b5b450dfd3467f910b313fda50dd8c6a6da6
SHA256 a18a857d90191f5769819bcc9a57075b7d7d240fdc9999b3f441df44a6ac4132
SHA512 ffb781e4943f71114a6b86a68c920d76c892b6fcb920d1a75dccd48b8ed3b4c3a68faefe5a61ed04816a81a96594f202790779d8a829e3469c1120d634d280ae

C:\Users\Admin\AppData\Local\Temp\72732627\nub.ico

MD5 b83e8939ede73dc87b640dc65a0e1f3b
SHA1 7982e9706b150984ff9610a5d8dd66b5c9a3d275
SHA256 12938e01b8ceda3a8760bcc199e8529d8ff320b431f96e908d8aa105fe32e1ab
SHA512 d881abbbdf338b32d20f40c5be3b27bcb2f2e222ec85cca626be0c5718026e51550a8dc3e55ba23f855082242cd3b81069298f7631b448034f8592a26829064c

C:\Users\Admin\AppData\Local\Temp\72732627\ntr.docx

MD5 0e9881ebd1cc4b408c7d4b222e5b8813
SHA1 09f849af7994d141bf22a77a7ca4862c25bc3f2b
SHA256 78f2b7df055cc59af091ddab379831fc228b607a43829acde4942030c3afaf20
SHA512 e4289f1bacd5dfbbd8ee7e900c1030b7e432bf07e82a38a69316d024f3ab2b5dde72f513df6815212a6adabb063a91e31a7f5c7f34e5a3c3e010a788733ee535

C:\Users\Admin\AppData\Local\Temp\72732627\nqf.icm

MD5 37d2581fe939a85c252de27aa7e331c5
SHA1 0fe1d7cb5ce095a4ce5de63ab3881151d2b01ea6
SHA256 46be4978d4dbb547ff21abd9f0119dfb6256c3c5b3757d4215c259504bcadf3f
SHA512 25c425d8eecb97acd687a95918b8f03d4a704a6ca0172615a26884a010f3bcef406031c8062f4a6a81505f2eba4827fc2747071faa3d057778bbc68a2b658159

C:\Users\Admin\AppData\Local\Temp\72732627\nhc.dat

MD5 a8ea9a274936ce9ac3a175c82b2bacf2
SHA1 8e4e05ab8d8db878398eebb0e4e788a9a646d55d
SHA256 8b45ffb46cde3ea066baa98b8e765fc485cde109848efe8a528bedc0be3426f9
SHA512 490c1e9ff1f8e19d9628ea5cdf4ed985160fc772258f4884ae45bd6149e4bb6bf4ee8676acfec69794ad7f18a614e90778558dd8ad1794162f42684a0f1a3af5

C:\Users\Admin\AppData\Local\Temp\72732627\ngo.xl

MD5 905e5a644d617bb2f106d1cf1ba1afef
SHA1 5822d63ec6c2002e02670aacc4235b5f0005e4d2
SHA256 9747c3655e0c8f7d3d1a799a6edd0d8189d6991c0e25b57f6fca8074d923fe93
SHA512 8e9ba4ef29669e754ff8567780c192e9d5a29569630b4e393558850f681d2fdb8189df91153f89ac187f656a4ebb1713f842798e4e0ab06d456612b48f973fdc

C:\Users\Admin\AppData\Local\Temp\72732627\mic.jpg

MD5 987a8e3aca809c332971ca35fd95e6cb
SHA1 03295c9dfb6db56280e675787cb635c2fa13ceef
SHA256 d0e472048b12ed0b49fe592bb952e60af5757fea5f644a6178b21437da78ae05
SHA512 fd5e695ed8f1717964efeac091fef6f6a035509285d4ad9b0e9af65a3f6f1609428e245432c66e3f68ca3970e7b606b447a1b28c9b7d1d8e427dec0fa537121b

C:\Users\Admin\AppData\Local\Temp\72732627\lps.txt

MD5 f707b5eb28205bfe13dd737a978a01f1
SHA1 5f166c3de7413ccb41319a9d8e2c8f521ce366c3
SHA256 90bb616f93e6f23c22725792498446680a351a4797965406c3a03fe85efd205a
SHA512 28c7142606d2ce3e66299c59a807df99169df76f298af13a8d73da94d0aaf6b05324a8d32b4f8d5be0c2d1ee57cc16a3b120e09aa5171d856e09d0977b6c2a36

C:\Users\Admin\AppData\Local\Temp\72732627\lmc.ppt

MD5 59a29fc2921eceb794e8041d335b69b6
SHA1 f0a1a2510b593a1a65578e84f21c79f9bd184772
SHA256 579058e79496832f9fe4a3b09510481e3bfca3114392c664ef87921c6380f774
SHA512 118c11cae7a390b3742fcf161352961cf513bc0a27b3e7dabb4ebb0f94321bed0be9ca5aef6e3af9d662261a29164368114df4ce894b47aa8c122ba3b5a62d23

C:\Users\Admin\AppData\Local\Temp\72732627\kqx.bmp

MD5 8d8481d9d5e95ef48b2f8a9a9509ed6a
SHA1 06db9cb60b9ec5fb36f61ae4d251b3f252a87d8c
SHA256 400e581f8b12e1915f5818ce393693176b3330776aad49abff38c95a3feab7d7
SHA512 c623d6763bf4354ee2ed0c44bbe13d229dbd252c6bf7c3f601ae3695225dd3cf406b7944895578fd4e46341c075fb99c4fc9345eeab2141dae0c4a98e2237554

C:\Users\Admin\AppData\Local\Temp\72732627\kfv.dat

MD5 9b48dd751a4327fbb65a23b6ab624b0f
SHA1 691ac63b8f7286073b1acc9e0d147b5894825bfa
SHA256 761375485e097ea9c184d188cf0724839820b0dc519c7134df0abcaa83b09012
SHA512 ff94b60894f2714e63cbe815a905d64f5ca28b561c26f960107eb14da0f1da38b0d5fc647206af0b37616da93e14fe2399057344cdd506124b5d2731f19edb19

C:\Users\Admin\AppData\Local\Temp\72732627\jgi.docx

MD5 b5a6213d70ec2d4b7c515f9af2018314
SHA1 e896b1850a4497fa6bb8207ed3e15a67ab134587
SHA256 2ddc869938dc14bb7bd476aa1d7c70aea92114499842d623909977e89989ed03
SHA512 1d04510a4f1ee68375a25eb0fe4c451df786d20996a390f510eb024bf07d6959b594766df292e79ec165495f8bac0f75929acf52d4e3bfcb7b1b2137fd26c960

C:\Users\Admin\AppData\Local\Temp\72732627\jbk.mp4

MD5 432dfd6fef4e27194dcb9bd6b400293c
SHA1 241003fac11262b4254e5da921bba96cdd8aa928
SHA256 7752fde8ae7bb8d617480a4444eb6efafc968291a59519246317a2935ffee3a2
SHA512 49fd7ea2e7ca9d6d6731e5fbef2bd5537ff1d21a573e9fdff81203149cdc8be513a8bddf1662d177ba75d3acab1a011853699fba79a6e1fef845d0f8fca0fabd

C:\Users\Admin\AppData\Local\Temp\72732627\ixn.icm

MD5 3192ac3b459b6ffeb3a6e88654dd099a
SHA1 6377c7afb75c56c90340842deab86ededffe9e28
SHA256 c87222558dc9636c321c32d16798d05a5d518ea2de0bc7ea5de1833844dd761d
SHA512 071c6810d8512bdb93ce6a6e57a46e3c5519fd8a718917b19ca002d15cdd834018ad3a0669ebedcb542683e36843039a5226a4e0bc992bf3a36c1337cb27d51d

C:\Users\Admin\AppData\Local\Temp\72732627\ihq.txt

MD5 03cae344390a4760a1b259ed40630dce
SHA1 f7d8c6fcefad80b22423e7e47f16e94dde1381b2
SHA256 6ee2e64c4b699e0eeaf5e37ec3a23ce3a4f1d286bd60fa0e17e04c433ff9f587
SHA512 87d656c253918713578774024241ea5d41b99e466aade2c4500fb6c22343aac0f50ede9cb2eafbc8d41d30a967ef40f73f0ad782fd0142e02e5202384041e243

C:\Users\Admin\AppData\Local\Temp\72732627\ics.ppt

MD5 160fb05fd3f8ffd962591b90667c3cfb
SHA1 ae19af0c8f0d67fda9f3ea1a0468e80c14893a24
SHA256 c15cab2f00e247f3812f625d4565ca402f8edcb6302e494160e6661bb25d18df
SHA512 74f4e30ccf056b90163c3e41178d57cd6dbdb62f5e5fd4bb88169e1e15d4949ff717b4dc363140fd93f0a21ac5850eb2f0d6c5960fea22afadac31cd73731667

C:\Users\Admin\AppData\Local\Temp\72732627\hqe.mp4

MD5 3a17caa5134e412d71592a8349794d31
SHA1 fa9e6e6e0421cdc473f16a757b9a41410b73217a
SHA256 2fe1fe7a7f744956ff9725156c0b41d4f2b46e3d87446cdedbd0ad280558b9a4
SHA512 9883c5901aa40a1bb07366d186cfd092142508d62b33193e721220d195a2eb7283f4786c55c712056081e26a6d4a50a281c23be8ce20246542107edf7ed20a35

C:\Users\Admin\AppData\Local\Temp\72732627\hdq.icm

MD5 26375bd57d6025ffbee4bac44fc43599
SHA1 e2d9bb81656994e909e69602f476cf8fa0cbdb83
SHA256 d3ffbb6f7a0875917adc94c7d3a08f000513e75a72880493eac987dcde0282db
SHA512 14a835b1d5385b5b88fcc52a22078d2649534697aad30fc0f34a21762b6b526b370ec92fdfc5f108274ea8423175e7c50e7c8c898eca76ff87faa8374caba9f3

C:\Users\Admin\AppData\Local\Temp\72732627\gbm.pdf

MD5 b458d88c261c39279cf221c07cc1cf17
SHA1 6b14606a1b9bbcd1658d58d9a0845ab5ba14f756
SHA256 df9130e176c5176cfff9c88e45ab0462a71e5c51618825e31ef92d31d737262d
SHA512 e5f52532b71a78de4c935867af6811ab7a3bcde6e38d7d8e0f33250251b985ed905796e93ed596c595d457b094ed6bb646d9a87ee210598443c54f449d3ec2d8

C:\Users\Admin\AppData\Local\Temp\72732627\gab.txt

MD5 af2a62f68e36b910cb1f20c416940074
SHA1 723fac995d9bc4619d51739fc79b53489b4c2676
SHA256 75e7ef302d8cdab21ce62e930be9add2416a81ef4ce965ee146491a653c9f319
SHA512 eecb473e733c2ba1c1b247a8b326074c50e1c171c33c087c14b0612c0c42aad76485457f95fb1aa58e66ab239a19ac94e2e1d352bd686a737f39b7ab732ed4ee

C:\Users\Admin\AppData\Local\Temp\72732627\fld.docx

MD5 226ed8fc6a8d157836ee270f0267d94a
SHA1 0971a35938b4740240544e9cf5288989de309204
SHA256 52bdbdfbc2755577b30addc7e2bd20199bc7cf9bf195d0cbcec95d909e393f0b
SHA512 d482cbd5e933dc19d6a4d814f97457b4d157098a09e47d7ea1108bb9931303f2044adabcc224c40f7f5bec75264c7c7fd2274b3ffb5124f9a0de3076546db7fa

C:\Users\Admin\AppData\Local\Temp\72732627\faq.icm

MD5 0dd27c6e28bb49cfd33aa2466c778c07
SHA1 6052e4082981bd10a92b338b361f301ae9d5693d
SHA256 99df4ff69cd30a3a94968c04631f2709ad81b0c5f50bffff0d06f97aeec215c4
SHA512 3fa97228798ef50b368ba91268e58148db6499746bc88bb21a6d71cc05f77ef8198df4ac7c1a1d8bdc7c0d0c89449993dc6dff867ddadee0401def24755db4ca

C:\Users\Admin\AppData\Local\Temp\72732627\dfl.mp3

MD5 4b9e161574af2e7396b8faab73e9c3d1
SHA1 fb548f5308d0acfc8c9ece16245d8c2e29e4f54c
SHA256 7880d6a689733683dd879f29ac06176af214672667a1c5696ed78a3d1689e2ba
SHA512 a912f0efeb4187949daf5af0bb118b98674f098378a5541e8f5d935855aad88194db410bb8d7100f2edc5076f2a02bf0113a6249e472c74ca50b807c545fbdd9

C:\Users\Admin\AppData\Local\Temp\72732627\dae.mp3

MD5 2d2ed9964b014199c39997a0cbec0748
SHA1 fac4a62efb96c8a9fd561f7a3658417972cca8d1
SHA256 518371d02e4473d2a88c040f9ca001bbd8d76429814003756045f634e71617c3
SHA512 6a67cccd209158dc9a340994a889d170ae618121ba55620d8cb85afb587aea7ec47bd5792f085d4b8634076e9874ca50f5bafaa09f7881073852af14edae0d6b

C:\Users\Admin\AppData\Local\Temp\72732627\chx.docx

MD5 7d0550e8f385ff2ef10f2fd27dc375ce
SHA1 f85696802dc96ea5ff4c61cc3ce3f8d4b1bf613e
SHA256 1b218a9a71b8718bde6ba364d452227d5db2d896b0085de858963967d93eeaa5
SHA512 a13fd9774707ed1d630096fc104065b94bfc08ffbf597c3e6a4bf9880485f2aac6fa769a72551d301a5e58d5af3cdc7b9b6c0ffdb7332ad30d46dece66eecf18

C:\Users\Admin\AppData\Local\Temp\72732627\chw.dat

MD5 9f74cfbee62dca222e26dc55b47823ab
SHA1 827dbda14af0988e57a7ac184021c5cf4e62adb2
SHA256 6f6bccefe0ede491a0bbdf84e8eb185cb79929b45928c5106efd5680900f0081
SHA512 611978e34fd12d4fa7f4e2de5fe19a79576f48c6a935b844e822668ec23d91f4d3df54fd687cd292db3d6a1ce65b9f9320220e3221d6a9d57e79f64b58433d9e

C:\Users\Admin\AppData\Local\Temp\72732627\cfs.jpg

MD5 df18581d8e144c9280af6fa756f2f7c1
SHA1 ba4154d551554dbc27c1bb15bc02701886885012
SHA256 0f8e8923fdb9b818336b7bfe851059129f3617e15e99b8e5711eb5e596ce5843
SHA512 6a8d19b7452f892d7a66733394c19ca3a367efbb37dee8b181f2f1ec0ce6b3296c7013b9d4c7d15d327ac12760a2411c2d1e89fdcc85710a05f59a5ec663866c

C:\Users\Admin\AppData\Local\Temp\72732627\cem.pdf

MD5 4d3dec64a6cf061ec34ae47e4376ab66
SHA1 4ea5ce7da7a688aa17a381737b06dea9685afd9a
SHA256 4b20a7046aef0c6ad4469d77a072df111898d3a88c041ad7a410af2f089de74d
SHA512 45693401018a911cf002673f15618e3b4ae642255c6ae2a632299e7f151fd57ceef8f51d62a47229d80083fa8655617f03917a6254ca3b605c889b4b2fdb0c93

C:\Users\Admin\AppData\Local\Temp\72732627\caw.txt

MD5 78a0b9f986bcff32d799880f83f5c45b
SHA1 03bd3cea75905ffc2b73ea631271f8b1501073cc
SHA256 cca7ac0a4515cd6305f7e69745a822d10021e64e1b3d33e99ee7f1eacb138197
SHA512 037099e133d9dd37f586aa1312578e044e5b46c96e408cb56aebd5d931a989d067e9621670a9c3cf1df369f0f27967d13ea0de350ca34fbaad88c94dde51d5ea

C:\Users\Admin\AppData\Local\Temp\72732627\bjs.ico

MD5 a71d345121e42e357604a34799e5dffc
SHA1 24ac37b738d3506f60c330bd6a15f4b7e5de0148
SHA256 16fb82cb44e8e03067b3b2eeb32b0fb6c87b7f234e0e85978cc7ded41d9a08f5
SHA512 09936f457f48b94c8c8717f903b8ac2235e2cdc5d1fc5bd8ef4b99afa5146e7cebfae2b6e23da7f4b8b380060f4cffe1f544368326db63bc45c5dbbce046fe72

C:\Users\Admin\AppData\Local\Temp\72732627\ack.ico

MD5 c766af6676f25a697f1ef9bcbddc37df
SHA1 f3279532da397a248ed5d42e389ce3c47e0bffb7
SHA256 e799a325d50ca77fdec6fea2a61f82832d3a0bc4404689e9ab5e767272ad1124
SHA512 87cb4f5ecf3a74e1d460d9c46fd922430c6f5c139c2f5741facda26782f8ac08b1bfb8312fa22a95b3edd5a2d836ea5c642ec4c2789c901b504e63073fae4711

C:\Users\Admin\AppData\Local\Temp\72732627\abo.icm

MD5 7126335fba74ff5d59a673ec0abf64b4
SHA1 e3299af388d79afe2cf38b2e18cdd1e0b0d78430
SHA256 d4a86d0afbf4ecbd70c10727d3251097d3b16ee8337ed2f9ccb1c7ebe6e632eb
SHA512 e17727aaf219cf8cf09ddcfd6d904e27e7f7ca545037e77c6a4a7aad399d381b2613aea739fd16f2bcf5f238fe1265001a0d0d6f1b1e1aa961d89aa4fc8cd1aa

C:\Users\Admin\AppData\Local\Temp\72732627\BLSSF

MD5 c99687084e347e48e8fca5997ca13702
SHA1 6d944365a2de41ecec0b5618dd349de31c8fd84e
SHA256 09a18ee6e9bba42c7ad512bc68cce189b474fe099ae5777e5d393d839a0c64bf
SHA512 cd4810155baccdc30b69dc22fe0e6b20321674c92bb4ec68a4baa2f491c3b19c18d0f39e6c100646bb0533e1d61fb3fc0389cb9943dde35e435adac33af6bd65

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/2488-178-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-187-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-190-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-189-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-186-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2488-184-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-182-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-180-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp13CF.tmp

MD5 95aceabc58acad5d73372b0966ee1b35
SHA1 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

memory/2488-198-0x00000000004E0000-0x00000000004EA000-memory.dmp

memory/2488-199-0x0000000000690000-0x00000000006AE000-memory.dmp

memory/2488-200-0x00000000006B0000-0x00000000006BA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:18

Reported

2024-06-16 00:21

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr" /S

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\72732627\\kix.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\72732627\\LUG_UL~1" C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1728 set thread context of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1224 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1224 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 4100 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 4100 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 4100 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1728 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1884 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1884 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1884 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1884 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1884 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1884 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr

"C:\Users\Admin\AppData\Local\Temp\xlsx-Order.PO#80410..scr" /S

C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe

"C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe" lug=ull

C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe

C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe C:\Users\Admin\AppData\Local\Temp\72732627\BLSSF

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5E3D.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5E8C.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.4.4:53 wilfred123.ddns.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.4.4:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.4.4:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.4.4:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp
US 8.8.8.8:53 wilfred123.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Temp\72732627\kix.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\72732627\lug=ull

MD5 641c71566ee0d49f4664c97db172c3e3
SHA1 ee8f034e814895c20c22d81e997307aabf841e0e
SHA256 8af8201ae525e9586723e9698755397e5630be8ed39b419c6796743e1df5ce91
SHA512 df1e953dee78d3e05c7ac34fdda8bc73691beca3fd1dca0d7d4a92f0001e6804713ba9289db724bf4f9f8f6384f969b0b1c79c13c741c1c5abd879855d2a1625

C:\Users\Admin\AppData\Local\Temp\72732627\omm.icm

MD5 2b80c13a0f53b168c26b07f087c27e31
SHA1 f4cc3c37967399118d3ad7df6278399b813b9974
SHA256 0c07b77f5fedcb202ca2216e61354e55dbcdf75a8d30b038600a3b05c9ba0930
SHA512 ec125bf9d84bb474371d6e367d66278fae020ad0aabb177feb658770ffcf3f5450f95cbc69076a1be6c321f949d8b95cae62405c47702b912202bf8affd384d0

C:\Users\Admin\AppData\Local\Temp\72732627\xta.jpg

MD5 35f9d52ca164563bc2988e39a8574845
SHA1 5ed1589170960bf1927a1b42a479da87760d2c85
SHA256 baf4a699099e460f48801d56aee5f73cea14caa820645676e2f275f64edd54f2
SHA512 1368c20fa608b0800c6803a25d92f7cf677183120ac33ef3ed8ddc49a8bc632594c5d95d72e9b59b694598d42ffa95104f5105635ec789c1eb86dde058326b65

C:\Users\Admin\AppData\Local\Temp\72732627\xra.icm

MD5 ff2112a0e6826dffb665be5cef2d3474
SHA1 7cb6a9e4a853f8683155cfb5261cdcdc02f10481
SHA256 b021fa1b12ad3806dbf84b7e589e7cbba82f22e7fc24610a50d1c9ca1ed0f240
SHA512 b643ea71b291a7ea5c823cc81602c954203ee8f673efbb6aa9f88ba29bc8162588ed1c51f200e03f102412c8cec777ccecae9742a8102282acb63f1f72769d4a

C:\Users\Admin\AppData\Local\Temp\72732627\xkt.ppt

MD5 fc5ab59afc9f58915d6be47e7a202d11
SHA1 16cd493511458480db05e0b6adf8ab9b50a41185
SHA256 50fe5009fa9b68b4236e3620f3ff46a70290311e4c4f8c2ab29705c8563507e8
SHA512 fb53e027da4f0ec379c614d8c4233c726bfc571e28bc7d2f17561b3d391b791278970882c3b330fb8f00b13ea61f7eb1e2739d874b2aa5e0f556003bd33df67c

C:\Users\Admin\AppData\Local\Temp\72732627\wwd.ppt

MD5 aa693165db37af05c5c8cc299f9fc23a
SHA1 6a8ad6446076c22b6e5d678b16eb69af4e612a42
SHA256 10e5c9324f9863b933992e03dd473b64513e7e77980405cf0236568c7b8c9355
SHA512 fff95a14cf578e74074e84d8fc79d3b913bbbe5e2c43916c7f6ebb0b0836f8a26b893232aaf1f4415d7951114055efd6f143b3f3aa70941208e4dd23afa65adc

C:\Users\Admin\AppData\Local\Temp\72732627\wwb.docx

MD5 fdb9de953707947b4f0ffb5cf8d5b18d
SHA1 c8b62a8bd1180f84401f4e178c24de02a71f276e
SHA256 bb1250e4fc690c86678dafa764859bc1b40b043f3b55007da31ad48f12c5cc65
SHA512 9ca8e681072abcaf11c3fb50d75cb0d73460d1275821bdf3354e212d9e0519de9781d15d2674ec7ad78bb4c194a42f18d78db888fccdec6761065d1573be4ba2

C:\Users\Admin\AppData\Local\Temp\72732627\wua.docx

MD5 59963133291ba2282de9df2ec421f371
SHA1 7a76f8e416b976e2cc3e0f986e0176f39d40e928
SHA256 7b982787414a6294294616fdc93d42a3292dbadb1cfdb55c3e6a332c43f704f1
SHA512 881a411313291d3894d31611601f6237ef96f56bb47de695314a0ae546a9388c46f78e4a15f26e2efe0b6926d23cb77dee513ffca6f46a9f10bcb10e320ea87e

C:\Users\Admin\AppData\Local\Temp\72732627\wfe.bmp

MD5 3d64ac7686d561286eb804f76ff4dfcd
SHA1 bc02f85e0d40495212b4db38640aeaeec9051d8a
SHA256 5b77086dd12d3da842dfb87459ac7914c2ea15bea24a088a801cccce07944a26
SHA512 5f0655fbe592f303313ee8474794c5c71544b5c0aacfb57b6f002c0852b5febb8c9a4ed1cd64dd1f0728e030ce32572b03b447fcb560aaae35d5c85d28965216

C:\Users\Admin\AppData\Local\Temp\72732627\vbw.mp3

MD5 de4683ae88c3457cfa306f40015cd2cd
SHA1 adbe4e41f6db0002de23aff36e5315adbdb02a16
SHA256 1703cf88376134356f7ceb2b7846b12834e3d685bc15a207390b4b0d4a3eafbb
SHA512 8f917cd1580350a7855a474ee9c99b1b3c17984091d7b9e5fcd1e4fb7eb5dc4c83968cdcba6c5cf2dd5f4e5b0c58f9b5ef8bcf0a6c848575808016b5b7b160e5

C:\Users\Admin\AppData\Local\Temp\72732627\txd.xl

MD5 b993b47c015a42edd9be6cd843c5534b
SHA1 762f03c2cc81a6c5588988625e9aa1f409a3f170
SHA256 24b3189264f83a912b5caec5e93a53cde8518414cae7ff198be15a05581900e9
SHA512 3a2e0991c1d98f3b4d3f3f97656acf574772f2563b677237b30b7eee2ac441c247b02772669a4dd571b77f43cc932453d45c3088aa74e309319df682e6996dc8

C:\Users\Admin\AppData\Local\Temp\72732627\twx.pdf

MD5 e5f03b5e83afd8c0113257b72add9c03
SHA1 45389fb93cc762e1f8cf3b3b84cc70f302fd9a5d
SHA256 15f272d78fdbffe969416a7ab9d034ec49ecf53b3c27e78e1a05abd41427f65a
SHA512 fe39d63f78522f43f315116f6851de45c8903a536bc4c550474bf1275ee56fc10e4a0a67218264bb8fe1dcdaf7a7270c3c436d7c9e55083723d7c70cc8559bb7

C:\Users\Admin\AppData\Local\Temp\72732627\thk.xl

MD5 8ef4acb4f9fe9defe1e27f4558c0e156
SHA1 81ae54d2a716254d6265fe6a28ff8f45eebc7137
SHA256 fbbb28cf055ad915fb0dcc5cd145d640d139f89f932b4345a47d81916ec65ce7
SHA512 47a3dad1c4936c4fb1bec813c40363e4be099c7091a5a86e3d467f3cc30a9792e10d92d226a2a8d63d0fd96e7a65425813e177f017ed3e40b3fadd333ed560e6

C:\Users\Admin\AppData\Local\Temp\72732627\tdi.dat

MD5 156ae49a6d01ef0c68ac0c1e33922398
SHA1 4046620e0f4d793f437e1f06405a6a5289dc2e8e
SHA256 2d28134e545ff51fde3f12cf330927eb03391fa6ab88c4b042ebf5926e26c769
SHA512 f7a24d0f47cec3bb8272c89807e771585ac4d0ada8af24d96e84223b3161dcb4bfcd850220098634c2ecb2e934cf530799c5114e38b44423b6fcc0228da25e6a

C:\Users\Admin\AppData\Local\Temp\72732627\smu.pdf

MD5 af3c020d4cbed2774eff2bbaea24b046
SHA1 2d738602c5819d2fa67756b1fe0cc54b4e984659
SHA256 2103d698400a918f1ac3a9f1feff235693da556575ab2c67c0cff2d9dc80d0ff
SHA512 bebf93ea0117763cfb5fd5d965933907e23cf6a3a4a9e7e14ed5a58891039d5d831d0a43b0c989314e756c8714c66d320295e1b7d8f5e1901e0a0f0ef22c6b4f

C:\Users\Admin\AppData\Local\Temp\72732627\rnm.pdf

MD5 757255fc5a87da9440ea293dddaefc25
SHA1 00dd3564daca4a42ee558c216e5157e87e751ae3
SHA256 513e4dcef15ccb68e9c95429dce5dfcdb3d37a8438fad2259e947d8320d4cd22
SHA512 8f9c810b2a26342d107db83ac9f7d820d21ba9ff89ecb8ef45e659a585add3f3522e2fdad6aaf78c35d6c83d6ad651cd22cd6d22d456756a5ed105e656187673

C:\Users\Admin\AppData\Local\Temp\72732627\qsa.mp4

MD5 57b0f13f05d25bdc612cbcf1987dd02c
SHA1 fcf2ba0c377ebdd409dd38021b15d705888cf2e5
SHA256 f1732dcc6660c6b1e317ab3d2e7eb67f1037aed76daee5d50d34656a795f7ebf
SHA512 f107f92d7a2fbeac9d6acbaabb7c3f84111c2c97eff24ac709b14e69b1da5a891b87531c4cec960becc60feff147303e76f749c2d138da5aff7e774b7099be72

C:\Users\Admin\AppData\Local\Temp\72732627\qqe.pdf

MD5 ffc58e306ed61bc39dd2b115e24004e4
SHA1 aed72efceeb7286598552f583bb29333ea8fdd89
SHA256 b43f2ffe516f5fd39afa41f6c317ba2d3e5bc5023eae4a84494b566c0f6d6572
SHA512 c0f590b3d9bd5f27422264428b3436c9f0f9e5bfeaf79209862f03885e54fe547751f135ae631461f393b59fbcb032633b937545b9c49152361acccd012bbce4

C:\Users\Admin\AppData\Local\Temp\72732627\pbj.docx

MD5 d3b66ec43e256c8197e3802ebe9327e3
SHA1 9428ea615a4ae57dcd70ed36a63043670fdd0123
SHA256 2ddd2e7d46c891f9e0f425a51aaeabb96301ca7939205a4a2c685e5364afa574
SHA512 bd2411d5876cea17f79163b2874ec6cd37128afd48e37c1c1f955bbc0d7385252cc7b5459c3daaf6d2881001d856cfec792e62424e6a05e9bea999c94d6eeef4

C:\Users\Admin\AppData\Local\Temp\72732627\oow.ppt

MD5 07bdb7ea5ff6b3b2d348681ac0fc4180
SHA1 06f5b5b450dfd3467f910b313fda50dd8c6a6da6
SHA256 a18a857d90191f5769819bcc9a57075b7d7d240fdc9999b3f441df44a6ac4132
SHA512 ffb781e4943f71114a6b86a68c920d76c892b6fcb920d1a75dccd48b8ed3b4c3a68faefe5a61ed04816a81a96594f202790779d8a829e3469c1120d634d280ae

C:\Users\Admin\AppData\Local\Temp\72732627\nub.ico

MD5 b83e8939ede73dc87b640dc65a0e1f3b
SHA1 7982e9706b150984ff9610a5d8dd66b5c9a3d275
SHA256 12938e01b8ceda3a8760bcc199e8529d8ff320b431f96e908d8aa105fe32e1ab
SHA512 d881abbbdf338b32d20f40c5be3b27bcb2f2e222ec85cca626be0c5718026e51550a8dc3e55ba23f855082242cd3b81069298f7631b448034f8592a26829064c

C:\Users\Admin\AppData\Local\Temp\72732627\ntr.docx

MD5 0e9881ebd1cc4b408c7d4b222e5b8813
SHA1 09f849af7994d141bf22a77a7ca4862c25bc3f2b
SHA256 78f2b7df055cc59af091ddab379831fc228b607a43829acde4942030c3afaf20
SHA512 e4289f1bacd5dfbbd8ee7e900c1030b7e432bf07e82a38a69316d024f3ab2b5dde72f513df6815212a6adabb063a91e31a7f5c7f34e5a3c3e010a788733ee535

C:\Users\Admin\AppData\Local\Temp\72732627\nqf.icm

MD5 37d2581fe939a85c252de27aa7e331c5
SHA1 0fe1d7cb5ce095a4ce5de63ab3881151d2b01ea6
SHA256 46be4978d4dbb547ff21abd9f0119dfb6256c3c5b3757d4215c259504bcadf3f
SHA512 25c425d8eecb97acd687a95918b8f03d4a704a6ca0172615a26884a010f3bcef406031c8062f4a6a81505f2eba4827fc2747071faa3d057778bbc68a2b658159

C:\Users\Admin\AppData\Local\Temp\72732627\nhc.dat

MD5 a8ea9a274936ce9ac3a175c82b2bacf2
SHA1 8e4e05ab8d8db878398eebb0e4e788a9a646d55d
SHA256 8b45ffb46cde3ea066baa98b8e765fc485cde109848efe8a528bedc0be3426f9
SHA512 490c1e9ff1f8e19d9628ea5cdf4ed985160fc772258f4884ae45bd6149e4bb6bf4ee8676acfec69794ad7f18a614e90778558dd8ad1794162f42684a0f1a3af5

C:\Users\Admin\AppData\Local\Temp\72732627\ngo.xl

MD5 905e5a644d617bb2f106d1cf1ba1afef
SHA1 5822d63ec6c2002e02670aacc4235b5f0005e4d2
SHA256 9747c3655e0c8f7d3d1a799a6edd0d8189d6991c0e25b57f6fca8074d923fe93
SHA512 8e9ba4ef29669e754ff8567780c192e9d5a29569630b4e393558850f681d2fdb8189df91153f89ac187f656a4ebb1713f842798e4e0ab06d456612b48f973fdc

C:\Users\Admin\AppData\Local\Temp\72732627\mic.jpg

MD5 987a8e3aca809c332971ca35fd95e6cb
SHA1 03295c9dfb6db56280e675787cb635c2fa13ceef
SHA256 d0e472048b12ed0b49fe592bb952e60af5757fea5f644a6178b21437da78ae05
SHA512 fd5e695ed8f1717964efeac091fef6f6a035509285d4ad9b0e9af65a3f6f1609428e245432c66e3f68ca3970e7b606b447a1b28c9b7d1d8e427dec0fa537121b

C:\Users\Admin\AppData\Local\Temp\72732627\lps.txt

MD5 f707b5eb28205bfe13dd737a978a01f1
SHA1 5f166c3de7413ccb41319a9d8e2c8f521ce366c3
SHA256 90bb616f93e6f23c22725792498446680a351a4797965406c3a03fe85efd205a
SHA512 28c7142606d2ce3e66299c59a807df99169df76f298af13a8d73da94d0aaf6b05324a8d32b4f8d5be0c2d1ee57cc16a3b120e09aa5171d856e09d0977b6c2a36

C:\Users\Admin\AppData\Local\Temp\72732627\lmc.ppt

MD5 59a29fc2921eceb794e8041d335b69b6
SHA1 f0a1a2510b593a1a65578e84f21c79f9bd184772
SHA256 579058e79496832f9fe4a3b09510481e3bfca3114392c664ef87921c6380f774
SHA512 118c11cae7a390b3742fcf161352961cf513bc0a27b3e7dabb4ebb0f94321bed0be9ca5aef6e3af9d662261a29164368114df4ce894b47aa8c122ba3b5a62d23

C:\Users\Admin\AppData\Local\Temp\72732627\kqx.bmp

MD5 8d8481d9d5e95ef48b2f8a9a9509ed6a
SHA1 06db9cb60b9ec5fb36f61ae4d251b3f252a87d8c
SHA256 400e581f8b12e1915f5818ce393693176b3330776aad49abff38c95a3feab7d7
SHA512 c623d6763bf4354ee2ed0c44bbe13d229dbd252c6bf7c3f601ae3695225dd3cf406b7944895578fd4e46341c075fb99c4fc9345eeab2141dae0c4a98e2237554

C:\Users\Admin\AppData\Local\Temp\72732627\kfv.dat

MD5 9b48dd751a4327fbb65a23b6ab624b0f
SHA1 691ac63b8f7286073b1acc9e0d147b5894825bfa
SHA256 761375485e097ea9c184d188cf0724839820b0dc519c7134df0abcaa83b09012
SHA512 ff94b60894f2714e63cbe815a905d64f5ca28b561c26f960107eb14da0f1da38b0d5fc647206af0b37616da93e14fe2399057344cdd506124b5d2731f19edb19

C:\Users\Admin\AppData\Local\Temp\72732627\jgi.docx

MD5 b5a6213d70ec2d4b7c515f9af2018314
SHA1 e896b1850a4497fa6bb8207ed3e15a67ab134587
SHA256 2ddc869938dc14bb7bd476aa1d7c70aea92114499842d623909977e89989ed03
SHA512 1d04510a4f1ee68375a25eb0fe4c451df786d20996a390f510eb024bf07d6959b594766df292e79ec165495f8bac0f75929acf52d4e3bfcb7b1b2137fd26c960

C:\Users\Admin\AppData\Local\Temp\72732627\jbk.mp4

MD5 432dfd6fef4e27194dcb9bd6b400293c
SHA1 241003fac11262b4254e5da921bba96cdd8aa928
SHA256 7752fde8ae7bb8d617480a4444eb6efafc968291a59519246317a2935ffee3a2
SHA512 49fd7ea2e7ca9d6d6731e5fbef2bd5537ff1d21a573e9fdff81203149cdc8be513a8bddf1662d177ba75d3acab1a011853699fba79a6e1fef845d0f8fca0fabd

C:\Users\Admin\AppData\Local\Temp\72732627\ixn.icm

MD5 3192ac3b459b6ffeb3a6e88654dd099a
SHA1 6377c7afb75c56c90340842deab86ededffe9e28
SHA256 c87222558dc9636c321c32d16798d05a5d518ea2de0bc7ea5de1833844dd761d
SHA512 071c6810d8512bdb93ce6a6e57a46e3c5519fd8a718917b19ca002d15cdd834018ad3a0669ebedcb542683e36843039a5226a4e0bc992bf3a36c1337cb27d51d

C:\Users\Admin\AppData\Local\Temp\72732627\ihq.txt

MD5 03cae344390a4760a1b259ed40630dce
SHA1 f7d8c6fcefad80b22423e7e47f16e94dde1381b2
SHA256 6ee2e64c4b699e0eeaf5e37ec3a23ce3a4f1d286bd60fa0e17e04c433ff9f587
SHA512 87d656c253918713578774024241ea5d41b99e466aade2c4500fb6c22343aac0f50ede9cb2eafbc8d41d30a967ef40f73f0ad782fd0142e02e5202384041e243

C:\Users\Admin\AppData\Local\Temp\72732627\ics.ppt

MD5 160fb05fd3f8ffd962591b90667c3cfb
SHA1 ae19af0c8f0d67fda9f3ea1a0468e80c14893a24
SHA256 c15cab2f00e247f3812f625d4565ca402f8edcb6302e494160e6661bb25d18df
SHA512 74f4e30ccf056b90163c3e41178d57cd6dbdb62f5e5fd4bb88169e1e15d4949ff717b4dc363140fd93f0a21ac5850eb2f0d6c5960fea22afadac31cd73731667

C:\Users\Admin\AppData\Local\Temp\72732627\hqe.mp4

MD5 3a17caa5134e412d71592a8349794d31
SHA1 fa9e6e6e0421cdc473f16a757b9a41410b73217a
SHA256 2fe1fe7a7f744956ff9725156c0b41d4f2b46e3d87446cdedbd0ad280558b9a4
SHA512 9883c5901aa40a1bb07366d186cfd092142508d62b33193e721220d195a2eb7283f4786c55c712056081e26a6d4a50a281c23be8ce20246542107edf7ed20a35

C:\Users\Admin\AppData\Local\Temp\72732627\hdq.icm

MD5 26375bd57d6025ffbee4bac44fc43599
SHA1 e2d9bb81656994e909e69602f476cf8fa0cbdb83
SHA256 d3ffbb6f7a0875917adc94c7d3a08f000513e75a72880493eac987dcde0282db
SHA512 14a835b1d5385b5b88fcc52a22078d2649534697aad30fc0f34a21762b6b526b370ec92fdfc5f108274ea8423175e7c50e7c8c898eca76ff87faa8374caba9f3

C:\Users\Admin\AppData\Local\Temp\72732627\gbm.pdf

MD5 b458d88c261c39279cf221c07cc1cf17
SHA1 6b14606a1b9bbcd1658d58d9a0845ab5ba14f756
SHA256 df9130e176c5176cfff9c88e45ab0462a71e5c51618825e31ef92d31d737262d
SHA512 e5f52532b71a78de4c935867af6811ab7a3bcde6e38d7d8e0f33250251b985ed905796e93ed596c595d457b094ed6bb646d9a87ee210598443c54f449d3ec2d8

C:\Users\Admin\AppData\Local\Temp\72732627\gab.txt

MD5 af2a62f68e36b910cb1f20c416940074
SHA1 723fac995d9bc4619d51739fc79b53489b4c2676
SHA256 75e7ef302d8cdab21ce62e930be9add2416a81ef4ce965ee146491a653c9f319
SHA512 eecb473e733c2ba1c1b247a8b326074c50e1c171c33c087c14b0612c0c42aad76485457f95fb1aa58e66ab239a19ac94e2e1d352bd686a737f39b7ab732ed4ee

C:\Users\Admin\AppData\Local\Temp\72732627\fld.docx

MD5 226ed8fc6a8d157836ee270f0267d94a
SHA1 0971a35938b4740240544e9cf5288989de309204
SHA256 52bdbdfbc2755577b30addc7e2bd20199bc7cf9bf195d0cbcec95d909e393f0b
SHA512 d482cbd5e933dc19d6a4d814f97457b4d157098a09e47d7ea1108bb9931303f2044adabcc224c40f7f5bec75264c7c7fd2274b3ffb5124f9a0de3076546db7fa

C:\Users\Admin\AppData\Local\Temp\72732627\faq.icm

MD5 0dd27c6e28bb49cfd33aa2466c778c07
SHA1 6052e4082981bd10a92b338b361f301ae9d5693d
SHA256 99df4ff69cd30a3a94968c04631f2709ad81b0c5f50bffff0d06f97aeec215c4
SHA512 3fa97228798ef50b368ba91268e58148db6499746bc88bb21a6d71cc05f77ef8198df4ac7c1a1d8bdc7c0d0c89449993dc6dff867ddadee0401def24755db4ca

C:\Users\Admin\AppData\Local\Temp\72732627\dfl.mp3

MD5 4b9e161574af2e7396b8faab73e9c3d1
SHA1 fb548f5308d0acfc8c9ece16245d8c2e29e4f54c
SHA256 7880d6a689733683dd879f29ac06176af214672667a1c5696ed78a3d1689e2ba
SHA512 a912f0efeb4187949daf5af0bb118b98674f098378a5541e8f5d935855aad88194db410bb8d7100f2edc5076f2a02bf0113a6249e472c74ca50b807c545fbdd9

C:\Users\Admin\AppData\Local\Temp\72732627\dae.mp3

MD5 2d2ed9964b014199c39997a0cbec0748
SHA1 fac4a62efb96c8a9fd561f7a3658417972cca8d1
SHA256 518371d02e4473d2a88c040f9ca001bbd8d76429814003756045f634e71617c3
SHA512 6a67cccd209158dc9a340994a889d170ae618121ba55620d8cb85afb587aea7ec47bd5792f085d4b8634076e9874ca50f5bafaa09f7881073852af14edae0d6b

C:\Users\Admin\AppData\Local\Temp\72732627\chx.docx

MD5 7d0550e8f385ff2ef10f2fd27dc375ce
SHA1 f85696802dc96ea5ff4c61cc3ce3f8d4b1bf613e
SHA256 1b218a9a71b8718bde6ba364d452227d5db2d896b0085de858963967d93eeaa5
SHA512 a13fd9774707ed1d630096fc104065b94bfc08ffbf597c3e6a4bf9880485f2aac6fa769a72551d301a5e58d5af3cdc7b9b6c0ffdb7332ad30d46dece66eecf18

C:\Users\Admin\AppData\Local\Temp\72732627\chw.dat

MD5 9f74cfbee62dca222e26dc55b47823ab
SHA1 827dbda14af0988e57a7ac184021c5cf4e62adb2
SHA256 6f6bccefe0ede491a0bbdf84e8eb185cb79929b45928c5106efd5680900f0081
SHA512 611978e34fd12d4fa7f4e2de5fe19a79576f48c6a935b844e822668ec23d91f4d3df54fd687cd292db3d6a1ce65b9f9320220e3221d6a9d57e79f64b58433d9e

C:\Users\Admin\AppData\Local\Temp\72732627\cfs.jpg

MD5 df18581d8e144c9280af6fa756f2f7c1
SHA1 ba4154d551554dbc27c1bb15bc02701886885012
SHA256 0f8e8923fdb9b818336b7bfe851059129f3617e15e99b8e5711eb5e596ce5843
SHA512 6a8d19b7452f892d7a66733394c19ca3a367efbb37dee8b181f2f1ec0ce6b3296c7013b9d4c7d15d327ac12760a2411c2d1e89fdcc85710a05f59a5ec663866c

C:\Users\Admin\AppData\Local\Temp\72732627\cem.pdf

MD5 4d3dec64a6cf061ec34ae47e4376ab66
SHA1 4ea5ce7da7a688aa17a381737b06dea9685afd9a
SHA256 4b20a7046aef0c6ad4469d77a072df111898d3a88c041ad7a410af2f089de74d
SHA512 45693401018a911cf002673f15618e3b4ae642255c6ae2a632299e7f151fd57ceef8f51d62a47229d80083fa8655617f03917a6254ca3b605c889b4b2fdb0c93

C:\Users\Admin\AppData\Local\Temp\72732627\caw.txt

MD5 78a0b9f986bcff32d799880f83f5c45b
SHA1 03bd3cea75905ffc2b73ea631271f8b1501073cc
SHA256 cca7ac0a4515cd6305f7e69745a822d10021e64e1b3d33e99ee7f1eacb138197
SHA512 037099e133d9dd37f586aa1312578e044e5b46c96e408cb56aebd5d931a989d067e9621670a9c3cf1df369f0f27967d13ea0de350ca34fbaad88c94dde51d5ea

C:\Users\Admin\AppData\Local\Temp\72732627\bjs.ico

MD5 a71d345121e42e357604a34799e5dffc
SHA1 24ac37b738d3506f60c330bd6a15f4b7e5de0148
SHA256 16fb82cb44e8e03067b3b2eeb32b0fb6c87b7f234e0e85978cc7ded41d9a08f5
SHA512 09936f457f48b94c8c8717f903b8ac2235e2cdc5d1fc5bd8ef4b99afa5146e7cebfae2b6e23da7f4b8b380060f4cffe1f544368326db63bc45c5dbbce046fe72

C:\Users\Admin\AppData\Local\Temp\72732627\ack.ico

MD5 c766af6676f25a697f1ef9bcbddc37df
SHA1 f3279532da397a248ed5d42e389ce3c47e0bffb7
SHA256 e799a325d50ca77fdec6fea2a61f82832d3a0bc4404689e9ab5e767272ad1124
SHA512 87cb4f5ecf3a74e1d460d9c46fd922430c6f5c139c2f5741facda26782f8ac08b1bfb8312fa22a95b3edd5a2d836ea5c642ec4c2789c901b504e63073fae4711

C:\Users\Admin\AppData\Local\Temp\72732627\abo.icm

MD5 7126335fba74ff5d59a673ec0abf64b4
SHA1 e3299af388d79afe2cf38b2e18cdd1e0b0d78430
SHA256 d4a86d0afbf4ecbd70c10727d3251097d3b16ee8337ed2f9ccb1c7ebe6e632eb
SHA512 e17727aaf219cf8cf09ddcfd6d904e27e7f7ca545037e77c6a4a7aad399d381b2613aea739fd16f2bcf5f238fe1265001a0d0d6f1b1e1aa961d89aa4fc8cd1aa

C:\Users\Admin\AppData\Local\Temp\72732627\BLSSF

MD5 c99687084e347e48e8fca5997ca13702
SHA1 6d944365a2de41ecec0b5618dd349de31c8fd84e
SHA256 09a18ee6e9bba42c7ad512bc68cce189b474fe099ae5777e5d393d839a0c64bf
SHA512 cd4810155baccdc30b69dc22fe0e6b20321674c92bb4ec68a4baa2f491c3b19c18d0f39e6c100646bb0533e1d61fb3fc0389cb9943dde35e435adac33af6bd65

memory/1884-171-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/1884-174-0x0000000005270000-0x0000000005814000-memory.dmp

memory/1884-175-0x0000000004DE0000-0x0000000004E72000-memory.dmp

memory/1884-176-0x0000000004F20000-0x0000000004FBC000-memory.dmp

memory/1884-177-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5E3D.tmp

MD5 95aceabc58acad5d73372b0966ee1b35
SHA1 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

C:\Users\Admin\AppData\Local\Temp\tmp5E8C.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

memory/1884-185-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

memory/1884-186-0x0000000005040000-0x000000000505E000-memory.dmp

memory/1884-187-0x0000000004F10000-0x0000000004F1A000-memory.dmp