Malware Analysis Report

2024-08-06 14:47

Sample ID 240619-v3qg7azejn
Target bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118
SHA256 336009737626da1944572bffb6779a295b043b65a4fd1d732f714d0ecda318ff
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

336009737626da1944572bffb6779a295b043b65a4fd1d732f714d0ecda318ff

Threat Level: Known bad

The file bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 17:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 17:31

Reported

2024-06-19 17:33

Platform

win7-20240508-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33993187\\bqg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\33993187\\MGJ_DR~1" C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1808 set thread context of 1796 N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe
PID 3020 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe
PID 1808 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe

"C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe" mgj=drm

C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe

C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Users\Admin\AppData\Local\Temp\33993187\GDTGT

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 femolampa.tk udp
US 8.8.4.4:53 femolampa.tk udp
US 8.8.8.8:53 tojah77.duckdns.org udp
US 8.8.4.4:53 tojah77.duckdns.org udp

Files

\Users\Admin\AppData\Local\Temp\33993187\bqg.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\33993187\mgj=drm

C:\Users\Admin\AppData\Local\Temp\33993187\ufk.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\xvs.dat

C:\Users\Admin\AppData\Local\Temp\33993187\xuf.ppt

C:\Users\Admin\AppData\Local\Temp\33993187\xoe.txt

C:\Users\Admin\AppData\Local\Temp\33993187\xdx.bmp

C:\Users\Admin\AppData\Local\Temp\33993187\wqw.mp3

C:\Users\Admin\AppData\Local\Temp\33993187\wjk.jpg

C:\Users\Admin\AppData\Local\Temp\33993187\vmh.icm

C:\Users\Admin\AppData\Local\Temp\33993187\vme.dat

C:\Users\Admin\AppData\Local\Temp\33993187\ucd.docx

C:\Users\Admin\AppData\Local\Temp\33993187\tru.pdf

C:\Users\Admin\AppData\Local\Temp\33993187\tgn.bmp

C:\Users\Admin\AppData\Local\Temp\33993187\tdx.ppt

C:\Users\Admin\AppData\Local\Temp\33993187\swr.ppt

C:\Users\Admin\AppData\Local\Temp\33993187\sia.dat

C:\Users\Admin\AppData\Local\Temp\33993187\rvf.mp3

C:\Users\Admin\AppData\Local\Temp\33993187\rhi.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\qno.dat

C:\Users\Admin\AppData\Local\Temp\33993187\qcd.mp3

C:\Users\Admin\AppData\Local\Temp\33993187\pkq.icm

C:\Users\Admin\AppData\Local\Temp\33993187\oij.ppt

C:\Users\Admin\AppData\Local\Temp\33993187\nxx.xl

C:\Users\Admin\AppData\Local\Temp\33993187\nxm.bmp

C:\Users\Admin\AppData\Local\Temp\33993187\nmv.xl

C:\Users\Admin\AppData\Local\Temp\33993187\nac.txt

C:\Users\Admin\AppData\Local\Temp\33993187\kur.icm

C:\Users\Admin\AppData\Local\Temp\33993187\kcl.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\jio.ppt

C:\Users\Admin\AppData\Local\Temp\33993187\jca.docx

C:\Users\Admin\AppData\Local\Temp\33993187\imt.dat

C:\Users\Admin\AppData\Local\Temp\33993187\huw.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\hof.jpg

C:\Users\Admin\AppData\Local\Temp\33993187\hab.txt

C:\Users\Admin\AppData\Local\Temp\33993187\gxs.jpg

C:\Users\Admin\AppData\Local\Temp\33993187\grj.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\FileConstants.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\fhh.jpg

C:\Users\Admin\AppData\Local\Temp\33993187\fdf.pdf

C:\Users\Admin\AppData\Local\Temp\33993187\eus.txt

C:\Users\Admin\AppData\Local\Temp\33993187\cnl.pdf

C:\Users\Admin\AppData\Local\Temp\33993187\chs.ppt

C:\Users\Admin\AppData\Local\Temp\33993187\cah.txt

C:\Users\Admin\AppData\Local\Temp\33993187\ButtonConstants.mp3

C:\Users\Admin\AppData\Local\Temp\33993187\bpo.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\bhc.txt

C:\Users\Admin\AppData\Local\Temp\33993187\aim.pdf

C:\Users\Admin\AppData\Local\Temp\33993187\GDTGT

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 17:31

Reported

2024-06-19 17:33

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33993187\\bqg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\33993187\\MGJ_DR~1" C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1940 set thread context of 2296 N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe
PID 4968 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe
PID 1940 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bd85a97474c10ee1b3697e1a3d36ffeb_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe

"C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe" mgj=drm

C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe

C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe C:\Users\Admin\AppData\Local\Temp\33993187\GDTGT

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2296 -ip 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 80

Network

Files

C:\Users\Admin\AppData\Local\Temp\33993187\bqg.exe

C:\Users\Admin\AppData\Local\Temp\33993187\mgj=drm

C:\Users\Admin\AppData\Local\Temp\33993187\ufk.mp4

C:\Users\Admin\AppData\Local\Temp\33993187\hab.txt

C:\Users\Admin\AppData\Local\Temp\33993187\xvs.dat

C:\Users\Admin\AppData\Local\Temp\33993187\xuf.ppt

C:\Users\Admin\AppData\Local\Temp\33993187\xoe.txt

C:\Users\Admin\AppData\Local\Temp\33993187\xdx.bmp

C:\Users\Admin\AppData\Local\Temp\33993187\wqw.mp3

C:\Users\Admin\AppData\Local\Temp\33993187\wjk.jpg

C:\Users\Admin\AppData\Local\Temp\33993187\vmh.icm

C:\Users\Admin\AppData\Local\Temp\33993187\vme.dat

C:\Users\Admin\AppData\Local\Temp\33993187\ucd.docx

C:\Users\Admin\AppData\Local\Temp\33993187\tru.pdf
SHA1 5afcdf0c41b13367cf1bcd2e083a790f8c076187
SHA256 934cb49bef30063fbdead95ca883ed439b31d66167a5f9b37db82c99701e98ce
SHA512 12871373cf8dbf7addc078beba4257412c9d446851f7c3f6436316c2aac5b1a89bf50a1cbee3fdbdd18ce03e4d2b50ce2bf8014e6b3f45a962b708ac5856393b

C:\Users\Admin\AppData\Local\Temp\33993187\tgn.bmp

MD5 a7670b04a896ebf71a058179f202a576
SHA1 649cc7e9831b32131cb9507a2de855485ca88b84
SHA256 b195b72f963e0adbcb5e410a70fff9b760803379934145e783fe04f2433c82b1
SHA512 5256225c2f8a2c96f1f03453bd86183d9f4b576d65f10190afeca1e9f730b9eadcbe6ec3e37837a56aed503f9b7ed8fb707f4e1d5dd6c7c2ab29579026627786

C:\Users\Admin\AppData\Local\Temp\33993187\tdx.ppt

MD5 5629e03f911b9291775a6b488609af64
SHA1 7f83f6e5d9b1e00368c780197686aaab8c5f61f2
SHA256 ffbcea342ac6b764162203749675988c99b33a93123ed657976bd5d5f1842fcd
SHA512 14fc4f0b4ec148190be304ee422a5ad66cc5edf5dbcca492e159489753c0b73172cb2e884d90a76374008ccd2d4b02678857dc8056b86a1beeaaec71e0cc85cc

C:\Users\Admin\AppData\Local\Temp\33993187\swr.ppt

MD5 fe4812832b89786910347f2bc051f344
SHA1 f609449df743cb740b87aee717ce8d4d8d8c6325
SHA256 bd94537290dfebb28583ab42aade441dd73af384d6758ca88cd89ff79bb32ee9
SHA512 7b37f1cb28c3fbd825121a56b734abc0388d8aa53f8b0be8c18e783fbb1bad6dbe293d56016c578e2f935de257ea83cd83866996542b625e50ab4a4a0a15133f

C:\Users\Admin\AppData\Local\Temp\33993187\sia.dat

MD5 daa66525c8ceaa3b19b07db03fbc3cb7
SHA1 ef75efc435d09c03f0e1aa4e5f923cb0c3675136
SHA256 25e7e86b5d023a337308887a3a58018bc38e4a70dd85c85d3edb0a7ed0aa9337
SHA512 7bee96f219d9a1897635a252dd8b0f91c4888baee132501468e4cb125b9365123290029a3d60f3cb6d545ef98bdd62fb7fbf783c98253fd556fe5db9879bbb80

C:\Users\Admin\AppData\Local\Temp\33993187\rvf.mp3

MD5 dfcc476981a87b58ef532043537c282d
SHA1 3defe1473686a7d87ea506307066f2ae2dea3dc4
SHA256 f9986a5db55e1cf6defdcdd0cfac430b903f4de0b0a17d84fe0e3c0c94f3321b
SHA512 a92e8b04750808ec307a7398fcb4761a1cad110678d3b7a29a0c5fcaf07196b518fc9fee84039b927727f42680018d2a4c753e9896948362f773b18e7562c4c7

C:\Users\Admin\AppData\Local\Temp\33993187\rhi.mp4

MD5 14a3bf6de6d94a3583214752561d9b34
SHA1 107bdf82af51403e47a8a0aa8f4575a9b8b78e08
SHA256 eebfb028b400548730ab4997fa348945350ffba005c0d9e235ce637e1f5ec1d0
SHA512 1a3175ccb38087a129d15dcedf366747b36cd8874019b826018de6a44785671332ac5a6f42fdb6aaf8aca06bd0a879816fe89a621392256c1a3659f349a99791

C:\Users\Admin\AppData\Local\Temp\33993187\qno.dat

MD5 444fc41c4e31b4c683f4668757643da8
SHA1 4800727b40c79ba539dd4836256517b304e11685
SHA256 ac93ccf690db794df74a25f3d92a55f4a87577766308456f99615ff77ba839da
SHA512 c3c8a16cad686be47100425c9d28185313304287989fbc9d19869905c4356e9094184d2063533439ba81ae6031fa26824bc086a5efed7f7675814765c57bfe21

C:\Users\Admin\AppData\Local\Temp\33993187\qcd.mp3

MD5 8d76d102fca74058f01dbaea056631d4
SHA1 752de93ba5324fe7bc57e0009eaadd37e4a1c235
SHA256 0b72ea281d470aff63690c40f9e967206c3d61e9dea24de7e11e32299e038199
SHA512 cc19269a477653c755e8f911a52c5585bbf29abe09c9e8b4ea5f7736bde02bcce908a2689aa4ddaefc3e309ac2fcea5ed538922bd02c4655ed974acee2631d74

C:\Users\Admin\AppData\Local\Temp\33993187\pkq.icm

MD5 1b6a6ad52081fb543c49361e619fc1d2
SHA1 2092c490f8ddc07f603d8eba2f915ee65f1ddc95
SHA256 20250f1be9df4bc96533c051568c1ba9f13113153a705877163babcb9c9001c2
SHA512 7847a867cd192d407e0e5736d57cddf5e7d89389c247cc6ea2f43ad2ac9ed3e8d749ffdf1a3735ba7f9e87bf82393ddd6d37f0f529f3f76c23775337afd490e3

C:\Users\Admin\AppData\Local\Temp\33993187\oij.ppt

MD5 b7594040cd7ecbf9c29979cf487bfbd6
SHA1 71d2d6683445bcd1926b70c6a5b98943885594bd
SHA256 145d3b65f012bf1efbee5e04c99d548cfe1204b498b627a7ae3628577fa4f140
SHA512 742b5bb91404f0a1fc6c4dddf0b4a4205cf603d62b9415441bd37ba2e0bdd53b3483b5709b071928b0533df20d66305ef0853562119e48b987a41211a59ed067

C:\Users\Admin\AppData\Local\Temp\33993187\nxx.xl

MD5 9463a2fb0952ae27d491d9ea844588a1
SHA1 c687e10d08656df91b045c0a41ccb780b0c49158
SHA256 c8a3afa4c6e696ad344a6dd371c609cc6b0fd259289e99846685e39ef23b0be7
SHA512 d877683b5ff1b1b6bf555821ba5506f62cfee75d64a1d9305afd9ec9174b50ac9f23bc0acca8a19d73b6c9e7bbc4c63f9c58d1009b06779f55b03a51cb06a108

C:\Users\Admin\AppData\Local\Temp\33993187\nxm.bmp

MD5 6108abd96427bd26f794887e723c44ff
SHA1 86e23eb34020be47e569e406dee978cd829a80bb
SHA256 7a00984ad89f65c7d34d60b2b4bf2901e24ce7fae27a741669da288b6bab2957
SHA512 768d7d93cd33ee9dd020b20eb85893ab710131c724eb8593f9da2766e84d08d683fa2a5d6a44ea40dd655273d78f31fd306f01b80f45a3c810d791699503f19d

C:\Users\Admin\AppData\Local\Temp\33993187\nmv.xl

MD5 690c1494cca5788a0fbbe1fcbe98dc35
SHA1 aaa19fce0cccb56f6932a0d3c4b58a1a0462bd07
SHA256 8152b37f3768a797df41d33fe13aa0f0d234ba80427a7b088365675b146ff8c7
SHA512 ad1328e718a289e6a092783a0025ad411c155e62e40a7856aadec4deac1ec9ac42207ec6b28314386ab2b719a0143f70514ee40f5b8a83e99854ffca66cab5af

C:\Users\Admin\AppData\Local\Temp\33993187\nac.txt

MD5 d78eb5ad7d2b0e1caf89d30f5ba1a7a2
SHA1 4952ecfa805aa10aee824fec11a1c05830450241
SHA256 4bd81dd3cb6cb86fe3765976d1656605a3639eb6960e8f739ce6fb0335ee8d6e
SHA512 ebcaddda8c7df8ba4c4fe31fa4de6f52c613c82e4a7a9ae2faee1041ad3f5fb3e85880c38704aa0c0452e2469d04f448f2e5e958dad1398e633b90e9b9e66430

C:\Users\Admin\AppData\Local\Temp\33993187\kur.icm

MD5 af38578ab56c2e2ae28d454d12780491
SHA1 5b4f150e51c6ada03ffd18b79c25510ea591d469
SHA256 740be9a69f8174b64395689c09a00448695bacea633491270935ae65ace9825c
SHA512 da47b5972ecf336b297058e7949dd85a63e6c11be9f4f547e43acfc1f5e322fb80d3b0820b6484e1254e67c8a71bed6f07f36cadaecfbd612862c4f5a7aea7c9

C:\Users\Admin\AppData\Local\Temp\33993187\kcl.mp4

MD5 101b2693adcd2d71c3e9d133d51006a8
SHA1 3e9cd8c6dce08985a3bfaa5eaa3eaf2481d5b02d
SHA256 83f71e7e68e4b49c148c7542e52f903862a44c18a5bc1556ae4827610044061a
SHA512 56c0ac7cd4a4f50a2153368b90027374b1cd0478ff11e735c99d070541adcf4edb2604d4d81c831ae733d02224b39d98f7c2b4c8d9693ef5033e858ff69181c6

C:\Users\Admin\AppData\Local\Temp\33993187\jio.ppt

MD5 9aa349f5f3b6037d0538b4999d4a1fb8
SHA1 747973a800b5a840f5e8baaafd62465f68975b8e
SHA256 c0d5a30977ce2ac16be549a00e0a077b5facfdd56ef9dfb7f3670a18f404e0b1
SHA512 b90cee660031fea009d806e5c37157f66d1f1fa7e2c03042d0eef6d4b08351cdb2bb39daa3380475e20fd72397767300ec9f78e474d851cd4d7d9710b5c1b891

C:\Users\Admin\AppData\Local\Temp\33993187\jca.docx

MD5 cd6e3f5efee860e280819bb7ccc1f580
SHA1 e7fc36518cefe99673998b5e30b2c00e2eafc76b
SHA256 7e3d9afdf2653949623d1350a0c2a897af1d7c0bc16165719fcaf0353a5ec751
SHA512 8965079bfd750ff537ce54ef7f2087d03d0ba41b2e3ed93a47091f0f6322b715b2af372258b1e42ab3c5cad2165dbca472b81ce0a53a750e34e3a5c8556f995f

C:\Users\Admin\AppData\Local\Temp\33993187\imt.dat

MD5 7a719cf5e801be402ff34a9b529aa802
SHA1 782e970a8b59f3089ee0e73967de7118c7f5e6fc
SHA256 6a789dd601ee48f5b7183430466edd6ac1ec69d7faedd315ca22de5e2e1105a8
SHA512 b25c182122a7448c49c27f7cbd4498abeece7e701785f90ead7e03d4ed36640a97c1cbd23057294fa8b38b9f730ac9f4fc1a2a66d0ff9925f6813ac1272b6628

C:\Users\Admin\AppData\Local\Temp\33993187\huw.mp4

MD5 d5aa677c474ba3d31b54bbf37ec83f41
SHA1 0a5c756c826f8e3f0c7ac89614a6236cdb1812ec
SHA256 afa793961bc1fd139083e7567b96dac2407ceebcafbb519a2dd9a4ea7ccf1ff9
SHA512 308de37448f09a7c4cc7c038896260a43fbbd6436e5fc20d5ed597aad46511b87f6b797e5e493d41ecdf924fe2aa0a864f1d8960a083a8f3568513b4198a7be5

C:\Users\Admin\AppData\Local\Temp\33993187\hof.jpg

MD5 57b90575f6588502cbce75ab1f81f734
SHA1 ac1db500bbef78e05bb06c2de9f17fd598fa4a89
SHA256 6ad2f19af6268ed2f849b561259a5139dc0930650e058e345cdb2c1b2d862963
SHA512 7447a061ef87456d9e829b1e5f42bb83671e7cb732e373843b01c15fecbc3904b9871d133883f1b324fc79fab2a1565c7053ccca527a8820fb47884adfc079b5

C:\Users\Admin\AppData\Local\Temp\33993187\gxs.jpg

MD5 f33689eef290711d99dbd93955728d3f
SHA1 6bb36f4175ceb6633249f58d64f0bddba3fa908b
SHA256 b5441f2fe7d59331d2b9c7de9a505afbf9db44a4fd3a940d90784a7815cd2c92
SHA512 549a71ccd525efceecffbb755f50541539b07212c631d10f4d1595ec5addcb1bd359862caea4489984e1ccc7c0bb538b1a0ff1021441fa4e9c4b478c66f93ecc

C:\Users\Admin\AppData\Local\Temp\33993187\grj.mp4

MD5 14d7a5cbc00f802424ded78973a40cf7
SHA1 1e5468a04c7763ae230ed889c0d989d318fa4901
SHA256 dd034588cefddfe1fd862b5bf7a38509e1e702f6da46e0c39e93e3979257ee48
SHA512 cc873a7e3bdf6b2a1c988f0950e67772c713d010a23c2fa16098880dabc95f34016bd6cd1e769a8f5ca171b0524661fbfae76cc2ad151a16d18ca9652e0984d7

C:\Users\Admin\AppData\Local\Temp\33993187\FileConstants.mp4

MD5 b8e44a08c805c00f7e19b5c79b9eddf3
SHA1 eca6521c916d699307dd61ff174c941c2bfa6fe4
SHA256 270b0da13a9a6830f1c23fdfe5030652355c59b3138c7d0d62e93662c43848c8
SHA512 d34e926a1e64dbf9e75e4e1f145fbc8c1aab50c01396cc36bba52a9f924e33c4d46a970139d68a65f669f81a6729524ed561442eed5f2183c0391cf7861d5d60

C:\Users\Admin\AppData\Local\Temp\33993187\fhh.jpg

MD5 5a423b0525f9186b4f47c1f0ca1fdf27
SHA1 ad6cd7f3781b5396e3a4730967380edb0a738504
SHA256 c6acc6b38303238642c179a9ccc79fc55cc53ec3b189c6fb5de9201326ae224d
SHA512 f92f24887bb70dc5d3e0e0c4c41c448bc05e606e4303fd80c399f6088afa779b27e228be994c324ce02987240d2ab00c1c0282dd3daceb41422f5afe7d7c6fd7

C:\Users\Admin\AppData\Local\Temp\33993187\fdf.pdf

MD5 17071fc30ecff876ad708618aec7c682
SHA1 ca6734941c8ea76f4e334f068645f71637c9599d
SHA256 c720cf1d4946e806cbe2d45745bfcc17496772bc64309bbd6878d8f9edfb2a73
SHA512 ed2e5a7643ee333a0603a4dd15f40e6aedcabb8bdbb977c06af1e9dc374ac83de958f34f56e782ced1ff97d46c4b693025f9aec2d930068ffec042412fc6b2e2

C:\Users\Admin\AppData\Local\Temp\33993187\eus.txt

MD5 4bb945af1ca9402fa639cb53f4729d94
SHA1 6423ea921cd2060148cc3db0acbcf780728a0695
SHA256 053e2f313d14f043459114604481a02c5390f6738d8821d8faa97fbd31f382aa
SHA512 5194229285991b363fe2374f1f79c2026781bd06ca6199dfaeddac25dccfc6fb0f28f49b5f21176c3d5e5cdebd9f7a6ecfd4e40031b556ea2dcb7fa27b0183d1

C:\Users\Admin\AppData\Local\Temp\33993187\cnl.pdf

MD5 fa40f41a5905b1d2356b9f50ef9d3a4a
SHA1 544c85c4e0f130365ef5e406bfe9335edd8c963e
SHA256 aefbeac798efd1ea1f6890a29e7aab28e29732ebab93fcfdfd65f45ff9f02d4c
SHA512 75b87948ca25e4eccaeb62a2babf51d608f3df95d3b062cf078b4ec9701750d46c6f3a17cb993fb4e9bd12bd8d7a14c618b8c880a514acd71c2fcb5a4e8fbf58

C:\Users\Admin\AppData\Local\Temp\33993187\chs.ppt

MD5 06f63689704f30e0be8f757d5063c3aa
SHA1 b529ec3b519ed0aa8636a2e252c920c6bad22655
SHA256 bdcf6915ddf3a8ed6cc2ed20cc315d4e8d5012d93751f7ab43f3c1e494a1c702
SHA512 51aea37c3eb4f9ac693d898d776925883f7280afe2999b3613d80d546b5940553daaff9609203cdaf0745a98386c2919d4abb594dc118b5db6390b022919e8b4

C:\Users\Admin\AppData\Local\Temp\33993187\cah.txt

MD5 57fa4e1772cf2261354b2fd38d680252
SHA1 8801e958f276ebb8d82bfa8cd9cc031aac14e091
SHA256 5fd9601a80ca513a901793a0338488d9d3a1847cb934822efaeff3e66b0754fc
SHA512 7c43b674ede54294c886a29328bbdf2a9ccb43532d38651f4aa7b5835415ac7ef30667a4d36a77c4452fa8aae0963333a563b26fbd50632826c1adc36c04ae9c

C:\Users\Admin\AppData\Local\Temp\33993187\ButtonConstants.mp3

MD5 34c1ab5f47a147c9ce90ea5deb408899
SHA1 d78727d4fa9aa5defca4ddbac4074413b3f4efa4
SHA256 287b76db02013bc3a06aea31d2cb8b0bd4058222bebe9148f8470dfba2e9a4da
SHA512 2353f3013764e32777b1ff28b09c0c0de20e15d75642855b8d5ed6accd6a9e28be4fab37d6b1da71979665e62c5760496eace4246332e96ea114f2c5c2b9e6c2

C:\Users\Admin\AppData\Local\Temp\33993187\bpo.mp4

MD5 47c9f27ae572c7336c6203c6ffb7abe7
SHA1 4e42fbcaf18ab127869e8341a380af39ecb29a61
SHA256 6b96fb8098eb71f5fba8fe5d5cfd4fe49f75e31f6a661e66f8715637be4eb71d
SHA512 68b0264352d02f1a7cab96f5c4a76a50a1d296c78fe4bb16121096be747d7ea9265fbc5545643ecc60e58a0fb062ad378b6c4337f5089f8f6a250e10f3eeb22b

C:\Users\Admin\AppData\Local\Temp\33993187\bhc.txt

MD5 e4f5ea4d53412d3d9dd58da384c24bdb
SHA1 58efcf79d871e32233b78d6bec38af33f9d93ff4
SHA256 bd7cdd51194f4489b0e9ed65d20758a50b6c714c13e12885a265a5a31f6f2344
SHA512 d27f259703decd9d1354ab97f0b9ab634894fd9e7a056443e1c31870d15aec9fc846f17d20d7b2d3a0898acb0c3d9c55f718d1da93309c5a902c07d66135cc92

C:\Users\Admin\AppData\Local\Temp\33993187\aim.pdf

MD5 f5700ac25208dc69acaf6317eb6bd0f0
SHA1 3cca132bbc40b6ec3d787b2db04e90739060a88e
SHA256 88d0490a5eaf7e49cab8cd7ef395ca5a2d70e382f91f19a6394de7509b7515f4
SHA512 035f6ffc8545a45743786a0f48c3e7d05b8568a1c0e5ea3aa296b2ec002ca265f4759a8db7d28b8f028eecc6bc80d597354167fd30eced794ba7364f7e695f4a

C:\Users\Admin\AppData\Local\Temp\33993187\GDTGT

MD5 4b82ae0ba97a44211c6c69647f4ba940
SHA1 69b789ba5e16a725192b7f61dbf7b7a2ee7c0644
SHA256 79d2cfe4ad67ad74629b0ac1203a065998c4921a17a34b5207301d45ada7ec91
SHA512 66efe938f637dfaba5c9d61cb92a55bb0607bf8ef38a8f3f06994cdb2514f54f6fbddb865abb521af9ab4057a4c3af493c436fe5c1630ea1ee5597d5422b2f7b