Analysis Overview
SHA256
cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0
Threat Level: Known bad
The file cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-12 18:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-12 18:48
Reported
2024-07-12 18:51
Platform
win7-20240708-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\cchn\\FHVNLE~1.EXE c:\\cchn\\ncjehr.icm" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\MUJ\logs.dat | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1732 set thread context of 992 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe
"C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c fhvnleke.dat ncjehr.icm
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
fhvnleke.dat ncjehr.icm
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "c:\cchn\FHVNLE~1.EXE c:\cchn\ncjehr.icm"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "c:\cchn\FHVNLE~1.EXE c:\cchn\ncjehr.icm"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 75.127.7.188:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 75.127.7.188:2404 | | tcp |
| US | 75.127.7.188:2404 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe
| MD5 | 95a4c0c1755c731cb1175e9b0139702c |
| SHA1 | db9ae17cf73c51ed43ed1b57cae96a5f837633ed |
| SHA256 | 7419a058ffe3a840555d3aa05b3f7520b5dbb9f6a2e81493e17d8868a9bde5dc |
| SHA512 | 5a698c0e0912635e180338e2a9314fc5f6788996e4bc6476cbdd62a7e3b008d3ff8b1588acd8ec9390aa00e6544b81ac19f5976467bcc0dd3589ea4cb676c409 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
| MD5 | 31db1d81c80c66640b773c535cdfa762 |
| SHA1 | 9cfffe3e21ab746e18db1447bf339d1af2118570 |
| SHA256 | 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211 |
| SHA512 | c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xkurnq.msc
| MD5 | 1633f32568e3bde537bba6dd99671ceb |
| SHA1 | 97aceb61c2952dae60ec37186be2888db3e031a7 |
| SHA256 | 10b680536b0109746d03127b9d6894282f773a0d5a82578f7b1455943cb28ce7 |
| SHA512 | f198ef173246445d1ba6d28c65d2b979f20eec6ee869715fe1a4de6823c93ba7a10c1ffa66b5182ca1a93a5b04f7e75c1146666263aeeaae97da43eb9c906a46 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\foshgpdw.pdf
| MD5 | e7135d10d102e4c8325c21ee85f04e9c |
| SHA1 | a9c53ac5887e4944de235b962c162253434f0a9b |
| SHA256 | cb04bf39ffe4ecb053e550a69f61b123c525d69eed9a332e0519cfd40bcad749 |
| SHA512 | c9a15bfbf142972e29299360f814269be33185d269c3b361af52d14daa2b47d762486753c1b011f85ce2a3576bb751feab4ee0c70092dbb25248b7fc55641fe6 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fjvvkggf.dll
| MD5 | ae6c81318c935f5f2686d77127b36ffb |
| SHA1 | 09e6b467d2d85480d4e71368b18c7b61bcfb1edf |
| SHA256 | 2659700b56e78ea7ccde71822f140776d9b6b76bffac44a1dc3cf1b1957a3ecc |
| SHA512 | 8d46b0a42730931d86cd1a7f60dbeda615cc2c44b18ee041981d949762f09c5de7a8194a8a9b557c206943f5aaab5ec600b9d6ca6deb149d1e2d632117b8f62a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clkodnsw.txt
| MD5 | fe17ec9b0ddcf4b1b9ed816909fab4b3 |
| SHA1 | 01548306eca2a55b2e209dfbd9229a96a7d77837 |
| SHA256 | 56d2c0a423d0e25c366401f67b5b363699b06561f7de51dcfc86181f3fdd571c |
| SHA512 | 082935074c4b3819faab75c811791621c0d3bf14785d2d7d3c08f04bdabf12012b1ac7f2c51ae529f2a09afb0d0dd8e1211934491b4086285608c6511f991acd |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atjl.mp2
| MD5 | d6349b47a7d1853aef2021247111e4ce |
| SHA1 | 7de49d41b73f2110f16de90c6cc4adb78c3ecff7 |
| SHA256 | 0b653b877eb55386f30313107489de7f15090e51589afaf7e5504e11d3269329 |
| SHA512 | 8cc6a5acd15ab747406366f6c0127e158e10ae7687352c25b4c5de53077f0d658263054915a843a75ba40497e97edc6616030b4dd05e14ab7afa935356e90762 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ftsxtpkuci.msc
| MD5 | c75006d243b6f10d50120f9a5f7b4ac0 |
| SHA1 | 47abf77308a99ff9f67aeee6070080e7fb2f5df7 |
| SHA256 | 8bd5d72f4c378fc7b185c4d355c5449c0e9e5b0a88d33449bfb6ac321e7fa6d4 |
| SHA512 | 3b844cd83ed2fff71debd865631f78a3f3f781cd58c419cac005829c93af42e31dc91b67c7901f691a47434f3094329577e9c619b091b4a5fa4c181e676f87d0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaixlatqi.docx
| MD5 | 21ea8d814c36e64201c6e009bd6285ac |
| SHA1 | f39c8795f6d68b13f967820f8ee66bd385ef8d95 |
| SHA256 | a97c5ff9fbc31c7ddc409645bf091924daa06182d8370285d52cbe2eaf2d612e |
| SHA512 | a39ef08a6761cc4370661ff8770110237321467bfc9eddf6749f24d6aec4a3b5a62721023ac20cb3f258df460117147b63661d24d543df697708ecab56c807fe |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hmsaf.3gp
| MD5 | d2ad3df96aa34af12040e7eb23e19602 |
| SHA1 | b0af79b8a50bcc572405dd500a8bb76315f136e8 |
| SHA256 | 8b42f41fa9dcb635a294d1692fa514d6f732ae6298816f9ada27a987329c22ba |
| SHA512 | a66295fdbc6a92c72a1d97aab91e5f9d8e9fe228e81bb5fa9271d44920975de5adf460b223b92eeb4cb02cd9c6f6e8e787f1cca508cb645a8071debdc04b1935 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gjgoq.bmp
| MD5 | a021329fdd5956e6dca8fb89147e0d00 |
| SHA1 | 664c32ed8ee46ba01ba62996189b7c4cae84b377 |
| SHA256 | 568b93b08346a96b14d8b8b10e7834385359b1ce77353f6c411a5a6f4685fbe0 |
| SHA512 | 70ea6be254c2a5d051b90df8886af12fdaf433638c22dd1244ce2ed293a0b7ff63ffd5f8e214f3831b50a9e0acf41d831fadf915923e1573150c1a1847afbfa7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msxm.mp3
| MD5 | c203df8c58dcc521ff1a5959033a896c |
| SHA1 | 5e34d499a60594c50c9dba5f88e981306a02cac8 |
| SHA256 | 8b9dba34f2c45187b68842a547f710f019045adee53236a40ed7b74e88a80d59 |
| SHA512 | 034e45d51e51d95022d1468d0211fd9a7559fd14eefb5c70857f97ab9331678fd51fa9c3200481949948552dceb1c77b8e81404418da1a3e45532893fa0ee509 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mspa.msc
| MD5 | fe1daa6d203273dd57d3b71fb34e62c4 |
| SHA1 | 80f58b75db83ffbb39ebc1f508eab3d2248c2581 |
| SHA256 | 6812e247cc4997dc3210c250c560e67c08bfbc591a45cc7b523f042d82a3a66b |
| SHA512 | d405ce7b934899ac8d87fa2f60fdbe17d9406c96e55ce2278d3aeb8a6adeedf80cf1eb75e16df08102731d61139562ffc1479c2c46260449baf3e54b62d97635 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lawlraea.jpg
| MD5 | 0ea283e51a26ebee9b5b0ce3501a0f78 |
| SHA1 | fe521bec054a4558cfa57b0957a8f443c4bc89b8 |
| SHA256 | 1ddc3c1bbbb3d7555af19b1adcbef741e8a2405c0aaaa7facb1f70ed25501de6 |
| SHA512 | 18bbf40136dcf4d24125e7c540d715195eaffeed892e880d880cdebf74124c2bc4fcd9daf517f3d6eba4e7131e88cff64fd4d039dbe6b2989a2ff78c4db627c6 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kswn.xl
| MD5 | bb3af83d198af53d8e8865c4cf90a634 |
| SHA1 | 0a4c316542b0ac348b28bbd079e754aa68ce13bc |
| SHA256 | dcba54a098d1f6e337532205b849ab27b16401a73bd0f1c82f394333f94b8c32 |
| SHA512 | 226cfd639707da01b2e8fd81cd0b9dc16f107decdf91ea80f2845dbc69e39eec6107faa8ff88a3125185eb6aeb85402de4dc4c198e06e020ae89811e05aaffb2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\navdn.jpg
| MD5 | d481f50cac12130673df83534e7ec743 |
| SHA1 | e255c5d9bf9545466dcd448bc3e2bfd018caf4d6 |
| SHA256 | c097a0919eb4b37348f8ea42bae1dd0bde9ae879402a170a668bb78ca8fe262d |
| SHA512 | cf70a6941f764205aee926fb7edadf0f8b41f63d4fcd2b5a20e8042294a7d00371abd7e50f85dc237802cb51292ee144bc61c0f308ce4ca3c4ff4ee1884a780e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxqg.exe
| MD5 | 5e9707562e9a88352c732e9a6049d486 |
| SHA1 | e4593f2ad0795b6edda90d60f09a6fc481993e65 |
| SHA256 | 8ed8b5c171af40b35876c889ee07804de0d2c5d44f2a0755e151b39fc03b1cf2 |
| SHA512 | b0749ce0c5cafb706208525c5b81c291306139ffa1608d4c714c0344a6aaf7d217dea2c583d027f56dcfa5364814fd30e7a3899409d2c938b851fdde7652d078 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oiswfne.icm
| MD5 | ccfc02352a97fc37e2e8a7868a766a17 |
| SHA1 | 0971d1638faf9856340c7b276d3d80de18fe552f |
| SHA256 | 638f8a50aa09868ac19addbeb095ef3aa0e062d6dff78a89ee1605a5342016eb |
| SHA512 | b72a8c92eb51b6e05deebef90acd572ceaa6422894d898a162d68fcaee411a8bac780f8e60a74a5fccf31f1bc4db8680ce3863f8e4d9314118014440a26f3940 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxwrjjkj.dat
| MD5 | e411d1e00aa8304add2744e2b3b03eaa |
| SHA1 | c6e68e4cff15d70a9db1e26720ad45f3dc4e7d82 |
| SHA256 | 4b3c8816f5c634be27bb37247ca614b886c8a0d563093c22aced3b32c19ba728 |
| SHA512 | 0102902a2e47b9fe5d7f1b36547589406127d52e547980353d885b366cf47800c0bd4ab1bf4f94cc490f07a65ad2d3ebaa073dc031fd91992bfa6b82bc4e5f2d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxbqmg.jpg
| MD5 | 12f7ad173f9c2bc52fbb0be142f4971f |
| SHA1 | 6b83d523dd2a17620aca2f44723999ed39e27ffe |
| SHA256 | 2c4a9138cabc51873812fb663b1b86c2d2bdd2a69558cd03d5bf896b4ebbc973 |
| SHA512 | 854970a446594f932a2a021406de294f738be3baf984add2ce095b868fd27a664d579d17c9f904314aecdf8f247e9f2c6184414e186de9ec603bb4d3dccf5915 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnul.ppt
| MD5 | 364ca7b798b58524adf7ceac90967434 |
| SHA1 | c541fb4a61bb3420fbea6dbb27a2546e62d80d83 |
| SHA256 | 3dba637b888d739ddd2bdb4c1363d1630517e1395514dc3349a1ed6d25548d80 |
| SHA512 | 067a6ee4031eacb425657c1e3ce688e0be12ed44097f67e2126c6da42603b090beedd18a78090d195d30538069e23e53940618f18da5635b7715a35dfc13df31 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xkurnq.msc
| MD5 | faa2749611de93321011355f75ced356 |
| SHA1 | 572b290782a0e604758e9511c3725192a696c7a3 |
| SHA256 | 1f000264821a46020be193ea0c57ef929c5f1fa198202449926de417502354fc |
| SHA512 | 22a2cd9e0f37ecbae70bcfc1bcfb9bb9bedcf866530a50463b42df5f13b0ad08a7c5e57cfe227686559ac474adc2d2711f6971b37bf47d5486c0bf441a23aae1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsssookr.hem
| MD5 | 56c1b41b3322dd4018d24f1e38d6b126 |
| SHA1 | ec063537db26e581b1a6ec632f83fa3686b832c5 |
| SHA256 | d6459e8b70a13dfc105eabfbc5512c60dc85f8f63207b2f4e451980aa3a44b4b |
| SHA512 | c7d1482ae63a21924234e88436e1f24ba26604b74b23c53728e57356799254affb26656772a1b3e90e1801a17096d963baf3f1bee137d5fe518deffcd8e68cd2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wqhswhin.pdf
| MD5 | 60a86df180b60fe4c9345c495dabc1de |
| SHA1 | ec012087ee69fe04169270f1144ba89d243a0195 |
| SHA256 | 2936720b255a930cf63e6772e73dee254cda0fb6a3c396b699d4ad495378e5b9 |
| SHA512 | 4b197d8b2e245eb9786356dfca37e464237a565afed9b0317c71305121b962dfbd6060d484531656563f97ec90a75cb7785b741d222c3eb1688e2c9b5719e45d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wiholsrnv.xl
| MD5 | e63e624e580570f42405239a7431e1f9 |
| SHA1 | 1a6cf95f8c7704f7b48268efd337e0ebaeb44821 |
| SHA256 | 08519611ecc95be2e68a746a3aa8a333bfb5c3a7e1b3dc611fdb65b732af2d37 |
| SHA512 | e79a3b20c33b4f9eb3a60b31d33d8f393d633be4fce715bfd4de06012af6ea7479a00fe22bd89222dffe0d7dc2963e498547dbf44f5ca6d5dccfc3e430c23dd3 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toafuvgmcu.txt
| MD5 | b1e6cacd5466cf31ac951174d70b65ed |
| SHA1 | ab67c8977319316e3b37ab3cc02aa414ff1ffe97 |
| SHA256 | 614828ba79c603e81e853d285147023591d8c31bb4cf132d37cbd860f5aa5d43 |
| SHA512 | 5215af4f4a7fede74e0f8620b287d2506af72d080ee30c6c61220b54eb8ce323fb2f6cc3d718a91c5c6d34d92f357e51a40647af417a1fd7a50b754faf8a6cb3 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sxdhjeq.msc
| MD5 | 66eb9113d939530be9abe06b8d46edaa |
| SHA1 | 2d60c01ba8eb080b8dbd9fe6694727da1db21a9a |
| SHA256 | 5b7609ba739729b94486274f866be66ecd21de47bd56614e23593b3f54e02ff4 |
| SHA512 | 9b2b6125c1311c27cf898c2e4a01eb36979e15cb330ac4a857c352b3952a51a8f47be9c6ec8114d71ae083c07145e58541c9eeef13ecd20eb8bbdfe2fe0881ff |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soktlaq.msc
| MD5 | d22c26946baeef2ec95cdae7497bad66 |
| SHA1 | 538779f3e21d10e5c874713a02985f871b8a3637 |
| SHA256 | 3e32f48ab7ce46785a2ff2fae2dadc6084a32f62965c4fc3f712b0d781d6ee1a |
| SHA512 | 5c7068d5c66516977c657fdc9cd6d3e9697e2f9454acdc20d3eca88542238222752f550c55503682d1d036ef702696fed326a6c9152917b31a43477931ac2879 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\roqwnfmf.dat
| MD5 | 9c6922f01aa1b9c595a5800d9af41e92 |
| SHA1 | 135a94d51b1b818319e35132f3dee3fd70c0d401 |
| SHA256 | 367fdf18a6a5f193f9a9c38acc5a154b33d7372b868add997e912449b28bc22d |
| SHA512 | 5c941ce2da8f57a0115bf98bf38d6a62688cbfc1970ae9ffa55801de9e05934d465c8cf079b3b2e5ec9f84465194dd85cf3d17f02771ef43346fc00e64cbbe68 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rldhm.pdf
| MD5 | 976e46ae2b703fc8693fe13ec2ccb752 |
| SHA1 | ec7245488a7c844ee829627c1289c62361f215bc |
| SHA256 | 7c71c2ff4869230355138e445d96f892d30a71fef346dbf1d2607315828353ed |
| SHA512 | d25ba5e4b41020b6255a9b19cb07786e584dd9a2e231a6d06533c1a7fae31ffeb5ba4be9fbe8ea03aacec4a8f3721611a1bf13be2f0662e5a62471746f2fd09d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\peauqq.docx
| MD5 | d11c4e5e6ade3320daa901652a64855b |
| SHA1 | 9c608291994144d3d90a92aff8055d6ab2b414c5 |
| SHA256 | 05716bd97f70d96b2a1d8ad10c4a791020daa91e639dee0422d2030169288a51 |
| SHA512 | bd222a7ec2a54ec11368d36efc313c23e1000c8ecff2592b2eedf2a36be4213d941e7eb2113bd3437641d0f4f7602a62cfc4e543306a5e6812e7948408522400 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pcxvnjlu.exe
| MD5 | 6c9a83c77562620b653f4836ab6126dc |
| SHA1 | cb5cc673b728f6e9a60de4a1e0d9e6c834324c8f |
| SHA256 | 693612ba1d2854746f60c97a0135761c29ab479cee41b8570ee163a7dbb36576 |
| SHA512 | 40d6dc4aca80bb9806cd377d9d338f5ede671de73ffa881646f542e86f03a24d1f470b813b24bb281630c5e9e075a1123b384080fc5d1cc0b7731ecdd8656f47 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 59d582e833b772d14643c563cedb52a7 |
| SHA1 | 230d1314d36f7e065559191a87117263ee29e407 |
| SHA256 | e55fea58505f2f3bd6fc9184d4cdd396bb83d856e00513b15ae83bc4a919177a |
| SHA512 | 18abe1acf9650fb0e207b6b55f8a979eb38c1802778209ae92fd96ced6001003a395e47f8fd9571a37c1b4e49c81a68fb9dafec416400167a6a5e9e30e12a905 |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/992-239-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/992-238-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-246-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-244-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-242-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-240-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-247-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-248-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-249-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-250-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-255-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-256-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-257-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-258-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-259-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-260-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-261-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-262-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-263-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-264-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-265-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-266-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
memory/992-267-0x0000000000EF0000-0x0000000001EF0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-12 18:48
Reported
2024-07-12 18:51
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\cchn\\FHVNLE~1.EXE c:\\cchn\\ncjehr.icm" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\MUJ\logs.dat | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1904 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe
"C:\Users\Admin\AppData\Local\Temp\cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c fhvnleke.dat ncjehr.icm
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
fhvnleke.dat ncjehr.icm
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 30 /tn WindowsRepaire /tr "c:\cchn\FHVNLE~1.EXE c:\cchn\ncjehr.icm"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 75.127.7.188:2404 | | tcp |
| US | 8.8.8.8:53 | 188.7.127.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 75.127.7.188:2404 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 75.127.7.188:2404 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tckc.vbe
| MD5 | 95a4c0c1755c731cb1175e9b0139702c |
| SHA1 | db9ae17cf73c51ed43ed1b57cae96a5f837633ed |
| SHA256 | 7419a058ffe3a840555d3aa05b3f7520b5dbb9f6a2e81493e17d8868a9bde5dc |
| SHA512 | 5a698c0e0912635e180338e2a9314fc5f6788996e4bc6476cbdd62a7e3b008d3ff8b1588acd8ec9390aa00e6544b81ac19f5976467bcc0dd3589ea4cb676c409 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fhvnleke.dat
| MD5 | 31db1d81c80c66640b773c535cdfa762 |
| SHA1 | 9cfffe3e21ab746e18db1447bf339d1af2118570 |
| SHA256 | 7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211 |
| SHA512 | c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xkurnq.msc
| MD5 | 1633f32568e3bde537bba6dd99671ceb |
| SHA1 | 97aceb61c2952dae60ec37186be2888db3e031a7 |
| SHA256 | 10b680536b0109746d03127b9d6894282f773a0d5a82578f7b1455943cb28ce7 |
| SHA512 | f198ef173246445d1ba6d28c65d2b979f20eec6ee869715fe1a4de6823c93ba7a10c1ffa66b5182ca1a93a5b04f7e75c1146666263aeeaae97da43eb9c906a46 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\foshgpdw.pdf
| MD5 | e7135d10d102e4c8325c21ee85f04e9c |
| SHA1 | a9c53ac5887e4944de235b962c162253434f0a9b |
| SHA256 | cb04bf39ffe4ecb053e550a69f61b123c525d69eed9a332e0519cfd40bcad749 |
| SHA512 | c9a15bfbf142972e29299360f814269be33185d269c3b361af52d14daa2b47d762486753c1b011f85ce2a3576bb751feab4ee0c70092dbb25248b7fc55641fe6 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fjvvkggf.dll
| MD5 | ae6c81318c935f5f2686d77127b36ffb |
| SHA1 | 09e6b467d2d85480d4e71368b18c7b61bcfb1edf |
| SHA256 | 2659700b56e78ea7ccde71822f140776d9b6b76bffac44a1dc3cf1b1957a3ecc |
| SHA512 | 8d46b0a42730931d86cd1a7f60dbeda615cc2c44b18ee041981d949762f09c5de7a8194a8a9b557c206943f5aaab5ec600b9d6ca6deb149d1e2d632117b8f62a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clkodnsw.txt
| MD5 | fe17ec9b0ddcf4b1b9ed816909fab4b3 |
| SHA1 | 01548306eca2a55b2e209dfbd9229a96a7d77837 |
| SHA256 | 56d2c0a423d0e25c366401f67b5b363699b06561f7de51dcfc86181f3fdd571c |
| SHA512 | 082935074c4b3819faab75c811791621c0d3bf14785d2d7d3c08f04bdabf12012b1ac7f2c51ae529f2a09afb0d0dd8e1211934491b4086285608c6511f991acd |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\atjl.mp2
| MD5 | d6349b47a7d1853aef2021247111e4ce |
| SHA1 | 7de49d41b73f2110f16de90c6cc4adb78c3ecff7 |
| SHA256 | 0b653b877eb55386f30313107489de7f15090e51589afaf7e5504e11d3269329 |
| SHA512 | 8cc6a5acd15ab747406366f6c0127e158e10ae7687352c25b4c5de53077f0d658263054915a843a75ba40497e97edc6616030b4dd05e14ab7afa935356e90762 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\navdn.jpg
| MD5 | d481f50cac12130673df83534e7ec743 |
| SHA1 | e255c5d9bf9545466dcd448bc3e2bfd018caf4d6 |
| SHA256 | c097a0919eb4b37348f8ea42bae1dd0bde9ae879402a170a668bb78ca8fe262d |
| SHA512 | cf70a6941f764205aee926fb7edadf0f8b41f63d4fcd2b5a20e8042294a7d00371abd7e50f85dc237802cb51292ee144bc61c0f308ce4ca3c4ff4ee1884a780e |
memory/3892-108-0x0000000002630000-0x0000000002666000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msxm.mp3
| MD5 | c203df8c58dcc521ff1a5959033a896c |
| SHA1 | 5e34d499a60594c50c9dba5f88e981306a02cac8 |
| SHA256 | 8b9dba34f2c45187b68842a547f710f019045adee53236a40ed7b74e88a80d59 |
| SHA512 | 034e45d51e51d95022d1468d0211fd9a7559fd14eefb5c70857f97ab9331678fd51fa9c3200481949948552dceb1c77b8e81404418da1a3e45532893fa0ee509 |
memory/2400-109-0x0000000004C10000-0x0000000005238000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mspa.msc
| MD5 | fe1daa6d203273dd57d3b71fb34e62c4 |
| SHA1 | 80f58b75db83ffbb39ebc1f508eab3d2248c2581 |
| SHA256 | 6812e247cc4997dc3210c250c560e67c08bfbc591a45cc7b523f042d82a3a66b |
| SHA512 | d405ce7b934899ac8d87fa2f60fdbe17d9406c96e55ce2278d3aeb8a6adeedf80cf1eb75e16df08102731d61139562ffc1479c2c46260449baf3e54b62d97635 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lawlraea.jpg
| MD5 | 0ea283e51a26ebee9b5b0ce3501a0f78 |
| SHA1 | fe521bec054a4558cfa57b0957a8f443c4bc89b8 |
| SHA256 | 1ddc3c1bbbb3d7555af19b1adcbef741e8a2405c0aaaa7facb1f70ed25501de6 |
| SHA512 | 18bbf40136dcf4d24125e7c540d715195eaffeed892e880d880cdebf74124c2bc4fcd9daf517f3d6eba4e7131e88cff64fd4d039dbe6b2989a2ff78c4db627c6 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\peauqq.docx
| MD5 | d11c4e5e6ade3320daa901652a64855b |
| SHA1 | 9c608291994144d3d90a92aff8055d6ab2b414c5 |
| SHA256 | 05716bd97f70d96b2a1d8ad10c4a791020daa91e639dee0422d2030169288a51 |
| SHA512 | bd222a7ec2a54ec11368d36efc313c23e1000c8ecff2592b2eedf2a36be4213d941e7eb2113bd3437641d0f4f7602a62cfc4e543306a5e6812e7948408522400 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pcxvnjlu.exe
| MD5 | 6c9a83c77562620b653f4836ab6126dc |
| SHA1 | cb5cc673b728f6e9a60de4a1e0d9e6c834324c8f |
| SHA256 | 693612ba1d2854746f60c97a0135761c29ab479cee41b8570ee163a7dbb36576 |
| SHA512 | 40d6dc4aca80bb9806cd377d9d338f5ede671de73ffa881646f542e86f03a24d1f470b813b24bb281630c5e9e075a1123b384080fc5d1cc0b7731ecdd8656f47 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toafuvgmcu.txt
| MD5 | b1e6cacd5466cf31ac951174d70b65ed |
| SHA1 | ab67c8977319316e3b37ab3cc02aa414ff1ffe97 |
| SHA256 | 614828ba79c603e81e853d285147023591d8c31bb4cf132d37cbd860f5aa5d43 |
| SHA512 | 5215af4f4a7fede74e0f8620b287d2506af72d080ee30c6c61220b54eb8ce323fb2f6cc3d718a91c5c6d34d92f357e51a40647af417a1fd7a50b754faf8a6cb3 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wqhswhin.pdf
| MD5 | 60a86df180b60fe4c9345c495dabc1de |
| SHA1 | ec012087ee69fe04169270f1144ba89d243a0195 |
| SHA256 | 2936720b255a930cf63e6772e73dee254cda0fb6a3c396b699d4ad495378e5b9 |
| SHA512 | 4b197d8b2e245eb9786356dfca37e464237a565afed9b0317c71305121b962dfbd6060d484531656563f97ec90a75cb7785b741d222c3eb1688e2c9b5719e45d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxwrjjkj.dat
| MD5 | e411d1e00aa8304add2744e2b3b03eaa |
| SHA1 | c6e68e4cff15d70a9db1e26720ad45f3dc4e7d82 |
| SHA256 | 4b3c8816f5c634be27bb37247ca614b886c8a0d563093c22aced3b32c19ba728 |
| SHA512 | 0102902a2e47b9fe5d7f1b36547589406127d52e547980353d885b366cf47800c0bd4ab1bf4f94cc490f07a65ad2d3ebaa073dc031fd91992bfa6b82bc4e5f2d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxbqmg.jpg
| MD5 | 12f7ad173f9c2bc52fbb0be142f4971f |
| SHA1 | 6b83d523dd2a17620aca2f44723999ed39e27ffe |
| SHA256 | 2c4a9138cabc51873812fb663b1b86c2d2bdd2a69558cd03d5bf896b4ebbc973 |
| SHA512 | 854970a446594f932a2a021406de294f738be3baf984add2ce095b868fd27a664d579d17c9f904314aecdf8f247e9f2c6184414e186de9ec603bb4d3dccf5915 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xnul.ppt
| MD5 | 364ca7b798b58524adf7ceac90967434 |
| SHA1 | c541fb4a61bb3420fbea6dbb27a2546e62d80d83 |
| SHA256 | 3dba637b888d739ddd2bdb4c1363d1630517e1395514dc3349a1ed6d25548d80 |
| SHA512 | 067a6ee4031eacb425657c1e3ce688e0be12ed44097f67e2126c6da42603b090beedd18a78090d195d30538069e23e53940618f18da5635b7715a35dfc13df31 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xkurnq.msc
| MD5 | faa2749611de93321011355f75ced356 |
| SHA1 | 572b290782a0e604758e9511c3725192a696c7a3 |
| SHA256 | 1f000264821a46020be193ea0c57ef929c5f1fa198202449926de417502354fc |
| SHA512 | 22a2cd9e0f37ecbae70bcfc1bcfb9bb9bedcf866530a50463b42df5f13b0ad08a7c5e57cfe227686559ac474adc2d2711f6971b37bf47d5486c0bf441a23aae1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wsssookr.hem
| MD5 | 56c1b41b3322dd4018d24f1e38d6b126 |
| SHA1 | ec063537db26e581b1a6ec632f83fa3686b832c5 |
| SHA256 | d6459e8b70a13dfc105eabfbc5512c60dc85f8f63207b2f4e451980aa3a44b4b |
| SHA512 | c7d1482ae63a21924234e88436e1f24ba26604b74b23c53728e57356799254affb26656772a1b3e90e1801a17096d963baf3f1bee137d5fe518deffcd8e68cd2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wiholsrnv.xl
| MD5 | e63e624e580570f42405239a7431e1f9 |
| SHA1 | 1a6cf95f8c7704f7b48268efd337e0ebaeb44821 |
| SHA256 | 08519611ecc95be2e68a746a3aa8a333bfb5c3a7e1b3dc611fdb65b732af2d37 |
| SHA512 | e79a3b20c33b4f9eb3a60b31d33d8f393d633be4fce715bfd4de06012af6ea7479a00fe22bd89222dffe0d7dc2963e498547dbf44f5ca6d5dccfc3e430c23dd3 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sxdhjeq.msc
| MD5 | 66eb9113d939530be9abe06b8d46edaa |
| SHA1 | 2d60c01ba8eb080b8dbd9fe6694727da1db21a9a |
| SHA256 | 5b7609ba739729b94486274f866be66ecd21de47bd56614e23593b3f54e02ff4 |
| SHA512 | 9b2b6125c1311c27cf898c2e4a01eb36979e15cb330ac4a857c352b3952a51a8f47be9c6ec8114d71ae083c07145e58541c9eeef13ecd20eb8bbdfe2fe0881ff |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soktlaq.msc
| MD5 | d22c26946baeef2ec95cdae7497bad66 |
| SHA1 | 538779f3e21d10e5c874713a02985f871b8a3637 |
| SHA256 | 3e32f48ab7ce46785a2ff2fae2dadc6084a32f62965c4fc3f712b0d781d6ee1a |
| SHA512 | 5c7068d5c66516977c657fdc9cd6d3e9697e2f9454acdc20d3eca88542238222752f550c55503682d1d036ef702696fed326a6c9152917b31a43477931ac2879 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\roqwnfmf.dat
| MD5 | 9c6922f01aa1b9c595a5800d9af41e92 |
| SHA1 | 135a94d51b1b818319e35132f3dee3fd70c0d401 |
| SHA256 | 367fdf18a6a5f193f9a9c38acc5a154b33d7372b868add997e912449b28bc22d |
| SHA512 | 5c941ce2da8f57a0115bf98bf38d6a62688cbfc1970ae9ffa55801de9e05934d465c8cf079b3b2e5ec9f84465194dd85cf3d17f02771ef43346fc00e64cbbe68 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rldhm.pdf
| MD5 | 976e46ae2b703fc8693fe13ec2ccb752 |
| SHA1 | ec7245488a7c844ee829627c1289c62361f215bc |
| SHA256 | 7c71c2ff4869230355138e445d96f892d30a71fef346dbf1d2607315828353ed |
| SHA512 | d25ba5e4b41020b6255a9b19cb07786e584dd9a2e231a6d06533c1a7fae31ffeb5ba4be9fbe8ea03aacec4a8f3721611a1bf13be2f0662e5a62471746f2fd09d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oxqg.exe
| MD5 | 5e9707562e9a88352c732e9a6049d486 |
| SHA1 | e4593f2ad0795b6edda90d60f09a6fc481993e65 |
| SHA256 | 8ed8b5c171af40b35876c889ee07804de0d2c5d44f2a0755e151b39fc03b1cf2 |
| SHA512 | b0749ce0c5cafb706208525c5b81c291306139ffa1608d4c714c0344a6aaf7d217dea2c583d027f56dcfa5364814fd30e7a3899409d2c938b851fdde7652d078 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oiswfne.icm
| MD5 | ccfc02352a97fc37e2e8a7868a766a17 |
| SHA1 | 0971d1638faf9856340c7b276d3d80de18fe552f |
| SHA256 | 638f8a50aa09868ac19addbeb095ef3aa0e062d6dff78a89ee1605a5342016eb |
| SHA512 | b72a8c92eb51b6e05deebef90acd572ceaa6422894d898a162d68fcaee411a8bac780f8e60a74a5fccf31f1bc4db8680ce3863f8e4d9314118014440a26f3940 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kswn.xl
| MD5 | bb3af83d198af53d8e8865c4cf90a634 |
| SHA1 | 0a4c316542b0ac348b28bbd079e754aa68ce13bc |
| SHA256 | dcba54a098d1f6e337532205b849ab27b16401a73bd0f1c82f394333f94b8c32 |
| SHA512 | 226cfd639707da01b2e8fd81cd0b9dc16f107decdf91ea80f2845dbc69e39eec6107faa8ff88a3125185eb6aeb85402de4dc4c198e06e020ae89811e05aaffb2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hmsaf.3gp
| MD5 | d2ad3df96aa34af12040e7eb23e19602 |
| SHA1 | b0af79b8a50bcc572405dd500a8bb76315f136e8 |
| SHA256 | 8b42f41fa9dcb635a294d1692fa514d6f732ae6298816f9ada27a987329c22ba |
| SHA512 | a66295fdbc6a92c72a1d97aab91e5f9d8e9fe228e81bb5fa9271d44920975de5adf460b223b92eeb4cb02cd9c6f6e8e787f1cca508cb645a8071debdc04b1935 |
memory/408-179-0x00000000057F0000-0x0000000005812000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gjgoq.bmp
| MD5 | a021329fdd5956e6dca8fb89147e0d00 |
| SHA1 | 664c32ed8ee46ba01ba62996189b7c4cae84b377 |
| SHA256 | 568b93b08346a96b14d8b8b10e7834385359b1ce77353f6c411a5a6f4685fbe0 |
| SHA512 | 70ea6be254c2a5d051b90df8886af12fdaf433638c22dd1244ce2ed293a0b7ff63ffd5f8e214f3831b50a9e0acf41d831fadf915923e1573150c1a1847afbfa7 |
memory/408-181-0x0000000005900000-0x0000000005966000-memory.dmp
memory/2400-182-0x0000000005500000-0x0000000005854000-memory.dmp
memory/408-180-0x0000000005890000-0x00000000058F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaixlatqi.docx
| MD5 | 21ea8d814c36e64201c6e009bd6285ac |
| SHA1 | f39c8795f6d68b13f967820f8ee66bd385ef8d95 |
| SHA256 | a97c5ff9fbc31c7ddc409645bf091924daa06182d8370285d52cbe2eaf2d612e |
| SHA512 | a39ef08a6761cc4370661ff8770110237321467bfc9eddf6749f24d6aec4a3b5a62721023ac20cb3f258df460117147b63661d24d543df697708ecab56c807fe |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ftsxtpkuci.msc
| MD5 | c75006d243b6f10d50120f9a5f7b4ac0 |
| SHA1 | 47abf77308a99ff9f67aeee6070080e7fb2f5df7 |
| SHA256 | 8bd5d72f4c378fc7b185c4d355c5449c0e9e5b0a88d33449bfb6ac321e7fa6d4 |
| SHA512 | 3b844cd83ed2fff71debd865631f78a3f3f781cd58c419cac005829c93af42e31dc91b67c7901f691a47434f3094329577e9c619b091b4a5fa4c181e676f87d0 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_peuzslub.is2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1600-237-0x00000000063A0000-0x00000000063BE000-memory.dmp
memory/1600-238-0x0000000006960000-0x00000000069AC000-memory.dmp
memory/3892-266-0x000000006E740000-0x000000006E78C000-memory.dmp
memory/3892-265-0x0000000006DB0000-0x0000000006DE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/4664-294-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-301-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-300-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-297-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/3892-303-0x0000000006DF0000-0x0000000006E93000-memory.dmp
memory/3892-302-0x00000000061C0000-0x00000000061DE000-memory.dmp
memory/4664-296-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/3892-313-0x0000000007580000-0x0000000007BFA000-memory.dmp
memory/3892-314-0x0000000006F40000-0x0000000006F5A000-memory.dmp
memory/3892-315-0x0000000006FB0000-0x0000000006FBA000-memory.dmp
memory/3892-316-0x00000000071C0000-0x0000000007256000-memory.dmp
memory/4664-318-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-317-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-320-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/3892-319-0x0000000007140000-0x0000000007151000-memory.dmp
memory/4664-323-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4592-324-0x000000006E740000-0x000000006E78C000-memory.dmp
memory/1316-335-0x000000006E740000-0x000000006E78C000-memory.dmp
memory/3892-334-0x0000000007190000-0x000000000719E000-memory.dmp
memory/3892-345-0x00000000071A0000-0x00000000071B4000-memory.dmp
memory/2740-346-0x000000006E740000-0x000000006E78C000-memory.dmp
memory/3068-356-0x000000006E740000-0x000000006E78C000-memory.dmp
memory/1980-367-0x000000006E740000-0x000000006E78C000-memory.dmp
memory/3892-366-0x00000000072A0000-0x00000000072BA000-memory.dmp
memory/3892-377-0x0000000007280000-0x0000000007288000-memory.dmp
memory/1316-381-0x00000000078B0000-0x00000000078C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e0949569ba7a0eed0fb8803cd8c7c8fe |
| SHA1 | 5f1e1a2de52f5168f1f168ea1943d1f05b1c5ccb |
| SHA256 | 3b8325fb38df29f6d8b8d9acc6e31b504e725e38b142461ab67d9a9111444060 |
| SHA512 | 345117d3f6048742f5d9417b6fcb13e0de56a51c57a8d643ab562fd31396dd25e69511cc80c69def0f2313972cfe07ed01ad13f8134ce09dff17cb8d96ad8d71 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 92d22f7c65117dda8f271c3b298a4e64 |
| SHA1 | c7b5c22098e769bc5bceb8cc44be7402ed330df9 |
| SHA256 | 7e45d768663e7652a06f85b18df8c66490bb1a782642e2c58630bffbafadb7ab |
| SHA512 | 58f7648e797d7c05e94dc840dd09f255bb4e35d71aa49164651da84bcfb94102a6afe065c035fce759d97a2148d522301cdee30a78ef91f64a04f26b09ff8494 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 71b90cab8bcbe2970084b053653498af |
| SHA1 | 590f900c791f190385e3149234455a4b8bb8537a |
| SHA256 | d127bf22d2d51ee49536c298231f096afc685441031d24f37f662c2f86b76759 |
| SHA512 | f6cbfab03955499ea5fbb620c257f06a41516ae866b1e0eee6a7e62b990f69572a1f9b93f557bad8371f4706d80b31cc7a023d343e12ae78a98462f02326be72 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4943364cee6001897ba087435055c17e |
| SHA1 | c2dd045b2df08eb772f74a45c2397647e4c471d3 |
| SHA256 | d1c4eb3086f4db40c3ae74443198ae063755de3b7dd46b8c8a084ee4521a7905 |
| SHA512 | 942d8df5668d7ec0f62c46aae9e0a621c1e26c44d1166591a3f82ae37e6bf2109b4afca2ac42058fe1d6779ee4bc909819851daed2a692958d5b616f7f44103f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 44db4c0f55eed364c3a4a4371274e074 |
| SHA1 | ec9cb0e6a6efbf095949f2da30bc898a6dc92c86 |
| SHA256 | 286f494d1c1f5e51143f0b8eb655080c18202b997ed993525b92404eee96d566 |
| SHA512 | 2e57c19620d71cd4894adc24f6ea5a4b67725fd60637095dfda2da3eca63f3ca720aebb89cbd6be1677c750a91c1dfdd56e60815518ec443be584092e58d4d25 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6a2340c9f493862b167a1279fa1c9f66 |
| SHA1 | 9f70b7247e874834c109994f1fe6905b181944f4 |
| SHA256 | e72d68f050243864f3d67f32bb54a2148a769bed6d926cde7e76bfa0f94aeffa |
| SHA512 | b126bdd6d6aa1b1adefb54ec70906fe7f75e44312e72042be8546b46e0c9ecd33a47aea691e511e611cdee7ec40703b0ff01344973588de2b9c131e16431449f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f67d80707c3af7e0972d7e41805a1829 |
| SHA1 | 840f999511c018aa237260ea0fb66e1a6b160f3a |
| SHA256 | ecddaa32813a0a09d1dd22dc9b298aaacdc1c8c0fd4e75c55972d2ebd54f57a9 |
| SHA512 | a1dbae690bb09e741404b7415e59000fa7cb599beb9cb6dddee663a361d905534927065a9529d67e3b40cfd61677d035e5d62dc41c407193f602ce4115424f5e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6f4db18aad49c1127c267aee6665b42 |
| SHA1 | f957500bfdaebd12149b759aa610395c0cb98e56 |
| SHA256 | 5c4fa192a47b41e7169f1ee39ab318acd727b9f1752ced0bbd9da886f3c9766a |
| SHA512 | 319faa2b9c036bd9abfcaac99838239fd2bb46e4f81d102d4d9b06ea5b96d2e53edbc6e8d38c0c2eb8fb4b277a29a956026556bec708b1066bc28b709580ec32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1152fed10e8e8ad8cf11348008c27ad8 |
| SHA1 | 24fb1d41e8c0d849c59b6dabc5729d07a891e50e |
| SHA256 | 37de3ebf9654410f5ced06047818072c79523258286d3d635abac6d975ff5cf7 |
| SHA512 | 5b132de6b9da6586f1d59b46e86912ee29c371db6235451575021d1ef344c8c3e35200647943debea86766d72a8bba0158b4a95a4701136639414f8f33f54e88 |
memory/4664-403-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-404-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-405-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-406-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-407-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-408-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-409-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-410-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-413-0x0000000000B00000-0x0000000001B00000-memory.dmp
memory/4664-414-0x0000000000B00000-0x0000000001B00000-memory.dmp
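The listing above is the report's inventory of dropped files (path plus MD5/SHA1/SHA256/SHA512 rows) and memory-dump regions named `memory/<pid>-<index>-<start>-<end>-memory.dmp`. As an added example, not part of the sandbox report and not Triage tooling, the Python below parses entries in exactly that layout into a digest lookup table, validates that each recorded digest has the hex length its algorithm requires, and computes the size of each dumped region per process. The constructed sample input is a handful of lines copied from the report; every function name is an assumption made for this example.

```python
import re
from dataclasses import dataclass

# Expected hex-digest lengths for the algorithms the report lists.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# '| SHA256 | <hex> |' table rows and 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' lines.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: lines copied verbatim from the report's file list.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pcxvnjlu.exe
| MD5 | 6c9a83c77562620b653f4836ab6126dc |
| SHA1 | cb5cc673b728f6e9a60de4a1e0d9e6c834324c8f |
| SHA256 | 693612ba1d2854746f60c97a0135761c29ab479cee41b8570ee163a7dbb36576 |
memory/4664-294-0x0000000000B00000-0x0000000001B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
memory/3892-303-0x0000000006DF0000-0x0000000006E93000-memory.dmp
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict  # algorithm name -> lowercase hex digest


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        # Size of the dumped address range, not the size of any file on disk.
        return self.end - self.start


def parse_report(text):
    """A path line opens a new DroppedFile; hash rows that follow attach to it.
    The same path may appear several times with different digests (as the
    StartupProfileData-NonInteractive entries do), so entries are kept as a list."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = DUMP_LINE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(idx), int(start, 16), int(end, 16)))
            continue
        if not line.startswith("|"):
            current = DroppedFile(line, {})
            files.append(current)
    return files, dumps


def validate_hashes(files):
    """Return (path, algo, message) for every digest of the wrong length."""
    problems = []
    for f in files:
        for algo, digest in f.hashes.items():
            want = DIGEST_LEN[algo]
            if len(digest) != want:
                problems.append((f.path, algo, f"expected {want} hex chars, got {len(digest)}"))
    return problems


def lookup(files, digest):
    """Paths whose recorded digest (any algorithm) equals `digest`, case-insensitively."""
    d = digest.strip().lower()
    return [f.path for f in files if d in f.hashes.values()]


def dump_sizes_by_pid(dumps):
    """Map pid -> list of dumped region sizes in bytes, in report order."""
    out = {}
    for d in dumps:
        out.setdefault(d.pid, []).append(d.size)
    return out


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    print(f"{len(files)} dropped files, {len(dumps)} memory dumps, problems: {validate_hashes(files)}")
    for pid, sizes in dump_sizes_by_pid(dumps).items():
        print(pid, [hex(s) for s in sizes])
```

Run against the full listing, the PID 4664 entries all resolve to the same 0xB00000-0x1B00000 range (16 MiB) dumped repeatedly at successive indices, which is the pattern to expect from a process whose memory was rewritten by the injecting parent; the per-PID sizes are address-range sizes only and say nothing about what the dump contains.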