Malware Analysis Report

2024-12-07 22:13

Sample ID 240806-ytrwfaygkn
Target bf73a21ed17fb1c6f4adae074d0c18a1573e6d8f218f6f00314f30be7a65abe3
SHA256 bf73a21ed17fb1c6f4adae074d0c18a1573e6d8f218f6f00314f30be7a65abe3
Tags
remcos remotehost discovery persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bf73a21ed17fb1c6f4adae074d0c18a1573e6d8f218f6f00314f30be7a65abe3

Threat Level: Known bad

The file bf73a21ed17fb1c6f4adae074d0c18a1573e6d8f218f6f00314f30be7a65abe3 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery persistence rat

Remcos

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Gathers network information

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 20:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 20:04

Reported

2024-08-06 20:07

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\giwq\\MANONI~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\giwq\\DIELC~1.DOC" C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4280 set thread context of 3164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe C:\Windows\SysWOW64\WScript.exe
PID 2988 wrote to memory of 1360 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2268 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2268 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm
PID 4280 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 2988 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe

"C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\weuo.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c manon.icm dielc.docx

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm

manon.icm dielc.docx

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 b64c611.ddnss.eu udp
FR 194.59.31.54:3154 b64c611.ddnss.eu tcp
US 8.8.8.8:53 54.31.59.194.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\weuo.vbe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qmqxcturfd.bmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cimnqjmrcc.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cjbqmgn.xaa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\asbqap.msc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\efpckc.xls

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjufvipaxw.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fqak.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jxbjqiecl.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kfrpmbp.xl

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nslurwi.3gp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ngnpi.xls

C:\Users\Admin\AppData\Local\Temp\RarSFX0\meclmc.mp3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mbmx.mp3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\omnjmwbl.dat

C:\Users\Admin\AppData\Local\Temp\RarSFX0\onfv.pdf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\peikto.mp3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pbobe.msc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qmqxcturfd.bmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rkwujjevh.ppt

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rrgixdv.ppt

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwshkai.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\seat.docx

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slivsi.bin

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tdoodpfof.bmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uduu.docx

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vpnore.bin

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

C:\ProgramData\87y6trf\u8tus.dat

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 20:04

Reported

2024-08-06 20:07

Platform

win7-20240729-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\giwq\\MANONI~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\giwq\\DIELC~1.DOC" C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 448 set thread context of 2892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe C:\Windows\SysWOW64\WScript.exe
PID 2444 wrote to memory of 2944 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 328 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 328 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm
PID 2444 wrote to memory of 2376 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 448 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe

"C:\Users\Admin\AppData\Local\Temp\06f15416dae3c0176353df2ce939e41e3d29c6899ef842bd89c50adde8de9e06.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\weuo.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c manon.icm dielc.docx

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm

manon.icm dielc.docx

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 b64c611.ddnss.eu udp
FR 194.59.31.54:3154 b64c611.ddnss.eu tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\weuo.vbe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\manon.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qmqxcturfd.bmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\asbqap.msc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cimnqjmrcc.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cjbqmgn.xaa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\efpckc.xls

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fqak.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjufvipaxw.icm

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jxbjqiecl.icm

MD5 acf46e4f5ed37946a76f982aae1470a6
SHA1 cc50c1fb87f7d7d26acd3202b644b0ce4d9941fb
SHA256 c0c7191ada31abaf6a537363b9f9aedab643c6823ee13125e936b12ec8db27df
SHA512 728043d2b7846b8357f5f6a236e4607112eee0f07d3c2d93db4039707558e06564e1ea3eb49e22594279bf4c66937a805b05845fb1d9f0b8e23f59c2277f6c18

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kfrpmbp.xl

MD5 9fcd55436e6616a4b09bf7791977a104
SHA1 317c4ebc95cb646ed5a6e41706ca29d59fb79680
SHA256 ebc6df0b09b5e20e15b396caf7d3de423ce8fdbddcaaf3190a4d700a816c4903
SHA512 1b8debaa7fdda252a58ec8219e968f65da7498ed3a3e915819ee32ec6fda821d13affb5141366da3ff075fa503736a459adc3b67ca98fc296238c33e50b1cea9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mbmx.mp3

MD5 587d506811f8c2e6f2d13e0aca3c849f
SHA1 d694fcbf5684b88a24a91bd152122238908c24e0
SHA256 bbca1389349cd6579eee7174f1a6ff311c2392c552fc1b6120c52424963011ea
SHA512 80b0c62a8d606030b5c2bd4324418e656fc9f5748a74954c86d286a22b16d9d5ec9b735b53c6d73d2a20b9ba5002d51a512a7ae2b9bae00b2b02ff5bc0cc63ef

C:\Users\Admin\AppData\Local\Temp\RarSFX0\meclmc.mp3

MD5 c212df87d903afc759f15480d45e2946
SHA1 d22bf2f3860d0a872fef74885ece4b7092cde99e
SHA256 c6b5f346ed115ae89b3b5aa7e1afecc2c1f2552ebfe0345990578701a4bc0e9a
SHA512 41d543fdc41ea1fa855000bdf31163cbef079b5ab31a9a67b4d05f9001a33f91fcd12725fbd2ea0ef2b58b9d4e2db87cea26994fa8c31b6075c457e579bc60d1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ngnpi.xls

MD5 97fa369e2b81e4f29bb219addbad9219
SHA1 cd8484155230b57dfca75904136ff5b6db304924
SHA256 84e13274617cec8fc588a0362ad4f36344fdc6bc94f7b1a88ce0960367423d60
SHA512 118534d7ec6dc0dfe88db969d7b7d5a7d9828b9e3cec52464945fc88d31a95878a19ffec3b370eb3a1f5d0985c8c0610bda4f1ee43231123d8208168406d20a2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nslurwi.3gp

MD5 0df0fbd4c055883bac6b95b263889e4c
SHA1 89a81a589cec22a01373711f099bf04b311f186d
SHA256 4c917ec63257b3164b4f30c383085c4519869f5f5131347ab1bb8a09b773b867
SHA512 e6c8346b366d82f59ff061eafb696d4c1a1c46f993bfd8f9fa598f2a162884e4012f993eb25226da69f2f45fbd21e2c28d722690f1f84f1ff6e061b672089cd9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\omnjmwbl.dat

MD5 58e12df29854f23fbd3eff9873065e3e
SHA1 ddd67d1f77bb442cd633f91f114d936635513d50
SHA256 eb7d2963f367fd4321989c9ea04b67026e18d0d00e527aefbf6fc53938c78270
SHA512 4b49de8b599a5a22b78e9a89ff192e92282287a1f929e81777841cc1e0ea1bc254b34eb47aba66d7077d7447adabb8f67651d8578fdd6ea6d78ec512da8d2aa1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\onfv.pdf

MD5 5f086284a395a5e0931045760a91d67a
SHA1 ea475d4b96915cdf70d00647d47455550581b083
SHA256 bf37a3393e08479f5914335796caf53d334b749991c7c68e7458e42875f6d96a
SHA512 ea2f8b90e33faf85f0600ce315e11e8ecd59e0a0eb96ccd77aefa490b47c0076a5c4eb65ec2d6a27a839cb85157e1e43e148433009dbd3cfe2fef0adc653fd43

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pbobe.msc

MD5 c75cbbda199969beb06df22969c59ad8
SHA1 ef4d29c205ae42c123ec8f1c053b9568deee2f4c
SHA256 cc2de9a673d7a551bb978471c8aa3c05011017a4e9576ee35eda870a2ceecb3a
SHA512 f540cf258443f6467f353547071137c2e4001bc5b05e880431c7cf74039f64d9a1d7e5513aa35a8aa2d9399df348f56b18859709d0147ec2a122a00b7a86e5c7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\peikto.mp3

MD5 c588ef0b2d019b3e74196b3b1a33df73
SHA1 6ebb896a72d51f82bfbfba3f5ada98d332cbd6d8
SHA256 16d6215429fc44a7424bc39d88751627e590f4bb5743fca4427a3a01202bf4d3
SHA512 7d830c25074411150602c651b3e2db6527c91fe17fb93673920276fd72eb1e73cc55beae89108db18fe3abe35f7d682aac96431a72fc744314ba21836bc2adea

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qmqxcturfd.bmp

MD5 b707eb172a1d4fc226192e692c20054e
SHA1 1614f7e542adf8db5d3cbd26cc3c5c4a6c8fa08e
SHA256 b0979a7428f77eabf9f70d5de88b6c23d1459e3da2c4f1b436d5a13c426d2f89
SHA512 50ed270997bacf587126f0873ea8c75406744fb902bd26ace484c29cf82f581568976cc8d34f4004c84609c74514cd68c4eb722eb809031e755918a2bd0a22ad

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rkwujjevh.ppt

MD5 1a0b5d3a97bc8665da243d9660ddf45b
SHA1 fe5b382ec25c5142d5756ecaf9dbb71d722e2fbb
SHA256 8057f93bd07e1c649813fef78bbd0617445da020b4ff6117047723d5c3978f9a
SHA512 fa626c9b4e05ba9e720f9464d29fc7d934ddae4d6868262f015e38ea1909b747dc2da8db475bf240d9480f68ddd194c440c30cd595f6da96da2fc1338867d025

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rrgixdv.ppt

MD5 61e67e8590ad5c9db876607a2501237d
SHA1 27705a42100286f75861e50898870a8a7bff3511
SHA256 d033944d112e5316559d8c61a95614d6a14a71013f2108852c02ce339125b0c5
SHA512 1ca01b241caa86bfc1410f652c810ddadb4d158fa760006a7d5912c1c70831b2827a00be3b865422306a3852682eddebcb5caa8509ae05c8b52e23054dbef2dd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rwshkai.icm

MD5 876fd572f8bfbb02de3a73c37525860f
SHA1 ff8c7d972e432d28622e55352ca2798d3bc788da
SHA256 6e1172c995b5bb2c587937173c6cfb823505f7789c36f242b7571674c62e439e
SHA512 898e2219fc987e2fc14a760a67ea9ff56616c2ddcd5e2aa7292f62c1dfcc5b4958820f837b828144c8ce1392bb4cebac3a7cb0135ea2769dc3a4bf9b8799cd32

C:\Users\Admin\AppData\Local\Temp\RarSFX0\seat.docx

MD5 bd9ec5661723c85523db404292b243e2
SHA1 77d467c13a4d4816343b98873a58c1c7f8aba1c9
SHA256 cd0e3c58c462418b897c32f4b39f254d40e9d10bc9396aaa6f515179461a5985
SHA512 b75a75710679d3651ec1f4f1ed52722a8128d7d5ed096836a782d81261f6adc2e93150ca289d32978b6c8ed000fd32df0b49207d125d2e15eaf67fdc9d1ffc24

C:\Users\Admin\AppData\Local\Temp\RarSFX0\slivsi.bin

MD5 ebea5e4d48ea32163be8dcff9622c00f
SHA1 053f90f497b051df11053a12e144ac1baddc4050
SHA256 c76ddb35775ca2ec4b96458b1decef5ad32464f3dd7781f10d7105b71a68e894
SHA512 9f7c66f0bb9a5cbd1a37958820ce55f212ab700a1bb4165114cf29a53c62a10df493dd50ca980a1ca5bb8f6f5c8c21869f0eb136132977caad4404f10c1ac2a0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tdoodpfof.bmp

MD5 ac93d865a2295ab052c6b21777c64750
SHA1 20f497fb44fb356a0b333368171d2754108db9be
SHA256 ca0cc307b312013023f3b47dbe3012b927d5dda586ad5b3881a22728130edfe8
SHA512 2c7bd84534825e43e9b92a9ea0ba5eeaaa9e19975b522ab62d0a890e762b48b5cb47abb2e017c74df24ff75d369e5a4a498fd5784287fd344f68c51e3c91bdfb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uduu.docx

MD5 c5f03c203a6775b65915d44025709386
SHA1 b685af37b76c5fd57449c4dccbe65a154fdb5d9f
SHA256 05cd5cee94e3d4816522fb8ea731064cc2b83243fe68c8ebbd0e3c2bcbfc94f9
SHA512 cac00b540282cd47aeaeb01431ad237dff742536987163d16cacaeaf5cce0e6688397ca23a66980af3034012aaf6f855014b898de88c4cc0823237ffd687f007

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vpnore.bin

MD5 077fce0655f1824edddf6d1dbb2c0a2c
SHA1 e2a79748ba792a2f31b3b9382288bbd7d65f5f91
SHA256 04747d2c430f272bfa4def77041aa4ac4dc26e23d650977e6d56fa257338d7dc
SHA512 077d8ddea45b42c2332d2d0cc10685fb40ed03958f5ab2c6770b8d7530aaa065bf11e4e8af5cee7615c524ae1d236d7e0c3de2adc6819b9130937f68422024df

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/2892-165-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2892-169-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-168-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-172-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-166-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-163-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-173-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-175-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-176-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-177-0x0000000000310000-0x0000000001310000-memory.dmp

C:\ProgramData\87y6trf\u8tus.dat

MD5 86d583a7f593e92dfa2845e6e656fccc
SHA1 24d466ed25ecc8bcb08a93033ade028a9fb44c27
SHA256 672792f46e21e41da773a30dd36f17541810b72d96f7ac1c2ee654c31ceacb8d
SHA512 967baea3b597107579091acf6279e37c9ddf567b739cfb01dba1085fe52d85a6204943a8c1c39f6cfb8664b5ad006c3266e8ae02101e263ec8549d354d423e07

memory/2892-186-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-185-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-193-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-202-0x0000000000310000-0x0000000001310000-memory.dmp

memory/2892-201-0x0000000000310000-0x0000000001310000-memory.dmp