Malware Analysis Report

2024-11-15 06:02

Sample ID 240928-17mvraydmk
Target 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350
SHA256 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350
Tags
rhadamanthys discovery persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350

Threat Level: Known bad

The file 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350 was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery persistence stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-28 22:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-28 22:17

Reported

2024-09-28 22:20

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1344 created 1216 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\Explorer.EXE

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\QWLVPM~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\tnlupe.mp3" C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2712 set thread context of 1344 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dialer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe C:\Windows\SysWOW64\WScript.exe
PID 2416 wrote to memory of 3052 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2340 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2340 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
PID 2416 wrote to memory of 1080 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2712 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1344 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe

"C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3

qwlvpmrupf.mp3 tnlupe.mp3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uraspfn.bin
C:\Users\Admin\AppData\Local\Temp\RarSFX0\anxv.ppt
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bvtesegdgq.3gp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crbvulcpak.msc
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iutol.das
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jmfhuve.bin
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jwphnktqhh.xl
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ldrtopp.msc
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ltmdgplto.3gp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nbmn.lmk
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nhjdnx.3gp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opioxoqv.bmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qbjid.xls
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlgigdt.xls
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlmgqepgjl.xls
C:\Users\Admin\AppData\Local\Temp\RarSFX0\srnkdleah.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wbaxv.jpg
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xddkunhuro.msc
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-28 22:17

Reported

2024-09-28 22:20

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

132s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4760 created 2608 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\system32\sihost.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\QWLVPM~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\tnlupe.mp3" C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2124 set thread context of 4760 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3656 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe C:\Windows\SysWOW64\WScript.exe
PID 992 wrote to memory of 1336 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 3988 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3988 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
PID 992 wrote to memory of 840 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2124 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4760 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\openwith.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe

"C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3

qwlvpmrupf.mp3 tnlupe.mp3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe

MD5 be932d231ef60dcf6ad6c579873b550c
SHA1 ca37ae517c7d341e008cbd71beab29aca839002c
SHA256 d47ed1047e043162e221d1a21b5e19d8a24641442bcb17c6c8a51f9456998751
SHA512 21385ada5436112899aaa4651a6d561499735e6e59674258c9de6b38a50e671276ae9e8b5c7f70e60321cf41846ae34e299d179fbf6226027d9a9c99751ad09b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3

MD5 0adb9b817f1df7807576c2d7068dd931
SHA1 4a1b94a9a5113106f40cd8ea724703734d15f118
SHA256 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uraspfn.bin

MD5 f1d3c3dae4987deb8f2b79c08da81b67
SHA1 f5809aebc70a2f23c8ee6b466b5293199545bcf4
SHA256 fd491ea65d887c3f3fc2aac3197280e4135c8f571b7d6df63212097783254ea5
SHA512 e552d8114e09ab7655e7fcb1549e1f18b3027558024a0e565a1261f7f075e56ce40b37fe70893875da75ca298bf174940756b91ffbf8e991b13bc02da3d4c00c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bvtesegdgq.3gp

MD5 c3a02fe4f358078606a02b7d8c069957
SHA1 4cb6fc80ac829fcdb8088cc95f6c109c719cfa5d
SHA256 d8abe1326e449ca4d9c330a900ce393ee32101793d91e7f556d0c87e77adba0c
SHA512 c016ded65e5a728e3eff1e66ae913ff81677b197b4c809a9f9e509304dc2747a581597760b0d4b79e60c03647dc3569cae21c413152c6e4af8b4dede10e8bb9d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\anxv.ppt

MD5 d391f8b614a342cff9fcbf8f4e41c934
SHA1 fc045f44973b9000f63808abd1e59c66ed6755b7
SHA256 36568784a413d46056fac31e259c41f4429f08b1564a72ceb777cc80a0aa9f1c
SHA512 e446d6f17e9765ac260f4bd429ffe901c47c46fdfdefba25269a33e570e98b24469b529b815322e1d17ae3b4589ecf5561519d39d3ad65fd164aa8fca50e62ad

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jmfhuve.bin

MD5 73cdc398766b26d5b3fc2a732b633e80
SHA1 4e8178167362c791d19b8dd90284751e6294c041
SHA256 d078345688738bc731ee73004ac6ad2670cfd6343b570fa5b7c0ab7ad30f0b48
SHA512 ab55cecf628450ee0e07591c8a6b7e1ebd6f1e1ff0c3184a14bf297c64153c8507b331a391020a5068d7c23cb55e73125e7582d204ce6f5c1e26f3ee3cd32705

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iutol.das

MD5 8344337d8607eef8ba26fc751f8e0122
SHA1 2ab2afce50e3553637aec0b5a65aa2e72d0ce51a
SHA256 ecb2d582d697d033a5e5bd06387df5725af74707c0e4b596d564be2bdb1221a7
SHA512 da3cab35922c97d3d03c073f51915792278919775c9690ad95a8bd7143cd45a5b0fcbb5216ed53dfc3eee1265bb91ddcdd875699ab23b3d95fccc991190caf2b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crbvulcpak.msc

MD5 83ca8d8bac38af12453f9d9ff1d02916
SHA1 dcc6e7ab9858eb9ff63f4cd2dd7e9b84ec694a22
SHA256 58412d427987a11c362fc7d921804f58277c3a5e4ea7ce98d4dc260e9aeb6302
SHA512 1bf89f1196b9c41e5781f118ce657aec2194d48b0c4d15672a55093778c660e609626a9e5ea5336064590a9bd21f8fa1d9cf6f6435e866a0facf50e438d5d3f0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\jwphnktqhh.xl

MD5 25b3d4f1279923fd4780981605bce9fb
SHA1 12257bd64a5ab12eafd4679bdbdf9bcf2903b160
SHA256 df4f76d702170095fa752d69f1ab793604e9dcce7adcad7c83fdae623f0c0093
SHA512 f3579a94ebabd59b055d7170e3f9fbaec7d645e3cbe0eff514413621fec6811fb07264e4a5048222e8a84bdeb671d7580989b7e2d6b8987795782b4c7c7e9920

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ldrtopp.msc

MD5 ac53ee172cc20f1bc979fd4710cbfa00
SHA1 5c83524e42270883ff05c434f3ab62ada8931f51
SHA256 774c4cc458e33020b29fa28fc91db540c86f55142d716ca1613da20670435198
SHA512 70df2bfe2300aae5bec804e7f0235c1b9601fc1447df84248b6eff030a4f36b908d00d089911d082c7ca10f7f9d30239b1414b754b32cb1adc8f8a5a7286341d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ltmdgplto.3gp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nbmn.lmk

C:\Users\Admin\AppData\Local\Temp\RarSFX0\nhjdnx.3gp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlmgqepgjl.xls

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlgigdt.xls

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qbjid.xls

C:\Users\Admin\AppData\Local\Temp\RarSFX0\opioxoqv.bmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\srnkdleah.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xddkunhuro.msc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wbaxv.jpg

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uraspfn.bin

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
