Analysis Overview
SHA256
944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821
Threat Level: Likely malicious
The file 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821 was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2023-10-11 20:00
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 20:00
Reported
2023-10-12 14:01
Platform
win10v2004-20230915-en
Max time kernel
208s
Max time network
231s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
"C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\dogspoofer\start.vbs"
C:\ProgramData\dogspoofer\dogspoofer.exe
"C:\ProgramData\dogspoofer\dogspoofer.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Fixer-obf.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
Files
C:\ProgramData\dogspoofer\start.vbs
C:\ProgramData\dogspoofer\dogspoofer.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycfgvewz.5ot.ps1
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 20:00
Reported
2023-10-12 13:57
Platform
win7-20230831-en
Max time kernel
77s
Max time network
117s
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svchost.exe | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A |
Detects Pyinstaller
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe
"C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\dogspoofer\start.vbs"
C:\ProgramData\dogspoofer\dogspoofer.exe
"C:\ProgramData\dogspoofer\dogspoofer.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Fixer-obf.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
"C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
"C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
\ProgramData\dogspoofer\dogspoofer.exe
C:\ProgramData\dogspoofer\start.vbs
C:\Windows\svchost.exe
C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp.bat
C:\Users\Admin\AppData\Local\Temp\fb49e848-6b19-4566-a421-80890ee88751\AgileDotNetRT64.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8642\python310.dll