Malware Analysis Report

2025-05-05 22:25

Sample ID 231011-yrd7kaab2t
Target 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821
SHA256 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821
Tags: agilenet evasion pyinstaller themida trojan
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821

Threat Level: Likely malicious

The file 944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821 was found to be: Likely malicious.

Malicious Activity Summary

Tags: agilenet evasion pyinstaller themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-11 20:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-11 20:00
Reported: 2023-10-12 14:01
Platform: win10v2004-20230915-en
Max time kernel: 208s
Max time network: 231s

Command Line

"C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2524 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\Windows\SysWOW64\WScript.exe
PID 2524 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\Windows\SysWOW64\WScript.exe
PID 2524 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\Windows\SysWOW64\WScript.exe
PID 2524 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\ProgramData\dogspoofer\dogspoofer.exe
PID 2524 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\ProgramData\dogspoofer\dogspoofer.exe
PID 2172 wrote to memory of 4952 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4952 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4952 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 4612 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 4612 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe

"C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\dogspoofer\start.vbs"

C:\ProgramData\dogspoofer\dogspoofer.exe

"C:\ProgramData\dogspoofer\dogspoofer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c Fixer-obf.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp

Files

C:\ProgramData\dogspoofer\start.vbs

MD5 352d6901cba440f85d84f13c24dfc302
SHA1 68d4be78fcaa36d4976aef75eed2b1d579684e08
SHA256 0633a17dceb02cc2052fb46846fc838e954d04cebf244121cecd29cdcf76aa91
SHA512 7f5b637dcf9cc453d335fb997f6aa761d16b1ef2f8fd934bc22c2d9c16ec90ec05ef8399b0982d5172b692ca85337c72433eff7847ad6c15a187c6c1e00d2308

C:\ProgramData\dogspoofer\dogspoofer.exe

MD5 82f84cc34f16c05b67812823777a72de
SHA1 74594ba6fefcd3f9690d4852732ecb7e6619bff7
SHA256 94e44e3431588237ad4f60c72e7ad0e1b3b33e25c1ddccae40c9b5e281889a86
SHA512 fcea05d26679288de651a12ff6f2e3c00f73a3ab3203b63c4b93bad11dcbb272c5476a2769eee7b351ddd32b05404b7bc11783ef1edbc97691bc9e91c0be3183

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycfgvewz.5ot.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-11 20:00
Reported: 2023-10-12 13:57
Platform: win7-20230831-en
Max time kernel: 77s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\svchost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\svchost.exe | N/A

Obfuscated with Agile.Net obfuscator

Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Themida packer

Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost.exe | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A
File opened for modification | C:\Windows\svchost.exe | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A

Detects Pyinstaller

Tags: pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1796 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\Windows\SysWOW64\WScript.exe
PID 1796 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\Windows\SysWOW64\WScript.exe
PID 1796 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\Windows\SysWOW64\WScript.exe
PID 1796 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\Windows\SysWOW64\WScript.exe
PID 1796 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\ProgramData\dogspoofer\dogspoofer.exe
PID 1796 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\ProgramData\dogspoofer\dogspoofer.exe
PID 1796 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\ProgramData\dogspoofer\dogspoofer.exe
PID 1796 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe | C:\ProgramData\dogspoofer\dogspoofer.exe
PID 2120 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2716 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2716 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2716 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2240 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\svchost.exe
PID 2660 wrote to memory of 2240 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\svchost.exe
PID 2660 wrote to memory of 2240 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\svchost.exe
PID 2660 wrote to memory of 864 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
PID 2660 wrote to memory of 864 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
PID 2660 wrote to memory of 864 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
PID 2660 wrote to memory of 700 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 700 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 700 | N/A | C:\ProgramData\dogspoofer\dogspoofer.exe | C:\Windows\system32\cmd.exe
PID 864 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
PID 864 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
PID 864 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe | C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe
PID 700 wrote to memory of 1528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 700 wrote to memory of 1528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 700 wrote to memory of 1528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe

"C:\Users\Admin\AppData\Local\Temp\944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\dogspoofer\start.vbs"

C:\ProgramData\dogspoofer\dogspoofer.exe

"C:\ProgramData\dogspoofer\dogspoofer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c Fixer-obf.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe

"C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe

"C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

\ProgramData\dogspoofer\dogspoofer.exe

MD5 82f84cc34f16c05b67812823777a72de
SHA1 74594ba6fefcd3f9690d4852732ecb7e6619bff7
SHA256 94e44e3431588237ad4f60c72e7ad0e1b3b33e25c1ddccae40c9b5e281889a86
SHA512 fcea05d26679288de651a12ff6f2e3c00f73a3ab3203b63c4b93bad11dcbb272c5476a2769eee7b351ddd32b05404b7bc11783ef1edbc97691bc9e91c0be3183

C:\ProgramData\dogspoofer\start.vbs

MD5 352d6901cba440f85d84f13c24dfc302
SHA1 68d4be78fcaa36d4976aef75eed2b1d579684e08
SHA256 0633a17dceb02cc2052fb46846fc838e954d04cebf244121cecd29cdcf76aa91
SHA512 7f5b637dcf9cc453d335fb997f6aa761d16b1ef2f8fd934bc22c2d9c16ec90ec05ef8399b0982d5172b692ca85337c72433eff7847ad6c15a187c6c1e00d2308

C:\Windows\svchost.exe

MD5 b6ad80e1f76cc416cb10abad3d28993b
SHA1 0006bf448e403858a37a760c9c76634c2f8b90ac
SHA256 521e27b8da9701ebd1c3391f4c150a3829d84febd1930a45a45f6743ca39fb88
SHA512 ad34c09b378d2172200a7a18fa5a20d8c4b4760c20b7ed96cf08900d6376a9057f0715c188a3e2205a2f53518d028f772caaad5d01c01ea9d19b91e005a285c9

C:\Users\Admin\AppData\Local\Temp\dogspoofer.exe

MD5 5c53f19c749a497ab5bcbe6212c4ad32
SHA1 f6d637d48f29f147fc36079c13307a328316aebe
SHA256 13d00d25d67b38895587ece29f4db7ae51fc3142ad3d77b6b603b7d23eb2aaab
SHA512 e2ae5f49e6cf92b2335b15eaafb364ebdb7a3acc3e121686ca7a612035ba9ebde018400d331eb98fc90ce21530591a11ce5f2a2204f25777f48562aab7e63ac6

C:\Users\Admin\AppData\Local\Temp\tmp3553.tmp.bat

MD5 bec3af95a006c661e78ab974843f8f59
SHA1 27061fee3bf4b83c72cb7dd2f25f559ea4259dbb
SHA256 a456d038505b622c8093950802bf68c910bfec0b5749d06fe2d652079434f188
SHA512 67bd5d3ac1456b9a20cf17d6997b46a9cdf2bac34ad291e86d94caed8ec9334420aa59150dfb5819ed178f4641f2310855e1de921c02adadaeef45b38c005673

C:\Users\Admin\AppData\Local\Temp\fb49e848-6b19-4566-a421-80890ee88751\AgileDotNetRT64.dll

MD5 05b012457488a95a05d0541e0470d392
SHA1 74f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA256 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA512 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

C:\Users\Admin\AppData\Local\Temp\_MEI8642\python310.dll

MD5 deaf0c0cc3369363b800d2e8e756a402
SHA1 3085778735dd8badad4e39df688139f4eed5f954
SHA256 156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA512 5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
