Malware Analysis Report

2024-11-30 02:16

Sample ID 240328-dv86wsbd32
Target ChromeSetup.exe
SHA256 9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef
Tags
rhadamanthys stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef

Threat Level: Known bad

The file ChromeSetup.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 03:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 03:20

Reported

2024-03-28 03:41

Platform

win10-20240319-en

Max time kernel

315s

Max time network

888s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3896 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif c:\windows\system32\sihost.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2096 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2096 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif
PID 2096 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif
PID 2096 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif
PID 2096 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2096 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2096 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3896 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 3896 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 3896 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 3896 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 3896 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif C:\Windows\SysWOW64\dialer.exe

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 16592

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16592\Donations.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Src + Expressions + Safari + Treasury 16592\x

C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif

16592\Donations.pif 16592\x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 832

Network

Country Destination Domain Proto
US 8.8.8.8:53 nmkrkibbwxQ.nmkrkibbwxQ udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Bathrooms

MD5 b51276964bb7d7ced0ca782c1505d9ca
SHA1 961d8f2ed348d6bfe38f109e97ab8b55db14591c
SHA256 55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403
SHA512 fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547

C:\Users\Admin\AppData\Local\Temp\Compound

MD5 d63c5479fd18f86817d489744a338751
SHA1 82385a52bb5485fab0a3d1e7f9a3661bf35d3098
SHA256 3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037
SHA512 da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361

C:\Users\Admin\AppData\Local\Temp\Injection

MD5 ec92f2e791b5ca001d95fdd601cd73b3
SHA1 4aec16ee635e9eea9732a45d79f9ab8393e966fa
SHA256 ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179
SHA512 6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b

C:\Users\Admin\AppData\Local\Temp\Emotions

MD5 569505062321992f4e2803461c40e724
SHA1 b62f7987f92b4397b02b6894e759096fdee1f7db
SHA256 748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434
SHA512 2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd

C:\Users\Admin\AppData\Local\Temp\Worm

MD5 aa48266704d06ef9043c5521d52fddd0
SHA1 37754ad688f17e227ba8028efe9127d15c08b922
SHA256 5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444
SHA512 017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840

C:\Users\Admin\AppData\Local\Temp\Participants

MD5 2e6d79912a858f8e13ce1384b18495d1
SHA1 a509ff203fcd463cc11ec1ebbe5cee251a2d3c04
SHA256 a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace
SHA512 707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5

C:\Users\Admin\AppData\Local\Temp\Src

MD5 bca8514ec872114f197260671806ec5d
SHA1 b61846c56e14ed5e819050bd638a49505133889b
SHA256 862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5
SHA512 3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b

C:\Users\Admin\AppData\Local\Temp\Expressions

MD5 6ff11c454a1191120b1f963b120ae6b1
SHA1 9476d445caccd7a725836c102154e4ba17cbc969
SHA256 b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898
SHA512 fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754

C:\Users\Admin\AppData\Local\Temp\Safari

MD5 0d90f78364d6b146463b6238e692b0f9
SHA1 241f0eec297841a66f19e29d322533dc59088272
SHA256 ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540
SHA512 169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610

C:\Users\Admin\AppData\Local\Temp\Treasury

MD5 3443eaa164d930308366fbc11d04c2fc
SHA1 9470e59283644f44d76ecb945c394d43bb09e15e
SHA256 6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b
SHA512 7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a

C:\Users\Admin\AppData\Local\Temp\16592\Donations.pif

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\16592\x

MD5 a91c6eadc37c8082fcd0d8fd1762b8fe
SHA1 73ce49f75160ed5dafb1b8483111f5d383e919c2
SHA256 4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69
SHA512 0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8

memory/3896-25-0x0000000077941000-0x0000000077A54000-memory.dmp

memory/3896-26-0x0000000000820000-0x0000000000821000-memory.dmp

memory/3896-27-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-28-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-29-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-31-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-32-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-33-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-34-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-36-0x0000000005410000-0x000000000547D000-memory.dmp

memory/3896-35-0x00000000064F0000-0x00000000068F0000-memory.dmp

memory/3896-38-0x00000000064F0000-0x00000000068F0000-memory.dmp

memory/3896-37-0x00000000064F0000-0x00000000068F0000-memory.dmp

memory/3896-39-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp

memory/3896-40-0x00000000064F0000-0x00000000068F0000-memory.dmp

memory/3896-42-0x0000000076100000-0x00000000762C2000-memory.dmp

memory/4628-43-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

memory/4628-45-0x0000000000660000-0x0000000000A60000-memory.dmp

memory/4628-46-0x0000000000660000-0x0000000000A60000-memory.dmp

memory/3896-48-0x00000000064F0000-0x00000000068F0000-memory.dmp

memory/4628-49-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp

memory/4628-50-0x0000000000660000-0x0000000000A60000-memory.dmp

memory/4628-52-0x00007FFCD6590000-0x00007FFCD676B000-memory.dmp

memory/4628-53-0x0000000076100000-0x00000000762C2000-memory.dmp

memory/4628-54-0x0000000000660000-0x0000000000A60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 03:20

Reported

2024-03-28 03:41

Platform

win10v2004-20240226-en

Max time kernel

1195s

Max time network

1204s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1916 created 2524 N/A C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif C:\Windows\system32\sihost.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2948 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2948 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2948 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2948 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2948 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2948 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2948 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2948 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2948 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2948 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2948 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2948 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif
PID 2948 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif
PID 2948 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif
PID 2948 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2948 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2948 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1916 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1916 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1916 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1916 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1916 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 16582

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16582\Donations.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Src + Expressions + Safari + Treasury 16582\x

C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif

16582\Donations.pif 16582\x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 nmkrkibbwxQ.nmkrkibbwxQ udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
GB 142.250.200.10:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 103.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Bathrooms

MD5 b51276964bb7d7ced0ca782c1505d9ca
SHA1 961d8f2ed348d6bfe38f109e97ab8b55db14591c
SHA256 55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403
SHA512 fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547

C:\Users\Admin\AppData\Local\Temp\Compound

MD5 d63c5479fd18f86817d489744a338751
SHA1 82385a52bb5485fab0a3d1e7f9a3661bf35d3098
SHA256 3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037
SHA512 da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361

C:\Users\Admin\AppData\Local\Temp\Injection

MD5 ec92f2e791b5ca001d95fdd601cd73b3
SHA1 4aec16ee635e9eea9732a45d79f9ab8393e966fa
SHA256 ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179
SHA512 6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b

C:\Users\Admin\AppData\Local\Temp\Participants

MD5 2e6d79912a858f8e13ce1384b18495d1
SHA1 a509ff203fcd463cc11ec1ebbe5cee251a2d3c04
SHA256 a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace
SHA512 707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5

C:\Users\Admin\AppData\Local\Temp\Worm

MD5 aa48266704d06ef9043c5521d52fddd0
SHA1 37754ad688f17e227ba8028efe9127d15c08b922
SHA256 5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444
SHA512 017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840

C:\Users\Admin\AppData\Local\Temp\Emotions

MD5 569505062321992f4e2803461c40e724
SHA1 b62f7987f92b4397b02b6894e759096fdee1f7db
SHA256 748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434
SHA512 2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd

C:\Users\Admin\AppData\Local\Temp\Src

MD5 bca8514ec872114f197260671806ec5d
SHA1 b61846c56e14ed5e819050bd638a49505133889b
SHA256 862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5
SHA512 3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b

C:\Users\Admin\AppData\Local\Temp\Expressions

MD5 6ff11c454a1191120b1f963b120ae6b1
SHA1 9476d445caccd7a725836c102154e4ba17cbc969
SHA256 b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898
SHA512 fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754

C:\Users\Admin\AppData\Local\Temp\Safari

MD5 0d90f78364d6b146463b6238e692b0f9
SHA1 241f0eec297841a66f19e29d322533dc59088272
SHA256 ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540
SHA512 169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610

C:\Users\Admin\AppData\Local\Temp\Treasury

MD5 3443eaa164d930308366fbc11d04c2fc
SHA1 9470e59283644f44d76ecb945c394d43bb09e15e
SHA256 6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b
SHA512 7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a

C:\Users\Admin\AppData\Local\Temp\16582\Donations.pif

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\16582\x

MD5 a91c6eadc37c8082fcd0d8fd1762b8fe
SHA1 73ce49f75160ed5dafb1b8483111f5d383e919c2
SHA256 4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69
SHA512 0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8

memory/1916-25-0x0000000077D31000-0x0000000077E51000-memory.dmp

memory/1916-26-0x0000000000B20000-0x0000000000B21000-memory.dmp

memory/1916-27-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-28-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-29-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-31-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-32-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-33-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-34-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-35-0x0000000005C60000-0x0000000006060000-memory.dmp

memory/1916-36-0x0000000004BA0000-0x0000000004C0D000-memory.dmp

memory/1916-38-0x0000000005C60000-0x0000000006060000-memory.dmp

memory/1916-37-0x0000000005C60000-0x0000000006060000-memory.dmp

memory/1916-39-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

memory/1916-40-0x0000000005C60000-0x0000000006060000-memory.dmp

memory/1916-42-0x0000000075DF0000-0x0000000076005000-memory.dmp

memory/3096-43-0x0000000000A20000-0x0000000000A29000-memory.dmp

memory/3096-45-0x0000000002730000-0x0000000002B30000-memory.dmp

memory/3096-46-0x0000000002730000-0x0000000002B30000-memory.dmp

memory/3096-48-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

memory/3096-50-0x0000000002730000-0x0000000002B30000-memory.dmp

memory/3096-51-0x0000000075DF0000-0x0000000076005000-memory.dmp

memory/3096-52-0x0000000002730000-0x0000000002B30000-memory.dmp

memory/1916-53-0x0000000005C60000-0x0000000006060000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-28 03:20

Reported

2024-03-28 03:41

Platform

win11-20240221-en

Max time kernel

454s

Max time network

1177s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1860 created 2456 N/A C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif C:\Windows\system32\sihost.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3808 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3808 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3808 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3808 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3808 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3808 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3808 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3808 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3808 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3808 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3808 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3808 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif
PID 3808 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif
PID 3808 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif
PID 3808 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3808 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3808 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1860 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1860 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1860 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1860 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif C:\Windows\SysWOW64\dialer.exe
PID 1860 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 16562

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16562\Donations.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Src + Expressions + Safari + Treasury 16562\x

C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif

16562\Donations.pif 16562\x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 968
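
Read top to bottom, the process list above is a batch-file staging chain: tasklist piped into findstr /I to look for security products, a binary reassembled from named chunks with copy /b, a loopback ping used as a sleep, the reassembled .pif started with a companion file, and WerFault launched for PID 1860 when it crashed. The script below is an added example, not part of this report or of the sandbox's own tooling. It takes the (image path, command line) pairs copied from the listing into a constructed Python list and turns them into triage findings. The regular expressions, the finding names and the "about n-1 seconds" estimate for ping -n n are the example's own assumptions.

```python
import re

# Process list copied from the behavioral run above as (image path, command line)
# pairs. The Python list itself is constructed for this example so it runs offline.
REPORT_PROCESSES = [
    (r"C:\Windows\system32\sihost.exe", "sihost.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 16562"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 16562\Donations.pif"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Src + Expressions + Safari + Treasury 16562\x"),
    (r"C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif", r"16562\Donations.pif 16562\x"),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    (r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 968"),
]

# Patterns are this example's own and are tuned to the command lines above.
COPY_B_RE = re.compile(r"copy\s+/b\s+(?P<parts>.+?)\s+(?P<dest>\S+)\s*$", re.I)
FINDSTR_RE = re.compile(r'findstr\s+(?:/\w+\s+)*"(?P<names>[^"]+)"', re.I)
PING_RE = re.compile(r"ping\s+-n\s+(?P<count>\d+)\s+127\.0\.0\.1", re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_copy_b(cmdline):
    """Return (destination, [chunk, ...]) for a `copy /b a + b + c dest` line, else None."""
    m = COPY_B_RE.search(cmdline)
    if not m:
        return None
    return m.group("dest"), [p.strip() for p in m.group("parts").split("+")]


def triage(processes):
    findings = {
        "av_process_checks": [],   # names searched for in tasklist output
        "staged_drops": [],        # (destination, ordered chunk names)
        "ping_delays": [],         # -n counts of loopback pings used as sleeps
        "crashed_pids": [],        # PIDs WerFault was launched for
        "temp_executables": [],    # images run out of the user's Temp directory
    }
    prev_image = ""
    for image, cmdline in processes:
        low = image.lower()
        # tasklist immediately followed by findstr /I "<names>" is a process-discovery check
        if low.endswith("\\findstr.exe") and prev_image.lower().endswith("\\tasklist.exe"):
            m = FINDSTR_RE.search(cmdline)
            if m:
                findings["av_process_checks"].extend(m.group("names").split())
        drop = parse_copy_b(cmdline)
        if drop:
            findings["staged_drops"].append(drop)
        m = PING_RE.search(cmdline)
        if m:
            findings["ping_delays"].append(int(m.group("count")))
        m = WERFAULT_RE.search(cmdline)
        if m and int(m.group("pid")) not in findings["crashed_pids"]:
            findings["crashed_pids"].append(int(m.group("pid")))
        if TEMP_RE.search(image):
            findings["temp_executables"].append(image)
        prev_image = image
    return findings


def summarize(findings):
    """Human-readable lines; the delay estimate assumes ping's default one-second interval."""
    lines = []
    if findings["av_process_checks"]:
        lines.append("process discovery for: " + ", ".join(findings["av_process_checks"]))
    for dest, parts in findings["staged_drops"]:
        lines.append(f"staged drop: {dest} = {' + '.join(parts)} ({len(parts)} chunks)")
    for n in findings["ping_delays"]:
        lines.append(f"ping sleep: -n {n} to 127.0.0.1, roughly {n - 1}s")
    for pid in findings["crashed_pids"]:
        lines.append(f"crash: WerFault for PID {pid}")
    for image in findings["temp_executables"]:
        lines.append(f"executable under Temp: {image}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(REPORT_PROCESSES))))
```

The findstr names are only counted when the preceding entry is tasklist, so a findstr over a file would not be reported as process discovery; the chunk order returned for each copy /b line is the order the batch file used, which is what a later reassembly has to reproduce.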

Network

Country Destination Domain Proto
US 8.8.8.8:53 nmkrkibbwxQ.nmkrkibbwxQ udp

Files

C:\Users\Admin\AppData\Local\Temp\Bathrooms

MD5 b51276964bb7d7ced0ca782c1505d9ca
SHA1 961d8f2ed348d6bfe38f109e97ab8b55db14591c
SHA256 55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403
SHA512 fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547

C:\Users\Admin\AppData\Local\Temp\Compound

MD5 d63c5479fd18f86817d489744a338751
SHA1 82385a52bb5485fab0a3d1e7f9a3661bf35d3098
SHA256 3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037
SHA512 da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361

C:\Users\Admin\AppData\Local\Temp\Injection

MD5 ec92f2e791b5ca001d95fdd601cd73b3
SHA1 4aec16ee635e9eea9732a45d79f9ab8393e966fa
SHA256 ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179
SHA512 6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b

C:\Users\Admin\AppData\Local\Temp\Participants

MD5 2e6d79912a858f8e13ce1384b18495d1
SHA1 a509ff203fcd463cc11ec1ebbe5cee251a2d3c04
SHA256 a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace
SHA512 707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5

C:\Users\Admin\AppData\Local\Temp\Worm

MD5 aa48266704d06ef9043c5521d52fddd0
SHA1 37754ad688f17e227ba8028efe9127d15c08b922
SHA256 5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444
SHA512 017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840

C:\Users\Admin\AppData\Local\Temp\Emotions

MD5 569505062321992f4e2803461c40e724
SHA1 b62f7987f92b4397b02b6894e759096fdee1f7db
SHA256 748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434
SHA512 2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd

C:\Users\Admin\AppData\Local\Temp\Treasury

MD5 3443eaa164d930308366fbc11d04c2fc
SHA1 9470e59283644f44d76ecb945c394d43bb09e15e
SHA256 6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b
SHA512 7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a

C:\Users\Admin\AppData\Local\Temp\Safari

MD5 0d90f78364d6b146463b6238e692b0f9
SHA1 241f0eec297841a66f19e29d322533dc59088272
SHA256 ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540
SHA512 169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610

C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\Expressions

MD5 6ff11c454a1191120b1f963b120ae6b1
SHA1 9476d445caccd7a725836c102154e4ba17cbc969
SHA256 b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898
SHA512 fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754

C:\Users\Admin\AppData\Local\Temp\Src

MD5 bca8514ec872114f197260671806ec5d
SHA1 b61846c56e14ed5e819050bd638a49505133889b
SHA256 862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5
SHA512 3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b

C:\Users\Admin\AppData\Local\Temp\16562\x

MD5 a91c6eadc37c8082fcd0d8fd1762b8fe
SHA1 73ce49f75160ed5dafb1b8483111f5d383e919c2
SHA256 4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69
SHA512 0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8

memory/1860-25-0x0000000077521000-0x0000000077643000-memory.dmp

memory/1860-26-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/1860-27-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-28-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-29-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-31-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-32-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-33-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-34-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-35-0x00000000067A0000-0x0000000006BA0000-memory.dmp

memory/1860-37-0x0000000005580000-0x00000000055ED000-memory.dmp

memory/1860-36-0x00000000067A0000-0x0000000006BA0000-memory.dmp

memory/1860-38-0x00000000067A0000-0x0000000006BA0000-memory.dmp

memory/1860-40-0x00007FFB96180000-0x00007FFB96389000-memory.dmp

memory/1860-42-0x00000000067A0000-0x0000000006BA0000-memory.dmp

memory/780-44-0x0000000000E10000-0x0000000000E19000-memory.dmp

memory/1860-43-0x00000000768B0000-0x0000000076B02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16562\Donations.pif

MD5 0d1d68f4d9d55edd7571fd468140fcfc
SHA1 4c4607b45637b299032a407682c9d2a844bed807
SHA256 4544412b19ad66f0ff8396d178da58557f4826289ed3c802338e45e51d3d99a7
SHA512 8be744f4c51bb6401f20ef1f87ddb68599a88e601bd07452f0270848fc7aa5e5fe5720dc22954fe782714040a286ccf2e39f220b301ddb7a766faddabfc5bc70
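
The Files section hashes every chunk separately, and lists 16562\Donations.pif twice with different hashes. A practitioner with the dropped chunks in hand can reproduce the copy /b step, hash the result and check it against the values reported for the assembled outputs. The script below is an added example, not part of this report or the sandbox's tooling. The chunk order is taken from the two copy /b command lines in the Processes section; the chunk bytes in DEMO_CHUNKS are constructed stand-ins carrying a minimal PE-shaped header split across the first three chunks (the real chunks are read with load_chunks from a copy of the sandbox's Temp directory). The PE-shape check is this example's own sanity test, not something the report states about the chunks.

```python
import hashlib
import os
import struct

# Assembly order as given by the two copy /b command lines in the Processes section.
DONATIONS_PARTS = ["Compound", "Injection", "Emotions", "Worm", "Participants"]
X_PARTS = ["Src", "Expressions", "Safari", "Treasury"]

# SHA256 values the Files section lists for the assembled outputs. Donations.pif is
# listed twice with different hashes, so either one counts as a match.
REPORTED_SHA256 = {
    "16562\\Donations.pif": {
        "865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4",
        "4544412b19ad66f0ff8396d178da58557f4826289ed3c802338e45e51d3d99a7",
    },
    "16562\\x": {"4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69"},
}


def load_chunks(directory, names):
    """Read the dropped chunk files from a copy of the sandbox's Temp directory."""
    chunks = {}
    for name in names:
        with open(os.path.join(directory, name), "rb") as fh:
            chunks[name] = fh.read()
    return chunks


def reassemble(chunks, order):
    """Binary-concatenate the chunks in order, which is all `copy /b a + b + c dest` does."""
    missing = [n for n in order if n not in chunks]
    if missing:
        raise FileNotFoundError(f"chunk(s) not captured: {missing}")
    return b"".join(chunks[n] for n in order)


def digests(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def looks_like_pe(data):
    """MZ header plus an e_lfanew that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def verify(data, dest, reported=REPORTED_SHA256):
    """(matches a reported hash?, digests) for a reassembled output."""
    d = digests(data)
    return d["sha256"] in reported.get(dest, set()), d


# Constructed stand-in chunks (not the real dropped files): a minimal PE-shaped header
# split across the first three chunks, so only the in-order join parses as a PE.
_PE_STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
DEMO_CHUNKS = {
    "Compound": _PE_STUB[:40],
    "Injection": _PE_STUB[40:80],
    "Emotions": _PE_STUB[80:],
    "Worm": b"\xCC" * 16,
    "Participants": b"\x90" * 16,
}


if __name__ == "__main__":
    blob = reassemble(DEMO_CHUNKS, DONATIONS_PARTS)
    ok, d = verify(blob, "16562\\Donations.pif")
    print(f"PE-shaped: {looks_like_pe(blob)}  sha256: {d['sha256']}  matches report: {ok}")
```

With the real chunks, run verify on the output of reassemble(load_chunks(temp_dir, DONATIONS_PARTS), DONATIONS_PARTS) and likewise for X_PARTS; a mismatch against both listed hashes means either a chunk was captured at a different point in time than the report's file entry or the order was not reproduced.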

memory/780-50-0x00007FFB96180000-0x00007FFB96389000-memory.dmp

memory/780-47-0x0000000002B20000-0x0000000002F20000-memory.dmp

memory/780-53-0x0000000002B20000-0x0000000002F20000-memory.dmp

memory/780-52-0x00000000768B0000-0x0000000076B02000-memory.dmp

memory/1860-55-0x00000000067A0000-0x0000000006BA0000-memory.dmp

memory/780-56-0x00007FFB96180000-0x00007FFB96389000-memory.dmp

memory/780-54-0x0000000002B20000-0x0000000002F20000-memory.dmp
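
The memory dump names above encode a PID, a capture sequence number and an address range. Grouping them by PID shows two regions at identical addresses in both PID 1860 (Donations.pif) and PID 780 (dialer.exe), which is what shared system modules look like, and one 0x400000-byte region that exists in both processes at different addresses, first captured in 1860 at sequence 35 and in 780 at sequence 47. That pattern is consistent with the WriteProcessMemory rows that show 1860 writing into 780, though the dumps alone do not prove the bytes are identical. The script below is an added example, not part of this report or the sandbox's tooling; the dump names are copied from the listing into a constructed string, and the region classification is the example's own heuristic.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Dump names copied from the Files section above, constructed here as one string.
REPORT_DUMPS = """
memory/1860-25-0x0000000077521000-0x0000000077643000-memory.dmp
memory/1860-26-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/1860-27-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-28-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-29-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-31-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-32-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-33-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-34-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-35-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/1860-37-0x0000000005580000-0x00000000055ED000-memory.dmp
memory/1860-36-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/1860-38-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/1860-40-0x00007FFB96180000-0x00007FFB96389000-memory.dmp
memory/1860-42-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/780-44-0x0000000000E10000-0x0000000000E19000-memory.dmp
memory/1860-43-0x00000000768B0000-0x0000000076B02000-memory.dmp
memory/780-50-0x00007FFB96180000-0x00007FFB96389000-memory.dmp
memory/780-47-0x0000000002B20000-0x0000000002F20000-memory.dmp
memory/780-53-0x0000000002B20000-0x0000000002F20000-memory.dmp
memory/780-52-0x00000000768B0000-0x0000000076B02000-memory.dmp
memory/1860-55-0x00000000067A0000-0x0000000006BA0000-memory.dmp
memory/780-56-0x00007FFB96180000-0x00007FFB96389000-memory.dmp
memory/780-54-0x0000000002B20000-0x0000000002F20000-memory.dmp
"""


def parse_dumps(text):
    """(pid, seq, start, end) tuples from the report's dump file names."""
    out = []
    for token in text.split():
        m = DUMP_RE.fullmatch(token)
        if m:
            out.append((int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    return out


def regions_by_pid(dumps):
    """Distinct (start, end) regions per PID; repeated dumps of one region collapse to one."""
    by = defaultdict(set)
    for pid, _seq, start, end in dumps:
        by[pid].add((start, end))
    return by


def same_address_regions(by, a, b):
    """Regions at identical addresses in both processes: typically shared system modules."""
    return by[a] & by[b]


def same_size_moved_regions(by, a, b):
    """Same-size regions at different addresses in a and b: candidates for a payload
    copied from a into b. Returns [(size, region_in_a, region_in_b)] sorted by size."""
    hits = []
    for ra in by[a]:
        for rb in by[b]:
            if ra != rb and ra[1] - ra[0] == rb[1] - rb[0]:
                hits.append((ra[1] - ra[0], ra, rb))
    return sorted(hits)


def first_seen(dumps, pid, region):
    """Lowest dump sequence number at which the region was captured in pid, or None."""
    seqs = [seq for p, seq, s, e in dumps if p == pid and (s, e) == region]
    return min(seqs) if seqs else None


if __name__ == "__main__":
    dumps = parse_dumps(REPORT_DUMPS)
    by = regions_by_pid(dumps)
    for size, ra, rb in same_size_moved_regions(by, 1860, 780):
        print(f"0x{size:X} bytes: PID 1860 0x{ra[0]:X} (seq {first_seen(dumps, 1860, ra)}) "
              f"-> PID 780 0x{rb[0]:X} (seq {first_seen(dumps, 780, rb)})")
```

Equal size is a weak signal on its own; the next step with the actual .dmp files is to compare the two 0x400000-byte dumps byte for byte, or at least their section headers, before calling the region an injected copy.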