Malware Analysis Report

2024-09-11 15:31

Sample ID 240614-qgnz1ssbqa
Target Setup (6).zip
SHA256 03a0f1b34e5688e65e394ac4e242b5e287817afd351d973bcb495d533166568e
Tags
stealc vidar discovery spyware stealer amadey xmrig ffb1b9 execution miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03a0f1b34e5688e65e394ac4e242b5e287817afd351d973bcb495d533166568e

Threat Level: Known bad

The file Setup (6).zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer amadey xmrig ffb1b9 execution miner trojan upx

Detect Vidar Stealer

Stealc

Amadey

Vidar

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

XMRig Miner payload

Downloads MZ/PE file

Blocklisted process makes network request

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Executes dropped EXE

Reads user/profile data of local email clients

Checks computer location settings

UPX packed file

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Process Discovery
T1057
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 13:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 13:14

Reported

2024-06-14 13:17

Platform

win7-20240508-en

Max time kernel

119s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1792 created 1136 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1792 set thread context of 2164 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2600 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2600 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2600 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2600 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2600 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2600 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2600 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2600 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2600 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1792 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1792 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1792 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1792 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1792 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1792 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2164 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2852 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2852 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2852 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (6).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Northeast Northeast.cmd & Northeast.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 328159

C:\Windows\SysWOW64\findstr.exe

findstr /V "EnclosedVisibilityDuringBrilliant" Peter

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Urge 328159\g

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

328159\Prototype.pif 328159\g

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif" & rd /s /q "C:\ProgramData\DAAAFBKECAKE" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 HHdFGUjAaebMiQpHnNQPUq.HHdFGUjAaebMiQpHnNQPUq udp
US 8.8.8.8:53 theemir.xyz udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Northeast

MD5 b45202591b60b052447886eb104577f0
SHA1 afa16d62ffd59c86e63e8dd3060baf34a57e7cf1
SHA256 997fc2668f5943d35d2b435e4270a2576b2ef275710f885066a25cc9cd1213e0
SHA512 9d0496c339dfa022115959cbe86ede08ee7f8f97bae31aa5b2e4af63768e4032b526745197bcce5104c2de983f58a9932827481b76c09addade6074c89f14775

C:\Users\Admin\AppData\Local\Temp\Peter

MD5 8bf9404a2322b0a2bcd19382cf90ebc2
SHA1 ac84d7e0ef6aedeb925b53dbd10a085be6760cec
SHA256 1d04056759eef1c0e886bde0d53277f2e248e1f3158f08158151ed27a74efcdc
SHA512 6df401889e198484dfbf03e94eb408fea6dcb3cf9470457f42c16795d4660f906ecbcbcde2ec0c44f3261a839b9137e6050035d656236f5f9164b3239ba881a8

C:\Users\Admin\AppData\Local\Temp\Showers

MD5 de37f7dfee32a6745cad440181cc795e
SHA1 69bd1675df2b06946e0d5da452b5c0d808e76ebd
SHA256 1692192f6fbe9a0757027029c9773196ec6bfb53781336a9164e66510b9de5cc
SHA512 a6a44be54cc0c00904a058808237700a223d78254e6ef1c844f6beb66ec5d17955a47757f8cb039571c7b1da213f5c39e5be54112bb6a772bdcce4e1403376ae

C:\Users\Admin\AppData\Local\Temp\Donor

MD5 165c9fef67a01106cb4a15a8f73ff06e
SHA1 94b530edfc27c9010871d96c4eccd1c3e0708c9f
SHA256 a69c145a5b5b20eb93b7d82e9440d7a0beba53072b83ecc4cddb9e2137a9fe96
SHA512 0648396ae2e4cc86db49b2e3980affa69ddf4b0b607ac5aa80c0611b3df5dac415653a94486cb2eb05d00a1eed680b547d58f489d62f6a2d19f0d910e2a82f42

C:\Users\Admin\AppData\Local\Temp\Eleven

MD5 b8e5f0ae5af9b75bf009885a32a042cc
SHA1 88c1820f1ba8065871ffdc250a8a0463887dddb8
SHA256 2e83d333c7566963ce675a32b42a6c4b99a907ca2c34c1a8213730e4ad461a24
SHA512 b1b699f38efe9e5794325aeed1758e0492eff6c5e8539412d66e185ab1d2b1cdb2301210278e7658b25dd04d70b13c010d1f92d8476e34d23b9efa5983851005

C:\Users\Admin\AppData\Local\Temp\Johnston

MD5 103d119aa8a89d75d8d087599c321fe9
SHA1 f38f558952f028f3b64b758d2a6570d09d25eb5f
SHA256 d85b39bc6ef094b7a7d4247b5eacb44f1f32ea887614324f5fa882ff61f0bbcf
SHA512 32dddd0981a9ce9404ecd1224fd57e5f65e4110946d21c911ef5e726d285a398ba4e1b86b1f95511edf55689ff80a21804724593e44a1646e248b694d6c54be6

C:\Users\Admin\AppData\Local\Temp\Piss

MD5 93131f960f434fa2c6ed8310b80c952c
SHA1 c5fb6e077d03598457031585793381ae1abab8df
SHA256 c1376889ec8b5cd3e710146be003a3ff51940d6a7e1cb943b8c5c04a7da98e40
SHA512 ed67a586f73b5f1773f5b312436275a30fc26c936f368926ee295c0508f7bc02d34b5c049f6a51d2f6937fd7b4341680038bd0a2f1d03a7a07a404ef58244cbb

C:\Users\Admin\AppData\Local\Temp\Brass

MD5 cfbeb50abeb4b45cae9a85881deafdeb
SHA1 a2679acd6055a0bf07fc34a38cf92df1d8b47bcb
SHA256 93406ff30fe7c1a9f8300d4ed6097b15515fa2b421f09b32e9c3b44f71d85b10
SHA512 f46734ab6e917a213a5083f69a5f41b823bc0687b6f77e84cb1016183c74c1af0331c431b9655fc368cb4bfaec16a7284cdcc4f3be2880306f7aadfcef5739f8

C:\Users\Admin\AppData\Local\Temp\Thong

MD5 e85daf9e828a54404f20e99b13b50fb1
SHA1 c4596f5531659d2d985ab07f8a83b5bf7046c7ad
SHA256 02ae86086ce07d7fa62afb52a7cb300b7aab300293740a218427245fe249a16c
SHA512 8eca39efccbe97fad55665c48f39ddb0b1fb3f8d25daaf076b36fb5f01f925752150ac2e15939f82b9987f88859148aa425850a581018fbb2283bbf6f752f0d2

C:\Users\Admin\AppData\Local\Temp\Verify

MD5 d2c6e84f2b8208dcef9027b697736a87
SHA1 23807b3fdfa56512273b22677ed1742ca1d97f67
SHA256 28b9354f9812c980d345d9fca164458e5745c2f41b03fc17f26f5c9070ae4ab2
SHA512 f12efe8547372048f5a4e6ab1b17eb2c0c7edb5e6d2c7a494e80a90b800f0e365555f7e9ef84950ae3807abf8179f13d718885f349198c1f7ac26bb9cc62de29

C:\Users\Admin\AppData\Local\Temp\Accredited

MD5 5fe6dff8f4824b74d5b55b91234d2ad2
SHA1 4ff5c6aa348c63720a951cf2ae797786b7f7d53b
SHA256 d8b24570072e032030d6f4dcf403e056a33334eb1c77e7497a46dffbac44338e
SHA512 0f18eacd293524086086ecd8a06c387ffdcfa14bf613637bf33ceaf6071b7dfecf03d803a038271c7271bdecf42979358fb0d99b5141d83cc5d2e1c603a11173

C:\Users\Admin\AppData\Local\Temp\Rivers

MD5 fbc978cdd7879bb3177a5951b9ebc202
SHA1 a79984bfe14dbbcf273caac437e4ff853085cb94
SHA256 a48c0359f7a95e765b0759998d444bcf05848df6d70d49f216d73ad24520e9ed
SHA512 8f7e1cb2f65b94f1d35796b7845208566b0e7c685f53cdb3c67373871b906cdc4cc58043ac51073ceea335c7c0db155a91a0fff380adde8066cd39e3248e747c

C:\Users\Admin\AppData\Local\Temp\Monetary

MD5 fb207dd3daae6d70329b147cd27629f8
SHA1 31b24557f3a38fc2a6fac2356b9c84560f5a7eb4
SHA256 55e4055a761f6de72b67f65a7a9ef4aa904be7dbbd414dadfa1c2924f1f1c73d
SHA512 d615075db7f6b5019f04a78c7b8fcc090176821e5280be486cb5bc464fd7640db7c5ed3dfb9bbd807ac31b165945b7d49b4cc6fc0fce712f5f290c4b70f056e5

C:\Users\Admin\AppData\Local\Temp\Min

MD5 84b5cbc02b6784b589a1e732fab2eb11
SHA1 047cf1a36b734bdd2dd6c6be37e31c57eb801bed
SHA256 99a173e0ef78baefcf23c7e91d3420bd337d3cbd6f5438247108f99bdbca2314
SHA512 cae10222a0aad3771afd4d048d975fc7e187fc470bdb0cb1eba96eb8a7e4a6b03a00ad5ff1a8fcd0ff07ac3232fbdd8f0f28076b3d61950218ebfac8991e019b

C:\Users\Admin\AppData\Local\Temp\Trials

MD5 b61d86bf3beffab4d100c221f8b5d505
SHA1 7aaf57112aaddb0e6bda53e9881f88806917b44d
SHA256 544daa4eebc82abd4e6de0db4d74eaac30674206bb24249dad032a5440a9ed0c
SHA512 d0a40173e2df3569aaf25b5747b583651ef2c0eb54e0be79e71244cf9e7fecfa705f835d7dea2c97f2cb9f9523f9f8712f7b60ad1cd0a0dd43ae4dcac010e6fd

C:\Users\Admin\AppData\Local\Temp\Level

MD5 a4dadb8a544a089b4aee4a5748aaf235
SHA1 0104d996bec6261067d544dc3350e00708be80bf
SHA256 9ea4dba08ff6119c3f8615527df474e335d54c07c010498eb9b4490e5a9e5c2c
SHA512 63ba6ea32f27bfcbb698e10d8709a841046a72a2bf78f26ea8d3a4b862dfd3aee1d416cec22b5c79b34a2c2bb5e5f2da1020889f1c9b6143f0a4f9bf6e9af71e

C:\Users\Admin\AppData\Local\Temp\Costs

MD5 e2da627e46f2a55408826eb2594fb43b
SHA1 c19e0b76395ef2925773aebc0a50a321767969f9
SHA256 ebb816fcde52ecfa80be03363350a879aa8d01a894ab4a920fe77185e74e561c
SHA512 5329a74fe6b7f76742fda2cb83d26fc7201da7cf8e473a4124c5976351d3df520ab001f8caeef809f6f16314ad722bd0329470745b5f7bee436235f682639556

C:\Users\Admin\AppData\Local\Temp\Spirit

MD5 45b7c6db4c4212296c0f409e050f497f
SHA1 085ac7a8e2a695186cfe5c43a3e6db58588f91ce
SHA256 f55b826fa11826340d240a7df59c94c3ae34bc2b209a54ec6c19757ae8b0f1a2
SHA512 65ddef8c13450a27cb55ab4fde8da3b5526547f704950bd85c3854d223ab22624e5d11c08750baa5e603a9ef7254fdd6a9209548dbba824577c8b4ab6d304c0d

C:\Users\Admin\AppData\Local\Temp\Beach

MD5 5941c44b1fc2813ab474e88e9106c241
SHA1 a328363081d9ffd7e14413ed7cd7af75b3d42368
SHA256 661b5c7db73b2a3e8b9a20e7b54d26b73b8a3463b9387d8675d399fd1a8d8bad
SHA512 19b0d470bcb7b19ad589231f6d03db62eef4e66b3eb8d0d87a4c1dce20bad8f404ecb703250f55e8bfdc1429d59008524a5f687c47e36504b68fd70a281cb427

C:\Users\Admin\AppData\Local\Temp\Penguin

MD5 888388580b16210569adcef464f2327e
SHA1 3c98fa3319589c23e26e11b078072ebaa5de1b76
SHA256 b6903261df9e0ea6aa198c7e7b41472057fe22d751588c115ec938d3e42dfc13
SHA512 288ccbac5cc5db5127a9d280ca4771e136396a98a1ac0ce601ac2e688a15e00507f00db84689a99ee1a649ec0774eeb4b522374c41b8983a8a7bdf2c3089e2f1

C:\Users\Admin\AppData\Local\Temp\Connections

MD5 1bf949f7fd95cff659a03139086f7d87
SHA1 b712712a2944c32875c48d010a3301188ba90d14
SHA256 7d8ad83805f6d996e0dd9fd6f41c4f4195049dc1dbc836a0c524e68685e8cb49
SHA512 a66c1abad745ae88b1a94d94c2a4a1e7a37985d19fe9d36efdc9ec1aaa2883a5409c91c0b37c901864d72ae616da86cfdabedfb0ccfa695804fc0715d1ac5130

C:\Users\Admin\AppData\Local\Temp\Ali

MD5 716407bf663adacaef5d04814488026c
SHA1 12499ea9481fb26bc58ab34f1295d83d5855b424
SHA256 04f0ca51092b541a82289d054ada19e52c40da4434b827f03b6b7b70766abc30
SHA512 84bcd384bbd5dd4535015e82a1ed799135d86633ccfebad36f0f399e2e1b02c140259e223d18c81e6b4bb8d1f774b7b03d7e30acb2ec6727b39de79363d8e98a

C:\Users\Admin\AppData\Local\Temp\Volleyball

MD5 24e47a1999e17f9f0f259fcdacd4df25
SHA1 ed7c655c0c386eb7dd63613a1004b9425e2d7977
SHA256 ba73de3122a0bf1c500b19be79793b7fe18a28db957524e6e85f48953f453007
SHA512 63066255479c7cd33bdae5571eb27c608580290a14fa5804f78748dd4d0f787794009cd085f3f30b4f9e068e233a1939390f1ed0550e4bd8d28d9a2b4e09f8ea

C:\Users\Admin\AppData\Local\Temp\Miss

MD5 0829f71740aab1ab98b33eae21dee122
SHA1 0631457264ff7f8d5fb1edc2c0211992a67c73e6
SHA256 9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47
SHA512 18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

C:\Users\Admin\AppData\Local\Temp\Broker

MD5 4a73cbddfd3263424187b29dd0356182
SHA1 c14e63ee586e70134fa24432b6d3966ff483b78a
SHA256 6090a3dc60ec7a84c1c946c62c024b422c6bd116fd15d763e9fe59072b838627
SHA512 ff03ffe59016a8f1b08c0fca64a29a748034d4f5933e36b1e5d359a9b60e5499f2575ce9e1bccf80dd368c20c4f38fbd3f3425c1ef799dd993076c67fa0e32e8

C:\Users\Admin\AppData\Local\Temp\Mauritius

MD5 ba27e2d8c8494f275c741457bc15f533
SHA1 42468740d544b6785068d47f4587b36109b6f519
SHA256 1beb1b2c2af505ac359cf66ee6895b645480238bd5f40cee072fc85b0019f24d
SHA512 96f48e59f26b89564269265a3acd29ba5645ffdbe153e3c4fbaad84785bd97ede9a49931d0c3ae909fc27e18e680bf7f879ad5332183e706ce58f1da79300aa6

C:\Users\Admin\AppData\Local\Temp\Initiative

MD5 68d718bc0a5b98e7003a1ee5dafe1210
SHA1 6b0c348a4ae6e734de65a05649ec18e9ba183e7d
SHA256 15f7faefcd8d2c2aceaf1da0f3b8b5ac7db4d868eced2b999ccc42bb579f83c4
SHA512 086873e11b7083afc236aba4d817b638f40df25b5bc4af50963d0fc01808735c60b54d6cbb56e11624cc61309ae95b0ccf906a487051f98150fef0fbf75c7252

C:\Users\Admin\AppData\Local\Temp\Salvador

MD5 c9bdd9c82c3ed58946eba402b537c847
SHA1 9564a227f3950a0898437476c224886579369678
SHA256 600d9d7edda40ee5bf3c6bee9987b2c288f547c33637ef72a23a831708f4dfdb
SHA512 ff40cc3cc18364bbf7bdde8f525b7bc23e669513c743d8acf58b45671c119aca279a554727c1e200cc146ea90ffe19330a65bb992065c820520bafd475a0a6fa

C:\Users\Admin\AppData\Local\Temp\Camel

MD5 7d82d3900c8ba40cf122071c37f0cf9c
SHA1 0008970f1a960a8fdfe55b678a5f9b45048f8e0e
SHA256 af9abccf8d3abc3abb9820f19e7aa6bd603d1f47ce5a7aba58a2b5e5e55ed7cf
SHA512 efd0d18903d1cfb9d1bd3b6103924a743bd8da38c2e00a9367f079ea5140f5df6b82d424aa2129e0e095bc48eaf038f89d90db23fb914723ca9b4cfce48a5a87

C:\Users\Admin\AppData\Local\Temp\Al

MD5 2332eef605c2bf44201d0f839155b887
SHA1 bb92bc1b42b4d1799c0c7f551a04137ffa280c69
SHA256 521a256a47610774a9eb2fa85441789d7e595ca9f662e074042ec9df12fa66f3
SHA512 388fe1ea427cf3c4b3b85e22ae8e6bf034f457682fba6b0ab82a113a2589754d1b1d8d6fbddd70f79f007036b3bc7750c89d190fc96ff70dd3ce4f97724e47aa

C:\Users\Admin\AppData\Local\Temp\Urge

MD5 b4164811733d945f464aded1dcd862fa
SHA1 238bfcc1dca54e80ababa6676d21bf12894ecba5
SHA256 755f1572c8f0e5e9ef789774dace4faae388fbd4380c5f99d5f073009fdbed01
SHA512 d4ab05cdedc215e6185b7b959e1951011346345071c69f3237c2fd0a0eefd4e8c0a792538b5d1e2a5ab8e8c2598ace162ed66be0bb94f10de7aa49790facc727

\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2164-368-0x0000000000830000-0x0000000000F7A000-memory.dmp

memory/2164-369-0x0000000000830000-0x0000000000F7A000-memory.dmp

memory/2164-371-0x0000000000830000-0x0000000000F7A000-memory.dmp

memory/2164-372-0x0000000000830000-0x0000000000F7A000-memory.dmp

memory/2164-374-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2164-373-0x0000000000830000-0x0000000000F7A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 13:14

Reported

2024-06-14 13:17

Platform

win10v2004-20240611-en

Max time kernel

153s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1172 created 3332 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\ProgramData\JJJEGHDAEC.exe N/A
N/A N/A C:\ProgramData\FIIEGDBAEB.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1172 set thread context of 2536 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 4264 set thread context of 4860 N/A C:\ProgramData\FIIEGDBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 4652 set thread context of 2312 N/A C:\ProgramData\JJJEGHDAEC.exe C:\Windows\SysWOW64\ftp.exe
PID 4860 set thread context of 4428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4428 set thread context of 540 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\ProgramData\JJJEGHDAEC.exe N/A
N/A N/A C:\ProgramData\FIIEGDBAEB.exe N/A
N/A N/A C:\ProgramData\FIIEGDBAEB.exe N/A
N/A N/A C:\ProgramData\JJJEGHDAEC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\FIIEGDBAEB.exe N/A
N/A N/A C:\ProgramData\JJJEGHDAEC.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2036 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2036 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2036 wrote to memory of 4288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 4288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 4288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2036 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2036 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2036 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 3452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2036 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2036 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2036 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2036 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2036 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2036 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 1172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif
PID 2536 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\JJJEGHDAEC.exe
PID 2536 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\JJJEGHDAEC.exe
PID 2536 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\JJJEGHDAEC.exe
PID 2536 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\FIIEGDBAEB.exe
PID 2536 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\FIIEGDBAEB.exe
PID 2536 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\ProgramData\FIIEGDBAEB.exe
PID 4264 wrote to memory of 4860 N/A C:\ProgramData\FIIEGDBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 4264 wrote to memory of 4860 N/A C:\ProgramData\FIIEGDBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 4264 wrote to memory of 4860 N/A C:\ProgramData\FIIEGDBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 4652 wrote to memory of 2312 N/A C:\ProgramData\JJJEGHDAEC.exe C:\Windows\SysWOW64\ftp.exe
PID 4652 wrote to memory of 2312 N/A C:\ProgramData\JJJEGHDAEC.exe C:\Windows\SysWOW64\ftp.exe
PID 4652 wrote to memory of 2312 N/A C:\ProgramData\JJJEGHDAEC.exe C:\Windows\SysWOW64\ftp.exe
PID 4264 wrote to memory of 4860 N/A C:\ProgramData\FIIEGDBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 4652 wrote to memory of 2312 N/A C:\ProgramData\JJJEGHDAEC.exe C:\Windows\SysWOW64\ftp.exe
PID 2536 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1036 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1036 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2312 wrote to memory of 1048 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2312 wrote to memory of 1048 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2312 wrote to memory of 1048 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4860 wrote to memory of 4428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4860 wrote to memory of 4428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2312 wrote to memory of 1048 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4860 wrote to memory of 4428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4860 wrote to memory of 4428 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4428 wrote to memory of 540 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup (6).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Northeast Northeast.cmd & Northeast.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 328159

C:\Windows\SysWOW64\findstr.exe

findstr /V "EnclosedVisibilityDuringBrilliant" Peter

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Urge 328159\g

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

328159\Prototype.pif 328159\g

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

C:\ProgramData\JJJEGHDAEC.exe

"C:\ProgramData\JJJEGHDAEC.exe"

C:\ProgramData\FIIEGDBAEB.exe

"C:\ProgramData\FIIEGDBAEB.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDAFBAEBKJKF" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 HHdFGUjAaebMiQpHnNQPUq.HHdFGUjAaebMiQpHnNQPUq udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 theemir.xyz udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 243.81.21.104.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 172.67.212.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.212.67.172.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.192.193:443 i.imgur.com tcp
US 8.8.8.8:53 193.192.232.199.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp
US 8.8.8.8:53 contur2fa.recipeupdates.rest udp
US 172.67.197.250:443 contur2fa.recipeupdates.rest tcp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 146.112.152.45.in-addr.arpa udp
US 8.8.8.8:53 250.197.67.172.in-addr.arpa udp
US 172.67.197.250:443 contur2fa.recipeupdates.rest tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
N/A 224.0.0.251:5353 udp
FI 65.109.127.181:3333 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Northeast

MD5 b45202591b60b052447886eb104577f0
SHA1 afa16d62ffd59c86e63e8dd3060baf34a57e7cf1
SHA256 997fc2668f5943d35d2b435e4270a2576b2ef275710f885066a25cc9cd1213e0
SHA512 9d0496c339dfa022115959cbe86ede08ee7f8f97bae31aa5b2e4af63768e4032b526745197bcce5104c2de983f58a9932827481b76c09addade6074c89f14775

C:\Users\Admin\AppData\Local\Temp\Peter

MD5 8bf9404a2322b0a2bcd19382cf90ebc2
SHA1 ac84d7e0ef6aedeb925b53dbd10a085be6760cec
SHA256 1d04056759eef1c0e886bde0d53277f2e248e1f3158f08158151ed27a74efcdc
SHA512 6df401889e198484dfbf03e94eb408fea6dcb3cf9470457f42c16795d4660f906ecbcbcde2ec0c44f3261a839b9137e6050035d656236f5f9164b3239ba881a8

C:\Users\Admin\AppData\Local\Temp\Showers

MD5 de37f7dfee32a6745cad440181cc795e
SHA1 69bd1675df2b06946e0d5da452b5c0d808e76ebd
SHA256 1692192f6fbe9a0757027029c9773196ec6bfb53781336a9164e66510b9de5cc
SHA512 a6a44be54cc0c00904a058808237700a223d78254e6ef1c844f6beb66ec5d17955a47757f8cb039571c7b1da213f5c39e5be54112bb6a772bdcce4e1403376ae

C:\Users\Admin\AppData\Local\Temp\Donor

MD5 165c9fef67a01106cb4a15a8f73ff06e
SHA1 94b530edfc27c9010871d96c4eccd1c3e0708c9f
SHA256 a69c145a5b5b20eb93b7d82e9440d7a0beba53072b83ecc4cddb9e2137a9fe96
SHA512 0648396ae2e4cc86db49b2e3980affa69ddf4b0b607ac5aa80c0611b3df5dac415653a94486cb2eb05d00a1eed680b547d58f489d62f6a2d19f0d910e2a82f42

C:\Users\Admin\AppData\Local\Temp\Eleven

MD5 b8e5f0ae5af9b75bf009885a32a042cc
SHA1 88c1820f1ba8065871ffdc250a8a0463887dddb8
SHA256 2e83d333c7566963ce675a32b42a6c4b99a907ca2c34c1a8213730e4ad461a24
SHA512 b1b699f38efe9e5794325aeed1758e0492eff6c5e8539412d66e185ab1d2b1cdb2301210278e7658b25dd04d70b13c010d1f92d8476e34d23b9efa5983851005

C:\Users\Admin\AppData\Local\Temp\Johnston

MD5 103d119aa8a89d75d8d087599c321fe9
SHA1 f38f558952f028f3b64b758d2a6570d09d25eb5f
SHA256 d85b39bc6ef094b7a7d4247b5eacb44f1f32ea887614324f5fa882ff61f0bbcf
SHA512 32dddd0981a9ce9404ecd1224fd57e5f65e4110946d21c911ef5e726d285a398ba4e1b86b1f95511edf55689ff80a21804724593e44a1646e248b694d6c54be6

C:\Users\Admin\AppData\Local\Temp\Piss

MD5 93131f960f434fa2c6ed8310b80c952c
SHA1 c5fb6e077d03598457031585793381ae1abab8df
SHA256 c1376889ec8b5cd3e710146be003a3ff51940d6a7e1cb943b8c5c04a7da98e40
SHA512 ed67a586f73b5f1773f5b312436275a30fc26c936f368926ee295c0508f7bc02d34b5c049f6a51d2f6937fd7b4341680038bd0a2f1d03a7a07a404ef58244cbb

C:\Users\Admin\AppData\Local\Temp\Brass

MD5 cfbeb50abeb4b45cae9a85881deafdeb
SHA1 a2679acd6055a0bf07fc34a38cf92df1d8b47bcb
SHA256 93406ff30fe7c1a9f8300d4ed6097b15515fa2b421f09b32e9c3b44f71d85b10
SHA512 f46734ab6e917a213a5083f69a5f41b823bc0687b6f77e84cb1016183c74c1af0331c431b9655fc368cb4bfaec16a7284cdcc4f3be2880306f7aadfcef5739f8

C:\Users\Admin\AppData\Local\Temp\Thong

MD5 e85daf9e828a54404f20e99b13b50fb1
SHA1 c4596f5531659d2d985ab07f8a83b5bf7046c7ad
SHA256 02ae86086ce07d7fa62afb52a7cb300b7aab300293740a218427245fe249a16c
SHA512 8eca39efccbe97fad55665c48f39ddb0b1fb3f8d25daaf076b36fb5f01f925752150ac2e15939f82b9987f88859148aa425850a581018fbb2283bbf6f752f0d2

C:\Users\Admin\AppData\Local\Temp\Accredited

MD5 5fe6dff8f4824b74d5b55b91234d2ad2
SHA1 4ff5c6aa348c63720a951cf2ae797786b7f7d53b
SHA256 d8b24570072e032030d6f4dcf403e056a33334eb1c77e7497a46dffbac44338e
SHA512 0f18eacd293524086086ecd8a06c387ffdcfa14bf613637bf33ceaf6071b7dfecf03d803a038271c7271bdecf42979358fb0d99b5141d83cc5d2e1c603a11173

C:\Users\Admin\AppData\Local\Temp\Verify

MD5 d2c6e84f2b8208dcef9027b697736a87
SHA1 23807b3fdfa56512273b22677ed1742ca1d97f67
SHA256 28b9354f9812c980d345d9fca164458e5745c2f41b03fc17f26f5c9070ae4ab2
SHA512 f12efe8547372048f5a4e6ab1b17eb2c0c7edb5e6d2c7a494e80a90b800f0e365555f7e9ef84950ae3807abf8179f13d718885f349198c1f7ac26bb9cc62de29

C:\Users\Admin\AppData\Local\Temp\Rivers

MD5 fbc978cdd7879bb3177a5951b9ebc202
SHA1 a79984bfe14dbbcf273caac437e4ff853085cb94
SHA256 a48c0359f7a95e765b0759998d444bcf05848df6d70d49f216d73ad24520e9ed
SHA512 8f7e1cb2f65b94f1d35796b7845208566b0e7c685f53cdb3c67373871b906cdc4cc58043ac51073ceea335c7c0db155a91a0fff380adde8066cd39e3248e747c

C:\Users\Admin\AppData\Local\Temp\Monetary

MD5 fb207dd3daae6d70329b147cd27629f8
SHA1 31b24557f3a38fc2a6fac2356b9c84560f5a7eb4
SHA256 55e4055a761f6de72b67f65a7a9ef4aa904be7dbbd414dadfa1c2924f1f1c73d
SHA512 d615075db7f6b5019f04a78c7b8fcc090176821e5280be486cb5bc464fd7640db7c5ed3dfb9bbd807ac31b165945b7d49b4cc6fc0fce712f5f290c4b70f056e5

C:\Users\Admin\AppData\Local\Temp\Trials

MD5 b61d86bf3beffab4d100c221f8b5d505
SHA1 7aaf57112aaddb0e6bda53e9881f88806917b44d
SHA256 544daa4eebc82abd4e6de0db4d74eaac30674206bb24249dad032a5440a9ed0c
SHA512 d0a40173e2df3569aaf25b5747b583651ef2c0eb54e0be79e71244cf9e7fecfa705f835d7dea2c97f2cb9f9523f9f8712f7b60ad1cd0a0dd43ae4dcac010e6fd

C:\Users\Admin\AppData\Local\Temp\Costs

MD5 e2da627e46f2a55408826eb2594fb43b
SHA1 c19e0b76395ef2925773aebc0a50a321767969f9
SHA256 ebb816fcde52ecfa80be03363350a879aa8d01a894ab4a920fe77185e74e561c
SHA512 5329a74fe6b7f76742fda2cb83d26fc7201da7cf8e473a4124c5976351d3df520ab001f8caeef809f6f16314ad722bd0329470745b5f7bee436235f682639556

C:\Users\Admin\AppData\Local\Temp\Min

MD5 84b5cbc02b6784b589a1e732fab2eb11
SHA1 047cf1a36b734bdd2dd6c6be37e31c57eb801bed
SHA256 99a173e0ef78baefcf23c7e91d3420bd337d3cbd6f5438247108f99bdbca2314
SHA512 cae10222a0aad3771afd4d048d975fc7e187fc470bdb0cb1eba96eb8a7e4a6b03a00ad5ff1a8fcd0ff07ac3232fbdd8f0f28076b3d61950218ebfac8991e019b

C:\Users\Admin\AppData\Local\Temp\Level

MD5 a4dadb8a544a089b4aee4a5748aaf235
SHA1 0104d996bec6261067d544dc3350e00708be80bf
SHA256 9ea4dba08ff6119c3f8615527df474e335d54c07c010498eb9b4490e5a9e5c2c
SHA512 63ba6ea32f27bfcbb698e10d8709a841046a72a2bf78f26ea8d3a4b862dfd3aee1d416cec22b5c79b34a2c2bb5e5f2da1020889f1c9b6143f0a4f9bf6e9af71e

C:\Users\Admin\AppData\Local\Temp\Spirit

MD5 45b7c6db4c4212296c0f409e050f497f
SHA1 085ac7a8e2a695186cfe5c43a3e6db58588f91ce
SHA256 f55b826fa11826340d240a7df59c94c3ae34bc2b209a54ec6c19757ae8b0f1a2
SHA512 65ddef8c13450a27cb55ab4fde8da3b5526547f704950bd85c3854d223ab22624e5d11c08750baa5e603a9ef7254fdd6a9209548dbba824577c8b4ab6d304c0d

C:\Users\Admin\AppData\Local\Temp\Beach

MD5 5941c44b1fc2813ab474e88e9106c241
SHA1 a328363081d9ffd7e14413ed7cd7af75b3d42368
SHA256 661b5c7db73b2a3e8b9a20e7b54d26b73b8a3463b9387d8675d399fd1a8d8bad
SHA512 19b0d470bcb7b19ad589231f6d03db62eef4e66b3eb8d0d87a4c1dce20bad8f404ecb703250f55e8bfdc1429d59008524a5f687c47e36504b68fd70a281cb427

C:\Users\Admin\AppData\Local\Temp\Penguin

MD5 888388580b16210569adcef464f2327e
SHA1 3c98fa3319589c23e26e11b078072ebaa5de1b76
SHA256 b6903261df9e0ea6aa198c7e7b41472057fe22d751588c115ec938d3e42dfc13
SHA512 288ccbac5cc5db5127a9d280ca4771e136396a98a1ac0ce601ac2e688a15e00507f00db84689a99ee1a649ec0774eeb4b522374c41b8983a8a7bdf2c3089e2f1

C:\Users\Admin\AppData\Local\Temp\Connections

MD5 1bf949f7fd95cff659a03139086f7d87
SHA1 b712712a2944c32875c48d010a3301188ba90d14
SHA256 7d8ad83805f6d996e0dd9fd6f41c4f4195049dc1dbc836a0c524e68685e8cb49
SHA512 a66c1abad745ae88b1a94d94c2a4a1e7a37985d19fe9d36efdc9ec1aaa2883a5409c91c0b37c901864d72ae616da86cfdabedfb0ccfa695804fc0715d1ac5130

C:\Users\Admin\AppData\Local\Temp\Volleyball

MD5 24e47a1999e17f9f0f259fcdacd4df25
SHA1 ed7c655c0c386eb7dd63613a1004b9425e2d7977
SHA256 ba73de3122a0bf1c500b19be79793b7fe18a28db957524e6e85f48953f453007
SHA512 63066255479c7cd33bdae5571eb27c608580290a14fa5804f78748dd4d0f787794009cd085f3f30b4f9e068e233a1939390f1ed0550e4bd8d28d9a2b4e09f8ea

C:\Users\Admin\AppData\Local\Temp\Ali

MD5 716407bf663adacaef5d04814488026c
SHA1 12499ea9481fb26bc58ab34f1295d83d5855b424
SHA256 04f0ca51092b541a82289d054ada19e52c40da4434b827f03b6b7b70766abc30
SHA512 84bcd384bbd5dd4535015e82a1ed799135d86633ccfebad36f0f399e2e1b02c140259e223d18c81e6b4bb8d1f774b7b03d7e30acb2ec6727b39de79363d8e98a

C:\Users\Admin\AppData\Local\Temp\Miss

MD5 0829f71740aab1ab98b33eae21dee122
SHA1 0631457264ff7f8d5fb1edc2c0211992a67c73e6
SHA256 9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47
SHA512 18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

C:\Users\Admin\AppData\Local\Temp\Broker

MD5 4a73cbddfd3263424187b29dd0356182
SHA1 c14e63ee586e70134fa24432b6d3966ff483b78a
SHA256 6090a3dc60ec7a84c1c946c62c024b422c6bd116fd15d763e9fe59072b838627
SHA512 ff03ffe59016a8f1b08c0fca64a29a748034d4f5933e36b1e5d359a9b60e5499f2575ce9e1bccf80dd368c20c4f38fbd3f3425c1ef799dd993076c67fa0e32e8

C:\Users\Admin\AppData\Local\Temp\Initiative

MD5 68d718bc0a5b98e7003a1ee5dafe1210
SHA1 6b0c348a4ae6e734de65a05649ec18e9ba183e7d
SHA256 15f7faefcd8d2c2aceaf1da0f3b8b5ac7db4d868eced2b999ccc42bb579f83c4
SHA512 086873e11b7083afc236aba4d817b638f40df25b5bc4af50963d0fc01808735c60b54d6cbb56e11624cc61309ae95b0ccf906a487051f98150fef0fbf75c7252

C:\Users\Admin\AppData\Local\Temp\Mauritius

MD5 ba27e2d8c8494f275c741457bc15f533
SHA1 42468740d544b6785068d47f4587b36109b6f519
SHA256 1beb1b2c2af505ac359cf66ee6895b645480238bd5f40cee072fc85b0019f24d
SHA512 96f48e59f26b89564269265a3acd29ba5645ffdbe153e3c4fbaad84785bd97ede9a49931d0c3ae909fc27e18e680bf7f879ad5332183e706ce58f1da79300aa6

C:\Users\Admin\AppData\Local\Temp\Camel

MD5 7d82d3900c8ba40cf122071c37f0cf9c
SHA1 0008970f1a960a8fdfe55b678a5f9b45048f8e0e
SHA256 af9abccf8d3abc3abb9820f19e7aa6bd603d1f47ce5a7aba58a2b5e5e55ed7cf
SHA512 efd0d18903d1cfb9d1bd3b6103924a743bd8da38c2e00a9367f079ea5140f5df6b82d424aa2129e0e095bc48eaf038f89d90db23fb914723ca9b4cfce48a5a87

C:\Users\Admin\AppData\Local\Temp\Salvador

MD5 c9bdd9c82c3ed58946eba402b537c847
SHA1 9564a227f3950a0898437476c224886579369678
SHA256 600d9d7edda40ee5bf3c6bee9987b2c288f547c33637ef72a23a831708f4dfdb
SHA512 ff40cc3cc18364bbf7bdde8f525b7bc23e669513c743d8acf58b45671c119aca279a554727c1e200cc146ea90ffe19330a65bb992065c820520bafd475a0a6fa

C:\Users\Admin\AppData\Local\Temp\Al

MD5 2332eef605c2bf44201d0f839155b887
SHA1 bb92bc1b42b4d1799c0c7f551a04137ffa280c69
SHA256 521a256a47610774a9eb2fa85441789d7e595ca9f662e074042ec9df12fa66f3
SHA512 388fe1ea427cf3c4b3b85e22ae8e6bf034f457682fba6b0ab82a113a2589754d1b1d8d6fbddd70f79f007036b3bc7750c89d190fc96ff70dd3ce4f97724e47aa

C:\Users\Admin\AppData\Local\Temp\Urge

MD5 b4164811733d945f464aded1dcd862fa
SHA1 238bfcc1dca54e80ababa6676d21bf12894ecba5
SHA256 755f1572c8f0e5e9ef789774dace4faae388fbd4380c5f99d5f073009fdbed01
SHA512 d4ab05cdedc215e6185b7b959e1951011346345071c69f3237c2fd0a0eefd4e8c0a792538b5d1e2a5ab8e8c2598ace162ed66be0bb94f10de7aa49790facc727

C:\Users\Admin\AppData\Local\Temp\328159\Prototype.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2536-365-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-366-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-368-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-375-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-377-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2536-376-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-390-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-391-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-399-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-406-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-416-0x0000000000C00000-0x000000000134A000-memory.dmp

C:\ProgramData\HDAFBAEBKJKF\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\HDAFBAEBKJKF\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2536-417-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-439-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-440-0x0000000000C00000-0x000000000134A000-memory.dmp

C:\ProgramData\JJJEGHDAEC.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/4652-463-0x0000000000A70000-0x0000000000F83000-memory.dmp

C:\ProgramData\FIIEGDBAEB.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/4264-474-0x0000000000DC0000-0x0000000001008000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13d94425

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/4264-480-0x0000000072B30000-0x0000000072CAB000-memory.dmp

memory/4264-481-0x00007FFAAE4D0000-0x00007FFAAE6C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19983b57

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/4652-487-0x0000000072B30000-0x0000000072CAB000-memory.dmp

memory/4652-488-0x00007FFAAE4D0000-0x00007FFAAE6C5000-memory.dmp

memory/2536-492-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-493-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/4264-495-0x0000000072B30000-0x0000000072CAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\170befcb

MD5 3576c86111170e5c2bc01ef20b645a55
SHA1 bde323d286ebdbbfb25e32a7d3f7d64919944bd3
SHA256 3ec33f7e0d30962dd52b1019b0d4cd6d6229711c0088605534979d1d05669bb0
SHA512 a96f530ff47da3a31e2beb5311e12dc9c99d5a7b856f070c47aa479b4ac15514e7bc0f00aa4d28d2fc0a26b111cd1532d4d011dcd629d2c815ad93aa7177358b

memory/4652-498-0x0000000072B30000-0x0000000072CAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1b79c271

MD5 a6981f0c612d930708c1e5c7f3d6a4d6
SHA1 e281261df24f227a762025b57d5fad57652d2ef9
SHA256 56c6233aafc352a89e9171eeca1f802c7bba5635bd92279645fec0e8d5ec8c9d
SHA512 23da2f19be2157f76bffa15c3118f4c64595b019ac141a42594c54762faac56bd55b387d8e01b36e873d50a1d85701730d45447e0eac672ba93d8e5604b4ba17

memory/2536-504-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-505-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-506-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/2536-507-0x0000000000C00000-0x000000000134A000-memory.dmp

memory/4860-512-0x00007FFAAE4D0000-0x00007FFAAE6C5000-memory.dmp

memory/2312-517-0x00007FFAAE4D0000-0x00007FFAAE6C5000-memory.dmp

memory/4860-518-0x0000000072B30000-0x0000000072CAB000-memory.dmp

C:\ProgramData\HDAFBAEBKJKF\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\HDAFBAEBKJKF\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\HDAFBAEBKJKF\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/2312-533-0x0000000072B30000-0x0000000072CAB000-memory.dmp

memory/4428-537-0x00007FFA8F400000-0x00007FFA90A77000-memory.dmp

memory/1048-540-0x00007FFAAE4D0000-0x00007FFAAE6C5000-memory.dmp

memory/4428-541-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1048-542-0x0000000000C80000-0x0000000000CF1000-memory.dmp

memory/540-548-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/540-550-0x000002855FE70000-0x000002855FE90000-memory.dmp

memory/540-546-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/540-549-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/540-551-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/540-553-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/540-552-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/540-554-0x0000000140000000-0x00000001407DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 baf343d633d8301ab692e96473167bbb
SHA1 cbbb9f4986f2d7d9e7895a4274679d338922dbd0
SHA256 5bdc1a7392fb5bc434f13bab852a82142aa06ee49fbe41c11da56b9e53713d8c
SHA512 711c001c5491ba98bb9ca4582dc2460f3461357117bbdb1c4923dd861fa2a9592fb26459f36ce89c89ed1fca09a52dab9f64b280503e1078dcf8c13e779e2865

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 1e49c49df1e9bb5a3646fbdd72fff72d
SHA1 ca3b2f92797030ad96341c5551812e679e9746d3
SHA256 df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
SHA512 b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d

memory/3792-570-0x0000000002440000-0x0000000002476000-memory.dmp

memory/3792-572-0x0000000004FF0000-0x0000000005618000-memory.dmp

memory/3792-573-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

memory/3792-574-0x0000000005690000-0x00000000056F6000-memory.dmp

memory/3792-575-0x0000000005770000-0x00000000057D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjga3f1m.lrl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3792-585-0x00000000058E0000-0x0000000005C34000-memory.dmp

memory/3792-586-0x0000000005D80000-0x0000000005D9E000-memory.dmp

memory/3792-587-0x0000000005E10000-0x0000000005E5C000-memory.dmp

memory/3792-589-0x0000000006FD0000-0x0000000007066000-memory.dmp

memory/3792-590-0x00000000062B0000-0x00000000062CA000-memory.dmp

memory/3792-591-0x0000000006320000-0x0000000006342000-memory.dmp

memory/3792-592-0x0000000007620000-0x0000000007BC4000-memory.dmp

memory/3792-593-0x0000000008250000-0x00000000088CA000-memory.dmp