Malware Analysis Report

2024-10-23 21:42

Sample ID 240906-b7j2eszera
Target daisy's destruction.7z
SHA256 1999d63ff6c6410393142abcaa016a13a1e584817eade724d90f289ec619d1a8
Tags
redline stealc vidar default leva logsdiller cloud (tg: @logsdillabot) w9 credential_access discovery evasion execution infostealer persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file daisy's destruction.7z was found to be: Known bad.

Malicious Activity Summary

Detect Vidar Stealer

RedLine payload

Stealc

Vidar

RedLine

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Downloads MZ/PE file

Creates new service(s)

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Identifies Wine through registry keys

Checks BIOS information in registry

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Power Settings

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-06 01:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-06 01:47

Reported

2024-09-06 02:08

Platform

win7-20240704-en

Max time kernel

74s

Max time network

1189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A api64.ipify.org N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SourcesShowing C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\BehaviourVibrator C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\AtomBoobs C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\AntarcticaTucson C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\WonderAvailable C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\DecreaseHands C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2400 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2400 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2400 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2400 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2400 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2400 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2400 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2400 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2400 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 2212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
PID 2212 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
PID 2212 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
PID 2212 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
PID 2212 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe
PID 2212 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe

Processes

C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe

"C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 799275

C:\Windows\SysWOW64\findstr.exe

findstr /V "TransformationComponentBrideInvasion" Calculate

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

Saudi.pif O

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe

C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe

C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe

C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe

C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe

C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe

C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe

C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe

C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe

C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe

C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe

C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe

C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe

C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe

C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe

C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe

C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe

C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe

C:\Users\Admin\Documents\iofolko5\qi866flZxG1ikcUHB9kpnJgi.exe

C:\Users\Admin\Documents\iofolko5\qi866flZxG1ikcUHB9kpnJgi.exe

C:\Users\Admin\Documents\iofolko5\An3F1TbHnH_2dNMOncuz2wrt.exe

C:\Users\Admin\Documents\iofolko5\An3F1TbHnH_2dNMOncuz2wrt.exe

C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp" /SL5="$90122,3387544,54272,C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe

"C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe

"C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe"

C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe

"C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAEGHCFIDAK.exe"

C:\Users\AdminAEGHCFIDAK.exe

"C:\Users\AdminAEGHCFIDAK.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCBGCBGCAFI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe" & rd /s /q "C:\ProgramData\EBFHJEGDAFHI" & exit

C:\Users\AdminCBGCBGCAFI.exe

"C:\Users\AdminCBGCBGCAFI.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VIFLJRPW"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VIFLJRPW"

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-06 01:47

Reported

2024-09-06 02:08

Platform

win10v2004-20240802-en

Max time kernel

441s

Max time network

1171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api64.ipify.org N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3288 set thread context of 4516 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WonderAvailable C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\DecreaseHands C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\SourcesShowing C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\BehaviourVibrator C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\AtomBoobs C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
File opened for modification C:\Windows\AntarcticaTucson C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4212 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4212 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4212 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 3188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4212 wrote to memory of 3188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4212 wrote to memory of 3188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4212 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 4212 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 4212 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 4212 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4212 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4212 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3288 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 3288 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 3288 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 3288 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
PID 3288 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

Processes

C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe

"C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 799275

C:\Windows\SysWOW64\findstr.exe

findstr /V "TransformationComponentBrideInvasion" Calculate

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

Saudi.pif O

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 fOBoUGVOdhpeJ.fOBoUGVOdhpeJ udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Desktop

C:\Users\Admin\AppData\Local\Temp\Calculate

C:\Users\Admin\AppData\Local\Temp\Grad

C:\Users\Admin\AppData\Local\Temp\Evaluations

C:\Users\Admin\AppData\Local\Temp\Kansas

C:\Users\Admin\AppData\Local\Temp\Monkey

C:\Users\Admin\AppData\Local\Temp\Cookies

C:\Users\Admin\AppData\Local\Temp\Frontpage

C:\Users\Admin\AppData\Local\Temp\Ownership

C:\Users\Admin\AppData\Local\Temp\Thu

C:\Users\Admin\AppData\Local\Temp\Momentum

C:\Users\Admin\AppData\Local\Temp\Nvidia

C:\Users\Admin\AppData\Local\Temp\Kits

C:\Users\Admin\AppData\Local\Temp\Statements

C:\Users\Admin\AppData\Local\Temp\Take

C:\Users\Admin\AppData\Local\Temp\Earlier

C:\Users\Admin\AppData\Local\Temp\Presentations

C:\Users\Admin\AppData\Local\Temp\Runs

C:\Users\Admin\AppData\Local\Temp\Deviant

C:\Users\Admin\AppData\Local\Temp\Indicate

C:\Users\Admin\AppData\Local\Temp\Award

C:\Users\Admin\AppData\Local\Temp\Engineer

C:\Users\Admin\AppData\Local\Temp\Ty

C:\Users\Admin\AppData\Local\Temp\Feb

C:\Users\Admin\AppData\Local\Temp\Ads

C:\Users\Admin\AppData\Local\Temp\Sounds

C:\Users\Admin\AppData\Local\Temp\M

C:\Users\Admin\AppData\Local\Temp\Logan

C:\Users\Admin\AppData\Local\Temp\Pixel

C:\Users\Admin\AppData\Local\Temp\Atm

C:\Users\Admin\AppData\Local\Temp\Ports

C:\Users\Admin\AppData\Local\Temp\Ireland

C:\Users\Admin\AppData\Local\Temp\Chance

C:\Users\Admin\AppData\Local\Temp\Stewart

C:\Users\Admin\AppData\Local\Temp\Puzzle

C:\Users\Admin\AppData\Local\Temp\Milf

C:\Users\Admin\AppData\Local\Temp\Basics

C:\Users\Admin\AppData\Local\Temp\Invitations

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif

C:\Users\Admin\AppData\Local\Temp\799275\O

memory/4516-84-0x0000000001440000-0x000000000161F000-memory.dmp

memory/4516-85-0x0000000001440000-0x000000000161F000-memory.dmp

memory/4516-87-0x0000000001440000-0x000000000161F000-memory.dmp