Analysis Overview
SHA256
1999d63ff6c6410393142abcaa016a13a1e584817eade724d90f289ec619d1a8
Threat Level: Known bad
The file daisy's destruction.7z was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
RedLine payload
Stealc
Vidar
RedLine
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Downloads MZ/PE file
Creates new service(s)
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Identifies Wine through registry keys
Checks BIOS information in registry
Looks up external IP address via web service
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Power Settings
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Modifies system certificate store
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-06 01:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-06 01:47
Reported
2024-09-06 02:08
Platform
win7-20240704-en
Max time kernel
74s
Max time network
1189s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SourcesShowing | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\BehaviourVibrator | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\AtomBoobs | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\AntarcticaTucson | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\WonderAvailable | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\DecreaseHands | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe
"C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 799275
C:\Windows\SysWOW64\findstr.exe
findstr /V "TransformationComponentBrideInvasion" Calculate
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
Saudi.pif O
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe
C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe
C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe
C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe
C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe
C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe
C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe
C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe
C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe
C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe
C:\Users\Admin\Documents\iofolko5\qi866flZxG1ikcUHB9kpnJgi.exe
C:\Users\Admin\Documents\iofolko5\qi866flZxG1ikcUHB9kpnJgi.exe
C:\Users\Admin\Documents\iofolko5\An3F1TbHnH_2dNMOncuz2wrt.exe
C:\Users\Admin\Documents\iofolko5\An3F1TbHnH_2dNMOncuz2wrt.exe
C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VUQ9H.tmp\ZxsDXXrM9OIe_zneFxLM655G.tmp" /SL5="$90122,3387544,54272,C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe
"C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
"C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe"
C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
"C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAEGHCFIDAK.exe"
C:\Users\AdminAEGHCFIDAK.exe
"C:\Users\AdminAEGHCFIDAK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCBGCBGCAFI.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe" & rd /s /q "C:\ProgramData\EBFHJEGDAFHI" & exit
C:\Users\AdminCBGCBGCAFI.exe
"C:\Users\AdminCBGCBGCAFI.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fOBoUGVOdhpeJ.fOBoUGVOdhpeJ | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | file-link-iota.vercel.app | udp |
| US | 8.8.8.8:53 | 240902180529931.tyr.zont16.com | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| DK | 46.29.235.52:80 | 46.29.235.52 | tcp |
| RU | 176.111.174.109:80 | 176.111.174.109 | tcp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| DK | 46.29.235.52:80 | 46.29.235.52 | tcp |
| US | 76.76.21.241:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.241:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.241:80 | file-link-iota.vercel.app | tcp |
| CH | 179.43.188.227:80 | 240902180529931.tyr.zont16.com | tcp |
| US | 76.76.21.241:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.241:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.241:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.241:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.241:443 | file-link-iota.vercel.app | tcp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 45.152.113.10:80 | 45.152.113.10 | tcp |
| DE | 77.105.164.24:50505 | N/A | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 147.45.47.36:30035 | N/A | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| FI | 95.216.107.53:12311 | N/A | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| CZ | 46.8.231.109:80 | 46.8.231.109 | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DK | 46.29.235.52:80 | 46.29.235.52 | tcp |
| US | 8.8.8.8:53 | gacan.zapto.org | udp |
| RU | 45.132.206.251:80 | gacan.zapto.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 172.67.146.35:443 | condedqpwqm.shop | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| DE | 116.203.6.46:443 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Desktop
| MD5 | c02234632af315d6f7836aa9384a0c73 |
| SHA1 | ac31913f0d0a359447bbe3f2975137662c38f980 |
| SHA256 | 5cdce3385e52af077cda84889bf670ecae40075017493c7c5fc949b4c5872bd5 |
| SHA512 | 0b65fc6f024a67984f6cd48710ef2ceddf8a9c49c2d9d9d42c95b46f77d8e9f72b41b75d213cb4f38ea0f64bcfd346c3eb5641b48629eb6141a8870e0c613496 |
C:\Users\Admin\AppData\Local\Temp\Calculate
| MD5 | 20db8abb0b58bfce2d12ff899e819402 |
| SHA1 | 75deb5a682ba679460c177cf1e01d3a8d0306770 |
| SHA256 | d4f1f749b022682097ac05deef61b6a78d78bd7aa8829209fb0b057f082cbd03 |
| SHA512 | bfb2e8579ab90ae5a46f9246048ecba231150fccaa4107afc9bfa243d1a43b2ceb8baf85d5a88cd338b5986b8f4c6141eb5777c9f7299371f8a73a9fbf5dc246 |
C:\Users\Admin\AppData\Local\Temp\Grad
| MD5 | d4f9f9bddbc23ec4b089e8c8b9552141 |
| SHA1 | 087a35fad96b427ad23eb86fcaca77270477b754 |
| SHA256 | b3733786e1a273f7da72579b4a26c10a8b569219c765c09ca5a4170e4b83321a |
| SHA512 | 9eea0909dac7fd0fdaee5864ff247844f4a9b690057e5ab82fcac98959b03af75229c622e46a97b4fd916055c0f65f6ca1610c4d4f396a83815977d85b9102e9 |
C:\Users\Admin\AppData\Local\Temp\Evaluations
| MD5 | 3d738ac6cfcadcdacceb6a1f7339e48b |
| SHA1 | 3340454640e8900a07dedaed6d92de5e560bb098 |
| SHA256 | c490ec35c8d09289bbe6f81df6abb99317d63ba950f36fccd96a122045e24e91 |
| SHA512 | a89daf894e21a31d7f0c63b4ba86b1f92f7b3a37dba37283d203c20ea2f34a6ee9a23716d442e8b70da234236d4b8fd4a29b6dc99c3285fc4071a3f6add807b0 |
C:\Users\Admin\AppData\Local\Temp\Kansas
| MD5 | e5863b510e4b784dd5c92aaec8bc6cd4 |
| SHA1 | 7cc1404717757a2f729f71ca010072ef403d370e |
| SHA256 | 58288091bddbde712eae66ecf92c078dad75d19892055c6de942fdecec26eaf9 |
| SHA512 | 366bc746917db2141f8fb6e00f6528c0026710ec42c4e9c6e1d3dd170a1b05a18814a5a10df7a565355b3515eea404a71c82aa77db164b114b15dcfd969df3cf |
C:\Users\Admin\AppData\Local\Temp\Monkey
| MD5 | 366da4e20f6973a658850d0cb0560140 |
| SHA1 | 7463be54871d0a728a36d955b5e4b4935f832539 |
| SHA256 | 2fdc969a47a50f3260018e708fde26e93c2b8b9b56a5f2d1e75d8ba2fcc0dbec |
| SHA512 | fa733e99ee72c39b643f9db1594c73f4928b9aa7a1f0b543409a16de7fb7ecfff26c3e2f0070a1c386f3ede03c214371fcc968231f6c969b23c063257eed4e83 |
C:\Users\Admin\AppData\Local\Temp\Cookies
| MD5 | c8f43801d3fea6fa84b15e661eb57de8 |
| SHA1 | 748e0ee1c29144374e89b7912134e1c9511962ba |
| SHA256 | e0d1ee2e3cffccc5f3732e19557959c0d39603d011f8cbcbbb56f0d9dc7ff30f |
| SHA512 | 3b51abd920843e33d702f7104a42b738e3605f7d65b0c5cebd6649563ddd4ff451d050f5b1acb5118f25066cde3cc6d44a472ae59edfb7daa1b64f705f90a5fc |
C:\Users\Admin\AppData\Local\Temp\Frontpage
| MD5 | aa6a8c0dae15c0f592500bd8facad795 |
| SHA1 | a3464148458fa47000a922610613ec4566251632 |
| SHA256 | 23404b7a1724c8c224fada5a0c7429cdd0a62f3b17e5c45a913ae1b0b1a77f65 |
| SHA512 | c617859708e14b35ef4280c57a814ea6e0765b3499e32d4a014d871092f5d62ad8c416a308cd07475642fc1656d24839fba094ad4c7e604feafd276487207e32 |
C:\Users\Admin\AppData\Local\Temp\Ownership
| MD5 | 2720a96bfc6c052ffbee90eddd29b91c |
| SHA1 | b707906e1c6327d91da83b2637de9b526ce8421d |
| SHA256 | 97bf82b8f22ce2f8ca3fb29a5a8039e9b679655c62077cd1465bd0dd4baaa061 |
| SHA512 | 9a7817a69f7240e0d8db0447ea0382ed6d0c9741471b4e242fb92447a6bc447bdecfc672664ed924128f3d632821f03a05798c3ca74d91268a955e0e5a228d4a |
C:\Users\Admin\AppData\Local\Temp\Thu
| MD5 | 3f9e5757f9c3ef75e75310416c72c35f |
| SHA1 | ae7449c0c4f3f0ca5480ad391219ba989d2e0dbe |
| SHA256 | f656b202b7682064680a2b3b7e4305ef8b378aea601ae7530db148bb6f9a6400 |
| SHA512 | ecaefaa239cf44306134b4618e1d82b80e6ade1f58583c9098a0ed3fa219fe6a87b9af977062d3f654dca1618256a132c80d7aad579b66affa6836c2be64c8df |
C:\Users\Admin\AppData\Local\Temp\Momentum
| MD5 | 98eff6fdbaf188ff8bb9c230612e7ab9 |
| SHA1 | 4c55318bcc31980134c5455b7f736522481e7865 |
| SHA256 | bf06e2f8f8e360f5e8fd7cd39ee631cf2156d7d67e45c54e6ac3638117c30c84 |
| SHA512 | 9b928a550ab978609323b41b0da1f8018a980c3fa50658fd3ce74ce888a2fb6880a480e844c7c9be3921f478fc06cc0e4a6e87c5cfbda6d5cd2ddcb5331eafd8 |
C:\Users\Admin\AppData\Local\Temp\Nvidia
| MD5 | ca2b98b4b4bdfcc2ffb39176fc62faed |
| SHA1 | 44b13597a8c63849fc318ea82b612a3b48714514 |
| SHA256 | 6d0392db8f087952b0e8f81a6beec3b6d888272b4ebf0d55b6736d04c4d2b0bf |
| SHA512 | 5c7b466a4bf02882566a05294acc9d8057340ff420f62a08d509e9d229765b3735e425268ae16147d6ca64e65e0285701f3edef6fcfabbd87b4a6973157d78be |
C:\Users\Admin\AppData\Local\Temp\Kits
| MD5 | f30d40c6dc021747ec711cec5c540c67 |
| SHA1 | 3a59f151d44058c609b987847d192509df506abe |
| SHA256 | da25e600fb5b831ba7e9ea97922aa93e39e48918ff1ef73bbcc8fc9637811a05 |
| SHA512 | a4ec445f8776cead5a23ae85932dd21f56d394323455e4be28a78c12fefe7d7e3b8859dafd7e1a7aeb5abab5cc53de249ff1b9597244a98215a0b267feb0bd80 |
C:\Users\Admin\AppData\Local\Temp\Take
| MD5 | 57668416f8e93c60f4abb89d1c517ce4 |
| SHA1 | 6d2b23395aecfc9ee45cbd69469e946b77eaf3a2 |
| SHA256 | 0e8cb087ea27ae4af9360c478822260600d9af234ca0e9521f5b05904142705f |
| SHA512 | da7e61d9cd89886fcfae4f406e983622d2ecb5714b9398776e65da24f7c91d43915aa1e6e8a45a9713d3865a8be0f15ff2bb34dc45643158c3cf8c7e0395f354 |
C:\Users\Admin\AppData\Local\Temp\Statements
| MD5 | 8f7b991c8211319025ab7a549f997d41 |
| SHA1 | 28f6af2157090dddf26ac677410409904e3e4c21 |
| SHA256 | 21297aa5fab44bb0d2a1fd086b7c1bb9540147ac886d961ad194d1658da94431 |
| SHA512 | 84c641f39b28fa8fcc4a7066aef3bacbba9aa6d1fd77610a1db17ed89fab77532e1eaf9336fe9509ac2fc1dadb7c8a2804b6ef8967daba9100379e0d11d1ab75 |
C:\Users\Admin\AppData\Local\Temp\Earlier
| MD5 | b91d435bbaffb5687bfe3058658285bd |
| SHA1 | ea435f4c116ded230376706c569d8daa900bbd89 |
| SHA256 | b35b27d72e588627174ca07464955396575af36e24e4e546d78309fc7add3b5e |
| SHA512 | 2d97ee33e25517f1d9c1a6d1a6894d077a9e8c9e2696ebc4b5b9ec68825e9c84c7f01e115dbc930829759038da7121e3fd56aa67b00d9cca300ecf7a86a077de |
C:\Users\Admin\AppData\Local\Temp\Presentations
| MD5 | 67757b0d30bede0af4631b56ff072809 |
| SHA1 | eb6735867fe0f5f9ffeb42a2372799cdf1e364bb |
| SHA256 | 860014b58934b74971388c4fa01f3bc0eb90c424e689f4df009521d162bd5924 |
| SHA512 | b82c3fdaa1906b57d92286ba345bdf0a84aa56d5e9c59f79f16d6167cb8accb37001f5223f712d39321fad70cb26b71da34cc9703df4082aa80d679afb541df2 |
C:\Users\Admin\AppData\Local\Temp\Runs
| MD5 | 35f48790b74e042b3edb9b34e3a5f8fd |
| SHA1 | 8006268733957ac11d3af06856388ee6b84739ba |
| SHA256 | 3d98ae96420747ce126d7fe2f1e9b210de27ad38f4802e9a42b390429a1697dd |
| SHA512 | 63a0514bac44b9d5ca60602cf8ea80fdfffa6733ec7ba13fee81736748050bb12d747b35368c7ed2a5364b34bd669281abf8c9444dbf36b092bf45605596be4b |
C:\Users\Admin\AppData\Local\Temp\Deviant
| MD5 | e48388dd9e0aedd98363a8ee899d31c0 |
| SHA1 | 4d08a1c34c2f83371c2324997f4d5d5c2b4f6f46 |
| SHA256 | 7f222b2266e5661b511c38253a06785cdeb4960d1ac50b8a2d2b44b3fd6ff783 |
| SHA512 | 52ad9ceef3d67b7a8abf450a208d166413a54c63d659b2f983c2beaf5b6f89e9dfd490a8569d1febb9e8e708c979bf247c9d14973b710a6b9c3fe8a05bce12be |
C:\Users\Admin\AppData\Local\Temp\Indicate
| MD5 | 616e36dba3e3e214ed1aee198167a4a6 |
| SHA1 | 2b0febf3b291c157ca3190aefc35722094da1532 |
| SHA256 | 946ea516a4ccf57c61daf07a0e68d12ff8c78c85265c87e0deef81bdf8f78c12 |
| SHA512 | 3b6e4fad2da9ef68f026f8489a459d56985c5591476a2f36d5d4c83c3b110a6e95b1d6401f29a6b45d7ee1dad4e18340e0792d6e3bd788bbbe4cadb276c6f198 |
C:\Users\Admin\AppData\Local\Temp\Award
| MD5 | 9ea019a50d3f99eda1ac5a023f5bfb3f |
| SHA1 | c2bcdb92b5591a8f81a58199752283bba61fe27b |
| SHA256 | f9b572b644728ae7766826fb9e23e4b697ed2410eba03932e38581a2b15a482a |
| SHA512 | 86a7287dcfa4309ca28804e4ab469758804dba43709465f8d7a341ef45be6df10e57d9851430c2864675fabded8244737223d6061a98ab03ee2e61b26a864de4 |
C:\Users\Admin\AppData\Local\Temp\Engineer
| MD5 | ff1d4e381695d48100a92e77680e3bac |
| SHA1 | ce7158b1618f1a4c4ce17f8e20500b038484120f |
| SHA256 | 8b6cdaec997e5d31133e0df353ff0f9f3171c81d61094fb368c3454680f9367c |
| SHA512 | 482f180801140f345726efcdddde9dc77ce695a48a27b3811fc8a043c450c4eef9364fc6b60e9a7675e0d7f16b511f2de54c649e22b716c5a4abdb4077922040 |
C:\Users\Admin\AppData\Local\Temp\Ty
| MD5 | 3260fe976c04ac1cdb493cd611b08005 |
| SHA1 | ebe4cc15f418825da444be729091c472e5b51c73 |
| SHA256 | 5494bb02fb31b7008904ae3398ae33e15a6fc8444fe4d7d06279b88e1b466e02 |
| SHA512 | 9959f975feceb743553f1daf8c6814181e361877d2aabc80127628e45c11c70b3fb5d55567c392e13c16626099b18411a99dc2f86fdec0556fa34e0072f521c5 |
C:\Users\Admin\AppData\Local\Temp\Feb
| MD5 | 55698cca8dba864e09d9464c67a38029 |
| SHA1 | 725f70b0e0c7fcdb2102351919206969274b6e66 |
| SHA256 | 37e40f3163834d1d135d24420c2b470a5d7ac0c7454ed5f3bcd47493dd843fe5 |
| SHA512 | cfee11b90e1d6f6f160a4323ce500d5683cc9c31ad1f107e20cab3ebd3f6e7d77e2c9b52b9ad854ea553cf67d261bfa85de2d82fe82b5c25f709f12a1120dca2 |
C:\Users\Admin\AppData\Local\Temp\Ads
| MD5 | a39632492bdd563525ff001f1b86f0e4 |
| SHA1 | 2f2adcb9e9c3d113cc0423ed3d6c5a92c87b6663 |
| SHA256 | 318f36657f1cd378d54e0076449141abd81b9342ed71069295f0b76286a97bf7 |
| SHA512 | 7182b63e5544c1176d71fd60e469fd8a4c4b32806ac8acc9405a4c06227dee52b86adfd7219f3a52179f42aa84fe7ff9bbcbea3c6503a543cb9c6498e0c48c0c |
C:\Users\Admin\AppData\Local\Temp\Sounds
| MD5 | 35451d20e34907863dc1efc7caa019fc |
| SHA1 | c15a690db71ac5f21fbf2186939c36c6caf87dff |
| SHA256 | 05586615c257451ffd0730829d376be051c505ea5e73525c9a3e539d5c1145ef |
| SHA512 | de3552af3ca3d90a846107cc7596d9f29ed75dcbe4308aa636952d662162d36b3b5e5b0c19739554fa68a3c39405dcbf07c5f28bfcdfb4bb50829048322f66e6 |
C:\Users\Admin\AppData\Local\Temp\M
| MD5 | 13c53091b190c9b9df321d61659721d7 |
| SHA1 | 183767c89c56082a91457774033a983e8821db63 |
| SHA256 | bc02e43d1e838339185c837c651861ec01cfa7da7195fe6fdc42fcb14ad08a4d |
| SHA512 | 7122035aa3f19c9f0a8a87db1ad3b20484f88cc681be9f9540813ab5e859b1fe9a39ab4aa3b8b1acc05b8ab5483170f31f0cc305ffb637c72b68505b0107d49f |
C:\Users\Admin\AppData\Local\Temp\Logan
| MD5 | cc16c91de5771b6bb13b0b0d3d1b36ed |
| SHA1 | 6153fce28df72327bb47fefc62881bf2fe2a8f04 |
| SHA256 | 6d0109dc4ac50969a74455ab3470e9ab1e1e9db36fba806086cde963c92deb05 |
| SHA512 | 9a5c6c11500cb30208392b32a4434ed8a6ef6a0016bb78c7fecd64bfcc7da3b1c5cce5e1c8148da122e2077de7a2f0e0466c2a74a3edfd678442d0f5bc6e55f0 |
C:\Users\Admin\AppData\Local\Temp\Pixel
| MD5 | b870a2f983186cda64ca0a0443fdbebf |
| SHA1 | 70cd2505beca64a15454723c8fb185562dfbb594 |
| SHA256 | 5d8b919ef4f7ba8aee86a32d1b5e23f1c3e67d8b16a5b75e0f6d68735d03af95 |
| SHA512 | bbd130c726fd439993673d2d577df8d79f938c914c17ecbfcec41341fca60d0afceb1d67d27b52d9c43490fc4213dd37f0353f901af99ca9db46016a5e386b45 |
C:\Users\Admin\AppData\Local\Temp\Atm
| MD5 | a6f61d79975cb2b509719c66141b6585 |
| SHA1 | 1be912e6a4ccb6ff68534c928d189d40f753da29 |
| SHA256 | 34f21e76ff95e314d32f4c57c02b9f1e127c60f5713ac90ff6b83ca89e722152 |
| SHA512 | 7c22142ef2d2da4cf54a74840a44437bd8fbdb0651210dd7a07785a7ccef5e743d4a5ca7032890f5c0ff04c02c75ed19076cf250c8789d4ab0e8bd3ea0259d5c |
C:\Users\Admin\AppData\Local\Temp\Ports
| MD5 | fa483b9a86de25df5b733f502e92fe7d |
| SHA1 | 67ade79afed62eaf24b814f4c1436fadbce363e3 |
| SHA256 | c02e0aa3ad116a6ec3d7ebc0572500135339beab871783efb8ce8f02fbeef7c2 |
| SHA512 | 4df99695dab8d8e0571d8a6d1bba5fce17c8d5bb6ce44e4151e99141589dba9e4715dbb72fce470dd386c6768863cca98ed4b0e79d53ce3f738b2a6e11a028ed |
C:\Users\Admin\AppData\Local\Temp\Ireland
| MD5 | a443cc49cc739f07a01f812c6df56bf1 |
| SHA1 | 39a16793a3bc225f4452ccd8d0aba365ee593278 |
| SHA256 | 07c18c7636b6fc4feab3263d4544a04fc8ac51162bee1ce9a8fcf08c3a22bb5c |
| SHA512 | 0fa9295754730beb47cb7e7a668ce67c5408eafab18151031046e5f814057c86da72d575925fb4b4634fc68a6fba50b3a298ec7cb4db4a9cc7d7049376d671bc |
C:\Users\Admin\AppData\Local\Temp\Chance
| MD5 | 350486fb745a1f810f0a28a53f0dddc5 |
| SHA1 | 580b192862da85a1a3ba1266f4d502298d5baf4f |
| SHA256 | 270ecffb55583dd2f0daf3d2d81e6e99a70926be93591295bb630deed46b15ae |
| SHA512 | 25747d567e6eb39a7b564b66839f9c7560e9fe052db73cc34f1212dc40a5164cc56fc906c084ce1731239484740b6935386aa10e02876ac03d5b79fc338fde1c |
C:\Users\Admin\AppData\Local\Temp\Stewart
| MD5 | eb8f36865f16229dc775e9c00a4ec3f1 |
| SHA1 | 824c6711705c7a75ce0a6904a38eabe7ddc6c7b4 |
| SHA256 | c3e3cf04f4501eeb37db51b7be288db941bc8f4497067a552af7b19aae1b17a3 |
| SHA512 | 701d8bce6354780e52abca6772fa43c55888d2bbd983a13dc7c95935d52f874903767a5b2eb12bb97fd58460099b6b52f25336f47f4ff0849d081c7c3a1d3940 |
C:\Users\Admin\AppData\Local\Temp\Puzzle
| MD5 | 8b88132864173b12be49544e452ea4b5 |
| SHA1 | 299d8a3805f9a10c7f0c78b7674bba340b784711 |
| SHA256 | 0b6dc43385223928d54f5d840d36c91564a36e7dc835fed0379f41fd4e646262 |
| SHA512 | 352ed7c2ededc87dae45708698d4b1e8d803fe9cbd740b0744be71e48d0a6e0612babaf0a688e90003173a433f787cbae7220495d23d42916fbb6a6130b7901f |
C:\Users\Admin\AppData\Local\Temp\Milf
| MD5 | 1166cd50a320b6a52ca5660cd3ef4940 |
| SHA1 | ec1ccbeeb4bd5e74d3254fe476f5caf8225d9d6d |
| SHA256 | f5297af98bce02876a971da5a312e0d659c43368bc8ca7bb4b6cc5a4469cd140 |
| SHA512 | d9e06782c54699776bb766a86c239d1a5b7c68c238241c9bae9023346ce20e509dd5f4a5c0ea3f6febe0db26ebb8d4f16d24c452b2b48452b727c589ff62c114 |
C:\Users\Admin\AppData\Local\Temp\Basics
| MD5 | 7aba05f59455b446e95576b9a5db9cef |
| SHA1 | 15913d78c6f4acfca103781b90c4ddda5e8748ee |
| SHA256 | 5379782cd93b84b6e0783423b774b3fea7397fb10190f3424da8d40d479a11ed |
| SHA512 | 10594d23452b38c99da659a1e6d1f4cb6e880ca499a209816457404e96c9d4cd529800f060529654d7acf9b37aff95739e650e33545dc48534cb1abb95269166 |
C:\Users\Admin\AppData\Local\Temp\Invitations
| MD5 | 327f5bdcd4541496d30a05f9a6fe842b |
| SHA1 | 9120d2cee8214f0d5ede22a7c65f99cd5f1183c3 |
| SHA256 | 235670fab1d55058a0cc9eac2ff09b047769095e22bd18ba43bb9319b6c20bac |
| SHA512 | 3b4de8192878451c7293803f30ff4452a7dbc2993860e7cfdda48556b062a84e5de8de44700d8d7bdd7c41f7ed96733f8425794bbd9b9de9fcf2b72d0cd4301d |
\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\799275\O
| MD5 | 24f255fd8532d15d5b371acecb54ee5e |
| SHA1 | e818d75277b108a6715af7aabf4151c6fe219dce |
| SHA256 | c0e7af5284a6f6928e46b2d35bd2f3e258227fed21284396df570b94c9aefdf9 |
| SHA512 | 4af6c424851c95fb17834558b7be61907415e312cbdcc1bc42cae4c739e5181aab5a49eeed4c41420dac6d8fb1d65dccab85677e6a349d56849f2685921bc11c |
C:\Users\Admin\Documents\iofolko5\247bPHuhmOaxs6aFsKmwjRHN.exe
| MD5 | b81ac0bd6737adc5d296e9d86491d9f4 |
| SHA1 | d03ebb99ec66922afde8db9d215951cdc0efb4e1 |
| SHA256 | 67e2d5803b527df56d0c9cede90c29aeecfd0b3910d45fbd46c26e6cbf0e8a89 |
| SHA512 | 5894b140ec2e40b070a5d116d8d021aab9e675f1280924b9b6d9545d8b2c2dfeb96b6cc8ad60b396ebf6ef4b946aa76addbd2d15cf97e5248976394b8d6068ba |
C:\Users\Admin\Documents\iofolko5\BS4sZN70R0Aj5jy4XAy9HtX6.exe
| MD5 | e600b6015b0312b52214f459fcc6f3c2 |
| SHA1 | 0e763e33524e467b46d27e5f0603cd2165c47fed |
| SHA256 | 65bb6281d63ad091f8b6b4d0c460d9d6c1631fe141fe15b23dc6d23a41e094ad |
| SHA512 | b1c1a68128c2cd75df9cb1d890358fd6bb85d9a62288468a19db3295cc25e6cb97c05fa0b5bc3b1dd2b88bd39b343ce5cd1494ca8ab56352c1e375e88fe7e464 |
C:\Users\Admin\Documents\iofolko5\92yaqUveSlGxIufvWHNlcK3i.exe
| MD5 | 20c0e4911043acdf83cd6f5818060b6d |
| SHA1 | b38d5071947e729ea05caa84958b515b53da5db6 |
| SHA256 | 656c58153302a82bdc4994a170163628f1aedd101b0efe6471b5af0d4173c1f5 |
| SHA512 | aece9c46c5274e3660016d2795ccc0eae9578fa40ec39679e8385398675fcfbc2d08d7ed105cbafb75ced2224ee8e76720e2bf41d2c25f4a7992fa245b71543b |
C:\Users\Admin\Documents\iofolko5\Q6uUoZRtjMCMBcHsAt8oTiGd.exe
| MD5 | 58d17a7cb2bcd54c13cf1449ddfb0416 |
| SHA1 | 025ceeafaa89fe4cf0f23d4786ec2b75202c1848 |
| SHA256 | 23de941b07e247e342a4828471f23379f7df9e8e0a3361bd5f4ba50bcc612f7a |
| SHA512 | 090fca739aa8ed3658dd805e72f86e2be4e534ca0a7864f0fa5652d6908d547add2bc1e8f30b599cf9474b6ab3f4972ac2de80a736f42df23380096bc171444b |
C:\Users\Admin\Documents\iofolko5\qi866flZxG1ikcUHB9kpnJgi.exe
| MD5 | f7ae445081e10267d2cec9b6b0e2d375 |
| SHA1 | e12892ea4d092e4b959617c6d00356ee23da0797 |
| SHA256 | 569edae4e4c7f5df590c7ee0a96210942e2be22be73beda9bc1528addca234f4 |
| SHA512 | 194a260edb0ce0d6c9b74484b55d64e8d593c990ca647acf4c24dd4b58abee0e586485fb06970557d83cc97159933b55a9fa3cc9316f52c28d86552aa039ab04 |
C:\Users\Admin\Documents\iofolko5\vxbeCHaKnUJNTX7aBJ1sgrqH.exe
| MD5 | a79fa370fdeecbb187f96558a76534b5 |
| SHA1 | 5ef78b7d2c21882cec551528c697f12abb1f8b23 |
| SHA256 | 8ed135aff12b760792f13be121120dcbedad95c2f927289bcb8ae73bc338bda1 |
| SHA512 | e9388634726560299fc31b1e181c5308ac94b31c0656c9d49e5042ca7ff5996b7068b6faf5d09da8b4f4ff3d9d287f54fa3ff79589d6975a161d855c9d9d4846 |
C:\Users\Admin\Documents\iofolko5\ZxsDXXrM9OIe_zneFxLM655G.exe
| MD5 | c883436a51137626711481fed4be79c8 |
| SHA1 | 57c7e6907219e8aae747f64343066963b57508b0 |
| SHA256 | 7e33a3b6de352650c44163c2ff989cad764017c508e13b240f783c08c736f2c5 |
| SHA512 | 8b6c00183876d0bd712e616fcb6db3f7d5ffae4eeeb25fbf6c0a17b725b44f82cf7e2e810404560ab2373cbaf053d7baa89aa999e6c0c59161cf1bf9ab1098b9 |
C:\Users\Admin\Documents\iofolko5\WxoRi98pynMg6RUopktWn7gW.exe
| MD5 | c4d092354c3f964ee1d9671f2517a6c9 |
| SHA1 | 838f3a4d426ea72c2f5cf8164f8ff4fc9e694a1b |
| SHA256 | 1814f8b1c1223b93e9b6ae699f7f8f25fb543ad511e349f39219a4ec222f4f05 |
| SHA512 | c162ff7f53b3a095e779369fb00546dc62dcadb4e394593b40522369add2532274232bad920f5a65ab07636ed544bfce239a42d959dfea01c7c19e2bbfedd5ee |
C:\Users\Admin\Documents\iofolko5\oA1r8FbmsN73vh5_yNrppCZH.exe
| MD5 | b5887a19fe50bfa32b524aaad0a453bc |
| SHA1 | cd1f3905959cd596c83730a5b03ceef4e9f2a877 |
| SHA256 | fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7 |
| SHA512 | 5b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538 |
C:\Users\Admin\Documents\iofolko5\YKJMM7p0zz7fCNq5BCqE0Kb7.exe
| MD5 | f10161c3acde4b7dadcd1eeddcf937f1 |
| SHA1 | ebf47c2e0916fbc430ddc8a90cdd1fe98112f979 |
| SHA256 | 445a933766bf381ebe8530e0795e22ab2bccace28291388aba99808e101e8230 |
| SHA512 | 5024f57f0bff356120598e7faa472c956d843d36a6d83d953c9a7345aee36a14d216f1bde61524a62a0dba4cb4fae4a67dcefaa0b2e8fa5526dfc9a218e985d9 |
C:\Users\Admin\Documents\iofolko5\An3F1TbHnH_2dNMOncuz2wrt.exe
| MD5 | 025ebe0a476fe1a27749e6da0eea724f |
| SHA1 | fe844380280463b927b9368f9eace55eb97baab7 |
| SHA256 | 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2 |
| SHA512 | 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799 |
C:\Users\Admin\AppData\Local\Temp\TmpC3FC.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\CabC4C7.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC5D4.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\ProgramData\GHDBKJKJKKJD\FBAAAK
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-06 01:47
Reported
2024-09-06 02:08
Platform
win10v2004-20240802-en
Max time kernel
441s
Max time network
1171s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3288 set thread context of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WonderAvailable | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\DecreaseHands | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\SourcesShowing | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\BehaviourVibrator | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\AtomBoobs | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| File opened for modification | C:\Windows\AntarcticaTucson | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe
"C:\Users\Admin\AppData\Local\Temp\daisy's destruction.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 799275
C:\Windows\SysWOW64\findstr.exe
findstr /V "TransformationComponentBrideInvasion" Calculate
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
Saudi.pif O
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fOBoUGVOdhpeJ.fOBoUGVOdhpeJ | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 82.139.246.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.62.237.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Desktop
| MD5 | c02234632af315d6f7836aa9384a0c73 |
| SHA1 | ac31913f0d0a359447bbe3f2975137662c38f980 |
| SHA256 | 5cdce3385e52af077cda84889bf670ecae40075017493c7c5fc949b4c5872bd5 |
| SHA512 | 0b65fc6f024a67984f6cd48710ef2ceddf8a9c49c2d9d9d42c95b46f77d8e9f72b41b75d213cb4f38ea0f64bcfd346c3eb5641b48629eb6141a8870e0c613496 |
C:\Users\Admin\AppData\Local\Temp\Calculate
| MD5 | 20db8abb0b58bfce2d12ff899e819402 |
| SHA1 | 75deb5a682ba679460c177cf1e01d3a8d0306770 |
| SHA256 | d4f1f749b022682097ac05deef61b6a78d78bd7aa8829209fb0b057f082cbd03 |
| SHA512 | bfb2e8579ab90ae5a46f9246048ecba231150fccaa4107afc9bfa243d1a43b2ceb8baf85d5a88cd338b5986b8f4c6141eb5777c9f7299371f8a73a9fbf5dc246 |
C:\Users\Admin\AppData\Local\Temp\Grad
| MD5 | d4f9f9bddbc23ec4b089e8c8b9552141 |
| SHA1 | 087a35fad96b427ad23eb86fcaca77270477b754 |
| SHA256 | b3733786e1a273f7da72579b4a26c10a8b569219c765c09ca5a4170e4b83321a |
| SHA512 | 9eea0909dac7fd0fdaee5864ff247844f4a9b690057e5ab82fcac98959b03af75229c622e46a97b4fd916055c0f65f6ca1610c4d4f396a83815977d85b9102e9 |
C:\Users\Admin\AppData\Local\Temp\Evaluations
| MD5 | 3d738ac6cfcadcdacceb6a1f7339e48b |
| SHA1 | 3340454640e8900a07dedaed6d92de5e560bb098 |
| SHA256 | c490ec35c8d09289bbe6f81df6abb99317d63ba950f36fccd96a122045e24e91 |
| SHA512 | a89daf894e21a31d7f0c63b4ba86b1f92f7b3a37dba37283d203c20ea2f34a6ee9a23716d442e8b70da234236d4b8fd4a29b6dc99c3285fc4071a3f6add807b0 |
C:\Users\Admin\AppData\Local\Temp\Kansas
| MD5 | e5863b510e4b784dd5c92aaec8bc6cd4 |
| SHA1 | 7cc1404717757a2f729f71ca010072ef403d370e |
| SHA256 | 58288091bddbde712eae66ecf92c078dad75d19892055c6de942fdecec26eaf9 |
| SHA512 | 366bc746917db2141f8fb6e00f6528c0026710ec42c4e9c6e1d3dd170a1b05a18814a5a10df7a565355b3515eea404a71c82aa77db164b114b15dcfd969df3cf |
C:\Users\Admin\AppData\Local\Temp\Monkey
| MD5 | 366da4e20f6973a658850d0cb0560140 |
| SHA1 | 7463be54871d0a728a36d955b5e4b4935f832539 |
| SHA256 | 2fdc969a47a50f3260018e708fde26e93c2b8b9b56a5f2d1e75d8ba2fcc0dbec |
| SHA512 | fa733e99ee72c39b643f9db1594c73f4928b9aa7a1f0b543409a16de7fb7ecfff26c3e2f0070a1c386f3ede03c214371fcc968231f6c969b23c063257eed4e83 |
C:\Users\Admin\AppData\Local\Temp\Cookies
| MD5 | c8f43801d3fea6fa84b15e661eb57de8 |
| SHA1 | 748e0ee1c29144374e89b7912134e1c9511962ba |
| SHA256 | e0d1ee2e3cffccc5f3732e19557959c0d39603d011f8cbcbbb56f0d9dc7ff30f |
| SHA512 | 3b51abd920843e33d702f7104a42b738e3605f7d65b0c5cebd6649563ddd4ff451d050f5b1acb5118f25066cde3cc6d44a472ae59edfb7daa1b64f705f90a5fc |
C:\Users\Admin\AppData\Local\Temp\Frontpage
| MD5 | aa6a8c0dae15c0f592500bd8facad795 |
| SHA1 | a3464148458fa47000a922610613ec4566251632 |
| SHA256 | 23404b7a1724c8c224fada5a0c7429cdd0a62f3b17e5c45a913ae1b0b1a77f65 |
| SHA512 | c617859708e14b35ef4280c57a814ea6e0765b3499e32d4a014d871092f5d62ad8c416a308cd07475642fc1656d24839fba094ad4c7e604feafd276487207e32 |
C:\Users\Admin\AppData\Local\Temp\Ownership
| MD5 | 2720a96bfc6c052ffbee90eddd29b91c |
| SHA1 | b707906e1c6327d91da83b2637de9b526ce8421d |
| SHA256 | 97bf82b8f22ce2f8ca3fb29a5a8039e9b679655c62077cd1465bd0dd4baaa061 |
| SHA512 | 9a7817a69f7240e0d8db0447ea0382ed6d0c9741471b4e242fb92447a6bc447bdecfc672664ed924128f3d632821f03a05798c3ca74d91268a955e0e5a228d4a |
C:\Users\Admin\AppData\Local\Temp\Thu
| MD5 | 3f9e5757f9c3ef75e75310416c72c35f |
| SHA1 | ae7449c0c4f3f0ca5480ad391219ba989d2e0dbe |
| SHA256 | f656b202b7682064680a2b3b7e4305ef8b378aea601ae7530db148bb6f9a6400 |
| SHA512 | ecaefaa239cf44306134b4618e1d82b80e6ade1f58583c9098a0ed3fa219fe6a87b9af977062d3f654dca1618256a132c80d7aad579b66affa6836c2be64c8df |
C:\Users\Admin\AppData\Local\Temp\Momentum
| MD5 | 98eff6fdbaf188ff8bb9c230612e7ab9 |
| SHA1 | 4c55318bcc31980134c5455b7f736522481e7865 |
| SHA256 | bf06e2f8f8e360f5e8fd7cd39ee631cf2156d7d67e45c54e6ac3638117c30c84 |
| SHA512 | 9b928a550ab978609323b41b0da1f8018a980c3fa50658fd3ce74ce888a2fb6880a480e844c7c9be3921f478fc06cc0e4a6e87c5cfbda6d5cd2ddcb5331eafd8 |
C:\Users\Admin\AppData\Local\Temp\Nvidia
| MD5 | ca2b98b4b4bdfcc2ffb39176fc62faed |
| SHA1 | 44b13597a8c63849fc318ea82b612a3b48714514 |
| SHA256 | 6d0392db8f087952b0e8f81a6beec3b6d888272b4ebf0d55b6736d04c4d2b0bf |
| SHA512 | 5c7b466a4bf02882566a05294acc9d8057340ff420f62a08d509e9d229765b3735e425268ae16147d6ca64e65e0285701f3edef6fcfabbd87b4a6973157d78be |
C:\Users\Admin\AppData\Local\Temp\Kits
| MD5 | f30d40c6dc021747ec711cec5c540c67 |
| SHA1 | 3a59f151d44058c609b987847d192509df506abe |
| SHA256 | da25e600fb5b831ba7e9ea97922aa93e39e48918ff1ef73bbcc8fc9637811a05 |
| SHA512 | a4ec445f8776cead5a23ae85932dd21f56d394323455e4be28a78c12fefe7d7e3b8859dafd7e1a7aeb5abab5cc53de249ff1b9597244a98215a0b267feb0bd80 |
C:\Users\Admin\AppData\Local\Temp\Statements
| MD5 | 8f7b991c8211319025ab7a549f997d41 |
| SHA1 | 28f6af2157090dddf26ac677410409904e3e4c21 |
| SHA256 | 21297aa5fab44bb0d2a1fd086b7c1bb9540147ac886d961ad194d1658da94431 |
| SHA512 | 84c641f39b28fa8fcc4a7066aef3bacbba9aa6d1fd77610a1db17ed89fab77532e1eaf9336fe9509ac2fc1dadb7c8a2804b6ef8967daba9100379e0d11d1ab75 |
C:\Users\Admin\AppData\Local\Temp\Take
| MD5 | 57668416f8e93c60f4abb89d1c517ce4 |
| SHA1 | 6d2b23395aecfc9ee45cbd69469e946b77eaf3a2 |
| SHA256 | 0e8cb087ea27ae4af9360c478822260600d9af234ca0e9521f5b05904142705f |
| SHA512 | da7e61d9cd89886fcfae4f406e983622d2ecb5714b9398776e65da24f7c91d43915aa1e6e8a45a9713d3865a8be0f15ff2bb34dc45643158c3cf8c7e0395f354 |
C:\Users\Admin\AppData\Local\Temp\Earlier
| MD5 | b91d435bbaffb5687bfe3058658285bd |
| SHA1 | ea435f4c116ded230376706c569d8daa900bbd89 |
| SHA256 | b35b27d72e588627174ca07464955396575af36e24e4e546d78309fc7add3b5e |
| SHA512 | 2d97ee33e25517f1d9c1a6d1a6894d077a9e8c9e2696ebc4b5b9ec68825e9c84c7f01e115dbc930829759038da7121e3fd56aa67b00d9cca300ecf7a86a077de |
C:\Users\Admin\AppData\Local\Temp\Presentations
| MD5 | 67757b0d30bede0af4631b56ff072809 |
| SHA1 | eb6735867fe0f5f9ffeb42a2372799cdf1e364bb |
| SHA256 | 860014b58934b74971388c4fa01f3bc0eb90c424e689f4df009521d162bd5924 |
| SHA512 | b82c3fdaa1906b57d92286ba345bdf0a84aa56d5e9c59f79f16d6167cb8accb37001f5223f712d39321fad70cb26b71da34cc9703df4082aa80d679afb541df2 |
C:\Users\Admin\AppData\Local\Temp\Runs
| MD5 | 35f48790b74e042b3edb9b34e3a5f8fd |
| SHA1 | 8006268733957ac11d3af06856388ee6b84739ba |
| SHA256 | 3d98ae96420747ce126d7fe2f1e9b210de27ad38f4802e9a42b390429a1697dd |
| SHA512 | 63a0514bac44b9d5ca60602cf8ea80fdfffa6733ec7ba13fee81736748050bb12d747b35368c7ed2a5364b34bd669281abf8c9444dbf36b092bf45605596be4b |
C:\Users\Admin\AppData\Local\Temp\Deviant
| MD5 | e48388dd9e0aedd98363a8ee899d31c0 |
| SHA1 | 4d08a1c34c2f83371c2324997f4d5d5c2b4f6f46 |
| SHA256 | 7f222b2266e5661b511c38253a06785cdeb4960d1ac50b8a2d2b44b3fd6ff783 |
| SHA512 | 52ad9ceef3d67b7a8abf450a208d166413a54c63d659b2f983c2beaf5b6f89e9dfd490a8569d1febb9e8e708c979bf247c9d14973b710a6b9c3fe8a05bce12be |
C:\Users\Admin\AppData\Local\Temp\Indicate
| MD5 | 616e36dba3e3e214ed1aee198167a4a6 |
| SHA1 | 2b0febf3b291c157ca3190aefc35722094da1532 |
| SHA256 | 946ea516a4ccf57c61daf07a0e68d12ff8c78c85265c87e0deef81bdf8f78c12 |
| SHA512 | 3b6e4fad2da9ef68f026f8489a459d56985c5591476a2f36d5d4c83c3b110a6e95b1d6401f29a6b45d7ee1dad4e18340e0792d6e3bd788bbbe4cadb276c6f198 |
C:\Users\Admin\AppData\Local\Temp\Award
| MD5 | 9ea019a50d3f99eda1ac5a023f5bfb3f |
| SHA1 | c2bcdb92b5591a8f81a58199752283bba61fe27b |
| SHA256 | f9b572b644728ae7766826fb9e23e4b697ed2410eba03932e38581a2b15a482a |
| SHA512 | 86a7287dcfa4309ca28804e4ab469758804dba43709465f8d7a341ef45be6df10e57d9851430c2864675fabded8244737223d6061a98ab03ee2e61b26a864de4 |
C:\Users\Admin\AppData\Local\Temp\Engineer
| MD5 | ff1d4e381695d48100a92e77680e3bac |
| SHA1 | ce7158b1618f1a4c4ce17f8e20500b038484120f |
| SHA256 | 8b6cdaec997e5d31133e0df353ff0f9f3171c81d61094fb368c3454680f9367c |
| SHA512 | 482f180801140f345726efcdddde9dc77ce695a48a27b3811fc8a043c450c4eef9364fc6b60e9a7675e0d7f16b511f2de54c649e22b716c5a4abdb4077922040 |
C:\Users\Admin\AppData\Local\Temp\Ty
| MD5 | 3260fe976c04ac1cdb493cd611b08005 |
| SHA1 | ebe4cc15f418825da444be729091c472e5b51c73 |
| SHA256 | 5494bb02fb31b7008904ae3398ae33e15a6fc8444fe4d7d06279b88e1b466e02 |
| SHA512 | 9959f975feceb743553f1daf8c6814181e361877d2aabc80127628e45c11c70b3fb5d55567c392e13c16626099b18411a99dc2f86fdec0556fa34e0072f521c5 |
C:\Users\Admin\AppData\Local\Temp\Feb
| MD5 | 55698cca8dba864e09d9464c67a38029 |
| SHA1 | 725f70b0e0c7fcdb2102351919206969274b6e66 |
| SHA256 | 37e40f3163834d1d135d24420c2b470a5d7ac0c7454ed5f3bcd47493dd843fe5 |
| SHA512 | cfee11b90e1d6f6f160a4323ce500d5683cc9c31ad1f107e20cab3ebd3f6e7d77e2c9b52b9ad854ea553cf67d261bfa85de2d82fe82b5c25f709f12a1120dca2 |
C:\Users\Admin\AppData\Local\Temp\Ads
| MD5 | a39632492bdd563525ff001f1b86f0e4 |
| SHA1 | 2f2adcb9e9c3d113cc0423ed3d6c5a92c87b6663 |
| SHA256 | 318f36657f1cd378d54e0076449141abd81b9342ed71069295f0b76286a97bf7 |
| SHA512 | 7182b63e5544c1176d71fd60e469fd8a4c4b32806ac8acc9405a4c06227dee52b86adfd7219f3a52179f42aa84fe7ff9bbcbea3c6503a543cb9c6498e0c48c0c |
C:\Users\Admin\AppData\Local\Temp\Sounds
| MD5 | 35451d20e34907863dc1efc7caa019fc |
| SHA1 | c15a690db71ac5f21fbf2186939c36c6caf87dff |
| SHA256 | 05586615c257451ffd0730829d376be051c505ea5e73525c9a3e539d5c1145ef |
| SHA512 | de3552af3ca3d90a846107cc7596d9f29ed75dcbe4308aa636952d662162d36b3b5e5b0c19739554fa68a3c39405dcbf07c5f28bfcdfb4bb50829048322f66e6 |
C:\Users\Admin\AppData\Local\Temp\M
| MD5 | 13c53091b190c9b9df321d61659721d7 |
| SHA1 | 183767c89c56082a91457774033a983e8821db63 |
| SHA256 | bc02e43d1e838339185c837c651861ec01cfa7da7195fe6fdc42fcb14ad08a4d |
| SHA512 | 7122035aa3f19c9f0a8a87db1ad3b20484f88cc681be9f9540813ab5e859b1fe9a39ab4aa3b8b1acc05b8ab5483170f31f0cc305ffb637c72b68505b0107d49f |
C:\Users\Admin\AppData\Local\Temp\Logan
| MD5 | cc16c91de5771b6bb13b0b0d3d1b36ed |
| SHA1 | 6153fce28df72327bb47fefc62881bf2fe2a8f04 |
| SHA256 | 6d0109dc4ac50969a74455ab3470e9ab1e1e9db36fba806086cde963c92deb05 |
| SHA512 | 9a5c6c11500cb30208392b32a4434ed8a6ef6a0016bb78c7fecd64bfcc7da3b1c5cce5e1c8148da122e2077de7a2f0e0466c2a74a3edfd678442d0f5bc6e55f0 |
C:\Users\Admin\AppData\Local\Temp\Pixel
| MD5 | b870a2f983186cda64ca0a0443fdbebf |
| SHA1 | 70cd2505beca64a15454723c8fb185562dfbb594 |
| SHA256 | 5d8b919ef4f7ba8aee86a32d1b5e23f1c3e67d8b16a5b75e0f6d68735d03af95 |
| SHA512 | bbd130c726fd439993673d2d577df8d79f938c914c17ecbfcec41341fca60d0afceb1d67d27b52d9c43490fc4213dd37f0353f901af99ca9db46016a5e386b45 |
C:\Users\Admin\AppData\Local\Temp\Atm
| MD5 | a6f61d79975cb2b509719c66141b6585 |
| SHA1 | 1be912e6a4ccb6ff68534c928d189d40f753da29 |
| SHA256 | 34f21e76ff95e314d32f4c57c02b9f1e127c60f5713ac90ff6b83ca89e722152 |
| SHA512 | 7c22142ef2d2da4cf54a74840a44437bd8fbdb0651210dd7a07785a7ccef5e743d4a5ca7032890f5c0ff04c02c75ed19076cf250c8789d4ab0e8bd3ea0259d5c |
C:\Users\Admin\AppData\Local\Temp\Ports
| MD5 | fa483b9a86de25df5b733f502e92fe7d |
| SHA1 | 67ade79afed62eaf24b814f4c1436fadbce363e3 |
| SHA256 | c02e0aa3ad116a6ec3d7ebc0572500135339beab871783efb8ce8f02fbeef7c2 |
| SHA512 | 4df99695dab8d8e0571d8a6d1bba5fce17c8d5bb6ce44e4151e99141589dba9e4715dbb72fce470dd386c6768863cca98ed4b0e79d53ce3f738b2a6e11a028ed |
C:\Users\Admin\AppData\Local\Temp\Ireland
| MD5 | a443cc49cc739f07a01f812c6df56bf1 |
| SHA1 | 39a16793a3bc225f4452ccd8d0aba365ee593278 |
| SHA256 | 07c18c7636b6fc4feab3263d4544a04fc8ac51162bee1ce9a8fcf08c3a22bb5c |
| SHA512 | 0fa9295754730beb47cb7e7a668ce67c5408eafab18151031046e5f814057c86da72d575925fb4b4634fc68a6fba50b3a298ec7cb4db4a9cc7d7049376d671bc |
C:\Users\Admin\AppData\Local\Temp\Chance
| MD5 | 350486fb745a1f810f0a28a53f0dddc5 |
| SHA1 | 580b192862da85a1a3ba1266f4d502298d5baf4f |
| SHA256 | 270ecffb55583dd2f0daf3d2d81e6e99a70926be93591295bb630deed46b15ae |
| SHA512 | 25747d567e6eb39a7b564b66839f9c7560e9fe052db73cc34f1212dc40a5164cc56fc906c084ce1731239484740b6935386aa10e02876ac03d5b79fc338fde1c |
C:\Users\Admin\AppData\Local\Temp\Stewart
| MD5 | eb8f36865f16229dc775e9c00a4ec3f1 |
| SHA1 | 824c6711705c7a75ce0a6904a38eabe7ddc6c7b4 |
| SHA256 | c3e3cf04f4501eeb37db51b7be288db941bc8f4497067a552af7b19aae1b17a3 |
| SHA512 | 701d8bce6354780e52abca6772fa43c55888d2bbd983a13dc7c95935d52f874903767a5b2eb12bb97fd58460099b6b52f25336f47f4ff0849d081c7c3a1d3940 |
C:\Users\Admin\AppData\Local\Temp\Puzzle
| MD5 | 8b88132864173b12be49544e452ea4b5 |
| SHA1 | 299d8a3805f9a10c7f0c78b7674bba340b784711 |
| SHA256 | 0b6dc43385223928d54f5d840d36c91564a36e7dc835fed0379f41fd4e646262 |
| SHA512 | 352ed7c2ededc87dae45708698d4b1e8d803fe9cbd740b0744be71e48d0a6e0612babaf0a688e90003173a433f787cbae7220495d23d42916fbb6a6130b7901f |
C:\Users\Admin\AppData\Local\Temp\Milf
| MD5 | 1166cd50a320b6a52ca5660cd3ef4940 |
| SHA1 | ec1ccbeeb4bd5e74d3254fe476f5caf8225d9d6d |
| SHA256 | f5297af98bce02876a971da5a312e0d659c43368bc8ca7bb4b6cc5a4469cd140 |
| SHA512 | d9e06782c54699776bb766a86c239d1a5b7c68c238241c9bae9023346ce20e509dd5f4a5c0ea3f6febe0db26ebb8d4f16d24c452b2b48452b727c589ff62c114 |
C:\Users\Admin\AppData\Local\Temp\Basics
| MD5 | 7aba05f59455b446e95576b9a5db9cef |
| SHA1 | 15913d78c6f4acfca103781b90c4ddda5e8748ee |
| SHA256 | 5379782cd93b84b6e0783423b774b3fea7397fb10190f3424da8d40d479a11ed |
| SHA512 | 10594d23452b38c99da659a1e6d1f4cb6e880ca499a209816457404e96c9d4cd529800f060529654d7acf9b37aff95739e650e33545dc48534cb1abb95269166 |
C:\Users\Admin\AppData\Local\Temp\Invitations
| MD5 | 327f5bdcd4541496d30a05f9a6fe842b |
| SHA1 | 9120d2cee8214f0d5ede22a7c65f99cd5f1183c3 |
| SHA256 | 235670fab1d55058a0cc9eac2ff09b047769095e22bd18ba43bb9319b6c20bac |
| SHA512 | 3b4de8192878451c7293803f30ff4452a7dbc2993860e7cfdda48556b062a84e5de8de44700d8d7bdd7c41f7ed96733f8425794bbd9b9de9fcf2b72d0cd4301d |
C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\799275\O
| MD5 | 24f255fd8532d15d5b371acecb54ee5e |
| SHA1 | e818d75277b108a6715af7aabf4151c6fe219dce |
| SHA256 | c0e7af5284a6f6928e46b2d35bd2f3e258227fed21284396df570b94c9aefdf9 |
| SHA512 | 4af6c424851c95fb17834558b7be61907415e312cbdcc1bc42cae4c739e5181aab5a49eeed4c41420dac6d8fb1d65dccab85677e6a349d56849f2685921bc11c |
memory/4516-84-0x0000000001440000-0x000000000161F000-memory.dmp
memory/4516-85-0x0000000001440000-0x000000000161F000-memory.dmp
memory/4516-87-0x0000000001440000-0x000000000161F000-memory.dmp