Malware Analysis Report

2024-10-19 02:39

Sample ID 240908-wfb7qa1fnf
Target AppFile.zip
SHA256 a929678e0919255b39a895fbcf7c721cb41c26288114a5ee29eee03ba98f959d
Tags
discovery cryptbot redline stealc vidar default logsdiller cloud (tg: @logsdillabot) credential_access evasion execution infostealer persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Known bad

The file AppFile.zip was found to be: Known bad.

Malicious Activity Summary

Vidar

Detect Vidar Stealer

RedLine payload

Stealc

CryptBot

RedLine

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Creates new service(s)

Stops running service(s)

Executes dropped EXE

Reads data files stored by FTP clients

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Power Settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Modifies system certificate store

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-08 17:52

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 17:51

Reported

2024-09-08 18:01

Platform

win7-20240708-en

Max time kernel

239s

Max time network

242s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2092 set thread context of 1576 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ElectoralUnderstand C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\WwPeriod C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\InstitutionalInvision C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1720 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1720 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1720 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1720 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1720 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1720 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1720 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1720 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2092 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2092 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2092 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2092 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2092 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2092 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Processes

C:\Users\Admin\AppData\Local\Temp\AppFile.exe

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 309056

C:\Windows\SysWOW64\findstr.exe

findstr /V "threateningflightbreachjoel" Springer

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Dolls.pif u

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 rTzKXibCiKZCHFYYyL.rTzKXibCiKZCHFYYyL udp
US 185.143.223.148:80 tcp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 173.231.16.77:443 api64.ipify.org tcp
US 173.231.16.77:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Angel
C:\Users\Admin\AppData\Local\Temp\Springer
C:\Users\Admin\AppData\Local\Temp\Belongs
C:\Users\Admin\AppData\Local\Temp\Teams
C:\Users\Admin\AppData\Local\Temp\Entirely
C:\Users\Admin\AppData\Local\Temp\Eyes
C:\Users\Admin\AppData\Local\Temp\Identifier
C:\Users\Admin\AppData\Local\Temp\Incest
C:\Users\Admin\AppData\Local\Temp\Official
C:\Users\Admin\AppData\Local\Temp\Persian
C:\Users\Admin\AppData\Local\Temp\Arts
C:\Users\Admin\AppData\Local\Temp\Asset
C:\Users\Admin\AppData\Local\Temp\Eagle
C:\Users\Admin\AppData\Local\Temp\Sci
C:\Users\Admin\AppData\Local\Temp\Rochester
C:\Users\Admin\AppData\Local\Temp\Communication
C:\Users\Admin\AppData\Local\Temp\Evaluations
C:\Users\Admin\AppData\Local\Temp\Coating
C:\Users\Admin\AppData\Local\Temp\Considering
C:\Users\Admin\AppData\Local\Temp\Indicated
C:\Users\Admin\AppData\Local\Temp\Stamps
C:\Users\Admin\AppData\Local\Temp\Crawford
C:\Users\Admin\AppData\Local\Temp\Schema
C:\Users\Admin\AppData\Local\Temp\Slovenia
C:\Users\Admin\AppData\Local\Temp\Hired
C:\Users\Admin\AppData\Local\Temp\Vast
C:\Users\Admin\AppData\Local\Temp\Husband
C:\Users\Admin\AppData\Local\Temp\Spray
C:\Users\Admin\AppData\Local\Temp\Agents
C:\Users\Admin\AppData\Local\Temp\Coleman
C:\Users\Admin\AppData\Local\Temp\Mods
C:\Users\Admin\AppData\Local\Temp\Hat
C:\Users\Admin\AppData\Local\Temp\Herein
C:\Users\Admin\AppData\Local\Temp\Comfort
C:\Users\Admin\AppData\Local\Temp\Reject
C:\Users\Admin\AppData\Local\Temp\Dining
C:\Users\Admin\AppData\Local\Temp\Gaming
C:\Users\Admin\AppData\Local\Temp\Lending
C:\Users\Admin\AppData\Local\Temp\Dinner
\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
C:\Users\Admin\AppData\Local\Temp\309056\u
memory/1576-89-0x0000000000950000-0x0000000000B2F000-memory.dmp
memory/1576-90-0x0000000000950000-0x0000000000B2F000-memory.dmp
memory/1576-92-0x0000000000950000-0x0000000000B2F000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-08 17:51

Reported

2024-09-08 18:01

Platform

win10v2004-20240802-en

Max time kernel

154s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2984 set thread context of 4800 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ElectoralUnderstand C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\WwPeriod C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\InstitutionalInvision C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 940 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1540 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1540 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1540 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1540 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1540 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1540 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1540 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1540 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1540 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1540 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1540 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1540 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2984 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2984 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2984 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2984 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2984 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Processes

C:\Users\Admin\AppData\Local\Temp\AppFile.exe

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 309056

C:\Windows\SysWOW64\findstr.exe

findstr /V "threateningflightbreachjoel" Springer

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Dolls.pif u

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
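The process list above is a complete batch-file loader chain: AppFile.exe renames the extensionless drop Angel to Angel.bat and runs it; the batch pipes tasklist into findstr twice to look for security product processes (wrsa, opssvc, avastui, avgui, bdservicehost, nswscsvc, sophoshealth); creates the 309056 directory; runs findstr /V against Springer (the step that yields Dolls.pif); joins 36 chunk files into u with copy /b; starts Dolls.pif with u as its argument; and uses choice /d y /t 5 as a five-second delay. The SetThreadContext and WriteProcessMemory rows from Dolls.pif into a second Dolls.pif are consistent with the final stage being injected into a child copy of itself. The detection logic below is an added example, not part of the sandbox report: it scores a list of process-creation events for these six behaviours, using the command lines from this section as sample input (the copy /b line shortened to six of its 36 operands). Event field names and the four-hit threshold are choices made here, not anything the report states.

```python
"""Flag the batch-file loader chain recorded in this report from process
creation events. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str


# Security products whose process names the loader greps for (taken from the
# two findstr command lines in the report): Webroot, Quick Heal, Avast, AVG,
# Bitdefender, Norton, Sophos.
SECURITY_PROCESS_NAMES = {
    "wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth",
}

# Command lines copied from the report's Processes section; the parent image
# follows the WriteProcessMemory chain (AppFile.exe -> cmd.exe -> children).
# The copy /b line is shortened to the first six of its 36 chunk operands.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\AppFile.exe", CMD,
              r'"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat'),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(CMD, CMD, "cmd /c md 309056"),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V "threateningflightbreachjoel" Springer'),
    ProcEvent(CMD, CMD, r"cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier"
                        r" + ..\Incest + ..\Official u"),
    ProcEvent(CMD, r"C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif", "Dolls.pif u"),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def loader_indicators(events: Iterable[ProcEvent]) -> set[str]:
    """Return the names of the loader tradecraft indicators present in events."""
    hits: set[str] = set()
    for ev in events:
        img = _basename(ev.image)
        low = ev.cmdline.lower()
        # 1. extensionless dropped file renamed to .bat and run in the same cmd
        if img == "cmd.exe" and re.search(r"\bmove\s+\S+\s+(\S+\.bat)\s*&\s*\1\b", low):
            hits.add("rename_then_run_bat")
        # 2. tasklist output grepped (findstr /I) for security product names
        if img == "findstr.exe" and "/i" in low.split():
            quoted = " ".join(re.findall(r'"([^"]*)"', low))
            if set(quoted.split()) & SECURITY_PROCESS_NAMES:
                hits.add("security_product_discovery")
        # 3. binary concatenation of many chunks: copy /b a + b + c ... dest
        if img == "cmd.exe" and re.search(r"\bcopy\s+/b\b", low) and low.count(" + ") >= 4:
            hits.add("chunk_concatenation")
        # 4. findstr /V "<marker>" <file>: strips a junk line to rebuild a binary
        if img == "findstr.exe" and re.search(r'/v\s+"[^"]+"\s+\S+', low):
            hits.add("line_filter_rebuild")
        # 5. a .pif (a renamed PE) executing out of the user's Temp directory
        if img.endswith(".pif") and "\\appdata\\local\\temp\\" in ev.image.lower():
            hits.add("pif_from_temp")
        # 6. choice /d <default> /t <seconds> used as a sleep
        if img == "choice.exe" and re.search(r"/d\s+\S+\s+/t\s+\d+", low):
            hits.add("choice_delay")
    return hits


def is_chunked_loader_chain(events: Iterable[ProcEvent], min_hits: int = 4) -> bool:
    """Verdict: several independent indicators seen in one process tree."""
    return len(loader_indicators(list(events))) >= min_hits


if __name__ == "__main__":
    found = loader_indicators(SAMPLE_EVENTS)
    print(f"{len(found)} indicators: {sorted(found)}")
    print("loader chain:", is_chunked_loader_chain(SAMPLE_EVENTS))
```

Each indicator on its own is weak (findstr /I and choice /t are common in legitimate scripts), which is why the verdict requires several of them from the same tree; the lower-cased command lines make the rules robust to the mixed case seen in the captured arguments.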

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rTzKXibCiKZCHFYYyL.rTzKXibCiKZCHFYYyL udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 185.143.223.148:80 tcp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Angel

MD5 10d664be6c48cbbfe986cf13389e70d5
SHA1 81c91d173b2a38349b688791ad7a1fd52ba7cfec
SHA256 1544228be4736dfc9a52c9eb675ffe27a75490e71b6697bcfb4896beb99baa17
SHA512 adf5916eeb6c23ddb8b0ec331abab55826dea115fa3675899345319289716aa4181056c9d106e2397a9117bfc1be6a5db1833984d00b249dda11db0bd2e18f67

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 9fce304f6f8b0e39b17488ff2461004a
SHA1 7a2f5480712e430771228a60c6468a21c261015a
SHA256 388238bf76dc4e90837550f3b9ade8c2240ea2330ffbfa54b7bdc14dd64ae31f
SHA512 cbb11d1d73c3979aafe7b374e44f770606d25d3caf4a0aac0197f00580f500004fe32ff9f93a6d7103f7a7db01c35f29ef9e5b95941de98df4f873f37dadf554

C:\Users\Admin\AppData\Local\Temp\Belongs

MD5 08f9d23e902a4b9f1454c0cca8063a4c
SHA1 2d18b94d7e6bfec87661be9c775f989640228efd
SHA256 8eda93d0df79719c2194c895abc443218076fb76a8f8af5bb037491f1a3f42d3
SHA512 1a796a3a24a363f4d5239ea1b972e95000611c6f90be9a0cbe5b8b50195cb11b86e4cb8b4ccc6a4d93822c80e99cccefdb2b585fb48d8ae045ba690459fc164d

C:\Users\Admin\AppData\Local\Temp\Teams

MD5 e4be3f3dfa731bce602265bd78ca96e4
SHA1 da6ee51e4cc450fb2697a8e583590c205c354628
SHA256 3d1c4fc43431a0739b933a0ccc3d6209f3d5e417102adacc99c485dfa78aa306
SHA512 fda626cc19bdf4f36e8ec261597115470a9c44fd5ed43684032fd0694454d30ff28c38d6aed1e765e40fcba9ab618b9fba4a8d2608a7cc0c84404baedfae24b1

C:\Users\Admin\AppData\Local\Temp\Entirely

MD5 e57d41a42c0018011b8d05ead7ba8ea5
SHA1 a5be0444eaf9d294e7043b76533daa5b4391a0de
SHA256 8bef0123411a0a965a9bd62cc22f855df1c84b2ab2f6fdddc5d72d2d0412f0b6
SHA512 4029afff3795c8567b81ced18cd4053efdcf96be62e27bfa7938a7562bba66610a935944e59f39267a757e5d2c5c651c0bd62c89ac485f8d50e5e0c1bb25646c

C:\Users\Admin\AppData\Local\Temp\Official

MD5 c28b2871b183dfc806e0855c516e6ab4
SHA1 8f367c25d973e6b690b1ea6799ecd39221371e43
SHA256 12717aac68c10051e3ca2ae75343128eb8a80eec398269d675d5244ade6d9724
SHA512 f02f7bf8885d57a89391768ddf66c8494ff058f5da4d9d316187c210aca6943f6a2dc4c62771ea3a90b10674c27e117f92d6c7df8e2af75bae349a989b86220d

C:\Users\Admin\AppData\Local\Temp\Communication

MD5 e76ca6497197f496c934e273bc4af7a8
SHA1 1c813197c9434d6d3f359c1c0c6374ce8e5e77e6
SHA256 2adfd0aa33275eaeddbebffef664bcc2f403ebf6335bc593bd490a66e06c3956
SHA512 425fa7c17d9e30e8c3c6ea042a86f6f54f8938ca3491e514e633d111d5cdb0d8094c482c9e08a57cec613178d78c55392c64c8e0d60190c86957a170245e9f3f

C:\Users\Admin\AppData\Local\Temp\Coating

MD5 d4b175095bad046fe31a891e313fac1d
SHA1 3e8268ea2db96566a03b5886ffcd904cc2938940
SHA256 710fcbabe6b6d3fb615d012d3aa5ff551d30590eb9949ad947ce42e313e2a757
SHA512 d78844eb4099962d6eb5c9308e0f80cc3f56c15a525318a6ddc94811f8239eb622df6845ec831eb656157f9695f935d4962ca538f802c0449ac00850b519a007

C:\Users\Admin\AppData\Local\Temp\Crawford

MD5 aa5687b499c0e31cc570a5b3956e0055
SHA1 0d469ee44ed6a8a57095820ac188477f1ce46e04
SHA256 c6cae2f7545cc6a2382123889ebf816db31d84136c15b36ac488a74eef5e2c86
SHA512 0f11ed72669671ed51e5dd3658c29d9f00f8397b7168db5255e0242924db8ce7514dc318552c80843283f0ad93d8f45951359d8461837a32e3ba8672d8c7fb9b

C:\Users\Admin\AppData\Local\Temp\Stamps

MD5 05edf987e0e4caf0790d6cd52745918f
SHA1 a657c82fb2b6055696917d16e074e3afad630da7
SHA256 6ce2a376edd727d7295bc0648e844ad281bb96db057b84e803c5bb387ca2f54c
SHA512 38b90f60b303a00b93ea1f0f9b4fa9f6dac7b64d9f0e849699d8220bc70efbd1c038d35cfb7a1c12a2a5b9facaf1accd9fbeadfd5be5ca1ccfb29e51864856bb

C:\Users\Admin\AppData\Local\Temp\Indicated

MD5 d8d333b7fa6f3f4d117279af7fe5ebd7
SHA1 15360b9018b623a945ccd0a147bff926f9a36b4d
SHA256 c07e05f4515864b97744a19b33e80170911dee7e84b19dff7a624c3b95c0db58
SHA512 e60a6932bc7036ef5f0d031fdacfea0f1c399370336fa36907e3ea1e5a0eec50e135c965452c29dad05f3327efb9c9f063e38e9d5bd68265552248113743f251

C:\Users\Admin\AppData\Local\Temp\Considering

MD5 8392df6b6dd3005f67d9e685adf5d98a
SHA1 172ccb65f6b6192c695b53f8ddcedfdbe639fea6
SHA256 89d0790a0691cf5f327ab61f73fa2167a8b54ad0e8b21c22d34887455463448e
SHA512 d6ad83fb2ad1cceeb57098b27145e20e800703440c0cf04ed13c00af9c2baecf82e8ad6e28af556de5e2b38a80d8b987f6c347f18eac0892db23ed2ec81d0b3f

C:\Users\Admin\AppData\Local\Temp\Evaluations

MD5 824ca47d6ed68f19c98e3a8585c03fd2
SHA1 00ebf75301539fac6f72012b3dea899797d83eca
SHA256 14e02c722fdb4507967bd77111eceb5c377e4b515f2cc9ca01117df4e1df2965
SHA512 e1b398ab18042a7456e87fd6169bca88e86e718b09111eee11f81cc284599ce3431f852fe1552db950bd39f5ac9703406c206b8b37ff595a05099fefd5ddc81f

C:\Users\Admin\AppData\Local\Temp\Rochester

MD5 2076c81372d64961aeee64296c288ddf
SHA1 4767a7f611e6ac3ceeb692f1a7df90cdd84fc7ca
SHA256 63563ab659575d711cf2a686d7140359850e49bc2f1e9f658105c3adb0663fb8
SHA512 1e40bc944a91fc9608077b1866d6742624f377e7cc2d63903fe2bd24093b17be3aedc70c534497eaaec7ce30ecf318153f3c40af1ff56a82f5ff48fc09cb5976

C:\Users\Admin\AppData\Local\Temp\Sci

MD5 f1e239919f64507bc976bee4ac152239
SHA1 b69eb5fec6da7c582aff31820106e0c46ec8dfda
SHA256 a0d3e15d1b12b4b4111786e454770c511221a6eebe271f20849b112d0cb161b9
SHA512 4459e213cd7e36b0008520d030902058a83c2b81bb9333e710561d27ecbcc56468b10994d64488da2fe9b52f033e7a322d6f1fbbcb9081b682acada286f9dff4

C:\Users\Admin\AppData\Local\Temp\Eagle

MD5 ffa47b74dc7534579bddc42e8ea9bc21
SHA1 22e0cf8668117e3782a38b8e4f3553c8f79c379d
SHA256 d0e2a600aab27dfc91bc8c1e73e0d0d20489b04bd376e7bf16fe1763ca1f9ce6
SHA512 16f80341dc0386413558c6307a35831f239005f5fadd01818efe95f77c2a12311e5db7943902d16676c12aa1765f20af335a561da1e3f79eb5d9baaee2dc6113

C:\Users\Admin\AppData\Local\Temp\Asset

MD5 79ccf7fd1a2157e74b27c1935707ee99
SHA1 9f1267d4323c5180c8700cbe82ba51456ab40f74
SHA256 d90010bbb47afe5b33fc5bc52295ec6ca955a875fe1001f32bfc870783633ed7
SHA512 35dc6918b9255eba821b0e3418cb58db2ad703aaa731bb2474d78084367e975451142a23348a1911bdc4f7cbfb70eeaba8b6cce2a8f527944f0ed3a4fb1d9129

C:\Users\Admin\AppData\Local\Temp\Arts

MD5 22999c3bfef35ab54dc51cea926d8125
SHA1 aa929c775e9a740f3b6fc403b5bfb13b0ef10e14
SHA256 63f722d605fdd7162f695c55b4c57acf925140a62b93b447d805b1dbcf3d1b1c
SHA512 d750799211beb39b6033f1a85e773b65ed1f576e718c5d9d805b36b6bc152aab7e411d8f2fc73a87b799016f67962ef42a7b7e2c304a5b02b1daf166ac142994

C:\Users\Admin\AppData\Local\Temp\Persian

MD5 4f028498571a78e28b5665bcfaf7bda1
SHA1 db28d1f7a2206c4fc4a17d57373e928bb10c7954
SHA256 84310b39a6c9e5941f61502105e746b3dd836108e2a6c7084612e86d0efb91e4
SHA512 a540c4cd5a8997e7cb7f5cb2ae20859db92991d2f390296c5ac7afe23232679dae30b6db902602893b8b23dcebae07a6b39a57f50adecb3c6367eca174623b24

C:\Users\Admin\AppData\Local\Temp\Incest

MD5 74f15b102c0bef94140262ad551bbc24
SHA1 70246a3d8005ca0a91c8d22303c55416b6e9ff4f
SHA256 58376ca5773ce08e2bf4b876cd517ee421030293150ba2dfb50462e34c51c6d9
SHA512 7a0cb169ba7b69d5388678478cfaa4bc82fe854d5a40785fa03a3a0bb955088adbe00f5da8f667df6ea448d6118b372ccdf9fcabceb5e70574573f9a0f8729de

C:\Users\Admin\AppData\Local\Temp\Identifier

MD5 cd4ad18674a26527c0782f2a0d15b277
SHA1 56e92ebf526601f3f5fe99fc3e5dd9b29a99c41c
SHA256 0d34b789bde5b17903b770e563743908bea6d7d0693ef57709dd57dde444eb9a
SHA512 7afac4b0bb0c90ccef4ee14b12b3349e5265eba294e6e5f4dafff894988d07b861cb11dc8dda826420b18288757370bfd0e304e6be578135a1d054c083cdc209

C:\Users\Admin\AppData\Local\Temp\Eyes

MD5 bf240bdddf4e33588fba0ed1973d7e98
SHA1 7c3c46bc43abdbc82bf41b72860a449433288927
SHA256 a28c88f3dbfd8b8961c30a364b8a38ecdada18b92ac1e77a1c211a7487723c97
SHA512 3990b660f9f53e9a7e626527a53fea00d4b344ba9c90912aa904f336b527cbd87b30e21c3408d215699d1ac5d999b47000f866f38d387312653eeb5d8b768a73

C:\Users\Admin\AppData\Local\Temp\Slovenia

MD5 398a56733a96146f96dae1f926f8ee34
SHA1 b589aaa2ae0b047d2b91df4daa193f02d68c2563
SHA256 e411f41b9d6fff03fe7d4da422aa30f11bfecb5f5bf9c6cf2088eb84a2a8c018
SHA512 a45e9a93c2f5673204eb1898ca10f7a7e244b512da6f2493b330b266a1d8a2d3db636c5a5a6e67b044cb0ea5a124064ccefb2db3783052e6e6698d9c6d1e7d71

C:\Users\Admin\AppData\Local\Temp\Hired

MD5 a4e79a921d1a40f87f86cc426d0cce0d
SHA1 52ac999f6ed734a3023428194c3422e206987124
SHA256 306e6d43695f56399f0c7ce9c36e2f8e652838a02d0debf6ab98e7fd2f483af6
SHA512 113557e6e6b5316f83ac5899338e3dd63ec281b449f1ee063efceedc94846ece210c8f4b047b804feee2487b7328bd4181c696b4fb7075550fa3a2ced5d01e9e

C:\Users\Admin\AppData\Local\Temp\Mods

MD5 63991cd3b811a87ef7f756a3a88408f3
SHA1 5887b2746923e3bb209a010c794d6a03f2043cbe
SHA256 16c52c4b922b43b8dd61738190c23f60da5e601a1e84d6cbd277ed7c9bc16675
SHA512 f9115542afa4079772b2edbeb5cbefbb337f976ced77036240624787549ea04937cfebbdc290bdaa8e8523c688b7536af7bd88fe43b053d3dcf811783967c7b6

C:\Users\Admin\AppData\Local\Temp\Dinner

MD5 9278daaaaad5cf175f7e5037f994ae26
SHA1 50c1d167d544a6db08d90ba33ba434147bf4b63e
SHA256 525dff77cccca91f145aa95c71b921ffc029881310ef9a0808e5c0cbc8589420
SHA512 343263a1794b59e1a5cbe8b169f5efab5ee1f3c273a9961104973557b51174730613693b3dc50852f9db4864bd182d1343a3fa97ddbe6f3d04b0656911443c9e

C:\Users\Admin\AppData\Local\Temp\Lending

MD5 ea6036f36a74ce85b23ec1828d3cc68f
SHA1 f1ce5a30d9774f397d82de04130209b501fd0d1c
SHA256 120a01b7d92584f180e803019867585ed5a106b1d63047ec9b949fa59ed75498
SHA512 5b7d46c88d330a85d524fe5a7aab9232b3644c7299ce7df7d34eae9821baea9ed1070e379a63d8efe6f98c0dcbf1b69adc3f311b26361ab5ea8e648cf9167b66

C:\Users\Admin\AppData\Local\Temp\Gaming

MD5 122f66640ca5fcc16ff9106acca0a4c5
SHA1 15ec716fc34c6dfb6be98d56487528a62e0a9fc5
SHA256 7db5db363d38cc28570b882229eaaa3d819bdfb5953ebd3de483e7338285ed0e
SHA512 3052d8791dee53ff955b655a0b9d7ff804b6c1f80806199a61a98cfb58ac52efab8c53caa5e3248b487ad485edfe9959044f94218f754f75ac212f890b789ab4

C:\Users\Admin\AppData\Local\Temp\Dining

MD5 07b2b7969bb80e43ae8d6d565cbab5c4
SHA1 128d43f48928a73ef3446593d63fbfe025cb126c
SHA256 818f6cc7d29bc250a64e02e61c840e1f74432c66bbacef0ce0a75105accdb592
SHA512 45b840b69b09801c4c0528cfc00f8eb50f2a8d2806907a894355ead304f5b1aafdaca9741bf9200b036b9302340d25f6dba7c44e7be651f179736857ef7b3f60

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\Reject

MD5 e9157b4c97794aeff095902148ad9532
SHA1 2915ca3cff7a81ea19ed0873fe8266274582158e
SHA256 1f588e2cefb8bafadc9a029a28dcdd93a7e9472e2190caab7a277fa79cffcd77
SHA512 26973ff5887e087632c459597a4652f6917d9a81fa48c1642a56c95221f019696e46f88a6c33d1013e6c009324ee9f99a92e5383acc1b6d619ff6229c3360d96

C:\Users\Admin\AppData\Local\Temp\Comfort

MD5 e85c7c2eb7eed1bea9d92071b7b197e4
SHA1 05f4108a3e331b2a9db2351c9f506b3cbadef771
SHA256 5868a2a8a8376d6f34d125e0c9bf0edd15afd3f82df342a8f079d2417997d137
SHA512 97151aec2e73e10cc9e6fdd2c69c0498f49ff6417807e3e4e9cf0534848f34e77fd09943fa86d860993dc8ae1ae14ad85d073cf5ffa391fe3c582f94b502c491

C:\Users\Admin\AppData\Local\Temp\Herein

MD5 717e7bb87ee5fc6795900e82f92c38a5
SHA1 713b0e36e00b5a9df643fab99eff7fe05ebfd4f7
SHA256 f2c1981a42235a7748d03a68d840fb647d1a591cf3265fc7ec32761ee6bca957
SHA512 955107b6a503ab4c4aad2c5b70cff52e2069fed5bcdc6fac76b69957261c531ef95eb31c728b1d64de35130381be734504d8ed6572824dc744f72b49fcdf3f2d

C:\Users\Admin\AppData\Local\Temp\Hat

MD5 6cb837218c7e7f9b0bb4e5de012b5f0b
SHA1 b64ff496cef53d3555c6624abe4a51f99758bbbf
SHA256 baef9762f9bbd47ee6171396e3c87bb0e7655da35438fe5eb1efd9f3c6a87db5
SHA512 23e250e7bfa8f873dde6d786d9ce0526e83fb42421e152e3e75c6ea01e29ddebae9c2115c0e0e19ae85c73f5d8525eb34a499456090451528f51ffff1986ca62

C:\Users\Admin\AppData\Local\Temp\Coleman

MD5 caf81509c6182cdf2b3cf474c21924e7
SHA1 8931ae49b935d30cfb8d192a34d96c1da9a1133f
SHA256 342ada9e312f7bb721e1174b8ce4f23791f02ed04cd6813456072adb2a2330f9
SHA512 d11e61040f5b25cd9740bab941208d82e1f29562705cdff5508909dba6fe848ebe596e7a1daf7a5d30ba97c35816ffe0e8e5a8d7656729ddf7ba349cb8d4da94

C:\Users\Admin\AppData\Local\Temp\Agents

MD5 e072328c52cc438642327cf2715c6232
SHA1 dc776562767baabb5f469f2245cb844435c57a8b
SHA256 7404865538c5dff10b89c992251d03726be4a25135760af18f2ef9234f875728
SHA512 80a05d449fd00895ac2b36cfd0ceb2b6c41a22a37a9aa28bb0a57d3ee9f43ec528a109eaa91ac5fabc6faccedcf547fd2a9c3278293b0ad1d73561771861df7f

C:\Users\Admin\AppData\Local\Temp\Spray

MD5 81754ffb3a2c2760a080ea70a80eecfe
SHA1 4925a77076e0afd35a110ff68132ef98263b8a92
SHA256 b1e347ec4e03cff9cc62b7bc4d219a6645cf3939a35697551cf77839d72089b6
SHA512 e5d21b5db48e2e67afbbe1cfb813252ea0244e31e165ca124f206c291b53be1b1a74d1eba8894e93adcac5e933204f1dddc92c40c1eb775b5cdf5d440b173ee2

C:\Users\Admin\AppData\Local\Temp\Husband

MD5 792c7f8dd36ccf3dc732e75deafcf3a8
SHA1 7511dd19e3ebaea53bbefc72b10146231f8e607d
SHA256 75443ebd4b9dcbcf0e367a853386ce5a604fe338a34afab63f1ac1141c5eb670
SHA512 32cf33fa12fc7bc125e269b50a584834aec1350ed52f081a8a6c393faa6c68a87cb63463465e13b7c3aeaee534ac21ebf482ebd505d67b0d15b41d9e6a93c1b6

C:\Users\Admin\AppData\Local\Temp\Vast

MD5 556425c0faef4670d1e22fb6fcc39670
SHA1 25b97fb1cb78439408f439b4c96933c66cf019df
SHA256 11d8b300d94f5e8455d792625260b83dfdc7f258182620d719eb81a71319f4f5
SHA512 96f8e77db9cf14f121842d8a6a3b225597cb89691b72a051703ce6e7367bf38fc6fb0b14ec17789559c472bb1b2243c6bb88daae28dbe4e1154bfb7f5e658bfa

C:\Users\Admin\AppData\Local\Temp\Schema

MD5 6d6371d8a1877548b2ba892feeec4448
SHA1 9a31d21807d9a7ce9e4701cd63d51ded7db85290
SHA256 85a5a1b465e959f6b55feebae33059f82b972458f8527d5e1361e749b724d13d
SHA512 9dbd7fc2c804e785ea7545ede8408fb647736a1e9731dad40f6256c580a91f1df90cebada0d20776f2b264cde69df8bcb63071b8de24a08944dbfaa5f875a8e0

C:\Users\Admin\AppData\Local\Temp\309056\u

MD5 92e78614e5198320c105789a28b5eaa5
SHA1 75411d15bcd89af58e4a82e65bd66487fc7532dd
SHA256 aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac
SHA512 2e8be01a870c5aeefe1beb3072395b2dec3c10964b1556c4727ba444980dcf079c64def4228df212e7dc81542258cb952525d6a1dbb38655cbcaa8ba06717e41

memory/4800-86-0x0000000001600000-0x00000000017DF000-memory.dmp

memory/4800-87-0x0000000001600000-0x00000000017DF000-memory.dmp

memory/4800-89-0x0000000001600000-0x00000000017DF000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-08 17:51

Reported

2024-09-08 18:01

Platform

win11-20240802-en

Max time kernel

300s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4196 set thread context of 5240 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ElectoralUnderstand C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\WwPeriod C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\InstitutionalInvision C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 472 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4604 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4604 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4604 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4604 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4604 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4604 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 5956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 5956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 5956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4604 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4604 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4604 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4604 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4604 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4196 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4196 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4196 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4196 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4196 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Processes

C:\Users\Admin\AppData\Local\Temp\AppFile.exe

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 309056

C:\Windows\SysWOW64\findstr.exe

findstr /V "threateningflightbreachjoel" Springer

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Dolls.pif u

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
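The command lines in this run are identical to those in behavioral2, and the Files sections of both runs list every chunk named in the copy /b command (Belongs is dropped but referenced by no captured command line). Two steps matter when rebuilding the stages from the drops: findstr /V "threateningflightbreachjoel" Springer prints every line of Springer that does not contain the marker, so a single junk line hidden in the file is removed and the original executable comes out (the redirect of that output into 309056\Dolls.pif is not visible in the captured command line and is assumed); copy /b then joins 36 chunk files, in the order given, into u, which Dolls.pif receives as its only argument. The script below is an added example, not part of the sandbox report: it parses the copy /b command line from the report to get the chunk order, concatenates and hashes the chunks, and emulates the findstr /V filter. Because the real drops are not on this page, the demo runs on constructed chunk contents under the report's file names; the findstr emulation is line-based like the real tool but is not guaranteed byte-exact for every input.

```python
"""Rebuild the file 'u' that the loader assembles with copy /b, and emulate
the findstr /V step that rebuilds Dolls.pif, against constructed chunks.
Added example, not part of the sandbox report."""
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath
from typing import Optional

# The copy /b command line as captured in the report (identical in both runs).
COPY_CMD = (
    r"cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest"
    r" + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci"
    r" + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating"
    r" + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema"
    r" + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents"
    r" + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject"
    r" + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u"
)
# The junk line findstr /V removes from Springer (from the report's command line).
MARKER = b"threateningflightbreachjoel"


def parse_copy_b(cmdline: str) -> tuple[list[str], Optional[str]]:
    """Return (ordered source file names, destination) for a copy /b command.
    copy without a destination appends into the first source; that case
    returns None as the destination."""
    low = cmdline.lower()
    idx = low.find("copy /b")
    if idx < 0:
        raise ValueError("not a copy /b command line")
    parts = cmdline[idx + len("copy /b"):].split()
    dest = None
    if len(parts) >= 2 and parts[-2] != "+":
        dest = parts.pop()
    sources = [PureWindowsPath(p).name for p in parts if p != "+"]
    return sources, dest


def emulate_findstr_v(data: bytes, marker: bytes) -> bytes:
    """Emulate `findstr /V "<marker>" <file>`: keep every line that does not
    contain the marker. With one marker line hidden in the file, the output
    is the original bytes (assuming the marker occurs nowhere else)."""
    return b"\n".join(line for line in data.split(b"\n") if marker not in line)


def rebuild_from_chunks(chunk_dir: Path, copy_cmd: str) -> tuple[bytes, str]:
    """Concatenate the chunks in command-line order; return (bytes, sha256)."""
    sources, _dest = parse_copy_b(copy_cmd)
    blob = b"".join((chunk_dir / name).read_bytes() for name in sources)
    return blob, hashlib.sha256(blob).hexdigest()


def demo() -> dict:
    """Constructed end-to-end run: a fake payload is split into 36 chunks named
    as in the report, rebuilt and hashed; a fake PE with a marker line in front
    is passed through the findstr /V emulation. No real samples are involved."""
    payload = bytes(range(256)) * 40                 # 10240 constructed bytes
    sources, dest = parse_copy_b(COPY_CMD)
    with tempfile.TemporaryDirectory() as tmp:
        chunk_dir = Path(tmp)
        size = -(-len(payload) // len(sources))      # ceiling division
        for i, name in enumerate(sources):
            (chunk_dir / name).write_bytes(payload[i * size:(i + 1) * size])
        rebuilt, digest = rebuild_from_chunks(chunk_dir, COPY_CMD)
    fake_pe = b"MZ\x90\x00" + bytes(64)              # constructed stand-in for Dolls.pif
    springer = MARKER + b"\r\n" + fake_pe            # marker line carried in front
    return {
        "chunk_count": len(sources),
        "dest": dest,
        "rebuilt_ok": rebuilt == payload,
        "sha256": digest,
        "expected_sha256": hashlib.sha256(payload).hexdigest(),
        "findstr_ok": emulate_findstr_v(springer, MARKER) == fake_pe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against the real drops, rebuild_from_chunks should reproduce the SHA256 listed for 309056\u in the Files section (aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac); a mismatch means a chunk was modified after the copy or the command line was truncated in the capture.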

Network

Country Destination Domain Proto
US 8.8.8.8:53 rTzKXibCiKZCHFYYyL.rTzKXibCiKZCHFYYyL udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\Angel

MD5 10d664be6c48cbbfe986cf13389e70d5
SHA1 81c91d173b2a38349b688791ad7a1fd52ba7cfec
SHA256 1544228be4736dfc9a52c9eb675ffe27a75490e71b6697bcfb4896beb99baa17
SHA512 adf5916eeb6c23ddb8b0ec331abab55826dea115fa3675899345319289716aa4181056c9d106e2397a9117bfc1be6a5db1833984d00b249dda11db0bd2e18f67

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 9fce304f6f8b0e39b17488ff2461004a
SHA1 7a2f5480712e430771228a60c6468a21c261015a
SHA256 388238bf76dc4e90837550f3b9ade8c2240ea2330ffbfa54b7bdc14dd64ae31f
SHA512 cbb11d1d73c3979aafe7b374e44f770606d25d3caf4a0aac0197f00580f500004fe32ff9f93a6d7103f7a7db01c35f29ef9e5b95941de98df4f873f37dadf554

C:\Users\Admin\AppData\Local\Temp\Belongs

MD5 08f9d23e902a4b9f1454c0cca8063a4c
SHA1 2d18b94d7e6bfec87661be9c775f989640228efd
SHA256 8eda93d0df79719c2194c895abc443218076fb76a8f8af5bb037491f1a3f42d3
SHA512 1a796a3a24a363f4d5239ea1b972e95000611c6f90be9a0cbe5b8b50195cb11b86e4cb8b4ccc6a4d93822c80e99cccefdb2b585fb48d8ae045ba690459fc164d

C:\Users\Admin\AppData\Local\Temp\Teams

MD5 e4be3f3dfa731bce602265bd78ca96e4
SHA1 da6ee51e4cc450fb2697a8e583590c205c354628
SHA256 3d1c4fc43431a0739b933a0ccc3d6209f3d5e417102adacc99c485dfa78aa306
SHA512 fda626cc19bdf4f36e8ec261597115470a9c44fd5ed43684032fd0694454d30ff28c38d6aed1e765e40fcba9ab618b9fba4a8d2608a7cc0c84404baedfae24b1

C:\Users\Admin\AppData\Local\Temp\Entirely

MD5 e57d41a42c0018011b8d05ead7ba8ea5
SHA1 a5be0444eaf9d294e7043b76533daa5b4391a0de
SHA256 8bef0123411a0a965a9bd62cc22f855df1c84b2ab2f6fdddc5d72d2d0412f0b6
SHA512 4029afff3795c8567b81ced18cd4053efdcf96be62e27bfa7938a7562bba66610a935944e59f39267a757e5d2c5c651c0bd62c89ac485f8d50e5e0c1bb25646c

C:\Users\Admin\AppData\Local\Temp\Eyes

MD5 bf240bdddf4e33588fba0ed1973d7e98
SHA1 7c3c46bc43abdbc82bf41b72860a449433288927
SHA256 a28c88f3dbfd8b8961c30a364b8a38ecdada18b92ac1e77a1c211a7487723c97
SHA512 3990b660f9f53e9a7e626527a53fea00d4b344ba9c90912aa904f336b527cbd87b30e21c3408d215699d1ac5d999b47000f866f38d387312653eeb5d8b768a73

C:\Users\Admin\AppData\Local\Temp\Identifier

MD5 cd4ad18674a26527c0782f2a0d15b277
SHA1 56e92ebf526601f3f5fe99fc3e5dd9b29a99c41c
SHA256 0d34b789bde5b17903b770e563743908bea6d7d0693ef57709dd57dde444eb9a
SHA512 7afac4b0bb0c90ccef4ee14b12b3349e5265eba294e6e5f4dafff894988d07b861cb11dc8dda826420b18288757370bfd0e304e6be578135a1d054c083cdc209

C:\Users\Admin\AppData\Local\Temp\Incest

MD5 74f15b102c0bef94140262ad551bbc24
SHA1 70246a3d8005ca0a91c8d22303c55416b6e9ff4f
SHA256 58376ca5773ce08e2bf4b876cd517ee421030293150ba2dfb50462e34c51c6d9
SHA512 7a0cb169ba7b69d5388678478cfaa4bc82fe854d5a40785fa03a3a0bb955088adbe00f5da8f667df6ea448d6118b372ccdf9fcabceb5e70574573f9a0f8729de

C:\Users\Admin\AppData\Local\Temp\Official

MD5 c28b2871b183dfc806e0855c516e6ab4
SHA1 8f367c25d973e6b690b1ea6799ecd39221371e43
SHA256 12717aac68c10051e3ca2ae75343128eb8a80eec398269d675d5244ade6d9724
SHA512 f02f7bf8885d57a89391768ddf66c8494ff058f5da4d9d316187c210aca6943f6a2dc4c62771ea3a90b10674c27e117f92d6c7df8e2af75bae349a989b86220d

C:\Users\Admin\AppData\Local\Temp\Persian

MD5 4f028498571a78e28b5665bcfaf7bda1
SHA1 db28d1f7a2206c4fc4a17d57373e928bb10c7954
SHA256 84310b39a6c9e5941f61502105e746b3dd836108e2a6c7084612e86d0efb91e4
SHA512 a540c4cd5a8997e7cb7f5cb2ae20859db92991d2f390296c5ac7afe23232679dae30b6db902602893b8b23dcebae07a6b39a57f50adecb3c6367eca174623b24

C:\Users\Admin\AppData\Local\Temp\Sci

MD5 f1e239919f64507bc976bee4ac152239
SHA1 b69eb5fec6da7c582aff31820106e0c46ec8dfda
SHA256 a0d3e15d1b12b4b4111786e454770c511221a6eebe271f20849b112d0cb161b9
SHA512 4459e213cd7e36b0008520d030902058a83c2b81bb9333e710561d27ecbcc56468b10994d64488da2fe9b52f033e7a322d6f1fbbcb9081b682acada286f9dff4

C:\Users\Admin\AppData\Local\Temp\Eagle

MD5 ffa47b74dc7534579bddc42e8ea9bc21
SHA1 22e0cf8668117e3782a38b8e4f3553c8f79c379d
SHA256 d0e2a600aab27dfc91bc8c1e73e0d0d20489b04bd376e7bf16fe1763ca1f9ce6
SHA512 16f80341dc0386413558c6307a35831f239005f5fadd01818efe95f77c2a12311e5db7943902d16676c12aa1765f20af335a561da1e3f79eb5d9baaee2dc6113

C:\Users\Admin\AppData\Local\Temp\Rochester

MD5 2076c81372d64961aeee64296c288ddf
SHA1 4767a7f611e6ac3ceeb692f1a7df90cdd84fc7ca
SHA256 63563ab659575d711cf2a686d7140359850e49bc2f1e9f658105c3adb0663fb8
SHA512 1e40bc944a91fc9608077b1866d6742624f377e7cc2d63903fe2bd24093b17be3aedc70c534497eaaec7ce30ecf318153f3c40af1ff56a82f5ff48fc09cb5976

C:\Users\Admin\AppData\Local\Temp\Asset

MD5 79ccf7fd1a2157e74b27c1935707ee99
SHA1 9f1267d4323c5180c8700cbe82ba51456ab40f74
SHA256 d90010bbb47afe5b33fc5bc52295ec6ca955a875fe1001f32bfc870783633ed7
SHA512 35dc6918b9255eba821b0e3418cb58db2ad703aaa731bb2474d78084367e975451142a23348a1911bdc4f7cbfb70eeaba8b6cce2a8f527944f0ed3a4fb1d9129

C:\Users\Admin\AppData\Local\Temp\Arts

MD5 22999c3bfef35ab54dc51cea926d8125
SHA1 aa929c775e9a740f3b6fc403b5bfb13b0ef10e14
SHA256 63f722d605fdd7162f695c55b4c57acf925140a62b93b447d805b1dbcf3d1b1c
SHA512 d750799211beb39b6033f1a85e773b65ed1f576e718c5d9d805b36b6bc152aab7e411d8f2fc73a87b799016f67962ef42a7b7e2c304a5b02b1daf166ac142994

C:\Users\Admin\AppData\Local\Temp\Communication

MD5 e76ca6497197f496c934e273bc4af7a8
SHA1 1c813197c9434d6d3f359c1c0c6374ce8e5e77e6
SHA256 2adfd0aa33275eaeddbebffef664bcc2f403ebf6335bc593bd490a66e06c3956
SHA512 425fa7c17d9e30e8c3c6ea042a86f6f54f8938ca3491e514e633d111d5cdb0d8094c482c9e08a57cec613178d78c55392c64c8e0d60190c86957a170245e9f3f

C:\Users\Admin\AppData\Local\Temp\Evaluations

MD5 824ca47d6ed68f19c98e3a8585c03fd2
SHA1 00ebf75301539fac6f72012b3dea899797d83eca
SHA256 14e02c722fdb4507967bd77111eceb5c377e4b515f2cc9ca01117df4e1df2965
SHA512 e1b398ab18042a7456e87fd6169bca88e86e718b09111eee11f81cc284599ce3431f852fe1552db950bd39f5ac9703406c206b8b37ff595a05099fefd5ddc81f

C:\Users\Admin\AppData\Local\Temp\Coating

MD5 d4b175095bad046fe31a891e313fac1d
SHA1 3e8268ea2db96566a03b5886ffcd904cc2938940
SHA256 710fcbabe6b6d3fb615d012d3aa5ff551d30590eb9949ad947ce42e313e2a757
SHA512 d78844eb4099962d6eb5c9308e0f80cc3f56c15a525318a6ddc94811f8239eb622df6845ec831eb656157f9695f935d4962ca538f802c0449ac00850b519a007

C:\Users\Admin\AppData\Local\Temp\Considering

MD5 8392df6b6dd3005f67d9e685adf5d98a
SHA1 172ccb65f6b6192c695b53f8ddcedfdbe639fea6
SHA256 89d0790a0691cf5f327ab61f73fa2167a8b54ad0e8b21c22d34887455463448e
SHA512 d6ad83fb2ad1cceeb57098b27145e20e800703440c0cf04ed13c00af9c2baecf82e8ad6e28af556de5e2b38a80d8b987f6c347f18eac0892db23ed2ec81d0b3f

C:\Users\Admin\AppData\Local\Temp\Indicated

MD5 d8d333b7fa6f3f4d117279af7fe5ebd7
SHA1 15360b9018b623a945ccd0a147bff926f9a36b4d
SHA256 c07e05f4515864b97744a19b33e80170911dee7e84b19dff7a624c3b95c0db58
SHA512 e60a6932bc7036ef5f0d031fdacfea0f1c399370336fa36907e3ea1e5a0eec50e135c965452c29dad05f3327efb9c9f063e38e9d5bd68265552248113743f251

C:\Users\Admin\AppData\Local\Temp\Stamps

MD5 05edf987e0e4caf0790d6cd52745918f
SHA1 a657c82fb2b6055696917d16e074e3afad630da7
SHA256 6ce2a376edd727d7295bc0648e844ad281bb96db057b84e803c5bb387ca2f54c
SHA512 38b90f60b303a00b93ea1f0f9b4fa9f6dac7b64d9f0e849699d8220bc70efbd1c038d35cfb7a1c12a2a5b9facaf1accd9fbeadfd5be5ca1ccfb29e51864856bb

C:\Users\Admin\AppData\Local\Temp\Crawford

MD5 aa5687b499c0e31cc570a5b3956e0055
SHA1 0d469ee44ed6a8a57095820ac188477f1ce46e04
SHA256 c6cae2f7545cc6a2382123889ebf816db31d84136c15b36ac488a74eef5e2c86
SHA512 0f11ed72669671ed51e5dd3658c29d9f00f8397b7168db5255e0242924db8ce7514dc318552c80843283f0ad93d8f45951359d8461837a32e3ba8672d8c7fb9b

C:\Users\Admin\AppData\Local\Temp\Schema

MD5 6d6371d8a1877548b2ba892feeec4448
SHA1 9a31d21807d9a7ce9e4701cd63d51ded7db85290
SHA256 85a5a1b465e959f6b55feebae33059f82b972458f8527d5e1361e749b724d13d
SHA512 9dbd7fc2c804e785ea7545ede8408fb647736a1e9731dad40f6256c580a91f1df90cebada0d20776f2b264cde69df8bcb63071b8de24a08944dbfaa5f875a8e0

C:\Users\Admin\AppData\Local\Temp\Husband

MD5 792c7f8dd36ccf3dc732e75deafcf3a8
SHA1 7511dd19e3ebaea53bbefc72b10146231f8e607d
SHA256 75443ebd4b9dcbcf0e367a853386ce5a604fe338a34afab63f1ac1141c5eb670
SHA512 32cf33fa12fc7bc125e269b50a584834aec1350ed52f081a8a6c393faa6c68a87cb63463465e13b7c3aeaee534ac21ebf482ebd505d67b0d15b41d9e6a93c1b6

C:\Users\Admin\AppData\Local\Temp\Vast

MD5 556425c0faef4670d1e22fb6fcc39670
SHA1 25b97fb1cb78439408f439b4c96933c66cf019df
SHA256 11d8b300d94f5e8455d792625260b83dfdc7f258182620d719eb81a71319f4f5
SHA512 96f8e77db9cf14f121842d8a6a3b225597cb89691b72a051703ce6e7367bf38fc6fb0b14ec17789559c472bb1b2243c6bb88daae28dbe4e1154bfb7f5e658bfa

C:\Users\Admin\AppData\Local\Temp\Hired

MD5 a4e79a921d1a40f87f86cc426d0cce0d
SHA1 52ac999f6ed734a3023428194c3422e206987124
SHA256 306e6d43695f56399f0c7ce9c36e2f8e652838a02d0debf6ab98e7fd2f483af6
SHA512 113557e6e6b5316f83ac5899338e3dd63ec281b449f1ee063efceedc94846ece210c8f4b047b804feee2487b7328bd4181c696b4fb7075550fa3a2ced5d01e9e

C:\Users\Admin\AppData\Local\Temp\Slovenia

MD5 398a56733a96146f96dae1f926f8ee34
SHA1 b589aaa2ae0b047d2b91df4daa193f02d68c2563
SHA256 e411f41b9d6fff03fe7d4da422aa30f11bfecb5f5bf9c6cf2088eb84a2a8c018
SHA512 a45e9a93c2f5673204eb1898ca10f7a7e244b512da6f2493b330b266a1d8a2d3db636c5a5a6e67b044cb0ea5a124064ccefb2db3783052e6e6698d9c6d1e7d71

C:\Users\Admin\AppData\Local\Temp\Spray

MD5 81754ffb3a2c2760a080ea70a80eecfe
SHA1 4925a77076e0afd35a110ff68132ef98263b8a92
SHA256 b1e347ec4e03cff9cc62b7bc4d219a6645cf3939a35697551cf77839d72089b6
SHA512 e5d21b5db48e2e67afbbe1cfb813252ea0244e31e165ca124f206c291b53be1b1a74d1eba8894e93adcac5e933204f1dddc92c40c1eb775b5cdf5d440b173ee2

C:\Users\Admin\AppData\Local\Temp\Agents

MD5 e072328c52cc438642327cf2715c6232
SHA1 dc776562767baabb5f469f2245cb844435c57a8b
SHA256 7404865538c5dff10b89c992251d03726be4a25135760af18f2ef9234f875728
SHA512 80a05d449fd00895ac2b36cfd0ceb2b6c41a22a37a9aa28bb0a57d3ee9f43ec528a109eaa91ac5fabc6faccedcf547fd2a9c3278293b0ad1d73561771861df7f

C:\Users\Admin\AppData\Local\Temp\Coleman

MD5 caf81509c6182cdf2b3cf474c21924e7
SHA1 8931ae49b935d30cfb8d192a34d96c1da9a1133f
SHA256 342ada9e312f7bb721e1174b8ce4f23791f02ed04cd6813456072adb2a2330f9
SHA512 d11e61040f5b25cd9740bab941208d82e1f29562705cdff5508909dba6fe848ebe596e7a1daf7a5d30ba97c35816ffe0e8e5a8d7656729ddf7ba349cb8d4da94

C:\Users\Admin\AppData\Local\Temp\Mods

MD5 63991cd3b811a87ef7f756a3a88408f3
SHA1 5887b2746923e3bb209a010c794d6a03f2043cbe
SHA256 16c52c4b922b43b8dd61738190c23f60da5e601a1e84d6cbd277ed7c9bc16675
SHA512 f9115542afa4079772b2edbeb5cbefbb337f976ced77036240624787549ea04937cfebbdc290bdaa8e8523c688b7536af7bd88fe43b053d3dcf811783967c7b6

C:\Users\Admin\AppData\Local\Temp\Hat

MD5 6cb837218c7e7f9b0bb4e5de012b5f0b
SHA1 b64ff496cef53d3555c6624abe4a51f99758bbbf
SHA256 baef9762f9bbd47ee6171396e3c87bb0e7655da35438fe5eb1efd9f3c6a87db5
SHA512 23e250e7bfa8f873dde6d786d9ce0526e83fb42421e152e3e75c6ea01e29ddebae9c2115c0e0e19ae85c73f5d8525eb34a499456090451528f51ffff1986ca62

C:\Users\Admin\AppData\Local\Temp\Herein

MD5 717e7bb87ee5fc6795900e82f92c38a5
SHA1 713b0e36e00b5a9df643fab99eff7fe05ebfd4f7
SHA256 f2c1981a42235a7748d03a68d840fb647d1a591cf3265fc7ec32761ee6bca957
SHA512 955107b6a503ab4c4aad2c5b70cff52e2069fed5bcdc6fac76b69957261c531ef95eb31c728b1d64de35130381be734504d8ed6572824dc744f72b49fcdf3f2d

C:\Users\Admin\AppData\Local\Temp\Comfort

MD5 e85c7c2eb7eed1bea9d92071b7b197e4
SHA1 05f4108a3e331b2a9db2351c9f506b3cbadef771
SHA256 5868a2a8a8376d6f34d125e0c9bf0edd15afd3f82df342a8f079d2417997d137
SHA512 97151aec2e73e10cc9e6fdd2c69c0498f49ff6417807e3e4e9cf0534848f34e77fd09943fa86d860993dc8ae1ae14ad85d073cf5ffa391fe3c582f94b502c491

C:\Users\Admin\AppData\Local\Temp\Dinner

MD5 9278daaaaad5cf175f7e5037f994ae26
SHA1 50c1d167d544a6db08d90ba33ba434147bf4b63e
SHA256 525dff77cccca91f145aa95c71b921ffc029881310ef9a0808e5c0cbc8589420
SHA512 343263a1794b59e1a5cbe8b169f5efab5ee1f3c273a9961104973557b51174730613693b3dc50852f9db4864bd182d1343a3fa97ddbe6f3d04b0656911443c9e

C:\Users\Admin\AppData\Local\Temp\Lending

MD5 ea6036f36a74ce85b23ec1828d3cc68f
SHA1 f1ce5a30d9774f397d82de04130209b501fd0d1c
SHA256 120a01b7d92584f180e803019867585ed5a106b1d63047ec9b949fa59ed75498
SHA512 5b7d46c88d330a85d524fe5a7aab9232b3644c7299ce7df7d34eae9821baea9ed1070e379a63d8efe6f98c0dcbf1b69adc3f311b26361ab5ea8e648cf9167b66

C:\Users\Admin\AppData\Local\Temp\Gaming

MD5 122f66640ca5fcc16ff9106acca0a4c5
SHA1 15ec716fc34c6dfb6be98d56487528a62e0a9fc5
SHA256 7db5db363d38cc28570b882229eaaa3d819bdfb5953ebd3de483e7338285ed0e
SHA512 3052d8791dee53ff955b655a0b9d7ff804b6c1f80806199a61a98cfb58ac52efab8c53caa5e3248b487ad485edfe9959044f94218f754f75ac212f890b789ab4

C:\Users\Admin\AppData\Local\Temp\Dining

MD5 07b2b7969bb80e43ae8d6d565cbab5c4
SHA1 128d43f48928a73ef3446593d63fbfe025cb126c
SHA256 818f6cc7d29bc250a64e02e61c840e1f74432c66bbacef0ce0a75105accdb592
SHA512 45b840b69b09801c4c0528cfc00f8eb50f2a8d2806907a894355ead304f5b1aafdaca9741bf9200b036b9302340d25f6dba7c44e7be651f179736857ef7b3f60

C:\Users\Admin\AppData\Local\Temp\Reject

MD5 e9157b4c97794aeff095902148ad9532
SHA1 2915ca3cff7a81ea19ed0873fe8266274582158e
SHA256 1f588e2cefb8bafadc9a029a28dcdd93a7e9472e2190caab7a277fa79cffcd77
SHA512 26973ff5887e087632c459597a4652f6917d9a81fa48c1642a56c95221f019696e46f88a6c33d1013e6c009324ee9f99a92e5383acc1b6d619ff6229c3360d96

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\309056\u

MD5 92e78614e5198320c105789a28b5eaa5
SHA1 75411d15bcd89af58e4a82e65bd66487fc7532dd
SHA256 aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac
SHA512 2e8be01a870c5aeefe1beb3072395b2dec3c10964b1556c4727ba444980dcf079c64def4228df212e7dc81542258cb952525d6a1dbb38655cbcaa8ba06717e41

memory/5240-86-0x0000000001630000-0x000000000180F000-memory.dmp

memory/5240-87-0x0000000001630000-0x000000000180F000-memory.dmp

memory/5240-89-0x0000000001630000-0x000000000180F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-08 17:51

Reported

2024-09-08 18:01

Platform

win10-20240404-en

Max time kernel

244s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

Signatures

CryptBot

spyware stealer cryptbot

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ElectoralUnderstand C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\WwPeriod C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
File opened for modification C:\Windows\InstitutionalInvision C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AppFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminIIDHJKFBGI.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 1020 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\AppFile.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1740 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1740 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1740 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1740 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1740 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1740 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1740 wrote to memory of 164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1740 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1740 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 1740 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1740 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1740 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2392 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2392 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2392 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2392 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 2392 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
PID 4604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe
PID 4604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe
PID 4604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe
PID 4604 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe
PID 4604 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe
PID 4604 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe
PID 4604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe
PID 4604 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe
PID 4604 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe
PID 4604 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe
PID 4604 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe
PID 4604 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe
PID 4604 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe
PID 4604 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe
PID 4604 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe
PID 4604 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe
PID 4604 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe
PID 4604 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe
PID 4604 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe
PID 4604 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe
PID 4604 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe
PID 4604 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe
PID 4604 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe
PID 4604 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe
PID 4604 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe
PID 424 wrote to memory of 4692 N/A C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp
PID 424 wrote to memory of 4692 N/A C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp
PID 424 wrote to memory of 4692 N/A C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp
PID 3548 wrote to memory of 4484 N/A C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AppFile.exe

"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 309056

C:\Windows\SysWOW64\findstr.exe

findstr /V "threateningflightbreachjoel" Springer

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

Dolls.pif u

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe

C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe

C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe

C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe

C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe

C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe

C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe

C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe

C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe

C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe

C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe

C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe

C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe

C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe

C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe

C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe

C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe

C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe

C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp" /SL5="$F004E,3462581,702464,C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 592

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIIDHJKFBGI.exe"

C:\Users\AdminIIDHJKFBGI.exe

"C:\Users\AdminIIDHJKFBGI.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCAAEBFHJJ.exe"

C:\Users\AdminFCAAEBFHJJ.exe

"C:\Users\AdminFCAAEBFHJJ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "RRTELIGS"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "RRTELIGS"

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\ProgramData\AAAAKJKJEB.exe

"C:\ProgramData\AAAAKJKJEB.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\IECFHDBAAE.exe

"C:\ProgramData\IECFHDBAAE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGDGIEGHJEGI" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rTzKXibCiKZCHFYYyL.rTzKXibCiKZCHFYYyL udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 240902180529931.tyr.zont16.com udp
RU 176.113.115.33:80 176.113.115.33 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
RU 31.41.244.9:80 31.41.244.9 tcp
RU 176.111.174.109:80 176.111.174.109 tcp
US 8.8.8.8:53 voinformatica.com.pt udp
US 8.8.8.8:53 file-link-iota.vercel.app udp
US 76.76.21.98:80 file-link-iota.vercel.app tcp
PT 80.172.227.23:80 voinformatica.com.pt tcp
PT 80.172.227.23:80 voinformatica.com.pt tcp
CH 179.43.188.227:80 240902180529931.tyr.zont16.com tcp
US 76.76.21.98:80 file-link-iota.vercel.app tcp
US 76.76.21.98:80 file-link-iota.vercel.app tcp
US 76.76.21.98:443 file-link-iota.vercel.app tcp
US 8.8.8.8:53 104.44.45.147.in-addr.arpa udp
US 8.8.8.8:53 33.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 109.174.111.176.in-addr.arpa udp
US 8.8.8.8:53 9.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 98.21.76.76.in-addr.arpa udp
US 8.8.8.8:53 227.188.43.179.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 youtransfer.net udp
PT 80.172.227.23:80 voinformatica.com.pt tcp
PT 80.172.227.23:80 voinformatica.com.pt tcp
CA 158.69.225.124:443 youtransfer.net tcp
PT 80.172.227.23:80 voinformatica.com.pt tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 23.227.172.80.in-addr.arpa udp
PT 80.172.227.23:80 voinformatica.com.pt tcp
PT 80.172.227.23:443 voinformatica.com.pt tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
PT 80.172.227.23:443 voinformatica.com.pt tcp
US 8.8.8.8:53 r10.o.lencr.org udp
US 8.8.8.8:53 124.225.69.158.in-addr.arpa udp
GB 92.123.143.218:80 r10.o.lencr.org tcp
US 8.8.8.8:53 218.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
CZ 46.8.231.109:80 46.8.231.109 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
FI 147.45.126.10:80 147.45.126.10 tcp
US 8.8.8.8:53 109.231.8.46.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 10.126.45.147.in-addr.arpa udp
NL 89.105.223.249:29986 tcp
US 8.8.8.8:53 249.223.105.89.in-addr.arpa udp
NL 45.91.202.63:25415 tcp
US 8.8.8.8:53 tventyv20sb.top udp
FI 147.45.126.10:80 147.45.126.10 tcp
RU 194.87.248.136:80 tventyv20sb.top tcp
US 8.8.8.8:53 136.248.87.194.in-addr.arpa udp
PT 80.172.227.23:443 voinformatica.com.pt tcp
NL 45.91.202.63:25415 tcp
US 8.8.8.8:53 ignoracndwko.shop udp
US 172.67.207.50:443 ignoracndwko.shop tcp
US 8.8.8.8:53 preachstrwnwjw.shop udp
US 104.21.47.108:443 preachstrwnwjw.shop tcp
US 8.8.8.8:53 50.207.67.172.in-addr.arpa udp
US 8.8.8.8:53 complainnykso.shop udp
US 172.67.151.164:443 complainnykso.shop tcp
US 8.8.8.8:53 basedsymsotp.shop udp
US 8.8.8.8:53 108.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 164.151.67.172.in-addr.arpa udp
US 104.21.78.130:443 basedsymsotp.shop tcp
US 8.8.8.8:53 charistmatwio.shop udp
US 172.67.193.197:443 charistmatwio.shop tcp
NL 45.91.202.63:25415 tcp
US 8.8.8.8:53 130.78.21.104.in-addr.arpa udp
US 8.8.8.8:53 grassemenwji.shop udp
US 172.67.154.82:443 grassemenwji.shop tcp
US 8.8.8.8:53 197.193.67.172.in-addr.arpa udp
US 8.8.8.8:53 82.154.67.172.in-addr.arpa udp
US 8.8.8.8:53 stitchmiscpaew.shop udp
US 172.67.136.135:443 stitchmiscpaew.shop tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:443 pool.hashvault.pro tcp
US 8.8.8.8:53 135.136.67.172.in-addr.arpa udp
US 8.8.8.8:53 commisionipwn.shop udp
US 172.67.218.77:443 commisionipwn.shop tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
NL 45.91.202.63:25415 tcp
GB 2.22.99.85:443 steamcommunity.com tcp
PT 80.172.227.23:443 voinformatica.com.pt tcp
US 8.8.8.8:53 77.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 tenntysjuxmz.shop udp
US 104.21.39.10:443 tenntysjuxmz.shop tcp
US 8.8.8.8:53 10.39.21.104.in-addr.arpa udp
US 172.67.207.50:443 ignoracndwko.shop tcp
NL 45.91.202.63:25415 tcp
US 104.21.47.108:443 preachstrwnwjw.shop tcp
US 8.8.8.8:53 gacan.zapto.org udp
US 172.67.151.164:443 complainnykso.shop tcp
US 104.21.78.130:443 basedsymsotp.shop tcp
US 172.67.193.197:443 charistmatwio.shop tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 172.67.154.82:443 grassemenwji.shop tcp
FI 147.45.126.10:80 147.45.126.10 tcp
FI 147.45.126.10:80 147.45.126.10 tcp
NL 45.91.202.63:25415 tcp
US 172.67.136.135:443 stitchmiscpaew.shop tcp
US 172.67.218.77:443 commisionipwn.shop tcp
GB 2.22.99.85:443 steamcommunity.com tcp
US 104.21.39.10:443 tenntysjuxmz.shop tcp
NL 45.91.202.63:25415 tcp
NL 45.91.202.63:25415 tcp
NL 45.91.202.63:25415 tcp
NL 45.91.202.63:25415 tcp
NL 45.91.202.63:25415 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Angel

MD5 10d664be6c48cbbfe986cf13389e70d5
SHA1 81c91d173b2a38349b688791ad7a1fd52ba7cfec
SHA256 1544228be4736dfc9a52c9eb675ffe27a75490e71b6697bcfb4896beb99baa17
SHA512 adf5916eeb6c23ddb8b0ec331abab55826dea115fa3675899345319289716aa4181056c9d106e2397a9117bfc1be6a5db1833984d00b249dda11db0bd2e18f67

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 9fce304f6f8b0e39b17488ff2461004a
SHA1 7a2f5480712e430771228a60c6468a21c261015a
SHA256 388238bf76dc4e90837550f3b9ade8c2240ea2330ffbfa54b7bdc14dd64ae31f
SHA512 cbb11d1d73c3979aafe7b374e44f770606d25d3caf4a0aac0197f00580f500004fe32ff9f93a6d7103f7a7db01c35f29ef9e5b95941de98df4f873f37dadf554

C:\Users\Admin\AppData\Local\Temp\Belongs

MD5 08f9d23e902a4b9f1454c0cca8063a4c
SHA1 2d18b94d7e6bfec87661be9c775f989640228efd
SHA256 8eda93d0df79719c2194c895abc443218076fb76a8f8af5bb037491f1a3f42d3
SHA512 1a796a3a24a363f4d5239ea1b972e95000611c6f90be9a0cbe5b8b50195cb11b86e4cb8b4ccc6a4d93822c80e99cccefdb2b585fb48d8ae045ba690459fc164d

C:\Users\Admin\AppData\Local\Temp\Teams

MD5 e4be3f3dfa731bce602265bd78ca96e4
SHA1 da6ee51e4cc450fb2697a8e583590c205c354628
SHA256 3d1c4fc43431a0739b933a0ccc3d6209f3d5e417102adacc99c485dfa78aa306
SHA512 fda626cc19bdf4f36e8ec261597115470a9c44fd5ed43684032fd0694454d30ff28c38d6aed1e765e40fcba9ab618b9fba4a8d2608a7cc0c84404baedfae24b1

C:\Users\Admin\AppData\Local\Temp\Entirely

MD5 e57d41a42c0018011b8d05ead7ba8ea5
SHA1 a5be0444eaf9d294e7043b76533daa5b4391a0de
SHA256 8bef0123411a0a965a9bd62cc22f855df1c84b2ab2f6fdddc5d72d2d0412f0b6
SHA512 4029afff3795c8567b81ced18cd4053efdcf96be62e27bfa7938a7562bba66610a935944e59f39267a757e5d2c5c651c0bd62c89ac485f8d50e5e0c1bb25646c

C:\Users\Admin\AppData\Local\Temp\Eyes

MD5 bf240bdddf4e33588fba0ed1973d7e98
SHA1 7c3c46bc43abdbc82bf41b72860a449433288927
SHA256 a28c88f3dbfd8b8961c30a364b8a38ecdada18b92ac1e77a1c211a7487723c97
SHA512 3990b660f9f53e9a7e626527a53fea00d4b344ba9c90912aa904f336b527cbd87b30e21c3408d215699d1ac5d999b47000f866f38d387312653eeb5d8b768a73

C:\Users\Admin\AppData\Local\Temp\Identifier

MD5 cd4ad18674a26527c0782f2a0d15b277
SHA1 56e92ebf526601f3f5fe99fc3e5dd9b29a99c41c
SHA256 0d34b789bde5b17903b770e563743908bea6d7d0693ef57709dd57dde444eb9a
SHA512 7afac4b0bb0c90ccef4ee14b12b3349e5265eba294e6e5f4dafff894988d07b861cb11dc8dda826420b18288757370bfd0e304e6be578135a1d054c083cdc209

C:\Users\Admin\AppData\Local\Temp\Incest

MD5 74f15b102c0bef94140262ad551bbc24
SHA1 70246a3d8005ca0a91c8d22303c55416b6e9ff4f
SHA256 58376ca5773ce08e2bf4b876cd517ee421030293150ba2dfb50462e34c51c6d9
SHA512 7a0cb169ba7b69d5388678478cfaa4bc82fe854d5a40785fa03a3a0bb955088adbe00f5da8f667df6ea448d6118b372ccdf9fcabceb5e70574573f9a0f8729de

C:\Users\Admin\AppData\Local\Temp\Official

MD5 c28b2871b183dfc806e0855c516e6ab4
SHA1 8f367c25d973e6b690b1ea6799ecd39221371e43
SHA256 12717aac68c10051e3ca2ae75343128eb8a80eec398269d675d5244ade6d9724
SHA512 f02f7bf8885d57a89391768ddf66c8494ff058f5da4d9d316187c210aca6943f6a2dc4c62771ea3a90b10674c27e117f92d6c7df8e2af75bae349a989b86220d

C:\Users\Admin\AppData\Local\Temp\Persian

MD5 4f028498571a78e28b5665bcfaf7bda1
SHA1 db28d1f7a2206c4fc4a17d57373e928bb10c7954
SHA256 84310b39a6c9e5941f61502105e746b3dd836108e2a6c7084612e86d0efb91e4
SHA512 a540c4cd5a8997e7cb7f5cb2ae20859db92991d2f390296c5ac7afe23232679dae30b6db902602893b8b23dcebae07a6b39a57f50adecb3c6367eca174623b24

C:\Users\Admin\AppData\Local\Temp\Arts

MD5 22999c3bfef35ab54dc51cea926d8125
SHA1 aa929c775e9a740f3b6fc403b5bfb13b0ef10e14
SHA256 63f722d605fdd7162f695c55b4c57acf925140a62b93b447d805b1dbcf3d1b1c
SHA512 d750799211beb39b6033f1a85e773b65ed1f576e718c5d9d805b36b6bc152aab7e411d8f2fc73a87b799016f67962ef42a7b7e2c304a5b02b1daf166ac142994

C:\Users\Admin\AppData\Local\Temp\Asset

MD5 79ccf7fd1a2157e74b27c1935707ee99
SHA1 9f1267d4323c5180c8700cbe82ba51456ab40f74
SHA256 d90010bbb47afe5b33fc5bc52295ec6ca955a875fe1001f32bfc870783633ed7
SHA512 35dc6918b9255eba821b0e3418cb58db2ad703aaa731bb2474d78084367e975451142a23348a1911bdc4f7cbfb70eeaba8b6cce2a8f527944f0ed3a4fb1d9129

C:\Users\Admin\AppData\Local\Temp\Eagle

MD5 ffa47b74dc7534579bddc42e8ea9bc21
SHA1 22e0cf8668117e3782a38b8e4f3553c8f79c379d
SHA256 d0e2a600aab27dfc91bc8c1e73e0d0d20489b04bd376e7bf16fe1763ca1f9ce6
SHA512 16f80341dc0386413558c6307a35831f239005f5fadd01818efe95f77c2a12311e5db7943902d16676c12aa1765f20af335a561da1e3f79eb5d9baaee2dc6113

C:\Users\Admin\AppData\Local\Temp\Sci

MD5 f1e239919f64507bc976bee4ac152239
SHA1 b69eb5fec6da7c582aff31820106e0c46ec8dfda
SHA256 a0d3e15d1b12b4b4111786e454770c511221a6eebe271f20849b112d0cb161b9
SHA512 4459e213cd7e36b0008520d030902058a83c2b81bb9333e710561d27ecbcc56468b10994d64488da2fe9b52f033e7a322d6f1fbbcb9081b682acada286f9dff4

C:\Users\Admin\AppData\Local\Temp\Rochester

MD5 2076c81372d64961aeee64296c288ddf
SHA1 4767a7f611e6ac3ceeb692f1a7df90cdd84fc7ca
SHA256 63563ab659575d711cf2a686d7140359850e49bc2f1e9f658105c3adb0663fb8
SHA512 1e40bc944a91fc9608077b1866d6742624f377e7cc2d63903fe2bd24093b17be3aedc70c534497eaaec7ce30ecf318153f3c40af1ff56a82f5ff48fc09cb5976

C:\Users\Admin\AppData\Local\Temp\Communication

MD5 e76ca6497197f496c934e273bc4af7a8
SHA1 1c813197c9434d6d3f359c1c0c6374ce8e5e77e6
SHA256 2adfd0aa33275eaeddbebffef664bcc2f403ebf6335bc593bd490a66e06c3956
SHA512 425fa7c17d9e30e8c3c6ea042a86f6f54f8938ca3491e514e633d111d5cdb0d8094c482c9e08a57cec613178d78c55392c64c8e0d60190c86957a170245e9f3f

C:\Users\Admin\AppData\Local\Temp\Evaluations

MD5 824ca47d6ed68f19c98e3a8585c03fd2
SHA1 00ebf75301539fac6f72012b3dea899797d83eca
SHA256 14e02c722fdb4507967bd77111eceb5c377e4b515f2cc9ca01117df4e1df2965
SHA512 e1b398ab18042a7456e87fd6169bca88e86e718b09111eee11f81cc284599ce3431f852fe1552db950bd39f5ac9703406c206b8b37ff595a05099fefd5ddc81f

C:\Users\Admin\AppData\Local\Temp\Coating

MD5 d4b175095bad046fe31a891e313fac1d
SHA1 3e8268ea2db96566a03b5886ffcd904cc2938940
SHA256 710fcbabe6b6d3fb615d012d3aa5ff551d30590eb9949ad947ce42e313e2a757
SHA512 d78844eb4099962d6eb5c9308e0f80cc3f56c15a525318a6ddc94811f8239eb622df6845ec831eb656157f9695f935d4962ca538f802c0449ac00850b519a007

C:\Users\Admin\AppData\Local\Temp\Considering

MD5 8392df6b6dd3005f67d9e685adf5d98a
SHA1 172ccb65f6b6192c695b53f8ddcedfdbe639fea6
SHA256 89d0790a0691cf5f327ab61f73fa2167a8b54ad0e8b21c22d34887455463448e
SHA512 d6ad83fb2ad1cceeb57098b27145e20e800703440c0cf04ed13c00af9c2baecf82e8ad6e28af556de5e2b38a80d8b987f6c347f18eac0892db23ed2ec81d0b3f

C:\Users\Admin\AppData\Local\Temp\Indicated

MD5 d8d333b7fa6f3f4d117279af7fe5ebd7
SHA1 15360b9018b623a945ccd0a147bff926f9a36b4d
SHA256 c07e05f4515864b97744a19b33e80170911dee7e84b19dff7a624c3b95c0db58
SHA512 e60a6932bc7036ef5f0d031fdacfea0f1c399370336fa36907e3ea1e5a0eec50e135c965452c29dad05f3327efb9c9f063e38e9d5bd68265552248113743f251

C:\Users\Admin\AppData\Local\Temp\Stamps

MD5 05edf987e0e4caf0790d6cd52745918f
SHA1 a657c82fb2b6055696917d16e074e3afad630da7
SHA256 6ce2a376edd727d7295bc0648e844ad281bb96db057b84e803c5bb387ca2f54c
SHA512 38b90f60b303a00b93ea1f0f9b4fa9f6dac7b64d9f0e849699d8220bc70efbd1c038d35cfb7a1c12a2a5b9facaf1accd9fbeadfd5be5ca1ccfb29e51864856bb

C:\Users\Admin\AppData\Local\Temp\Crawford

MD5 aa5687b499c0e31cc570a5b3956e0055
SHA1 0d469ee44ed6a8a57095820ac188477f1ce46e04
SHA256 c6cae2f7545cc6a2382123889ebf816db31d84136c15b36ac488a74eef5e2c86
SHA512 0f11ed72669671ed51e5dd3658c29d9f00f8397b7168db5255e0242924db8ce7514dc318552c80843283f0ad93d8f45951359d8461837a32e3ba8672d8c7fb9b

C:\Users\Admin\AppData\Local\Temp\Schema

MD5 6d6371d8a1877548b2ba892feeec4448
SHA1 9a31d21807d9a7ce9e4701cd63d51ded7db85290
SHA256 85a5a1b465e959f6b55feebae33059f82b972458f8527d5e1361e749b724d13d
SHA512 9dbd7fc2c804e785ea7545ede8408fb647736a1e9731dad40f6256c580a91f1df90cebada0d20776f2b264cde69df8bcb63071b8de24a08944dbfaa5f875a8e0

C:\Users\Admin\AppData\Local\Temp\Slovenia

MD5 398a56733a96146f96dae1f926f8ee34
SHA1 b589aaa2ae0b047d2b91df4daa193f02d68c2563
SHA256 e411f41b9d6fff03fe7d4da422aa30f11bfecb5f5bf9c6cf2088eb84a2a8c018
SHA512 a45e9a93c2f5673204eb1898ca10f7a7e244b512da6f2493b330b266a1d8a2d3db636c5a5a6e67b044cb0ea5a124064ccefb2db3783052e6e6698d9c6d1e7d71

C:\Users\Admin\AppData\Local\Temp\Hired

MD5 a4e79a921d1a40f87f86cc426d0cce0d
SHA1 52ac999f6ed734a3023428194c3422e206987124
SHA256 306e6d43695f56399f0c7ce9c36e2f8e652838a02d0debf6ab98e7fd2f483af6
SHA512 113557e6e6b5316f83ac5899338e3dd63ec281b449f1ee063efceedc94846ece210c8f4b047b804feee2487b7328bd4181c696b4fb7075550fa3a2ced5d01e9e

C:\Users\Admin\AppData\Local\Temp\Vast

MD5 556425c0faef4670d1e22fb6fcc39670
SHA1 25b97fb1cb78439408f439b4c96933c66cf019df
SHA256 11d8b300d94f5e8455d792625260b83dfdc7f258182620d719eb81a71319f4f5
SHA512 96f8e77db9cf14f121842d8a6a3b225597cb89691b72a051703ce6e7367bf38fc6fb0b14ec17789559c472bb1b2243c6bb88daae28dbe4e1154bfb7f5e658bfa

C:\Users\Admin\AppData\Local\Temp\Husband

MD5 792c7f8dd36ccf3dc732e75deafcf3a8
SHA1 7511dd19e3ebaea53bbefc72b10146231f8e607d
SHA256 75443ebd4b9dcbcf0e367a853386ce5a604fe338a34afab63f1ac1141c5eb670
SHA512 32cf33fa12fc7bc125e269b50a584834aec1350ed52f081a8a6c393faa6c68a87cb63463465e13b7c3aeaee534ac21ebf482ebd505d67b0d15b41d9e6a93c1b6

C:\Users\Admin\AppData\Local\Temp\Spray

MD5 81754ffb3a2c2760a080ea70a80eecfe
SHA1 4925a77076e0afd35a110ff68132ef98263b8a92
SHA256 b1e347ec4e03cff9cc62b7bc4d219a6645cf3939a35697551cf77839d72089b6
SHA512 e5d21b5db48e2e67afbbe1cfb813252ea0244e31e165ca124f206c291b53be1b1a74d1eba8894e93adcac5e933204f1dddc92c40c1eb775b5cdf5d440b173ee2

C:\Users\Admin\AppData\Local\Temp\Agents

MD5 e072328c52cc438642327cf2715c6232
SHA1 dc776562767baabb5f469f2245cb844435c57a8b
SHA256 7404865538c5dff10b89c992251d03726be4a25135760af18f2ef9234f875728
SHA512 80a05d449fd00895ac2b36cfd0ceb2b6c41a22a37a9aa28bb0a57d3ee9f43ec528a109eaa91ac5fabc6faccedcf547fd2a9c3278293b0ad1d73561771861df7f

C:\Users\Admin\AppData\Local\Temp\Coleman

MD5 caf81509c6182cdf2b3cf474c21924e7
SHA1 8931ae49b935d30cfb8d192a34d96c1da9a1133f
SHA256 342ada9e312f7bb721e1174b8ce4f23791f02ed04cd6813456072adb2a2330f9
SHA512 d11e61040f5b25cd9740bab941208d82e1f29562705cdff5508909dba6fe848ebe596e7a1daf7a5d30ba97c35816ffe0e8e5a8d7656729ddf7ba349cb8d4da94

C:\Users\Admin\AppData\Local\Temp\Mods

MD5 63991cd3b811a87ef7f756a3a88408f3
SHA1 5887b2746923e3bb209a010c794d6a03f2043cbe
SHA256 16c52c4b922b43b8dd61738190c23f60da5e601a1e84d6cbd277ed7c9bc16675
SHA512 f9115542afa4079772b2edbeb5cbefbb337f976ced77036240624787549ea04937cfebbdc290bdaa8e8523c688b7536af7bd88fe43b053d3dcf811783967c7b6

C:\Users\Admin\AppData\Local\Temp\Herein

MD5 717e7bb87ee5fc6795900e82f92c38a5
SHA1 713b0e36e00b5a9df643fab99eff7fe05ebfd4f7
SHA256 f2c1981a42235a7748d03a68d840fb647d1a591cf3265fc7ec32761ee6bca957
SHA512 955107b6a503ab4c4aad2c5b70cff52e2069fed5bcdc6fac76b69957261c531ef95eb31c728b1d64de35130381be734504d8ed6572824dc744f72b49fcdf3f2d

C:\Users\Admin\AppData\Local\Temp\Hat

MD5 6cb837218c7e7f9b0bb4e5de012b5f0b
SHA1 b64ff496cef53d3555c6624abe4a51f99758bbbf
SHA256 baef9762f9bbd47ee6171396e3c87bb0e7655da35438fe5eb1efd9f3c6a87db5
SHA512 23e250e7bfa8f873dde6d786d9ce0526e83fb42421e152e3e75c6ea01e29ddebae9c2115c0e0e19ae85c73f5d8525eb34a499456090451528f51ffff1986ca62

C:\Users\Admin\AppData\Local\Temp\Comfort

MD5 e85c7c2eb7eed1bea9d92071b7b197e4
SHA1 05f4108a3e331b2a9db2351c9f506b3cbadef771
SHA256 5868a2a8a8376d6f34d125e0c9bf0edd15afd3f82df342a8f079d2417997d137
SHA512 97151aec2e73e10cc9e6fdd2c69c0498f49ff6417807e3e4e9cf0534848f34e77fd09943fa86d860993dc8ae1ae14ad85d073cf5ffa391fe3c582f94b502c491

C:\Users\Admin\AppData\Local\Temp\Reject

MD5 e9157b4c97794aeff095902148ad9532
SHA1 2915ca3cff7a81ea19ed0873fe8266274582158e
SHA256 1f588e2cefb8bafadc9a029a28dcdd93a7e9472e2190caab7a277fa79cffcd77
SHA512 26973ff5887e087632c459597a4652f6917d9a81fa48c1642a56c95221f019696e46f88a6c33d1013e6c009324ee9f99a92e5383acc1b6d619ff6229c3360d96

C:\Users\Admin\AppData\Local\Temp\Dining

MD5 07b2b7969bb80e43ae8d6d565cbab5c4
SHA1 128d43f48928a73ef3446593d63fbfe025cb126c
SHA256 818f6cc7d29bc250a64e02e61c840e1f74432c66bbacef0ce0a75105accdb592
SHA512 45b840b69b09801c4c0528cfc00f8eb50f2a8d2806907a894355ead304f5b1aafdaca9741bf9200b036b9302340d25f6dba7c44e7be651f179736857ef7b3f60

C:\Users\Admin\AppData\Local\Temp\Gaming

MD5 122f66640ca5fcc16ff9106acca0a4c5
SHA1 15ec716fc34c6dfb6be98d56487528a62e0a9fc5
SHA256 7db5db363d38cc28570b882229eaaa3d819bdfb5953ebd3de483e7338285ed0e
SHA512 3052d8791dee53ff955b655a0b9d7ff804b6c1f80806199a61a98cfb58ac52efab8c53caa5e3248b487ad485edfe9959044f94218f754f75ac212f890b789ab4

C:\Users\Admin\AppData\Local\Temp\Lending

MD5 ea6036f36a74ce85b23ec1828d3cc68f
SHA1 f1ce5a30d9774f397d82de04130209b501fd0d1c
SHA256 120a01b7d92584f180e803019867585ed5a106b1d63047ec9b949fa59ed75498
SHA512 5b7d46c88d330a85d524fe5a7aab9232b3644c7299ce7df7d34eae9821baea9ed1070e379a63d8efe6f98c0dcbf1b69adc3f311b26361ab5ea8e648cf9167b66

C:\Users\Admin\AppData\Local\Temp\Dinner

MD5 9278daaaaad5cf175f7e5037f994ae26
SHA1 50c1d167d544a6db08d90ba33ba434147bf4b63e
SHA256 525dff77cccca91f145aa95c71b921ffc029881310ef9a0808e5c0cbc8589420
SHA512 343263a1794b59e1a5cbe8b169f5efab5ee1f3c273a9961104973557b51174730613693b3dc50852f9db4864bd182d1343a3fa97ddbe6f3d04b0656911443c9e

C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\309056\u

MD5 92e78614e5198320c105789a28b5eaa5
SHA1 75411d15bcd89af58e4a82e65bd66487fc7532dd
SHA256 aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac
SHA512 2e8be01a870c5aeefe1beb3072395b2dec3c10964b1556c4727ba444980dcf079c64def4228df212e7dc81542258cb952525d6a1dbb38655cbcaa8ba06717e41

memory/4604-86-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-87-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-89-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-91-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-93-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-102-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-101-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-100-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-99-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-98-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-97-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-96-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-95-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-94-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-92-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-90-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-106-0x0000000001070000-0x000000000124F000-memory.dmp

C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe

MD5 751e3d161454b4c4aa4cf9ff902ebe1c
SHA1 25ea26e9037576f135a8f950ba47afe70195b2e9
SHA256 7734438b2296ded96633a8f71fdccc2f4fdcff14c933facac7b44007226d3144
SHA512 3e474ea0b0511e8361d80fafc52f0f27f5c8659bc7a40dd31168ea79595c68ab0162295d0fea7b6af4746e4b48279644b93281c094d17c271afe4b4f44029435

C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe

MD5 5ac3358abe03a6faa36599fe785b85b2
SHA1 e79bf35157e110c81a43af2f3b54d7a015f613b3
SHA256 c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae
SHA512 dc64db8b7e6e1f6154f37c6cae0dec3ad1dd3e0a3160951c7e7af8fc943e3bde2573aca6654f73a7818fd74160c87296c6514465acc3013a4e679cf33183ae09

C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe

MD5 64034db3a0ce29dcb4cfb658ab805226
SHA1 d4f1cc6d18b4bebcbc89459583e45d5a0456151d
SHA256 61233c38ece219efc52b96189b470aad5dab514eb76231a980b4e80e0928fd1d
SHA512 9b4fe8ba0d6f2e90c84ede2b37629e2a0cdef80007de95c6b34d86aba2aed655e75deea7d85140b9ea517577b489bdd8e7de88683ee8f62529cfabb640d2877f

C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe

MD5 45fb3cd11b294fe8a05691cdab474786
SHA1 cfec8cb59f94b534280f47fcadd68af89107f124
SHA256 b16ef1bdc9bcba0db197bba5bca6fa08ece713de76412e6bea6de5a8dab2af6f
SHA512 e1e26c7706f8d74ae1a0d6d9b1765ee81440746428ea9c6ca9127326dc8fdb2b2419a79109734848978866f52741902f99031b47cb2c9a09427e5a13f51f1f81

C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe

MD5 65208d6a2c36c758bab95b17fb22e19e
SHA1 ef43d4bae09cfeaff0396f339056ac64437cd36e
SHA256 1071d6290a7dd366135a37c2667366e6642d719c34f25a6ed02bba9de9fa99d0
SHA512 23223f7571699ba9e654bad651a9b23876dc286d72676a60d93466cbc6cc7bb7a514686d107dd769526874aac84d8c56fee7e7b54d1cf78cba08a38e8bda9e85

C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe

MD5 77c1c71f2f7aa135861e6650c90c986e
SHA1 708ed7c02ae52f07adae4a89fce1517a7a0c0aeb
SHA256 95fbb3198cccd713a2fedc945b5e921ebd32570574fa25e284a06dcdd7ff5a32
SHA512 01dbcda09e026a8ae949ebb614eccfa009b44e2d95de94423c44799d185fd95a75b070fc7b14b467e488409e040f9d50fb41afc3c7377a39b6fb23c82152dce8

C:\Users\Admin\Documents\iofolko5\O8WNiPic7NUJgGbKccrS5e5v.exe

MD5 2fd86119bd5a2850cb2489c0f87b6acc
SHA1 4237934315cb5abd2b340d0b8aa8ffa598aa075e
SHA256 d44b9056318db40bbb85bd252da2de2249d33672ea3dff1901e4b7ea2e47118b
SHA512 1e7209458abc10702003bb9325cda4e4dd8c425dbd9453e6043b467b542edaaaf1d0f1222a802af8c03eb7cf4beb3842fb816a6f3779304be7bf31d1fa275c3b

memory/4604-178-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-179-0x0000000001070000-0x000000000124F000-memory.dmp

C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe

MD5 cb5ad18649a907f49154af26ad332030
SHA1 46acabf085b42f39bf085432ce436a2d895d8dad
SHA256 8874ee4d9c878a6dc7f2681ec36df05cb09c44ccb3be0ec89569f5bdece80519
SHA512 36363dde451354f6e87ee48a2b68a55cec92887a49e40844141e60ff9374b694aa6a3225a20dfb3f496d1fe0ebf6be7551adf1109ae037dfa80ad7387a19cd8c

memory/4604-190-0x0000000001070000-0x000000000124F000-memory.dmp

C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe

MD5 079d166295bafa2ab44902c8bf5ff2a5
SHA1 46e728a035c3fd9618f823a5d0b525a9aa22e1c1
SHA256 dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8
SHA512 949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b

C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe

MD5 353a64f4357229f2fbff5415299b6847
SHA1 7e61652046564004105556327fadd777f5502747
SHA256 e8755a8eb78c2b7e45f588266ed52fe5b6485125b8f23cda1b0843326f1a9fa9
SHA512 d610a3e74516c1cdc7a8c3cc72e549c427ca9de75c50a1f60c8cbc1ae0bf68041d2b2244c44b63fd92c8a6dc9a60ad4cad0ad5d430c91d56c88fb79521bb670a

memory/4604-208-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-224-0x0000000001070000-0x000000000124F000-memory.dmp

memory/424-235-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4604-220-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-222-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-218-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-214-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-212-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-229-0x0000000001070000-0x000000000124F000-memory.dmp

memory/4604-216-0x0000000001070000-0x000000000124F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp

MD5 2260edfd6c7422c618e91e6ae9c2a17f
SHA1 f821fc16d946dfc73c5eadeeec9d3f881787a20c
SHA256 2fa4fc8301ffc6c62a91f85349b38473f6cc1c0be624739e1316943cf9cbb90f
SHA512 b1077673e5830a1c9fc36410f68531aecb21fb2bfd2c494a61a2cce3834057d9e481ef88347e7bd491134067ce29ff54e252c46a385b1bfb048b2836dbf0b74f

memory/2072-243-0x00000000000F0000-0x0000000000162000-memory.dmp

memory/1972-246-0x00007FFD15390000-0x00007FFD15392000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-LNIHU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1972-256-0x0000000140000000-0x00000001419FB000-memory.dmp

memory/3548-261-0x0000000000BA0000-0x0000000000BF4000-memory.dmp

memory/2776-262-0x0000000000A90000-0x0000000000ADA000-memory.dmp

memory/3752-264-0x00000000002D0000-0x0000000000354000-memory.dmp

memory/1880-263-0x00000000006B0000-0x00000000006E8000-memory.dmp

memory/2924-276-0x0000000000400000-0x0000000000657000-memory.dmp

memory/4340-279-0x0000000000400000-0x0000000000643000-memory.dmp

memory/5096-280-0x0000000005C10000-0x000000000610E000-memory.dmp

memory/2924-274-0x0000000000400000-0x0000000000657000-memory.dmp

memory/2924-272-0x0000000000400000-0x0000000000657000-memory.dmp

memory/5096-270-0x0000000000400000-0x0000000000452000-memory.dmp

memory/5096-281-0x00000000057B0000-0x0000000005842000-memory.dmp

memory/4340-268-0x0000000000400000-0x0000000000643000-memory.dmp

memory/5096-283-0x0000000005750000-0x000000000575A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp694.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2072-298-0x000000001D710000-0x000000001D81A000-memory.dmp

memory/2072-301-0x000000001AD60000-0x000000001AD72000-memory.dmp

memory/2072-303-0x000000001AED0000-0x000000001AF0E000-memory.dmp

memory/5096-302-0x0000000006310000-0x0000000006386000-memory.dmp

memory/5096-304-0x0000000006A10000-0x0000000006A2E000-memory.dmp

memory/5096-306-0x0000000007040000-0x0000000007646000-memory.dmp

memory/5096-307-0x0000000006BB0000-0x0000000006CBA000-memory.dmp

memory/5096-308-0x0000000006AE0000-0x0000000006AF2000-memory.dmp

memory/5096-309-0x0000000006B40000-0x0000000006B7E000-memory.dmp

memory/5096-310-0x0000000006CC0000-0x0000000006D0B000-memory.dmp

memory/4340-311-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2072-340-0x000000001BE30000-0x000000001BEA6000-memory.dmp

memory/2072-341-0x0000000002550000-0x000000000256E000-memory.dmp

memory/2072-345-0x000000001E180000-0x000000001E342000-memory.dmp

memory/2072-346-0x000000001F020000-0x000000001F546000-memory.dmp

memory/2924-347-0x0000000000400000-0x0000000000657000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2924-365-0x0000000000400000-0x0000000000657000-memory.dmp

memory/2976-370-0x0000000000400000-0x000000000106F000-memory.dmp

memory/424-371-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2924-374-0x000000001FB60000-0x000000001FDBF000-memory.dmp

memory/2924-384-0x0000000000400000-0x0000000000657000-memory.dmp

C:\ProgramData\EGDGIEGHJEGI\IDBKFH

MD5 dc89cfe2a3b5ff9acb683c7237226713
SHA1 24f19bc7d79fa0c5af945b28616225866ee51dd5
SHA256 ceddefa824f1dd6e7e669d4470e18e557c22fe73359f5b31edf4537473b96148
SHA512 ee5d047e1124351997ecfaa5c8bd3e9ce8a974ac281675cda4d0a55e40f3883336a2378b9ebf3d1f227d01b386c26473c32e39bcab836da2b392bf778a6cf5c2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminFCAAEBFHJJ.exe.log

MD5 957779c42144282d8cd83192b8fbc7cf
SHA1 de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512 f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

memory/2280-410-0x00000000009C0000-0x0000000000A14000-memory.dmp

C:\ProgramData\EGDGIEGHJEGI\IECFHD

MD5 97f54db01153d253f5291ecdc56f2d70
SHA1 c1a696309a118de9c83856730e6c7a95f3d27246
SHA256 98d289ca6771ec98aee9f44785616537e4b7cb10e37ae92ab463c60d50b57e26
SHA512 8262ef2e0d4d50f12609e793a24be6576c430787f4f7ed722496e94e7e55f1fd95cdf9aaccc0392bee11758fa39f421813b1262bceb46dedca1dfaf7240638f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\l[1].exe

MD5 1c67f687230addd2815b74bc892a047f
SHA1 38f238cad4286ea4ef25d909979b5cd456a7cac5
SHA256 2c0f008432d2604d3578b9ba1f896ecaff4add7d6ece6051f5940de892c26c91
SHA512 1c5cabf89e98a2d87aca4143b93db5dc9b1c0c9c2557052abe888422afc4e79dd9a641122bd0bbb92d13049b5c7fea8014f4945efbf23c5dd33703f99d80f6b0

C:\ProgramData\GHIJJJEGDBFH\AAEHDA

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\ProgramData\GHIJJJEGDBFH\HJJJDA

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\BAKEBAFIIECB\DHIDHI

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2