Analysis Overview
SHA256
a929678e0919255b39a895fbcf7c721cb41c26288114a5ee29eee03ba98f959d
Threat Level: Known bad
The file AppFile.zip was found to be: Known bad.
Malicious Activity Summary
Vidar
Detect Vidar Stealer
RedLine payload
Stealc
CryptBot
RedLine
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
Executes dropped EXE
Reads data files stored by FTP clients
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Power Settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
Modifies system certificate store
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-08 17:52
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-08 17:51
Reported
2024-09-08 18:01
Platform
win7-20240708-en
Max time kernel
239s
Max time network
242s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2092 set thread context of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ElectoralUnderstand | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\WwPeriod | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\InstitutionalInvision | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AppFile.exe
"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 309056
C:\Windows\SysWOW64\findstr.exe
findstr /V "threateningflightbreachjoel" Springer
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
Dolls.pif u
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rTzKXibCiKZCHFYYyL.rTzKXibCiKZCHFYYyL | udp |
| US | 185.143.223.148:80 | | tcp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Angel
| MD5 | 10d664be6c48cbbfe986cf13389e70d5 |
| SHA1 | 81c91d173b2a38349b688791ad7a1fd52ba7cfec |
| SHA256 | 1544228be4736dfc9a52c9eb675ffe27a75490e71b6697bcfb4896beb99baa17 |
| SHA512 | adf5916eeb6c23ddb8b0ec331abab55826dea115fa3675899345319289716aa4181056c9d106e2397a9117bfc1be6a5db1833984d00b249dda11db0bd2e18f67 |
C:\Users\Admin\AppData\Local\Temp\Springer
| MD5 | 9fce304f6f8b0e39b17488ff2461004a |
| SHA1 | 7a2f5480712e430771228a60c6468a21c261015a |
| SHA256 | 388238bf76dc4e90837550f3b9ade8c2240ea2330ffbfa54b7bdc14dd64ae31f |
| SHA512 | cbb11d1d73c3979aafe7b374e44f770606d25d3caf4a0aac0197f00580f500004fe32ff9f93a6d7103f7a7db01c35f29ef9e5b95941de98df4f873f37dadf554 |
C:\Users\Admin\AppData\Local\Temp\Belongs
| MD5 | 08f9d23e902a4b9f1454c0cca8063a4c |
| SHA1 | 2d18b94d7e6bfec87661be9c775f989640228efd |
| SHA256 | 8eda93d0df79719c2194c895abc443218076fb76a8f8af5bb037491f1a3f42d3 |
| SHA512 | 1a796a3a24a363f4d5239ea1b972e95000611c6f90be9a0cbe5b8b50195cb11b86e4cb8b4ccc6a4d93822c80e99cccefdb2b585fb48d8ae045ba690459fc164d |
C:\Users\Admin\AppData\Local\Temp\Teams
| MD5 | e4be3f3dfa731bce602265bd78ca96e4 |
| SHA1 | da6ee51e4cc450fb2697a8e583590c205c354628 |
| SHA256 | 3d1c4fc43431a0739b933a0ccc3d6209f3d5e417102adacc99c485dfa78aa306 |
| SHA512 | fda626cc19bdf4f36e8ec261597115470a9c44fd5ed43684032fd0694454d30ff28c38d6aed1e765e40fcba9ab618b9fba4a8d2608a7cc0c84404baedfae24b1 |
C:\Users\Admin\AppData\Local\Temp\Entirely
| MD5 | e57d41a42c0018011b8d05ead7ba8ea5 |
| SHA1 | a5be0444eaf9d294e7043b76533daa5b4391a0de |
| SHA256 | 8bef0123411a0a965a9bd62cc22f855df1c84b2ab2f6fdddc5d72d2d0412f0b6 |
| SHA512 | 4029afff3795c8567b81ced18cd4053efdcf96be62e27bfa7938a7562bba66610a935944e59f39267a757e5d2c5c651c0bd62c89ac485f8d50e5e0c1bb25646c |
C:\Users\Admin\AppData\Local\Temp\Eyes
| MD5 | bf240bdddf4e33588fba0ed1973d7e98 |
| SHA1 | 7c3c46bc43abdbc82bf41b72860a449433288927 |
| SHA256 | a28c88f3dbfd8b8961c30a364b8a38ecdada18b92ac1e77a1c211a7487723c97 |
| SHA512 | 3990b660f9f53e9a7e626527a53fea00d4b344ba9c90912aa904f336b527cbd87b30e21c3408d215699d1ac5d999b47000f866f38d387312653eeb5d8b768a73 |
C:\Users\Admin\AppData\Local\Temp\Identifier
| MD5 | cd4ad18674a26527c0782f2a0d15b277 |
| SHA1 | 56e92ebf526601f3f5fe99fc3e5dd9b29a99c41c |
| SHA256 | 0d34b789bde5b17903b770e563743908bea6d7d0693ef57709dd57dde444eb9a |
| SHA512 | 7afac4b0bb0c90ccef4ee14b12b3349e5265eba294e6e5f4dafff894988d07b861cb11dc8dda826420b18288757370bfd0e304e6be578135a1d054c083cdc209 |
C:\Users\Admin\AppData\Local\Temp\Incest
| MD5 | 74f15b102c0bef94140262ad551bbc24 |
| SHA1 | 70246a3d8005ca0a91c8d22303c55416b6e9ff4f |
| SHA256 | 58376ca5773ce08e2bf4b876cd517ee421030293150ba2dfb50462e34c51c6d9 |
| SHA512 | 7a0cb169ba7b69d5388678478cfaa4bc82fe854d5a40785fa03a3a0bb955088adbe00f5da8f667df6ea448d6118b372ccdf9fcabceb5e70574573f9a0f8729de |
C:\Users\Admin\AppData\Local\Temp\Official
| MD5 | c28b2871b183dfc806e0855c516e6ab4 |
| SHA1 | 8f367c25d973e6b690b1ea6799ecd39221371e43 |
| SHA256 | 12717aac68c10051e3ca2ae75343128eb8a80eec398269d675d5244ade6d9724 |
| SHA512 | f02f7bf8885d57a89391768ddf66c8494ff058f5da4d9d316187c210aca6943f6a2dc4c62771ea3a90b10674c27e117f92d6c7df8e2af75bae349a989b86220d |
C:\Users\Admin\AppData\Local\Temp\Persian
| MD5 | 4f028498571a78e28b5665bcfaf7bda1 |
| SHA1 | db28d1f7a2206c4fc4a17d57373e928bb10c7954 |
| SHA256 | 84310b39a6c9e5941f61502105e746b3dd836108e2a6c7084612e86d0efb91e4 |
| SHA512 | a540c4cd5a8997e7cb7f5cb2ae20859db92991d2f390296c5ac7afe23232679dae30b6db902602893b8b23dcebae07a6b39a57f50adecb3c6367eca174623b24 |
C:\Users\Admin\AppData\Local\Temp\Arts
| MD5 | 22999c3bfef35ab54dc51cea926d8125 |
| SHA1 | aa929c775e9a740f3b6fc403b5bfb13b0ef10e14 |
| SHA256 | 63f722d605fdd7162f695c55b4c57acf925140a62b93b447d805b1dbcf3d1b1c |
| SHA512 | d750799211beb39b6033f1a85e773b65ed1f576e718c5d9d805b36b6bc152aab7e411d8f2fc73a87b799016f67962ef42a7b7e2c304a5b02b1daf166ac142994 |
C:\Users\Admin\AppData\Local\Temp\Asset
| MD5 | 79ccf7fd1a2157e74b27c1935707ee99 |
| SHA1 | 9f1267d4323c5180c8700cbe82ba51456ab40f74 |
| SHA256 | d90010bbb47afe5b33fc5bc52295ec6ca955a875fe1001f32bfc870783633ed7 |
| SHA512 | 35dc6918b9255eba821b0e3418cb58db2ad703aaa731bb2474d78084367e975451142a23348a1911bdc4f7cbfb70eeaba8b6cce2a8f527944f0ed3a4fb1d9129 |
C:\Users\Admin\AppData\Local\Temp\Eagle
| MD5 | ffa47b74dc7534579bddc42e8ea9bc21 |
| SHA1 | 22e0cf8668117e3782a38b8e4f3553c8f79c379d |
| SHA256 | d0e2a600aab27dfc91bc8c1e73e0d0d20489b04bd376e7bf16fe1763ca1f9ce6 |
| SHA512 | 16f80341dc0386413558c6307a35831f239005f5fadd01818efe95f77c2a12311e5db7943902d16676c12aa1765f20af335a561da1e3f79eb5d9baaee2dc6113 |
C:\Users\Admin\AppData\Local\Temp\Sci
| MD5 | f1e239919f64507bc976bee4ac152239 |
| SHA1 | b69eb5fec6da7c582aff31820106e0c46ec8dfda |
| SHA256 | a0d3e15d1b12b4b4111786e454770c511221a6eebe271f20849b112d0cb161b9 |
| SHA512 | 4459e213cd7e36b0008520d030902058a83c2b81bb9333e710561d27ecbcc56468b10994d64488da2fe9b52f033e7a322d6f1fbbcb9081b682acada286f9dff4 |
C:\Users\Admin\AppData\Local\Temp\Rochester
| MD5 | 2076c81372d64961aeee64296c288ddf |
| SHA1 | 4767a7f611e6ac3ceeb692f1a7df90cdd84fc7ca |
| SHA256 | 63563ab659575d711cf2a686d7140359850e49bc2f1e9f658105c3adb0663fb8 |
| SHA512 | 1e40bc944a91fc9608077b1866d6742624f377e7cc2d63903fe2bd24093b17be3aedc70c534497eaaec7ce30ecf318153f3c40af1ff56a82f5ff48fc09cb5976 |
C:\Users\Admin\AppData\Local\Temp\Communication
| MD5 | e76ca6497197f496c934e273bc4af7a8 |
| SHA1 | 1c813197c9434d6d3f359c1c0c6374ce8e5e77e6 |
| SHA256 | 2adfd0aa33275eaeddbebffef664bcc2f403ebf6335bc593bd490a66e06c3956 |
| SHA512 | 425fa7c17d9e30e8c3c6ea042a86f6f54f8938ca3491e514e633d111d5cdb0d8094c482c9e08a57cec613178d78c55392c64c8e0d60190c86957a170245e9f3f |
C:\Users\Admin\AppData\Local\Temp\Evaluations
| MD5 | 824ca47d6ed68f19c98e3a8585c03fd2 |
| SHA1 | 00ebf75301539fac6f72012b3dea899797d83eca |
| SHA256 | 14e02c722fdb4507967bd77111eceb5c377e4b515f2cc9ca01117df4e1df2965 |
| SHA512 | e1b398ab18042a7456e87fd6169bca88e86e718b09111eee11f81cc284599ce3431f852fe1552db950bd39f5ac9703406c206b8b37ff595a05099fefd5ddc81f |
C:\Users\Admin\AppData\Local\Temp\Coating
| MD5 | d4b175095bad046fe31a891e313fac1d |
| SHA1 | 3e8268ea2db96566a03b5886ffcd904cc2938940 |
| SHA256 | 710fcbabe6b6d3fb615d012d3aa5ff551d30590eb9949ad947ce42e313e2a757 |
| SHA512 | d78844eb4099962d6eb5c9308e0f80cc3f56c15a525318a6ddc94811f8239eb622df6845ec831eb656157f9695f935d4962ca538f802c0449ac00850b519a007 |
C:\Users\Admin\AppData\Local\Temp\Considering
| MD5 | 8392df6b6dd3005f67d9e685adf5d98a |
| SHA1 | 172ccb65f6b6192c695b53f8ddcedfdbe639fea6 |
| SHA256 | 89d0790a0691cf5f327ab61f73fa2167a8b54ad0e8b21c22d34887455463448e |
| SHA512 | d6ad83fb2ad1cceeb57098b27145e20e800703440c0cf04ed13c00af9c2baecf82e8ad6e28af556de5e2b38a80d8b987f6c347f18eac0892db23ed2ec81d0b3f |
C:\Users\Admin\AppData\Local\Temp\Indicated
| MD5 | d8d333b7fa6f3f4d117279af7fe5ebd7 |
| SHA1 | 15360b9018b623a945ccd0a147bff926f9a36b4d |
| SHA256 | c07e05f4515864b97744a19b33e80170911dee7e84b19dff7a624c3b95c0db58 |
| SHA512 | e60a6932bc7036ef5f0d031fdacfea0f1c399370336fa36907e3ea1e5a0eec50e135c965452c29dad05f3327efb9c9f063e38e9d5bd68265552248113743f251 |
C:\Users\Admin\AppData\Local\Temp\Stamps
| MD5 | 05edf987e0e4caf0790d6cd52745918f |
| SHA1 | a657c82fb2b6055696917d16e074e3afad630da7 |
| SHA256 | 6ce2a376edd727d7295bc0648e844ad281bb96db057b84e803c5bb387ca2f54c |
| SHA512 | 38b90f60b303a00b93ea1f0f9b4fa9f6dac7b64d9f0e849699d8220bc70efbd1c038d35cfb7a1c12a2a5b9facaf1accd9fbeadfd5be5ca1ccfb29e51864856bb |
C:\Users\Admin\AppData\Local\Temp\Crawford
| MD5 | aa5687b499c0e31cc570a5b3956e0055 |
| SHA1 | 0d469ee44ed6a8a57095820ac188477f1ce46e04 |
| SHA256 | c6cae2f7545cc6a2382123889ebf816db31d84136c15b36ac488a74eef5e2c86 |
| SHA512 | 0f11ed72669671ed51e5dd3658c29d9f00f8397b7168db5255e0242924db8ce7514dc318552c80843283f0ad93d8f45951359d8461837a32e3ba8672d8c7fb9b |
C:\Users\Admin\AppData\Local\Temp\Schema
| MD5 | 6d6371d8a1877548b2ba892feeec4448 |
| SHA1 | 9a31d21807d9a7ce9e4701cd63d51ded7db85290 |
| SHA256 | 85a5a1b465e959f6b55feebae33059f82b972458f8527d5e1361e749b724d13d |
| SHA512 | 9dbd7fc2c804e785ea7545ede8408fb647736a1e9731dad40f6256c580a91f1df90cebada0d20776f2b264cde69df8bcb63071b8de24a08944dbfaa5f875a8e0 |
C:\Users\Admin\AppData\Local\Temp\Slovenia
| MD5 | 398a56733a96146f96dae1f926f8ee34 |
| SHA1 | b589aaa2ae0b047d2b91df4daa193f02d68c2563 |
| SHA256 | e411f41b9d6fff03fe7d4da422aa30f11bfecb5f5bf9c6cf2088eb84a2a8c018 |
| SHA512 | a45e9a93c2f5673204eb1898ca10f7a7e244b512da6f2493b330b266a1d8a2d3db636c5a5a6e67b044cb0ea5a124064ccefb2db3783052e6e6698d9c6d1e7d71 |
C:\Users\Admin\AppData\Local\Temp\Hired
| MD5 | a4e79a921d1a40f87f86cc426d0cce0d |
| SHA1 | 52ac999f6ed734a3023428194c3422e206987124 |
| SHA256 | 306e6d43695f56399f0c7ce9c36e2f8e652838a02d0debf6ab98e7fd2f483af6 |
| SHA512 | 113557e6e6b5316f83ac5899338e3dd63ec281b449f1ee063efceedc94846ece210c8f4b047b804feee2487b7328bd4181c696b4fb7075550fa3a2ced5d01e9e |
C:\Users\Admin\AppData\Local\Temp\Vast
| MD5 | 556425c0faef4670d1e22fb6fcc39670 |
| SHA1 | 25b97fb1cb78439408f439b4c96933c66cf019df |
| SHA256 | 11d8b300d94f5e8455d792625260b83dfdc7f258182620d719eb81a71319f4f5 |
| SHA512 | 96f8e77db9cf14f121842d8a6a3b225597cb89691b72a051703ce6e7367bf38fc6fb0b14ec17789559c472bb1b2243c6bb88daae28dbe4e1154bfb7f5e658bfa |
C:\Users\Admin\AppData\Local\Temp\Husband
| MD5 | 792c7f8dd36ccf3dc732e75deafcf3a8 |
| SHA1 | 7511dd19e3ebaea53bbefc72b10146231f8e607d |
| SHA256 | 75443ebd4b9dcbcf0e367a853386ce5a604fe338a34afab63f1ac1141c5eb670 |
| SHA512 | 32cf33fa12fc7bc125e269b50a584834aec1350ed52f081a8a6c393faa6c68a87cb63463465e13b7c3aeaee534ac21ebf482ebd505d67b0d15b41d9e6a93c1b6 |
C:\Users\Admin\AppData\Local\Temp\Spray
| MD5 | 81754ffb3a2c2760a080ea70a80eecfe |
| SHA1 | 4925a77076e0afd35a110ff68132ef98263b8a92 |
| SHA256 | b1e347ec4e03cff9cc62b7bc4d219a6645cf3939a35697551cf77839d72089b6 |
| SHA512 | e5d21b5db48e2e67afbbe1cfb813252ea0244e31e165ca124f206c291b53be1b1a74d1eba8894e93adcac5e933204f1dddc92c40c1eb775b5cdf5d440b173ee2 |
C:\Users\Admin\AppData\Local\Temp\Agents
| MD5 | e072328c52cc438642327cf2715c6232 |
| SHA1 | dc776562767baabb5f469f2245cb844435c57a8b |
| SHA256 | 7404865538c5dff10b89c992251d03726be4a25135760af18f2ef9234f875728 |
| SHA512 | 80a05d449fd00895ac2b36cfd0ceb2b6c41a22a37a9aa28bb0a57d3ee9f43ec528a109eaa91ac5fabc6faccedcf547fd2a9c3278293b0ad1d73561771861df7f |
C:\Users\Admin\AppData\Local\Temp\Coleman
| MD5 | caf81509c6182cdf2b3cf474c21924e7 |
| SHA1 | 8931ae49b935d30cfb8d192a34d96c1da9a1133f |
| SHA256 | 342ada9e312f7bb721e1174b8ce4f23791f02ed04cd6813456072adb2a2330f9 |
| SHA512 | d11e61040f5b25cd9740bab941208d82e1f29562705cdff5508909dba6fe848ebe596e7a1daf7a5d30ba97c35816ffe0e8e5a8d7656729ddf7ba349cb8d4da94 |
C:\Users\Admin\AppData\Local\Temp\Mods
| MD5 | 63991cd3b811a87ef7f756a3a88408f3 |
| SHA1 | 5887b2746923e3bb209a010c794d6a03f2043cbe |
| SHA256 | 16c52c4b922b43b8dd61738190c23f60da5e601a1e84d6cbd277ed7c9bc16675 |
| SHA512 | f9115542afa4079772b2edbeb5cbefbb337f976ced77036240624787549ea04937cfebbdc290bdaa8e8523c688b7536af7bd88fe43b053d3dcf811783967c7b6 |
C:\Users\Admin\AppData\Local\Temp\Hat
| MD5 | 6cb837218c7e7f9b0bb4e5de012b5f0b |
| SHA1 | b64ff496cef53d3555c6624abe4a51f99758bbbf |
| SHA256 | baef9762f9bbd47ee6171396e3c87bb0e7655da35438fe5eb1efd9f3c6a87db5 |
| SHA512 | 23e250e7bfa8f873dde6d786d9ce0526e83fb42421e152e3e75c6ea01e29ddebae9c2115c0e0e19ae85c73f5d8525eb34a499456090451528f51ffff1986ca62 |
C:\Users\Admin\AppData\Local\Temp\Herein
| MD5 | 717e7bb87ee5fc6795900e82f92c38a5 |
| SHA1 | 713b0e36e00b5a9df643fab99eff7fe05ebfd4f7 |
| SHA256 | f2c1981a42235a7748d03a68d840fb647d1a591cf3265fc7ec32761ee6bca957 |
| SHA512 | 955107b6a503ab4c4aad2c5b70cff52e2069fed5bcdc6fac76b69957261c531ef95eb31c728b1d64de35130381be734504d8ed6572824dc744f72b49fcdf3f2d |
C:\Users\Admin\AppData\Local\Temp\Comfort
| MD5 | e85c7c2eb7eed1bea9d92071b7b197e4 |
| SHA1 | 05f4108a3e331b2a9db2351c9f506b3cbadef771 |
| SHA256 | 5868a2a8a8376d6f34d125e0c9bf0edd15afd3f82df342a8f079d2417997d137 |
| SHA512 | 97151aec2e73e10cc9e6fdd2c69c0498f49ff6417807e3e4e9cf0534848f34e77fd09943fa86d860993dc8ae1ae14ad85d073cf5ffa391fe3c582f94b502c491 |
C:\Users\Admin\AppData\Local\Temp\Reject
| MD5 | e9157b4c97794aeff095902148ad9532 |
| SHA1 | 2915ca3cff7a81ea19ed0873fe8266274582158e |
| SHA256 | 1f588e2cefb8bafadc9a029a28dcdd93a7e9472e2190caab7a277fa79cffcd77 |
| SHA512 | 26973ff5887e087632c459597a4652f6917d9a81fa48c1642a56c95221f019696e46f88a6c33d1013e6c009324ee9f99a92e5383acc1b6d619ff6229c3360d96 |
C:\Users\Admin\AppData\Local\Temp\Dining
| MD5 | 07b2b7969bb80e43ae8d6d565cbab5c4 |
| SHA1 | 128d43f48928a73ef3446593d63fbfe025cb126c |
| SHA256 | 818f6cc7d29bc250a64e02e61c840e1f74432c66bbacef0ce0a75105accdb592 |
| SHA512 | 45b840b69b09801c4c0528cfc00f8eb50f2a8d2806907a894355ead304f5b1aafdaca9741bf9200b036b9302340d25f6dba7c44e7be651f179736857ef7b3f60 |
C:\Users\Admin\AppData\Local\Temp\Gaming
| MD5 | 122f66640ca5fcc16ff9106acca0a4c5 |
| SHA1 | 15ec716fc34c6dfb6be98d56487528a62e0a9fc5 |
| SHA256 | 7db5db363d38cc28570b882229eaaa3d819bdfb5953ebd3de483e7338285ed0e |
| SHA512 | 3052d8791dee53ff955b655a0b9d7ff804b6c1f80806199a61a98cfb58ac52efab8c53caa5e3248b487ad485edfe9959044f94218f754f75ac212f890b789ab4 |
C:\Users\Admin\AppData\Local\Temp\Lending
| MD5 | ea6036f36a74ce85b23ec1828d3cc68f |
| SHA1 | f1ce5a30d9774f397d82de04130209b501fd0d1c |
| SHA256 | 120a01b7d92584f180e803019867585ed5a106b1d63047ec9b949fa59ed75498 |
| SHA512 | 5b7d46c88d330a85d524fe5a7aab9232b3644c7299ce7df7d34eae9821baea9ed1070e379a63d8efe6f98c0dcbf1b69adc3f311b26361ab5ea8e648cf9167b66 |
C:\Users\Admin\AppData\Local\Temp\Dinner
| MD5 | 9278daaaaad5cf175f7e5037f994ae26 |
| SHA1 | 50c1d167d544a6db08d90ba33ba434147bf4b63e |
| SHA256 | 525dff77cccca91f145aa95c71b921ffc029881310ef9a0808e5c0cbc8589420 |
| SHA512 | 343263a1794b59e1a5cbe8b169f5efab5ee1f3c273a9961104973557b51174730613693b3dc50852f9db4864bd182d1343a3fa97ddbe6f3d04b0656911443c9e |
\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\309056\u
| MD5 | 92e78614e5198320c105789a28b5eaa5 |
| SHA1 | 75411d15bcd89af58e4a82e65bd66487fc7532dd |
| SHA256 | aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac |
| SHA512 | 2e8be01a870c5aeefe1beb3072395b2dec3c10964b1556c4727ba444980dcf079c64def4228df212e7dc81542258cb952525d6a1dbb38655cbcaa8ba06717e41 |
memory/1576-89-0x0000000000950000-0x0000000000B2F000-memory.dmp
memory/1576-90-0x0000000000950000-0x0000000000B2F000-memory.dmp
memory/1576-92-0x0000000000950000-0x0000000000B2F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-08 17:51
Reported
2024-09-08 18:01
Platform
win10v2004-20240802-en
Max time kernel
154s
Max time network
203s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2984 set thread context of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ElectoralUnderstand | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\WwPeriod | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\InstitutionalInvision | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AppFile.exe
"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 309056
C:\Windows\SysWOW64\findstr.exe
findstr /V "threateningflightbreachjoel" Springer
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
Dolls.pif u
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
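Every stage of this chain runs through signed Windows binaries (cmd.exe, tasklist.exe, findstr.exe, choice.exe), so detection has to key on the command lines rather than the images: a batch renamed and executed in one `move ... & ...` step, `findstr` fed a list of security-product process names after `tasklist`, `findstr /V` used to strip a marker from a file, `copy /b` with dozens of `+` operands, `choice /d y /t 5` as a sleep, and a `.pif` launched from %TEMP%. The following Python is an added example, not part of the report or of any detection product, that scores process-creation events per process tree for these behaviours. The event shape (pid, ppid, image, cmdline) is a generic Sysmon Event ID 1 subset, the sample events are constructed from the command lines in this report, and the token and operand thresholds are assumptions to tune against local telemetry.

```python
"""Score process-creation events for the cmd-based loader chain in this report.

Added example (not sandbox output, not the sample's code). Events are a
constructed Sysmon EID 1 subset; thresholds are assumptions.
"""
import re
from collections import defaultdict

# Security-product process names the loader greps for (from the report's findstr lines)
AV_TOKENS = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}


def _base(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_av_discovery(image, cl):
    """findstr given two or more known security-product process names."""
    return _base(image) == "findstr.exe" and \
        len(AV_TOKENS & set(re.findall(r"[a-z0-9]+", cl.lower()))) >= 2


def rule_batch_rename_exec(image, cl):
    """cmd /c move X X.bat & X.bat: rename a dropped file to .bat and run it."""
    return _base(image) == "cmd.exe" and \
        re.search(r"move\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", cl, re.I) is not None


def rule_marker_strip(image, cl):
    """findstr /V "<string>" <file>: filter lines out of a file (output redirected by cmd)."""
    return _base(image) == "findstr.exe" and \
        re.search(r'findstr\s+/V\s+"[^"]+"\s+\S+', cl, re.I) is not None


def rule_chunk_reassembly(image, cl, min_plus=4):
    """copy /b with many + operands: binary concatenation of dropped chunks."""
    return _base(image) == "cmd.exe" and \
        re.search(r"copy\s+/b\b", cl, re.I) is not None and cl.count("+") >= min_plus


def rule_choice_sleep(image, cl):
    """choice /d <x> /t <n>: a delay that works where timeout.exe is absent."""
    return _base(image) == "choice.exe" and \
        re.search(r"choice\s+/d\s+\S+\s+/t\s+\d+", cl, re.I) is not None


def rule_pif_from_temp(image, cl):
    """A .pif executable launched from the user's Temp directory."""
    p = image.lower()
    return p.endswith(".pif") and "\\appdata\\local\\temp\\" in p


RULES = {
    "av_discovery": rule_av_discovery,
    "batch_rename_exec": rule_batch_rename_exec,
    "marker_strip": rule_marker_strip,
    "chunk_reassembly": rule_chunk_reassembly,
    "choice_sleep": rule_choice_sleep,
    "pif_from_temp": rule_pif_from_temp,
}


def score_trees(events) -> dict:
    """Map each root process pid to the sorted set of rules its tree triggered."""
    parent = {e["pid"]: e["ppid"] for e in events}

    def root(pid):
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e["image"], e["cmdline"]):
                hits[root(e["pid"])].add(name)
    return {r: sorted(h) for r, h in hits.items()}


def flag_trees(tree_hits: dict, threshold: int = 3) -> list:
    """Roots whose tree triggered at least `threshold` distinct rules (assumed cut-off)."""
    return sorted(r for r, h in tree_hits.items() if len(h) >= threshold)


# Constructed events modelled on the report's Processes list (pids are made up)
T = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": T + r"\AppFile.exe", "cmdline": f'"{T}\\AppFile.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\SysWOW64\findstr.exe", "cmdline": 'findstr /I "wrsa opssvc"'},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'},
    {"pid": 105, "ppid": 101, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /V "threateningflightbreachjoel" Springer'},
    {"pid": 106, "ppid": 101, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official u"},
    {"pid": 107, "ppid": 101, "image": T + r"\309056\Dolls.pif", "cmdline": "Dolls.pif u"},
    {"pid": 108, "ppid": 101, "image": r"C:\Windows\SysWOW64\choice.exe", "cmdline": "choice /d y /t 5"},
    # benign tree: an operator grepping tasklist output once
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\findstr.exe", "cmdline": 'findstr /I "chrome"'},
]

if __name__ == "__main__":
    trees = score_trees(EVENTS)
    print(trees, flag_trees(trees))
```

Scoring per tree rather than per event is what keeps the benign `findstr /I "chrome"` quiet: no single rule here is high-confidence on its own, but a cmd.exe tree that trips three or more of them matches this loader and little else.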
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rTzKXibCiKZCHFYYyL.rTzKXibCiKZCHFYYyL | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 185.143.223.148:80 | | tcp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 82.139.246.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.62.237.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Angel
| MD5 | 10d664be6c48cbbfe986cf13389e70d5 |
| SHA1 | 81c91d173b2a38349b688791ad7a1fd52ba7cfec |
| SHA256 | 1544228be4736dfc9a52c9eb675ffe27a75490e71b6697bcfb4896beb99baa17 |
| SHA512 | adf5916eeb6c23ddb8b0ec331abab55826dea115fa3675899345319289716aa4181056c9d106e2397a9117bfc1be6a5db1833984d00b249dda11db0bd2e18f67 |
C:\Users\Admin\AppData\Local\Temp\Springer
| MD5 | 9fce304f6f8b0e39b17488ff2461004a |
| SHA1 | 7a2f5480712e430771228a60c6468a21c261015a |
| SHA256 | 388238bf76dc4e90837550f3b9ade8c2240ea2330ffbfa54b7bdc14dd64ae31f |
| SHA512 | cbb11d1d73c3979aafe7b374e44f770606d25d3caf4a0aac0197f00580f500004fe32ff9f93a6d7103f7a7db01c35f29ef9e5b95941de98df4f873f37dadf554 |
C:\Users\Admin\AppData\Local\Temp\Belongs
| MD5 | 08f9d23e902a4b9f1454c0cca8063a4c |
| SHA1 | 2d18b94d7e6bfec87661be9c775f989640228efd |
| SHA256 | 8eda93d0df79719c2194c895abc443218076fb76a8f8af5bb037491f1a3f42d3 |
| SHA512 | 1a796a3a24a363f4d5239ea1b972e95000611c6f90be9a0cbe5b8b50195cb11b86e4cb8b4ccc6a4d93822c80e99cccefdb2b585fb48d8ae045ba690459fc164d |
C:\Users\Admin\AppData\Local\Temp\Teams
| MD5 | e4be3f3dfa731bce602265bd78ca96e4 |
| SHA1 | da6ee51e4cc450fb2697a8e583590c205c354628 |
| SHA256 | 3d1c4fc43431a0739b933a0ccc3d6209f3d5e417102adacc99c485dfa78aa306 |
| SHA512 | fda626cc19bdf4f36e8ec261597115470a9c44fd5ed43684032fd0694454d30ff28c38d6aed1e765e40fcba9ab618b9fba4a8d2608a7cc0c84404baedfae24b1 |
C:\Users\Admin\AppData\Local\Temp\Entirely
| MD5 | e57d41a42c0018011b8d05ead7ba8ea5 |
| SHA1 | a5be0444eaf9d294e7043b76533daa5b4391a0de |
| SHA256 | 8bef0123411a0a965a9bd62cc22f855df1c84b2ab2f6fdddc5d72d2d0412f0b6 |
| SHA512 | 4029afff3795c8567b81ced18cd4053efdcf96be62e27bfa7938a7562bba66610a935944e59f39267a757e5d2c5c651c0bd62c89ac485f8d50e5e0c1bb25646c |
C:\Users\Admin\AppData\Local\Temp\Official
| MD5 | c28b2871b183dfc806e0855c516e6ab4 |
| SHA1 | 8f367c25d973e6b690b1ea6799ecd39221371e43 |
| SHA256 | 12717aac68c10051e3ca2ae75343128eb8a80eec398269d675d5244ade6d9724 |
| SHA512 | f02f7bf8885d57a89391768ddf66c8494ff058f5da4d9d316187c210aca6943f6a2dc4c62771ea3a90b10674c27e117f92d6c7df8e2af75bae349a989b86220d |
C:\Users\Admin\AppData\Local\Temp\Communication
| MD5 | e76ca6497197f496c934e273bc4af7a8 |
| SHA1 | 1c813197c9434d6d3f359c1c0c6374ce8e5e77e6 |
| SHA256 | 2adfd0aa33275eaeddbebffef664bcc2f403ebf6335bc593bd490a66e06c3956 |
| SHA512 | 425fa7c17d9e30e8c3c6ea042a86f6f54f8938ca3491e514e633d111d5cdb0d8094c482c9e08a57cec613178d78c55392c64c8e0d60190c86957a170245e9f3f |
C:\Users\Admin\AppData\Local\Temp\Coating
| MD5 | d4b175095bad046fe31a891e313fac1d |
| SHA1 | 3e8268ea2db96566a03b5886ffcd904cc2938940 |
| SHA256 | 710fcbabe6b6d3fb615d012d3aa5ff551d30590eb9949ad947ce42e313e2a757 |
| SHA512 | d78844eb4099962d6eb5c9308e0f80cc3f56c15a525318a6ddc94811f8239eb622df6845ec831eb656157f9695f935d4962ca538f802c0449ac00850b519a007 |
C:\Users\Admin\AppData\Local\Temp\Crawford
| MD5 | aa5687b499c0e31cc570a5b3956e0055 |
| SHA1 | 0d469ee44ed6a8a57095820ac188477f1ce46e04 |
| SHA256 | c6cae2f7545cc6a2382123889ebf816db31d84136c15b36ac488a74eef5e2c86 |
| SHA512 | 0f11ed72669671ed51e5dd3658c29d9f00f8397b7168db5255e0242924db8ce7514dc318552c80843283f0ad93d8f45951359d8461837a32e3ba8672d8c7fb9b |
C:\Users\Admin\AppData\Local\Temp\Stamps
| MD5 | 05edf987e0e4caf0790d6cd52745918f |
| SHA1 | a657c82fb2b6055696917d16e074e3afad630da7 |
| SHA256 | 6ce2a376edd727d7295bc0648e844ad281bb96db057b84e803c5bb387ca2f54c |
| SHA512 | 38b90f60b303a00b93ea1f0f9b4fa9f6dac7b64d9f0e849699d8220bc70efbd1c038d35cfb7a1c12a2a5b9facaf1accd9fbeadfd5be5ca1ccfb29e51864856bb |
C:\Users\Admin\AppData\Local\Temp\Indicated
| MD5 | d8d333b7fa6f3f4d117279af7fe5ebd7 |
| SHA1 | 15360b9018b623a945ccd0a147bff926f9a36b4d |
| SHA256 | c07e05f4515864b97744a19b33e80170911dee7e84b19dff7a624c3b95c0db58 |
| SHA512 | e60a6932bc7036ef5f0d031fdacfea0f1c399370336fa36907e3ea1e5a0eec50e135c965452c29dad05f3327efb9c9f063e38e9d5bd68265552248113743f251 |
C:\Users\Admin\AppData\Local\Temp\Considering
| MD5 | 8392df6b6dd3005f67d9e685adf5d98a |
| SHA1 | 172ccb65f6b6192c695b53f8ddcedfdbe639fea6 |
| SHA256 | 89d0790a0691cf5f327ab61f73fa2167a8b54ad0e8b21c22d34887455463448e |
| SHA512 | d6ad83fb2ad1cceeb57098b27145e20e800703440c0cf04ed13c00af9c2baecf82e8ad6e28af556de5e2b38a80d8b987f6c347f18eac0892db23ed2ec81d0b3f |
C:\Users\Admin\AppData\Local\Temp\Evaluations
| MD5 | 824ca47d6ed68f19c98e3a8585c03fd2 |
| SHA1 | 00ebf75301539fac6f72012b3dea899797d83eca |
| SHA256 | 14e02c722fdb4507967bd77111eceb5c377e4b515f2cc9ca01117df4e1df2965 |
| SHA512 | e1b398ab18042a7456e87fd6169bca88e86e718b09111eee11f81cc284599ce3431f852fe1552db950bd39f5ac9703406c206b8b37ff595a05099fefd5ddc81f |
C:\Users\Admin\AppData\Local\Temp\Rochester
| MD5 | 2076c81372d64961aeee64296c288ddf |
| SHA1 | 4767a7f611e6ac3ceeb692f1a7df90cdd84fc7ca |
| SHA256 | 63563ab659575d711cf2a686d7140359850e49bc2f1e9f658105c3adb0663fb8 |
| SHA512 | 1e40bc944a91fc9608077b1866d6742624f377e7cc2d63903fe2bd24093b17be3aedc70c534497eaaec7ce30ecf318153f3c40af1ff56a82f5ff48fc09cb5976 |
C:\Users\Admin\AppData\Local\Temp\Sci
| MD5 | f1e239919f64507bc976bee4ac152239 |
| SHA1 | b69eb5fec6da7c582aff31820106e0c46ec8dfda |
| SHA256 | a0d3e15d1b12b4b4111786e454770c511221a6eebe271f20849b112d0cb161b9 |
| SHA512 | 4459e213cd7e36b0008520d030902058a83c2b81bb9333e710561d27ecbcc56468b10994d64488da2fe9b52f033e7a322d6f1fbbcb9081b682acada286f9dff4 |
C:\Users\Admin\AppData\Local\Temp\Eagle
| MD5 | ffa47b74dc7534579bddc42e8ea9bc21 |
| SHA1 | 22e0cf8668117e3782a38b8e4f3553c8f79c379d |
| SHA256 | d0e2a600aab27dfc91bc8c1e73e0d0d20489b04bd376e7bf16fe1763ca1f9ce6 |
| SHA512 | 16f80341dc0386413558c6307a35831f239005f5fadd01818efe95f77c2a12311e5db7943902d16676c12aa1765f20af335a561da1e3f79eb5d9baaee2dc6113 |
C:\Users\Admin\AppData\Local\Temp\Asset
| MD5 | 79ccf7fd1a2157e74b27c1935707ee99 |
| SHA1 | 9f1267d4323c5180c8700cbe82ba51456ab40f74 |
| SHA256 | d90010bbb47afe5b33fc5bc52295ec6ca955a875fe1001f32bfc870783633ed7 |
| SHA512 | 35dc6918b9255eba821b0e3418cb58db2ad703aaa731bb2474d78084367e975451142a23348a1911bdc4f7cbfb70eeaba8b6cce2a8f527944f0ed3a4fb1d9129 |
C:\Users\Admin\AppData\Local\Temp\Arts
| MD5 | 22999c3bfef35ab54dc51cea926d8125 |
| SHA1 | aa929c775e9a740f3b6fc403b5bfb13b0ef10e14 |
| SHA256 | 63f722d605fdd7162f695c55b4c57acf925140a62b93b447d805b1dbcf3d1b1c |
| SHA512 | d750799211beb39b6033f1a85e773b65ed1f576e718c5d9d805b36b6bc152aab7e411d8f2fc73a87b799016f67962ef42a7b7e2c304a5b02b1daf166ac142994 |
C:\Users\Admin\AppData\Local\Temp\Persian
| MD5 | 4f028498571a78e28b5665bcfaf7bda1 |
| SHA1 | db28d1f7a2206c4fc4a17d57373e928bb10c7954 |
| SHA256 | 84310b39a6c9e5941f61502105e746b3dd836108e2a6c7084612e86d0efb91e4 |
| SHA512 | a540c4cd5a8997e7cb7f5cb2ae20859db92991d2f390296c5ac7afe23232679dae30b6db902602893b8b23dcebae07a6b39a57f50adecb3c6367eca174623b24 |
C:\Users\Admin\AppData\Local\Temp\Incest
| MD5 | 74f15b102c0bef94140262ad551bbc24 |
| SHA1 | 70246a3d8005ca0a91c8d22303c55416b6e9ff4f |
| SHA256 | 58376ca5773ce08e2bf4b876cd517ee421030293150ba2dfb50462e34c51c6d9 |
| SHA512 | 7a0cb169ba7b69d5388678478cfaa4bc82fe854d5a40785fa03a3a0bb955088adbe00f5da8f667df6ea448d6118b372ccdf9fcabceb5e70574573f9a0f8729de |
C:\Users\Admin\AppData\Local\Temp\Identifier
| MD5 | cd4ad18674a26527c0782f2a0d15b277 |
| SHA1 | 56e92ebf526601f3f5fe99fc3e5dd9b29a99c41c |
| SHA256 | 0d34b789bde5b17903b770e563743908bea6d7d0693ef57709dd57dde444eb9a |
| SHA512 | 7afac4b0bb0c90ccef4ee14b12b3349e5265eba294e6e5f4dafff894988d07b861cb11dc8dda826420b18288757370bfd0e304e6be578135a1d054c083cdc209 |
C:\Users\Admin\AppData\Local\Temp\Eyes
| MD5 | bf240bdddf4e33588fba0ed1973d7e98 |
| SHA1 | 7c3c46bc43abdbc82bf41b72860a449433288927 |
| SHA256 | a28c88f3dbfd8b8961c30a364b8a38ecdada18b92ac1e77a1c211a7487723c97 |
| SHA512 | 3990b660f9f53e9a7e626527a53fea00d4b344ba9c90912aa904f336b527cbd87b30e21c3408d215699d1ac5d999b47000f866f38d387312653eeb5d8b768a73 |
C:\Users\Admin\AppData\Local\Temp\Slovenia
| MD5 | 398a56733a96146f96dae1f926f8ee34 |
| SHA1 | b589aaa2ae0b047d2b91df4daa193f02d68c2563 |
| SHA256 | e411f41b9d6fff03fe7d4da422aa30f11bfecb5f5bf9c6cf2088eb84a2a8c018 |
| SHA512 | a45e9a93c2f5673204eb1898ca10f7a7e244b512da6f2493b330b266a1d8a2d3db636c5a5a6e67b044cb0ea5a124064ccefb2db3783052e6e6698d9c6d1e7d71 |
C:\Users\Admin\AppData\Local\Temp\Hired
| MD5 | a4e79a921d1a40f87f86cc426d0cce0d |
| SHA1 | 52ac999f6ed734a3023428194c3422e206987124 |
| SHA256 | 306e6d43695f56399f0c7ce9c36e2f8e652838a02d0debf6ab98e7fd2f483af6 |
| SHA512 | 113557e6e6b5316f83ac5899338e3dd63ec281b449f1ee063efceedc94846ece210c8f4b047b804feee2487b7328bd4181c696b4fb7075550fa3a2ced5d01e9e |
C:\Users\Admin\AppData\Local\Temp\Mods
| MD5 | 63991cd3b811a87ef7f756a3a88408f3 |
| SHA1 | 5887b2746923e3bb209a010c794d6a03f2043cbe |
| SHA256 | 16c52c4b922b43b8dd61738190c23f60da5e601a1e84d6cbd277ed7c9bc16675 |
| SHA512 | f9115542afa4079772b2edbeb5cbefbb337f976ced77036240624787549ea04937cfebbdc290bdaa8e8523c688b7536af7bd88fe43b053d3dcf811783967c7b6 |
C:\Users\Admin\AppData\Local\Temp\Dinner
| MD5 | 9278daaaaad5cf175f7e5037f994ae26 |
| SHA1 | 50c1d167d544a6db08d90ba33ba434147bf4b63e |
| SHA256 | 525dff77cccca91f145aa95c71b921ffc029881310ef9a0808e5c0cbc8589420 |
| SHA512 | 343263a1794b59e1a5cbe8b169f5efab5ee1f3c273a9961104973557b51174730613693b3dc50852f9db4864bd182d1343a3fa97ddbe6f3d04b0656911443c9e |
C:\Users\Admin\AppData\Local\Temp\Lending
| MD5 | ea6036f36a74ce85b23ec1828d3cc68f |
| SHA1 | f1ce5a30d9774f397d82de04130209b501fd0d1c |
| SHA256 | 120a01b7d92584f180e803019867585ed5a106b1d63047ec9b949fa59ed75498 |
| SHA512 | 5b7d46c88d330a85d524fe5a7aab9232b3644c7299ce7df7d34eae9821baea9ed1070e379a63d8efe6f98c0dcbf1b69adc3f311b26361ab5ea8e648cf9167b66 |
C:\Users\Admin\AppData\Local\Temp\Gaming
| MD5 | 122f66640ca5fcc16ff9106acca0a4c5 |
| SHA1 | 15ec716fc34c6dfb6be98d56487528a62e0a9fc5 |
| SHA256 | 7db5db363d38cc28570b882229eaaa3d819bdfb5953ebd3de483e7338285ed0e |
| SHA512 | 3052d8791dee53ff955b655a0b9d7ff804b6c1f80806199a61a98cfb58ac52efab8c53caa5e3248b487ad485edfe9959044f94218f754f75ac212f890b789ab4 |
C:\Users\Admin\AppData\Local\Temp\Dining
| MD5 | 07b2b7969bb80e43ae8d6d565cbab5c4 |
| SHA1 | 128d43f48928a73ef3446593d63fbfe025cb126c |
| SHA256 | 818f6cc7d29bc250a64e02e61c840e1f74432c66bbacef0ce0a75105accdb592 |
| SHA512 | 45b840b69b09801c4c0528cfc00f8eb50f2a8d2806907a894355ead304f5b1aafdaca9741bf9200b036b9302340d25f6dba7c44e7be651f179736857ef7b3f60 |
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\Reject
| MD5 | e9157b4c97794aeff095902148ad9532 |
| SHA1 | 2915ca3cff7a81ea19ed0873fe8266274582158e |
| SHA256 | 1f588e2cefb8bafadc9a029a28dcdd93a7e9472e2190caab7a277fa79cffcd77 |
| SHA512 | 26973ff5887e087632c459597a4652f6917d9a81fa48c1642a56c95221f019696e46f88a6c33d1013e6c009324ee9f99a92e5383acc1b6d619ff6229c3360d96 |
C:\Users\Admin\AppData\Local\Temp\Comfort
| MD5 | e85c7c2eb7eed1bea9d92071b7b197e4 |
| SHA1 | 05f4108a3e331b2a9db2351c9f506b3cbadef771 |
| SHA256 | 5868a2a8a8376d6f34d125e0c9bf0edd15afd3f82df342a8f079d2417997d137 |
| SHA512 | 97151aec2e73e10cc9e6fdd2c69c0498f49ff6417807e3e4e9cf0534848f34e77fd09943fa86d860993dc8ae1ae14ad85d073cf5ffa391fe3c582f94b502c491 |
C:\Users\Admin\AppData\Local\Temp\Herein
| MD5 | 717e7bb87ee5fc6795900e82f92c38a5 |
| SHA1 | 713b0e36e00b5a9df643fab99eff7fe05ebfd4f7 |
| SHA256 | f2c1981a42235a7748d03a68d840fb647d1a591cf3265fc7ec32761ee6bca957 |
| SHA512 | 955107b6a503ab4c4aad2c5b70cff52e2069fed5bcdc6fac76b69957261c531ef95eb31c728b1d64de35130381be734504d8ed6572824dc744f72b49fcdf3f2d |
C:\Users\Admin\AppData\Local\Temp\Hat
| MD5 | 6cb837218c7e7f9b0bb4e5de012b5f0b |
| SHA1 | b64ff496cef53d3555c6624abe4a51f99758bbbf |
| SHA256 | baef9762f9bbd47ee6171396e3c87bb0e7655da35438fe5eb1efd9f3c6a87db5 |
| SHA512 | 23e250e7bfa8f873dde6d786d9ce0526e83fb42421e152e3e75c6ea01e29ddebae9c2115c0e0e19ae85c73f5d8525eb34a499456090451528f51ffff1986ca62 |
C:\Users\Admin\AppData\Local\Temp\Coleman
| MD5 | caf81509c6182cdf2b3cf474c21924e7 |
| SHA1 | 8931ae49b935d30cfb8d192a34d96c1da9a1133f |
| SHA256 | 342ada9e312f7bb721e1174b8ce4f23791f02ed04cd6813456072adb2a2330f9 |
| SHA512 | d11e61040f5b25cd9740bab941208d82e1f29562705cdff5508909dba6fe848ebe596e7a1daf7a5d30ba97c35816ffe0e8e5a8d7656729ddf7ba349cb8d4da94 |
C:\Users\Admin\AppData\Local\Temp\Agents
| MD5 | e072328c52cc438642327cf2715c6232 |
| SHA1 | dc776562767baabb5f469f2245cb844435c57a8b |
| SHA256 | 7404865538c5dff10b89c992251d03726be4a25135760af18f2ef9234f875728 |
| SHA512 | 80a05d449fd00895ac2b36cfd0ceb2b6c41a22a37a9aa28bb0a57d3ee9f43ec528a109eaa91ac5fabc6faccedcf547fd2a9c3278293b0ad1d73561771861df7f |
C:\Users\Admin\AppData\Local\Temp\Spray
| MD5 | 81754ffb3a2c2760a080ea70a80eecfe |
| SHA1 | 4925a77076e0afd35a110ff68132ef98263b8a92 |
| SHA256 | b1e347ec4e03cff9cc62b7bc4d219a6645cf3939a35697551cf77839d72089b6 |
| SHA512 | e5d21b5db48e2e67afbbe1cfb813252ea0244e31e165ca124f206c291b53be1b1a74d1eba8894e93adcac5e933204f1dddc92c40c1eb775b5cdf5d440b173ee2 |
C:\Users\Admin\AppData\Local\Temp\Husband
| MD5 | 792c7f8dd36ccf3dc732e75deafcf3a8 |
| SHA1 | 7511dd19e3ebaea53bbefc72b10146231f8e607d |
| SHA256 | 75443ebd4b9dcbcf0e367a853386ce5a604fe338a34afab63f1ac1141c5eb670 |
| SHA512 | 32cf33fa12fc7bc125e269b50a584834aec1350ed52f081a8a6c393faa6c68a87cb63463465e13b7c3aeaee534ac21ebf482ebd505d67b0d15b41d9e6a93c1b6 |
C:\Users\Admin\AppData\Local\Temp\Vast
| MD5 | 556425c0faef4670d1e22fb6fcc39670 |
| SHA1 | 25b97fb1cb78439408f439b4c96933c66cf019df |
| SHA256 | 11d8b300d94f5e8455d792625260b83dfdc7f258182620d719eb81a71319f4f5 |
| SHA512 | 96f8e77db9cf14f121842d8a6a3b225597cb89691b72a051703ce6e7367bf38fc6fb0b14ec17789559c472bb1b2243c6bb88daae28dbe4e1154bfb7f5e658bfa |
C:\Users\Admin\AppData\Local\Temp\Schema
| MD5 | 6d6371d8a1877548b2ba892feeec4448 |
| SHA1 | 9a31d21807d9a7ce9e4701cd63d51ded7db85290 |
| SHA256 | 85a5a1b465e959f6b55feebae33059f82b972458f8527d5e1361e749b724d13d |
| SHA512 | 9dbd7fc2c804e785ea7545ede8408fb647736a1e9731dad40f6256c580a91f1df90cebada0d20776f2b264cde69df8bcb63071b8de24a08944dbfaa5f875a8e0 |
C:\Users\Admin\AppData\Local\Temp\309056\u
| MD5 | 92e78614e5198320c105789a28b5eaa5 |
| SHA1 | 75411d15bcd89af58e4a82e65bd66487fc7532dd |
| SHA256 | aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac |
| SHA512 | 2e8be01a870c5aeefe1beb3072395b2dec3c10964b1556c4727ba444980dcf079c64def4228df212e7dc81542258cb952525d6a1dbb38655cbcaa8ba06717e41 |
memory/4800-86-0x0000000001600000-0x00000000017DF000-memory.dmp
memory/4800-87-0x0000000001600000-0x00000000017DF000-memory.dmp
memory/4800-89-0x0000000001600000-0x00000000017DF000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-08 17:51
Reported
2024-09-08 18:01
Platform
win11-20240802-en
Max time kernel
300s
Max time network
303s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4196 set thread context of 5240 | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ElectoralUnderstand | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\WwPeriod | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\InstitutionalInvision | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AppFile.exe
"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 309056
C:\Windows\SysWOW64\findstr.exe
findstr /V "threateningflightbreachjoel" Springer
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
Dolls.pif u
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
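The batch stage listed above is fully visible in the recorded command lines: Angel is renamed to Angel.bat and run, two `tasklist` | `findstr /I` pairs probe for security-product processes, a directory 309056 is created, `findstr /V` strips a marker line out of Springer, `copy /b` stitches 36 of the dropped files into `u`, and `Dolls.pif u` is launched after a `choice /d y /t 5` pause (cmd has no sleep; `choice` with a timeout is the usual substitute). The script below is an added example written for this page, not code from the sandbox report or from the sample: it parses those command lines as a responder would, recovers the concatenation order, reassembles a payload from a directory holding the dropped chunks, and compares its SHA256 with the value the report lists for 309056\u. The command lines and that hash are copied from the report; the chunk contents used in `demo()` are constructed stand-ins because the real files are not on this page, so the hash comparison is expected to fail there.

```python
# Added example (editor's code, not the report's or the malware's): parse the
# batch-stage command lines recorded above, recover the chunk order, reassemble
# the payload and compare it with the SHA256 the report lists for 309056\u.
import hashlib
import re
import tempfile
from pathlib import Path

REPORTED_U_SHA256 = "aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac"

# Command lines copied from the "Processes" section (behavioral4), recorded order.
PROCESS_LOG = [
    r'"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat',
    "tasklist",
    'findstr /I "wrsa opssvc"',
    "tasklist",
    'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"',
    "cmd /c md 309056",
    'findstr /V "threateningflightbreachjoel" Springer',
    r"cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest"
    r" + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci"
    r" + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating"
    r" + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema"
    r" + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents"
    r" + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject"
    r" + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u",
    "Dolls.pif u",
    "choice /d y /t 5",
]

def copy_concat_order(cmdline):
    """(sources, destination) from `copy /b a + b + ... dest`; ([], None) if absent."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", cmdline, re.IGNORECASE)
    if not m:
        return [], None
    return [p.strip().split("\\")[-1] for p in re.split(r"\s*\+\s*", m.group(1))], m.group(2)

def av_process_checks(log):
    """Process names probed by a `tasklist` immediately followed by `findstr /I "..."`."""
    names = []
    for prev, cur in zip(log, log[1:]):
        m = re.search(r'findstr\s+/i\s+"([^"]*)"', cur, re.IGNORECASE)
        if prev.strip().lower() == "tasklist" and m:
            names.extend(m.group(1).split())
    return names

def first_match(pattern, log):
    """First re.match of pattern over the log lines (case-insensitive), or None."""
    return next((m for m in map(lambda line: re.match(pattern, line, re.I), log) if m), None)

def summarize(log):
    """Facts a responder wants from the tree: AV checks, chunk order, runner, sleep."""
    copy_line = first_match(r".*copy\s+/b", log)
    chunks, payload = copy_concat_order(copy_line.string if copy_line else "")
    runner = first_match(r"^(\S+\.pif)\s+(\S+)$", log)
    delay = first_match(r"choice\b.*?/t\s+(\d+)", log)
    return {
        "av_checks": av_process_checks(log),
        "chunks": chunks,
        "payload": payload,
        "runner": runner.group(1) if runner else None,
        "runner_arg": runner.group(2) if runner else None,
        "delay_seconds": int(delay.group(1)) if delay else 0,
    }

def reassemble(chunk_dir, order, out_path):
    """Concatenate chunks in recorded order (what `copy /b` did), write and return bytes."""
    data = b"".join((Path(chunk_dir) / name).read_bytes() for name in order)
    out_path = Path(out_path)
    out_path.parent.mkdir(parents=True, exist_ok=True)
    out_path.write_bytes(data)
    return data

def verify_payload(data, expected_sha256=REPORTED_U_SHA256):
    """(sha256 hex, matches the report, begins with an MZ header)."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, digest == expected_sha256.lower(), data[:2] == b"MZ"

def demo():
    """Parse the recorded log, then reassemble constructed chunks (real ones unavailable)."""
    summary = summarize(PROCESS_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        chunks = {n: (n + "\n").encode() * 4 for n in summary["chunks"]}  # constructed data
        for name, blob in chunks.items():
            (Path(tmp) / name).write_bytes(blob)
        data = reassemble(tmp, summary["chunks"], Path(tmp, "309056", summary["payload"]))
    digest, matches, is_pe = verify_payload(data)
    return {"summary": summary, "sha256": digest, "matches_report": matches,
            "starts_with_mz": is_pe,
            "reassembled_ok": data == b"".join(chunks[n] for n in summary["chunks"])}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the real dropped files, point `reassemble()` at the Temp directory that holds them and write to 309056\u; `verify_payload()` should then report a match against the hash above, and the MZ check tells you whether what `Dolls.pif` receives is a PE or some other format. The probed names map to Webroot (wrsa), Quick Heal (opssvc), Avast and AVG (avastui, avgui), Bitdefender (bdservicehost), Norton (nswscsvc) and Sophos (sophoshealth); a `tasklist` immediately followed by `findstr /I` over such a list from a cmd.exe spawned under the user's Temp directory is a usable detection on its own, as are a `copy /b` with dozens of operands and `choice /d y /t N` used as a sleep.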
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rTzKXibCiKZCHFYYyL.rTzKXibCiKZCHFYYyL | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | 213.62.237.104.in-addr.arpa | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Angel
| MD5 | 10d664be6c48cbbfe986cf13389e70d5 |
| SHA1 | 81c91d173b2a38349b688791ad7a1fd52ba7cfec |
| SHA256 | 1544228be4736dfc9a52c9eb675ffe27a75490e71b6697bcfb4896beb99baa17 |
| SHA512 | adf5916eeb6c23ddb8b0ec331abab55826dea115fa3675899345319289716aa4181056c9d106e2397a9117bfc1be6a5db1833984d00b249dda11db0bd2e18f67 |
C:\Users\Admin\AppData\Local\Temp\Springer
| MD5 | 9fce304f6f8b0e39b17488ff2461004a |
| SHA1 | 7a2f5480712e430771228a60c6468a21c261015a |
| SHA256 | 388238bf76dc4e90837550f3b9ade8c2240ea2330ffbfa54b7bdc14dd64ae31f |
| SHA512 | cbb11d1d73c3979aafe7b374e44f770606d25d3caf4a0aac0197f00580f500004fe32ff9f93a6d7103f7a7db01c35f29ef9e5b95941de98df4f873f37dadf554 |
C:\Users\Admin\AppData\Local\Temp\Belongs
| MD5 | 08f9d23e902a4b9f1454c0cca8063a4c |
| SHA1 | 2d18b94d7e6bfec87661be9c775f989640228efd |
| SHA256 | 8eda93d0df79719c2194c895abc443218076fb76a8f8af5bb037491f1a3f42d3 |
| SHA512 | 1a796a3a24a363f4d5239ea1b972e95000611c6f90be9a0cbe5b8b50195cb11b86e4cb8b4ccc6a4d93822c80e99cccefdb2b585fb48d8ae045ba690459fc164d |
C:\Users\Admin\AppData\Local\Temp\Teams
| MD5 | e4be3f3dfa731bce602265bd78ca96e4 |
| SHA1 | da6ee51e4cc450fb2697a8e583590c205c354628 |
| SHA256 | 3d1c4fc43431a0739b933a0ccc3d6209f3d5e417102adacc99c485dfa78aa306 |
| SHA512 | fda626cc19bdf4f36e8ec261597115470a9c44fd5ed43684032fd0694454d30ff28c38d6aed1e765e40fcba9ab618b9fba4a8d2608a7cc0c84404baedfae24b1 |
C:\Users\Admin\AppData\Local\Temp\Entirely
| MD5 | e57d41a42c0018011b8d05ead7ba8ea5 |
| SHA1 | a5be0444eaf9d294e7043b76533daa5b4391a0de |
| SHA256 | 8bef0123411a0a965a9bd62cc22f855df1c84b2ab2f6fdddc5d72d2d0412f0b6 |
| SHA512 | 4029afff3795c8567b81ced18cd4053efdcf96be62e27bfa7938a7562bba66610a935944e59f39267a757e5d2c5c651c0bd62c89ac485f8d50e5e0c1bb25646c |
C:\Users\Admin\AppData\Local\Temp\Eyes
| MD5 | bf240bdddf4e33588fba0ed1973d7e98 |
| SHA1 | 7c3c46bc43abdbc82bf41b72860a449433288927 |
| SHA256 | a28c88f3dbfd8b8961c30a364b8a38ecdada18b92ac1e77a1c211a7487723c97 |
| SHA512 | 3990b660f9f53e9a7e626527a53fea00d4b344ba9c90912aa904f336b527cbd87b30e21c3408d215699d1ac5d999b47000f866f38d387312653eeb5d8b768a73 |
C:\Users\Admin\AppData\Local\Temp\Identifier
| MD5 | cd4ad18674a26527c0782f2a0d15b277 |
| SHA1 | 56e92ebf526601f3f5fe99fc3e5dd9b29a99c41c |
| SHA256 | 0d34b789bde5b17903b770e563743908bea6d7d0693ef57709dd57dde444eb9a |
| SHA512 | 7afac4b0bb0c90ccef4ee14b12b3349e5265eba294e6e5f4dafff894988d07b861cb11dc8dda826420b18288757370bfd0e304e6be578135a1d054c083cdc209 |
C:\Users\Admin\AppData\Local\Temp\Incest
| MD5 | 74f15b102c0bef94140262ad551bbc24 |
| SHA1 | 70246a3d8005ca0a91c8d22303c55416b6e9ff4f |
| SHA256 | 58376ca5773ce08e2bf4b876cd517ee421030293150ba2dfb50462e34c51c6d9 |
| SHA512 | 7a0cb169ba7b69d5388678478cfaa4bc82fe854d5a40785fa03a3a0bb955088adbe00f5da8f667df6ea448d6118b372ccdf9fcabceb5e70574573f9a0f8729de |
C:\Users\Admin\AppData\Local\Temp\Official
| MD5 | c28b2871b183dfc806e0855c516e6ab4 |
| SHA1 | 8f367c25d973e6b690b1ea6799ecd39221371e43 |
| SHA256 | 12717aac68c10051e3ca2ae75343128eb8a80eec398269d675d5244ade6d9724 |
| SHA512 | f02f7bf8885d57a89391768ddf66c8494ff058f5da4d9d316187c210aca6943f6a2dc4c62771ea3a90b10674c27e117f92d6c7df8e2af75bae349a989b86220d |
C:\Users\Admin\AppData\Local\Temp\Persian
| MD5 | 4f028498571a78e28b5665bcfaf7bda1 |
| SHA1 | db28d1f7a2206c4fc4a17d57373e928bb10c7954 |
| SHA256 | 84310b39a6c9e5941f61502105e746b3dd836108e2a6c7084612e86d0efb91e4 |
| SHA512 | a540c4cd5a8997e7cb7f5cb2ae20859db92991d2f390296c5ac7afe23232679dae30b6db902602893b8b23dcebae07a6b39a57f50adecb3c6367eca174623b24 |
C:\Users\Admin\AppData\Local\Temp\Sci
| MD5 | f1e239919f64507bc976bee4ac152239 |
| SHA1 | b69eb5fec6da7c582aff31820106e0c46ec8dfda |
| SHA256 | a0d3e15d1b12b4b4111786e454770c511221a6eebe271f20849b112d0cb161b9 |
| SHA512 | 4459e213cd7e36b0008520d030902058a83c2b81bb9333e710561d27ecbcc56468b10994d64488da2fe9b52f033e7a322d6f1fbbcb9081b682acada286f9dff4 |
C:\Users\Admin\AppData\Local\Temp\Eagle
| MD5 | ffa47b74dc7534579bddc42e8ea9bc21 |
| SHA1 | 22e0cf8668117e3782a38b8e4f3553c8f79c379d |
| SHA256 | d0e2a600aab27dfc91bc8c1e73e0d0d20489b04bd376e7bf16fe1763ca1f9ce6 |
| SHA512 | 16f80341dc0386413558c6307a35831f239005f5fadd01818efe95f77c2a12311e5db7943902d16676c12aa1765f20af335a561da1e3f79eb5d9baaee2dc6113 |
C:\Users\Admin\AppData\Local\Temp\Rochester
| MD5 | 2076c81372d64961aeee64296c288ddf |
| SHA1 | 4767a7f611e6ac3ceeb692f1a7df90cdd84fc7ca |
| SHA256 | 63563ab659575d711cf2a686d7140359850e49bc2f1e9f658105c3adb0663fb8 |
| SHA512 | 1e40bc944a91fc9608077b1866d6742624f377e7cc2d63903fe2bd24093b17be3aedc70c534497eaaec7ce30ecf318153f3c40af1ff56a82f5ff48fc09cb5976 |
C:\Users\Admin\AppData\Local\Temp\Asset
| MD5 | 79ccf7fd1a2157e74b27c1935707ee99 |
| SHA1 | 9f1267d4323c5180c8700cbe82ba51456ab40f74 |
| SHA256 | d90010bbb47afe5b33fc5bc52295ec6ca955a875fe1001f32bfc870783633ed7 |
| SHA512 | 35dc6918b9255eba821b0e3418cb58db2ad703aaa731bb2474d78084367e975451142a23348a1911bdc4f7cbfb70eeaba8b6cce2a8f527944f0ed3a4fb1d9129 |
C:\Users\Admin\AppData\Local\Temp\Arts
| MD5 | 22999c3bfef35ab54dc51cea926d8125 |
| SHA1 | aa929c775e9a740f3b6fc403b5bfb13b0ef10e14 |
| SHA256 | 63f722d605fdd7162f695c55b4c57acf925140a62b93b447d805b1dbcf3d1b1c |
| SHA512 | d750799211beb39b6033f1a85e773b65ed1f576e718c5d9d805b36b6bc152aab7e411d8f2fc73a87b799016f67962ef42a7b7e2c304a5b02b1daf166ac142994 |
C:\Users\Admin\AppData\Local\Temp\Communication
| MD5 | e76ca6497197f496c934e273bc4af7a8 |
| SHA1 | 1c813197c9434d6d3f359c1c0c6374ce8e5e77e6 |
| SHA256 | 2adfd0aa33275eaeddbebffef664bcc2f403ebf6335bc593bd490a66e06c3956 |
| SHA512 | 425fa7c17d9e30e8c3c6ea042a86f6f54f8938ca3491e514e633d111d5cdb0d8094c482c9e08a57cec613178d78c55392c64c8e0d60190c86957a170245e9f3f |
C:\Users\Admin\AppData\Local\Temp\Evaluations
| MD5 | 824ca47d6ed68f19c98e3a8585c03fd2 |
| SHA1 | 00ebf75301539fac6f72012b3dea899797d83eca |
| SHA256 | 14e02c722fdb4507967bd77111eceb5c377e4b515f2cc9ca01117df4e1df2965 |
| SHA512 | e1b398ab18042a7456e87fd6169bca88e86e718b09111eee11f81cc284599ce3431f852fe1552db950bd39f5ac9703406c206b8b37ff595a05099fefd5ddc81f |
C:\Users\Admin\AppData\Local\Temp\Coating
| MD5 | d4b175095bad046fe31a891e313fac1d |
| SHA1 | 3e8268ea2db96566a03b5886ffcd904cc2938940 |
| SHA256 | 710fcbabe6b6d3fb615d012d3aa5ff551d30590eb9949ad947ce42e313e2a757 |
| SHA512 | d78844eb4099962d6eb5c9308e0f80cc3f56c15a525318a6ddc94811f8239eb622df6845ec831eb656157f9695f935d4962ca538f802c0449ac00850b519a007 |
C:\Users\Admin\AppData\Local\Temp\Considering
| MD5 | 8392df6b6dd3005f67d9e685adf5d98a |
| SHA1 | 172ccb65f6b6192c695b53f8ddcedfdbe639fea6 |
| SHA256 | 89d0790a0691cf5f327ab61f73fa2167a8b54ad0e8b21c22d34887455463448e |
| SHA512 | d6ad83fb2ad1cceeb57098b27145e20e800703440c0cf04ed13c00af9c2baecf82e8ad6e28af556de5e2b38a80d8b987f6c347f18eac0892db23ed2ec81d0b3f |
C:\Users\Admin\AppData\Local\Temp\Indicated
| MD5 | d8d333b7fa6f3f4d117279af7fe5ebd7 |
| SHA1 | 15360b9018b623a945ccd0a147bff926f9a36b4d |
| SHA256 | c07e05f4515864b97744a19b33e80170911dee7e84b19dff7a624c3b95c0db58 |
| SHA512 | e60a6932bc7036ef5f0d031fdacfea0f1c399370336fa36907e3ea1e5a0eec50e135c965452c29dad05f3327efb9c9f063e38e9d5bd68265552248113743f251 |
C:\Users\Admin\AppData\Local\Temp\Stamps
| MD5 | 05edf987e0e4caf0790d6cd52745918f |
| SHA1 | a657c82fb2b6055696917d16e074e3afad630da7 |
| SHA256 | 6ce2a376edd727d7295bc0648e844ad281bb96db057b84e803c5bb387ca2f54c |
| SHA512 | 38b90f60b303a00b93ea1f0f9b4fa9f6dac7b64d9f0e849699d8220bc70efbd1c038d35cfb7a1c12a2a5b9facaf1accd9fbeadfd5be5ca1ccfb29e51864856bb |
C:\Users\Admin\AppData\Local\Temp\Crawford
| MD5 | aa5687b499c0e31cc570a5b3956e0055 |
| SHA1 | 0d469ee44ed6a8a57095820ac188477f1ce46e04 |
| SHA256 | c6cae2f7545cc6a2382123889ebf816db31d84136c15b36ac488a74eef5e2c86 |
| SHA512 | 0f11ed72669671ed51e5dd3658c29d9f00f8397b7168db5255e0242924db8ce7514dc318552c80843283f0ad93d8f45951359d8461837a32e3ba8672d8c7fb9b |
C:\Users\Admin\AppData\Local\Temp\Schema
| MD5 | 6d6371d8a1877548b2ba892feeec4448 |
| SHA1 | 9a31d21807d9a7ce9e4701cd63d51ded7db85290 |
| SHA256 | 85a5a1b465e959f6b55feebae33059f82b972458f8527d5e1361e749b724d13d |
| SHA512 | 9dbd7fc2c804e785ea7545ede8408fb647736a1e9731dad40f6256c580a91f1df90cebada0d20776f2b264cde69df8bcb63071b8de24a08944dbfaa5f875a8e0 |
C:\Users\Admin\AppData\Local\Temp\Husband
| MD5 | 792c7f8dd36ccf3dc732e75deafcf3a8 |
| SHA1 | 7511dd19e3ebaea53bbefc72b10146231f8e607d |
| SHA256 | 75443ebd4b9dcbcf0e367a853386ce5a604fe338a34afab63f1ac1141c5eb670 |
| SHA512 | 32cf33fa12fc7bc125e269b50a584834aec1350ed52f081a8a6c393faa6c68a87cb63463465e13b7c3aeaee534ac21ebf482ebd505d67b0d15b41d9e6a93c1b6 |
C:\Users\Admin\AppData\Local\Temp\Vast
| MD5 | 556425c0faef4670d1e22fb6fcc39670 |
| SHA1 | 25b97fb1cb78439408f439b4c96933c66cf019df |
| SHA256 | 11d8b300d94f5e8455d792625260b83dfdc7f258182620d719eb81a71319f4f5 |
| SHA512 | 96f8e77db9cf14f121842d8a6a3b225597cb89691b72a051703ce6e7367bf38fc6fb0b14ec17789559c472bb1b2243c6bb88daae28dbe4e1154bfb7f5e658bfa |
C:\Users\Admin\AppData\Local\Temp\Hired
| MD5 | a4e79a921d1a40f87f86cc426d0cce0d |
| SHA1 | 52ac999f6ed734a3023428194c3422e206987124 |
| SHA256 | 306e6d43695f56399f0c7ce9c36e2f8e652838a02d0debf6ab98e7fd2f483af6 |
| SHA512 | 113557e6e6b5316f83ac5899338e3dd63ec281b449f1ee063efceedc94846ece210c8f4b047b804feee2487b7328bd4181c696b4fb7075550fa3a2ced5d01e9e |
C:\Users\Admin\AppData\Local\Temp\Slovenia
| MD5 | 398a56733a96146f96dae1f926f8ee34 |
| SHA1 | b589aaa2ae0b047d2b91df4daa193f02d68c2563 |
| SHA256 | e411f41b9d6fff03fe7d4da422aa30f11bfecb5f5bf9c6cf2088eb84a2a8c018 |
| SHA512 | a45e9a93c2f5673204eb1898ca10f7a7e244b512da6f2493b330b266a1d8a2d3db636c5a5a6e67b044cb0ea5a124064ccefb2db3783052e6e6698d9c6d1e7d71 |
C:\Users\Admin\AppData\Local\Temp\Spray
| MD5 | 81754ffb3a2c2760a080ea70a80eecfe |
| SHA1 | 4925a77076e0afd35a110ff68132ef98263b8a92 |
| SHA256 | b1e347ec4e03cff9cc62b7bc4d219a6645cf3939a35697551cf77839d72089b6 |
| SHA512 | e5d21b5db48e2e67afbbe1cfb813252ea0244e31e165ca124f206c291b53be1b1a74d1eba8894e93adcac5e933204f1dddc92c40c1eb775b5cdf5d440b173ee2 |
C:\Users\Admin\AppData\Local\Temp\Agents
| MD5 | e072328c52cc438642327cf2715c6232 |
| SHA1 | dc776562767baabb5f469f2245cb844435c57a8b |
| SHA256 | 7404865538c5dff10b89c992251d03726be4a25135760af18f2ef9234f875728 |
| SHA512 | 80a05d449fd00895ac2b36cfd0ceb2b6c41a22a37a9aa28bb0a57d3ee9f43ec528a109eaa91ac5fabc6faccedcf547fd2a9c3278293b0ad1d73561771861df7f |
C:\Users\Admin\AppData\Local\Temp\Coleman
| MD5 | caf81509c6182cdf2b3cf474c21924e7 |
| SHA1 | 8931ae49b935d30cfb8d192a34d96c1da9a1133f |
| SHA256 | 342ada9e312f7bb721e1174b8ce4f23791f02ed04cd6813456072adb2a2330f9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-08 17:51
Reported
2024-09-08 18:01
Platform
win10-20240404-en
Max time kernel
244s
Max time network
306s
Command Line
Signatures
CryptBot
Detect Vidar Stealer
RedLine
RedLine payload
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp | N/A |
| N/A | N/A | C:\Users\AdminIIDHJKFBGI.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2392 set thread context of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif |
| PID 1880 set thread context of 4340 | N/A | C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3548 set thread context of 5096 | N/A | C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2776 set thread context of 2924 | N/A | C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4304 set thread context of 1928 | N/A | C:\Users\AdminIIDHJKFBGI.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ElectoralUnderstand | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\WwPeriod | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| File opened for modification | C:\Windows\InstitutionalInvision | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AppFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminIIDHJKFBGI.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AppFile.exe
"C:\Users\Admin\AppData\Local\Temp\AppFile.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Angel Angel.bat & Angel.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 309056
C:\Windows\SysWOW64\findstr.exe
findstr /V "threateningflightbreachjoel" Springer
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Teams + ..\Entirely + ..\Eyes + ..\Identifier + ..\Incest + ..\Official + ..\Persian + ..\Arts + ..\Asset + ..\Eagle + ..\Sci + ..\Rochester + ..\Communication + ..\Evaluations + ..\Coating + ..\Considering + ..\Indicated + ..\Stamps + ..\Crawford + ..\Schema + ..\Slovenia + ..\Hired + ..\Vast + ..\Husband + ..\Spray + ..\Agents + ..\Coleman + ..\Mods + ..\Hat + ..\Herein + ..\Comfort + ..\Reject + ..\Dining + ..\Gaming + ..\Lending + ..\Dinner u
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
Dolls.pif u
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe
C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe
C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe
C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe
C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe
C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe
C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe
C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe
C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe
C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe
C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe
C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe
C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe
C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe
C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe
C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe
C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe
C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe
C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp" /SL5="$F004E,3462581,702464,C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 592
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIIDHJKFBGI.exe"
C:\Users\AdminIIDHJKFBGI.exe
"C:\Users\AdminIIDHJKFBGI.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCAAEBFHJJ.exe"
C:\Users\AdminFCAAEBFHJJ.exe
"C:\Users\AdminFCAAEBFHJJ.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "RRTELIGS"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "RRTELIGS"
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\ProgramData\AAAAKJKJEB.exe
"C:\ProgramData\AAAAKJKJEB.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\IECFHDBAAE.exe
"C:\ProgramData\IECFHDBAAE.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGDGIEGHJEGI" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
Network
Files
| SHA512 | d6ad83fb2ad1cceeb57098b27145e20e800703440c0cf04ed13c00af9c2baecf82e8ad6e28af556de5e2b38a80d8b987f6c347f18eac0892db23ed2ec81d0b3f |
C:\Users\Admin\AppData\Local\Temp\Indicated
| MD5 | d8d333b7fa6f3f4d117279af7fe5ebd7 |
| SHA1 | 15360b9018b623a945ccd0a147bff926f9a36b4d |
| SHA256 | c07e05f4515864b97744a19b33e80170911dee7e84b19dff7a624c3b95c0db58 |
| SHA512 | e60a6932bc7036ef5f0d031fdacfea0f1c399370336fa36907e3ea1e5a0eec50e135c965452c29dad05f3327efb9c9f063e38e9d5bd68265552248113743f251 |
C:\Users\Admin\AppData\Local\Temp\Stamps
| MD5 | 05edf987e0e4caf0790d6cd52745918f |
| SHA1 | a657c82fb2b6055696917d16e074e3afad630da7 |
| SHA256 | 6ce2a376edd727d7295bc0648e844ad281bb96db057b84e803c5bb387ca2f54c |
| SHA512 | 38b90f60b303a00b93ea1f0f9b4fa9f6dac7b64d9f0e849699d8220bc70efbd1c038d35cfb7a1c12a2a5b9facaf1accd9fbeadfd5be5ca1ccfb29e51864856bb |
C:\Users\Admin\AppData\Local\Temp\Crawford
| MD5 | aa5687b499c0e31cc570a5b3956e0055 |
| SHA1 | 0d469ee44ed6a8a57095820ac188477f1ce46e04 |
| SHA256 | c6cae2f7545cc6a2382123889ebf816db31d84136c15b36ac488a74eef5e2c86 |
| SHA512 | 0f11ed72669671ed51e5dd3658c29d9f00f8397b7168db5255e0242924db8ce7514dc318552c80843283f0ad93d8f45951359d8461837a32e3ba8672d8c7fb9b |
C:\Users\Admin\AppData\Local\Temp\Schema
| MD5 | 6d6371d8a1877548b2ba892feeec4448 |
| SHA1 | 9a31d21807d9a7ce9e4701cd63d51ded7db85290 |
| SHA256 | 85a5a1b465e959f6b55feebae33059f82b972458f8527d5e1361e749b724d13d |
| SHA512 | 9dbd7fc2c804e785ea7545ede8408fb647736a1e9731dad40f6256c580a91f1df90cebada0d20776f2b264cde69df8bcb63071b8de24a08944dbfaa5f875a8e0 |
C:\Users\Admin\AppData\Local\Temp\Slovenia
| MD5 | 398a56733a96146f96dae1f926f8ee34 |
| SHA1 | b589aaa2ae0b047d2b91df4daa193f02d68c2563 |
| SHA256 | e411f41b9d6fff03fe7d4da422aa30f11bfecb5f5bf9c6cf2088eb84a2a8c018 |
| SHA512 | a45e9a93c2f5673204eb1898ca10f7a7e244b512da6f2493b330b266a1d8a2d3db636c5a5a6e67b044cb0ea5a124064ccefb2db3783052e6e6698d9c6d1e7d71 |
C:\Users\Admin\AppData\Local\Temp\Hired
| MD5 | a4e79a921d1a40f87f86cc426d0cce0d |
| SHA1 | 52ac999f6ed734a3023428194c3422e206987124 |
| SHA256 | 306e6d43695f56399f0c7ce9c36e2f8e652838a02d0debf6ab98e7fd2f483af6 |
| SHA512 | 113557e6e6b5316f83ac5899338e3dd63ec281b449f1ee063efceedc94846ece210c8f4b047b804feee2487b7328bd4181c696b4fb7075550fa3a2ced5d01e9e |
C:\Users\Admin\AppData\Local\Temp\Vast
| MD5 | 556425c0faef4670d1e22fb6fcc39670 |
| SHA1 | 25b97fb1cb78439408f439b4c96933c66cf019df |
| SHA256 | 11d8b300d94f5e8455d792625260b83dfdc7f258182620d719eb81a71319f4f5 |
| SHA512 | 96f8e77db9cf14f121842d8a6a3b225597cb89691b72a051703ce6e7367bf38fc6fb0b14ec17789559c472bb1b2243c6bb88daae28dbe4e1154bfb7f5e658bfa |
C:\Users\Admin\AppData\Local\Temp\Husband
| MD5 | 792c7f8dd36ccf3dc732e75deafcf3a8 |
| SHA1 | 7511dd19e3ebaea53bbefc72b10146231f8e607d |
| SHA256 | 75443ebd4b9dcbcf0e367a853386ce5a604fe338a34afab63f1ac1141c5eb670 |
| SHA512 | 32cf33fa12fc7bc125e269b50a584834aec1350ed52f081a8a6c393faa6c68a87cb63463465e13b7c3aeaee534ac21ebf482ebd505d67b0d15b41d9e6a93c1b6 |
C:\Users\Admin\AppData\Local\Temp\Spray
| MD5 | 81754ffb3a2c2760a080ea70a80eecfe |
| SHA1 | 4925a77076e0afd35a110ff68132ef98263b8a92 |
| SHA256 | b1e347ec4e03cff9cc62b7bc4d219a6645cf3939a35697551cf77839d72089b6 |
| SHA512 | e5d21b5db48e2e67afbbe1cfb813252ea0244e31e165ca124f206c291b53be1b1a74d1eba8894e93adcac5e933204f1dddc92c40c1eb775b5cdf5d440b173ee2 |
C:\Users\Admin\AppData\Local\Temp\Agents
| MD5 | e072328c52cc438642327cf2715c6232 |
| SHA1 | dc776562767baabb5f469f2245cb844435c57a8b |
| SHA256 | 7404865538c5dff10b89c992251d03726be4a25135760af18f2ef9234f875728 |
| SHA512 | 80a05d449fd00895ac2b36cfd0ceb2b6c41a22a37a9aa28bb0a57d3ee9f43ec528a109eaa91ac5fabc6faccedcf547fd2a9c3278293b0ad1d73561771861df7f |
C:\Users\Admin\AppData\Local\Temp\Coleman
| MD5 | caf81509c6182cdf2b3cf474c21924e7 |
| SHA1 | 8931ae49b935d30cfb8d192a34d96c1da9a1133f |
| SHA256 | 342ada9e312f7bb721e1174b8ce4f23791f02ed04cd6813456072adb2a2330f9 |
| SHA512 | d11e61040f5b25cd9740bab941208d82e1f29562705cdff5508909dba6fe848ebe596e7a1daf7a5d30ba97c35816ffe0e8e5a8d7656729ddf7ba349cb8d4da94 |
C:\Users\Admin\AppData\Local\Temp\Mods
| MD5 | 63991cd3b811a87ef7f756a3a88408f3 |
| SHA1 | 5887b2746923e3bb209a010c794d6a03f2043cbe |
| SHA256 | 16c52c4b922b43b8dd61738190c23f60da5e601a1e84d6cbd277ed7c9bc16675 |
| SHA512 | f9115542afa4079772b2edbeb5cbefbb337f976ced77036240624787549ea04937cfebbdc290bdaa8e8523c688b7536af7bd88fe43b053d3dcf811783967c7b6 |
C:\Users\Admin\AppData\Local\Temp\Herein
| MD5 | 717e7bb87ee5fc6795900e82f92c38a5 |
| SHA1 | 713b0e36e00b5a9df643fab99eff7fe05ebfd4f7 |
| SHA256 | f2c1981a42235a7748d03a68d840fb647d1a591cf3265fc7ec32761ee6bca957 |
| SHA512 | 955107b6a503ab4c4aad2c5b70cff52e2069fed5bcdc6fac76b69957261c531ef95eb31c728b1d64de35130381be734504d8ed6572824dc744f72b49fcdf3f2d |
C:\Users\Admin\AppData\Local\Temp\Hat
| MD5 | 6cb837218c7e7f9b0bb4e5de012b5f0b |
| SHA1 | b64ff496cef53d3555c6624abe4a51f99758bbbf |
| SHA256 | baef9762f9bbd47ee6171396e3c87bb0e7655da35438fe5eb1efd9f3c6a87db5 |
| SHA512 | 23e250e7bfa8f873dde6d786d9ce0526e83fb42421e152e3e75c6ea01e29ddebae9c2115c0e0e19ae85c73f5d8525eb34a499456090451528f51ffff1986ca62 |
C:\Users\Admin\AppData\Local\Temp\Comfort
| MD5 | e85c7c2eb7eed1bea9d92071b7b197e4 |
| SHA1 | 05f4108a3e331b2a9db2351c9f506b3cbadef771 |
| SHA256 | 5868a2a8a8376d6f34d125e0c9bf0edd15afd3f82df342a8f079d2417997d137 |
| SHA512 | 97151aec2e73e10cc9e6fdd2c69c0498f49ff6417807e3e4e9cf0534848f34e77fd09943fa86d860993dc8ae1ae14ad85d073cf5ffa391fe3c582f94b502c491 |
C:\Users\Admin\AppData\Local\Temp\Reject
| MD5 | e9157b4c97794aeff095902148ad9532 |
| SHA1 | 2915ca3cff7a81ea19ed0873fe8266274582158e |
| SHA256 | 1f588e2cefb8bafadc9a029a28dcdd93a7e9472e2190caab7a277fa79cffcd77 |
| SHA512 | 26973ff5887e087632c459597a4652f6917d9a81fa48c1642a56c95221f019696e46f88a6c33d1013e6c009324ee9f99a92e5383acc1b6d619ff6229c3360d96 |
C:\Users\Admin\AppData\Local\Temp\Dining
| MD5 | 07b2b7969bb80e43ae8d6d565cbab5c4 |
| SHA1 | 128d43f48928a73ef3446593d63fbfe025cb126c |
| SHA256 | 818f6cc7d29bc250a64e02e61c840e1f74432c66bbacef0ce0a75105accdb592 |
| SHA512 | 45b840b69b09801c4c0528cfc00f8eb50f2a8d2806907a894355ead304f5b1aafdaca9741bf9200b036b9302340d25f6dba7c44e7be651f179736857ef7b3f60 |
C:\Users\Admin\AppData\Local\Temp\Gaming
| MD5 | 122f66640ca5fcc16ff9106acca0a4c5 |
| SHA1 | 15ec716fc34c6dfb6be98d56487528a62e0a9fc5 |
| SHA256 | 7db5db363d38cc28570b882229eaaa3d819bdfb5953ebd3de483e7338285ed0e |
| SHA512 | 3052d8791dee53ff955b655a0b9d7ff804b6c1f80806199a61a98cfb58ac52efab8c53caa5e3248b487ad485edfe9959044f94218f754f75ac212f890b789ab4 |
C:\Users\Admin\AppData\Local\Temp\Lending
| MD5 | ea6036f36a74ce85b23ec1828d3cc68f |
| SHA1 | f1ce5a30d9774f397d82de04130209b501fd0d1c |
| SHA256 | 120a01b7d92584f180e803019867585ed5a106b1d63047ec9b949fa59ed75498 |
| SHA512 | 5b7d46c88d330a85d524fe5a7aab9232b3644c7299ce7df7d34eae9821baea9ed1070e379a63d8efe6f98c0dcbf1b69adc3f311b26361ab5ea8e648cf9167b66 |
C:\Users\Admin\AppData\Local\Temp\Dinner
| MD5 | 9278daaaaad5cf175f7e5037f994ae26 |
| SHA1 | 50c1d167d544a6db08d90ba33ba434147bf4b63e |
| SHA256 | 525dff77cccca91f145aa95c71b921ffc029881310ef9a0808e5c0cbc8589420 |
| SHA512 | 343263a1794b59e1a5cbe8b169f5efab5ee1f3c273a9961104973557b51174730613693b3dc50852f9db4864bd182d1343a3fa97ddbe6f3d04b0656911443c9e |
C:\Users\Admin\AppData\Local\Temp\309056\Dolls.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\309056\u
| MD5 | 92e78614e5198320c105789a28b5eaa5 |
| SHA1 | 75411d15bcd89af58e4a82e65bd66487fc7532dd |
| SHA256 | aac38bdd824d85e082b708784705a2d778f0f32ca5594c15a45c0fdddf31a3ac |
| SHA512 | 2e8be01a870c5aeefe1beb3072395b2dec3c10964b1556c4727ba444980dcf079c64def4228df212e7dc81542258cb952525d6a1dbb38655cbcaa8ba06717e41 |
memory/4604-86-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-87-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-89-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-91-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-93-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-102-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-101-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-100-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-99-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-98-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-97-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-96-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-95-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-94-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-92-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-90-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-106-0x0000000001070000-0x000000000124F000-memory.dmp
C:\Users\Admin\Documents\iofolko5\crS6XBfPgyO17ocaD1TyHy8Z.exe
| MD5 | 751e3d161454b4c4aa4cf9ff902ebe1c |
| SHA1 | 25ea26e9037576f135a8f950ba47afe70195b2e9 |
| SHA256 | 7734438b2296ded96633a8f71fdccc2f4fdcff14c933facac7b44007226d3144 |
| SHA512 | 3e474ea0b0511e8361d80fafc52f0f27f5c8659bc7a40dd31168ea79595c68ab0162295d0fea7b6af4746e4b48279644b93281c094d17c271afe4b4f44029435 |
C:\Users\Admin\Documents\iofolko5\fftv3FbErK_praKexn_D0tgM.exe
| MD5 | 5ac3358abe03a6faa36599fe785b85b2 |
| SHA1 | e79bf35157e110c81a43af2f3b54d7a015f613b3 |
| SHA256 | c44148c0f3c14aea282ec116e768f5d3c58a50672d9e4b3867198a34069bf2ae |
| SHA512 | dc64db8b7e6e1f6154f37c6cae0dec3ad1dd3e0a3160951c7e7af8fc943e3bde2573aca6654f73a7818fd74160c87296c6514465acc3013a4e679cf33183ae09 |
C:\Users\Admin\Documents\iofolko5\AABTcZ9dEiwDHnk4f6FRTf6U.exe
| MD5 | 64034db3a0ce29dcb4cfb658ab805226 |
| SHA1 | d4f1cc6d18b4bebcbc89459583e45d5a0456151d |
| SHA256 | 61233c38ece219efc52b96189b470aad5dab514eb76231a980b4e80e0928fd1d |
| SHA512 | 9b4fe8ba0d6f2e90c84ede2b37629e2a0cdef80007de95c6b34d86aba2aed655e75deea7d85140b9ea517577b489bdd8e7de88683ee8f62529cfabb640d2877f |
C:\Users\Admin\Documents\iofolko5\0B_1KJ0j3CGf6bIs6KK3krXo.exe
| MD5 | 45fb3cd11b294fe8a05691cdab474786 |
| SHA1 | cfec8cb59f94b534280f47fcadd68af89107f124 |
| SHA256 | b16ef1bdc9bcba0db197bba5bca6fa08ece713de76412e6bea6de5a8dab2af6f |
| SHA512 | e1e26c7706f8d74ae1a0d6d9b1765ee81440746428ea9c6ca9127326dc8fdb2b2419a79109734848978866f52741902f99031b47cb2c9a09427e5a13f51f1f81 |
C:\Users\Admin\Documents\iofolko5\cXY1aFKOKeNzsxIumGTMpa_B.exe
| MD5 | 65208d6a2c36c758bab95b17fb22e19e |
| SHA1 | ef43d4bae09cfeaff0396f339056ac64437cd36e |
| SHA256 | 1071d6290a7dd366135a37c2667366e6642d719c34f25a6ed02bba9de9fa99d0 |
| SHA512 | 23223f7571699ba9e654bad651a9b23876dc286d72676a60d93466cbc6cc7bb7a514686d107dd769526874aac84d8c56fee7e7b54d1cf78cba08a38e8bda9e85 |
C:\Users\Admin\Documents\iofolko5\yu2Syaq4g56REltqba4CNHtN.exe
| MD5 | 77c1c71f2f7aa135861e6650c90c986e |
| SHA1 | 708ed7c02ae52f07adae4a89fce1517a7a0c0aeb |
| SHA256 | 95fbb3198cccd713a2fedc945b5e921ebd32570574fa25e284a06dcdd7ff5a32 |
| SHA512 | 01dbcda09e026a8ae949ebb614eccfa009b44e2d95de94423c44799d185fd95a75b070fc7b14b467e488409e040f9d50fb41afc3c7377a39b6fb23c82152dce8 |
C:\Users\Admin\Documents\iofolko5\O8WNiPic7NUJgGbKccrS5e5v.exe
| MD5 | 2fd86119bd5a2850cb2489c0f87b6acc |
| SHA1 | 4237934315cb5abd2b340d0b8aa8ffa598aa075e |
| SHA256 | d44b9056318db40bbb85bd252da2de2249d33672ea3dff1901e4b7ea2e47118b |
| SHA512 | 1e7209458abc10702003bb9325cda4e4dd8c425dbd9453e6043b467b542edaaaf1d0f1222a802af8c03eb7cf4beb3842fb816a6f3779304be7bf31d1fa275c3b |
memory/4604-178-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-179-0x0000000001070000-0x000000000124F000-memory.dmp
C:\Users\Admin\Documents\iofolko5\6a4XzHQ6jn_mUuMQCUo_5PHf.exe
| MD5 | cb5ad18649a907f49154af26ad332030 |
| SHA1 | 46acabf085b42f39bf085432ce436a2d895d8dad |
| SHA256 | 8874ee4d9c878a6dc7f2681ec36df05cb09c44ccb3be0ec89569f5bdece80519 |
| SHA512 | 36363dde451354f6e87ee48a2b68a55cec92887a49e40844141e60ff9374b694aa6a3225a20dfb3f496d1fe0ebf6be7551adf1109ae037dfa80ad7387a19cd8c |
memory/4604-190-0x0000000001070000-0x000000000124F000-memory.dmp
C:\Users\Admin\Documents\iofolko5\gow9A3uZPKtn9Ftd_ORmJBUB.exe
| MD5 | 079d166295bafa2ab44902c8bf5ff2a5 |
| SHA1 | 46e728a035c3fd9618f823a5d0b525a9aa22e1c1 |
| SHA256 | dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8 |
| SHA512 | 949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b |
C:\Users\Admin\Documents\iofolko5\5YHMjpcPvi7qYgGf0ItYoctK.exe
| MD5 | 353a64f4357229f2fbff5415299b6847 |
| SHA1 | 7e61652046564004105556327fadd777f5502747 |
| SHA256 | e8755a8eb78c2b7e45f588266ed52fe5b6485125b8f23cda1b0843326f1a9fa9 |
| SHA512 | d610a3e74516c1cdc7a8c3cc72e549c427ca9de75c50a1f60c8cbc1ae0bf68041d2b2244c44b63fd92c8a6dc9a60ad4cad0ad5d430c91d56c88fb79521bb670a |
memory/4604-208-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-224-0x0000000001070000-0x000000000124F000-memory.dmp
memory/424-235-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4604-220-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-222-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-218-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-214-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-212-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-229-0x0000000001070000-0x000000000124F000-memory.dmp
memory/4604-216-0x0000000001070000-0x000000000124F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-0EL43.tmp\5YHMjpcPvi7qYgGf0ItYoctK.tmp
| MD5 | 2260edfd6c7422c618e91e6ae9c2a17f |
| SHA1 | f821fc16d946dfc73c5eadeeec9d3f881787a20c |
| SHA256 | 2fa4fc8301ffc6c62a91f85349b38473f6cc1c0be624739e1316943cf9cbb90f |
| SHA512 | b1077673e5830a1c9fc36410f68531aecb21fb2bfd2c494a61a2cce3834057d9e481ef88347e7bd491134067ce29ff54e252c46a385b1bfb048b2836dbf0b74f |
memory/2072-243-0x00000000000F0000-0x0000000000162000-memory.dmp
memory/1972-246-0x00007FFD15390000-0x00007FFD15392000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-LNIHU.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1972-256-0x0000000140000000-0x00000001419FB000-memory.dmp
memory/3548-261-0x0000000000BA0000-0x0000000000BF4000-memory.dmp
memory/2776-262-0x0000000000A90000-0x0000000000ADA000-memory.dmp
memory/3752-264-0x00000000002D0000-0x0000000000354000-memory.dmp
memory/1880-263-0x00000000006B0000-0x00000000006E8000-memory.dmp
memory/2924-276-0x0000000000400000-0x0000000000657000-memory.dmp
memory/4340-279-0x0000000000400000-0x0000000000643000-memory.dmp
memory/5096-280-0x0000000005C10000-0x000000000610E000-memory.dmp
memory/2924-274-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2924-272-0x0000000000400000-0x0000000000657000-memory.dmp
memory/5096-270-0x0000000000400000-0x0000000000452000-memory.dmp
memory/5096-281-0x00000000057B0000-0x0000000005842000-memory.dmp
memory/4340-268-0x0000000000400000-0x0000000000643000-memory.dmp
memory/5096-283-0x0000000005750000-0x000000000575A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp694.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/2072-298-0x000000001D710000-0x000000001D81A000-memory.dmp
memory/2072-301-0x000000001AD60000-0x000000001AD72000-memory.dmp
memory/2072-303-0x000000001AED0000-0x000000001AF0E000-memory.dmp
memory/5096-302-0x0000000006310000-0x0000000006386000-memory.dmp
memory/5096-304-0x0000000006A10000-0x0000000006A2E000-memory.dmp
memory/5096-306-0x0000000007040000-0x0000000007646000-memory.dmp
memory/5096-307-0x0000000006BB0000-0x0000000006CBA000-memory.dmp
memory/5096-308-0x0000000006AE0000-0x0000000006AF2000-memory.dmp
memory/5096-309-0x0000000006B40000-0x0000000006B7E000-memory.dmp
memory/5096-310-0x0000000006CC0000-0x0000000006D0B000-memory.dmp
memory/4340-311-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2072-340-0x000000001BE30000-0x000000001BEA6000-memory.dmp
memory/2072-341-0x0000000002550000-0x000000000256E000-memory.dmp
memory/2072-345-0x000000001E180000-0x000000001E342000-memory.dmp
memory/2072-346-0x000000001F020000-0x000000001F546000-memory.dmp
memory/2924-347-0x0000000000400000-0x0000000000657000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/2924-365-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2976-370-0x0000000000400000-0x000000000106F000-memory.dmp
memory/424-371-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2924-374-0x000000001FB60000-0x000000001FDBF000-memory.dmp
memory/2924-384-0x0000000000400000-0x0000000000657000-memory.dmp
C:\ProgramData\EGDGIEGHJEGI\IDBKFH
| MD5 | dc89cfe2a3b5ff9acb683c7237226713 |
| SHA1 | 24f19bc7d79fa0c5af945b28616225866ee51dd5 |
| SHA256 | ceddefa824f1dd6e7e669d4470e18e557c22fe73359f5b31edf4537473b96148 |
| SHA512 | ee5d047e1124351997ecfaa5c8bd3e9ce8a974ac281675cda4d0a55e40f3883336a2378b9ebf3d1f227d01b386c26473c32e39bcab836da2b392bf778a6cf5c2 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminFCAAEBFHJJ.exe.log
| MD5 | 957779c42144282d8cd83192b8fbc7cf |
| SHA1 | de83d08d2cca06b9ff3d1ef239d6b60b705d25fe |
| SHA256 | 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51 |
| SHA512 | f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd |
memory/2280-410-0x00000000009C0000-0x0000000000A14000-memory.dmp
C:\ProgramData\EGDGIEGHJEGI\IECFHD
| MD5 | 97f54db01153d253f5291ecdc56f2d70 |
| SHA1 | c1a696309a118de9c83856730e6c7a95f3d27246 |
| SHA256 | 98d289ca6771ec98aee9f44785616537e4b7cb10e37ae92ab463c60d50b57e26 |
| SHA512 | 8262ef2e0d4d50f12609e793a24be6576c430787f4f7ed722496e94e7e55f1fd95cdf9aaccc0392bee11758fa39f421813b1262bceb46dedca1dfaf7240638f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\l[1].exe
| MD5 | 1c67f687230addd2815b74bc892a047f |
| SHA1 | 38f238cad4286ea4ef25d909979b5cd456a7cac5 |
| SHA256 | 2c0f008432d2604d3578b9ba1f896ecaff4add7d6ece6051f5940de892c26c91 |
| SHA512 | 1c5cabf89e98a2d87aca4143b93db5dc9b1c0c9c2557052abe888422afc4e79dd9a641122bd0bbb92d13049b5c7fea8014f4945efbf23c5dd33703f99d80f6b0 |
C:\ProgramData\GHIJJJEGDBFH\AAEHDA
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\ProgramData\GHIJJJEGDBFH\HJJJDA
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\BAKEBAFIIECB\DHIDHI
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |