e259f8e69085151805395fad4970f4e2b3920363b32a692bfd4eab6680c8d8e9

Resubmissions

21-11-2024 16:39

241121-t5z9qsxrhj 10

20-11-2024 17:39

241120-v79rma1ckp 10

08-11-2024 04:15

241108-evbfasvhlm 7

08-11-2024 02:54

241108-dd3b1ssqbw 7

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Animalia_Setup.exe
Size

683.8MB
MD5

d652c61668315117399986777c68c09b
SHA1

ffdbec785a4ad9b9ce41618ad233fc04b8e8ccc8
SHA256

e259f8e69085151805395fad4970f4e2b3920363b32a692bfd4eab6680c8d8e9
SHA512

3745ec26d5acac91d62638392b167ccbb124080593dcb1ffdabef68460726397d200a3b439a8e63a2989a15e6b75f397ddc5366730958ecc213c6b84b622ad43
SSDEEP

98304:6wRECL/6tcnGp2ml3Q51nALymL0wmLHhfKxButG2jqlWedjOfXlHJ0zCYJqvJj:mCecGp283y1YyS0JLHIJnnQXlH+zsB

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Animalia_Setup.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Animalia_Setup.tmp

Executes dropped EXE 7 IoCs

Processes:

Animalia_Setup.tmpAnimalia_Setup.tmpAutoIt3.exeAnimalia.exeAnimalia.tmpMyProg-x64.exeMyProg-x64.exe

pid	Process
3520	Animalia_Setup.tmp
1892	Animalia_Setup.tmp
4980	AutoIt3.exe
3920	Animalia.exe
2036	Animalia.tmp
3972	MyProg-x64.exe
4292	MyProg-x64.exe

Loads dropped DLL 4 IoCs

Processes:

Animalia_Setup.tmpAnimalia_Setup.tmp

pid	Process
3520	Animalia_Setup.tmp
3520	Animalia_Setup.tmp
1892	Animalia_Setup.tmp
1892	Animalia_Setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
3992	tasklist.exe
5068	tasklist.exe
4220	tasklist.exe
4476	tasklist.exe
4072	tasklist.exe
2248	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

AutoIt3.exe

description	pid	Process	procid_target
PID 4980 set thread context of 4232	4980	AutoIt3.exe	131

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AutoIt3.exeAnimalia.exeAddInProcess32.exeAnimalia.tmpAnimalia_Setup.exeAnimalia_Setup.tmpAnimalia_Setup.exeAnimalia_Setup.tmp

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Animalia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Animalia.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Animalia_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Animalia_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Animalia_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Animalia_Setup.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AutoIt3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Modifies registry class 15 IoCs

Processes:

Animalia.tmp

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp\shell\open\command	Animalia.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Applications\MyProg-x64.exe\SupportedTypes\.myp	Animalia.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp\ = "Animalia File"	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.myp	Animalia.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.myp\OpenWithProgids\AnimaliaFile.myp	Animalia.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Animalia\\MyProg-x64.exe,0"	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Applications\MyProg-x64.exe\SupportedTypes	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Applications	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.myp\OpenWithProgids	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp\shell	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp\shell\open	Animalia.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Animalia\\MyProg-x64.exe\" \"%1\""	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Applications\MyProg-x64.exe	Animalia.tmp
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\AnimaliaFile.myp\DefaultIcon	Animalia.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Animalia_Setup.tmpAnimalia.tmp

pid	Process
1892	Animalia_Setup.tmp
1892	Animalia_Setup.tmp
2036	Animalia.tmp
2036	Animalia.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	Process
Token: SeDebugPrivilege	4220	tasklist.exe
Token: SeDebugPrivilege	4476	tasklist.exe
Token: SeDebugPrivilege	4072	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	3992	tasklist.exe
Token: SeDebugPrivilege	5068	tasklist.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Animalia_Setup.tmpAnimalia.tmp

pid	Process
1892	Animalia_Setup.tmp
2036	Animalia.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Animalia_Setup.exeAnimalia_Setup.tmpAnimalia_Setup.exeAnimalia_Setup.tmpcmd.execmd.execmd.execmd.execmd.execmd.exeAutoIt3.exeAnimalia.exeAnimalia.tmp

description	pid	Process	procid_target
PID 2948 wrote to memory of 3520	2948	Animalia_Setup.exe	91
PID 2948 wrote to memory of 3520	2948	Animalia_Setup.exe	91
PID 2948 wrote to memory of 3520	2948	Animalia_Setup.exe	91
PID 3520 wrote to memory of 1592	3520	Animalia_Setup.tmp	95
PID 3520 wrote to memory of 1592	3520	Animalia_Setup.tmp	95
PID 3520 wrote to memory of 1592	3520	Animalia_Setup.tmp	95
PID 1592 wrote to memory of 1892	1592	Animalia_Setup.exe	96
PID 1592 wrote to memory of 1892	1592	Animalia_Setup.exe	96
PID 1592 wrote to memory of 1892	1592	Animalia_Setup.exe	96
PID 1892 wrote to memory of 4000	1892	Animalia_Setup.tmp	104
PID 1892 wrote to memory of 4000	1892	Animalia_Setup.tmp	104
PID 4000 wrote to memory of 4220	4000	cmd.exe	106
PID 4000 wrote to memory of 4220	4000	cmd.exe	106
PID 4000 wrote to memory of 1128	4000	cmd.exe	107
PID 4000 wrote to memory of 1128	4000	cmd.exe	107
PID 1892 wrote to memory of 1992	1892	Animalia_Setup.tmp	108
PID 1892 wrote to memory of 1992	1892	Animalia_Setup.tmp	108
PID 1992 wrote to memory of 4476	1992	cmd.exe	110
PID 1992 wrote to memory of 4476	1992	cmd.exe	110
PID 1992 wrote to memory of 4136	1992	cmd.exe	111
PID 1992 wrote to memory of 4136	1992	cmd.exe	111
PID 1892 wrote to memory of 1844	1892	Animalia_Setup.tmp	112
PID 1892 wrote to memory of 1844	1892	Animalia_Setup.tmp	112
PID 1844 wrote to memory of 4072	1844	cmd.exe	114
PID 1844 wrote to memory of 4072	1844	cmd.exe	114
PID 1844 wrote to memory of 3972	1844	cmd.exe	115
PID 1844 wrote to memory of 3972	1844	cmd.exe	115
PID 1892 wrote to memory of 2004	1892	Animalia_Setup.tmp	116
PID 1892 wrote to memory of 2004	1892	Animalia_Setup.tmp	116
PID 2004 wrote to memory of 2248	2004	cmd.exe	118
PID 2004 wrote to memory of 2248	2004	cmd.exe	118
PID 2004 wrote to memory of 652	2004	cmd.exe	119
PID 2004 wrote to memory of 652	2004	cmd.exe	119
PID 1892 wrote to memory of 3620	1892	Animalia_Setup.tmp	120
PID 1892 wrote to memory of 3620	1892	Animalia_Setup.tmp	120
PID 3620 wrote to memory of 3992	3620	cmd.exe	122
PID 3620 wrote to memory of 3992	3620	cmd.exe	122
PID 3620 wrote to memory of 4952	3620	cmd.exe	123
PID 3620 wrote to memory of 4952	3620	cmd.exe	123
PID 1892 wrote to memory of 1432	1892	Animalia_Setup.tmp	124
PID 1892 wrote to memory of 1432	1892	Animalia_Setup.tmp	124
PID 1432 wrote to memory of 5068	1432	cmd.exe	126
PID 1432 wrote to memory of 5068	1432	cmd.exe	126
PID 1432 wrote to memory of 2880	1432	cmd.exe	127
PID 1432 wrote to memory of 2880	1432	cmd.exe	127
PID 1892 wrote to memory of 4980	1892	Animalia_Setup.tmp	128
PID 1892 wrote to memory of 4980	1892	Animalia_Setup.tmp	128
PID 1892 wrote to memory of 4980	1892	Animalia_Setup.tmp	128
PID 4980 wrote to memory of 3920	4980	AutoIt3.exe	129
PID 4980 wrote to memory of 3920	4980	AutoIt3.exe	129
PID 4980 wrote to memory of 3920	4980	AutoIt3.exe	129
PID 4980 wrote to memory of 3508	4980	AutoIt3.exe	130
PID 4980 wrote to memory of 3508	4980	AutoIt3.exe	130
PID 4980 wrote to memory of 3508	4980	AutoIt3.exe	130
PID 4980 wrote to memory of 4232	4980	AutoIt3.exe	131
PID 4980 wrote to memory of 4232	4980	AutoIt3.exe	131
PID 4980 wrote to memory of 4232	4980	AutoIt3.exe	131
PID 4980 wrote to memory of 4232	4980	AutoIt3.exe	131
PID 4980 wrote to memory of 4232	4980	AutoIt3.exe	131
PID 3920 wrote to memory of 2036	3920	Animalia.exe	132
PID 3920 wrote to memory of 2036	3920	Animalia.exe	132
PID 3920 wrote to memory of 2036	3920	Animalia.exe	132
PID 2036 wrote to memory of 3972	2036	Animalia.tmp	138
PID 2036 wrote to memory of 3972	2036	Animalia.tmp	138

C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\is-V6TAM.tmp\Animalia_Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V6TAM.tmp\Animalia_Setup.tmp" /SL5="$D0264,4776157,814080,C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\is-58GSE.tmp\Animalia_Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-58GSE.tmp\Animalia_Setup.tmp" /SL5="$E0264,4776157,814080,C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
      - C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        6⤵
        
        PID:1128
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
      - C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        6⤵
        
        PID:4136
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
      - C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        6⤵
        
        PID:3972
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
      - C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        6⤵
        
        PID:652
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
      - C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        6⤵
        
        PID:4952
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
      - C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        6⤵
        
        PID:2880
    - - C:\Users\Admin\AppData\Roaming\Dokany Project\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Roaming\Dokany Project\\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Dokany Project\\Time.eml"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\temp\Animalia.exe
        
        "C:\temp\Animalia.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\is-HT8I8.tmp\Animalia.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HT8I8.tmp\Animalia.tmp" /SL5="$B0040,843430,814080,C:\temp\Animalia.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"
        8⤵
        Executes dropped EXE
        
        PID:3972
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        
        PID:3508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4232

C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe
"C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"
1⤵
- Executes dropped EXE
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe

Filesize
83KB

MD5
5e228e133980d70be45102bdebb200ce

SHA1
59556ba5fc259c84dbcb57f182b722c7b31f6257

SHA256
39da6b9d4f23e879e31d698d14c21e0644c9256505c22a68577cd513f6afcab9

SHA512
c9348b22b6f96c2104e1c440df99c7d3340661064b58934f21e0e8e8307c34d301a3f05f3189c5f3e80bfcd8352003dd6fa4d9db1847884939b3a098693fac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HIVME.tmp\is-V769Q.tmp

Filesize
432B

MD5
8f6eb9e75e6a6f0c0d58fb697c10cedf

SHA1
6944935dfdc33e0c6db26869bf25eda85a2622d8

SHA256
e2b8677434501735fb0233ed0cc2ffee5bf6fb4387c51dbcb2585a70e42e4f08

SHA512
a946252b2e3705eae751a2672d4ade1499eceb28c48b4be6150c4201ee20a7b9a4450c75e06b07f5daa3528041a566931d988fbd0c2ea90240d61008895ba44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HT8I8.tmp\Animalia.tmp

Filesize
3.2MB

MD5
2e23446366c0aa53b79ae08278e68a5b

SHA1
2172d6d23b447e6725c0e81343b18112c3634428

SHA256
a6b497ef42cf0f2506a83eef8f18de1e31ffd5dbf888d6d3c3bfbdded54f1d84

SHA512
2bdccaa4d4068c62e4318ecc045da23946ff088f826083d0a16051d8128457c13a9ee880cdea7425f83516a265f990d095df2681a3f26e2b4b9c62144a8151f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKS8C.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V6TAM.tmp\Animalia_Setup.tmp

Filesize
3.2MB

MD5
d558678a30299a8af9f0af3079bd29ba

SHA1
343c5a46ecd97d3ffe33a4148e79c67032c5208a

SHA256
f862c70a303b1335df33f7494a39bd1419004c2906e168084ce05bc738dd7cc8

SHA512
1d7b3643415847bba3001c6e7bd62283cced828e37b68ebc8ec79df4e0e079569cf27fbd3356c8478fcc9a85d86da84b71b52a0b136da65f0a8e9254f3c6d39e

Download Submit
C:\Users\Admin\AppData\Roaming\Dokany Project\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Roaming\Dokany Project\Time.eml

Filesize
2.8MB

MD5
0b77be61749cf678934f47e441a20c81

SHA1
5119b665f8e5260bccd9d6638a3aa376630a23a3

SHA256
d2309d5c6c13af7c376821875d11f515653663cccb49589f35d585a4d3b136e4

SHA512
29282b2e7a801d2bc6de2fddd61e442fab55dcfc30242af0f80d8204adf1a916d95d5a6b560819efda92b60bcfd4a97269080ce45dbf4d823ee70866a3102ecd

Download Submit
C:\temp\Animalia.exe

Filesize
1.7MB

MD5
924083300365f62e344776b9bd60ff45

SHA1
f46928b202675de33e52d44a983070d576f70109

SHA256
dcb210636a39d1226b713ff492e6f23903b658f59a32dd17f6c324549e7fac78

SHA512
1b2a3b7d2bd2531975e989495d5becb007a1ac3d9d0853ba69be36f8f7c50cef8c11c276a007909564debb942ae8aea9c4fa76c0b69f6c5cbc1161a46b085931

Download Submit
memory/1592-164-0x0000000000E80000-0x0000000000F55000-memory.dmp

Filesize
852KB

Download
memory/1592-15-0x0000000000E80000-0x0000000000F55000-memory.dmp

Filesize
852KB

Download
memory/1592-239-0x0000000000E80000-0x0000000000F55000-memory.dmp

Filesize
852KB

Download
memory/1892-23-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1892-166-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1892-165-0x0000000000440000-0x0000000000774000-memory.dmp

Filesize
3.2MB

Download
memory/1892-237-0x0000000000440000-0x0000000000774000-memory.dmp

Filesize
3.2MB

Download
memory/2036-267-0x00000000003D0000-0x0000000000704000-memory.dmp

Filesize
3.2MB

Download
memory/2036-254-0x00000000003D0000-0x0000000000704000-memory.dmp

Filesize
3.2MB

Download
memory/2948-19-0x0000000000E80000-0x0000000000F55000-memory.dmp

Filesize
852KB

Download
memory/2948-2-0x0000000000E81000-0x0000000000F29000-memory.dmp

Filesize
672KB

Download
memory/2948-1-0x0000000000E80000-0x0000000000F55000-memory.dmp

Filesize
852KB

Download
memory/3520-17-0x00000000009F0000-0x0000000000D24000-memory.dmp

Filesize
3.2MB

Download
memory/3520-6-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/3920-244-0x00000000005E0000-0x00000000006B5000-memory.dmp

Filesize
852KB

Download
memory/3920-253-0x00000000005E0000-0x00000000006B5000-memory.dmp

Filesize
852KB

Download
memory/3920-268-0x00000000005E0000-0x00000000006B5000-memory.dmp

Filesize
852KB

Download
memory/4232-249-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4232-248-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download