Analysis Overview
SHA256
41f2e8b68fe406f818f0ab48067d967cc0a3430a9ddb97a191b3fca163b756ab
Threat Level: Known bad
The file 66D7C25E25D943FF9972AD4E2821A586.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-14 20:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-14 20:21
Reported
2021-05-14 20:23
Platform
win7v20210410
Max time kernel
76s
Max time network
10s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe
"C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c IDrlwJfYJMXmiwvMLejGiwpEbzAYBNQCCBNmtKWnUyoSIhlcKugZfCLGzmNHpdbWWxXGgWHqyOLwSsWpoyhxmQjZPuuFXggDIjVhdDuOnhTBQJNeCEmtrebuoXQoQeeRmiz
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cJSEYmWkWKpyarezPlAGPOtzNYXvleeIdiGTLUuDuklbOKPNZJefHMQGEmRZBmqUIAPkvpHUtXADEHEeplvBZMwDdZgjeuwGk
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c PhVEdQeikKjheXUPQsrmUVmkUvUcSXVTagSsuFUGnRBssrXsshdK
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c LcTNKJTWHfhOaVNyDIlvbqezoURnCrEGldGTYDvVqJRCgCYoljOEygyLamFQRczDKHEegTuZkfvNoAyFVJgfgZBW
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c UAnYGtFfgRHYVTsuOzQRaCSxZUiirgLuHRzaHwF
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c QbUJnHqQWpAGKtSaItYMWnjZuBdtmYnNNFqVIpV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rhCXAMlbIpgvnaQrwtQfFzGEIidtAfAdlUEGulyjCLneKrEtxoszjcVJHXfavyXzJYkEOlWQYEMUVDUECkJa & irPYUYpUNPbOyzMRqdlkAcHIwOrrLQkcEcBUvFUkNWlPfyPpoMBVmuvMcuXuUuoWDwpKSRxxvYnElSzVYUUYgdVnYPndINdHNgkhVyddaimBISBDNwiqklIjuLLrztMIHRQWHyqTDEGiRxP & hVCGGdvDGYipzhXhxQTRwFVHwhvG & AcMWEPbBywscjdIYQAfGzMqAYyHZVFzTPqyDxhObmLfOCcOfhJkNiZlOxjXmonGAIbFjlyDCLRiHbjXCdsMjzGMPQ & oodffqtPytQBtiyIwfSCsogxoQMxueLQvUWcjcCuCIuSMOjEuLEvWhZ & TVungKIrzZyl & KvFMLZJwvIzEihcngToUVBsfrRSZrmNJwzvfYKk & dYbjNUivhEtyWdfotdJTiJYXVKCNQyAEIUEWttCpKcLnxHNL & glHqsuGqmseazGitmbwLat & OApLYmCgWQJCVSDsNYWENmQsPExUlLqMllSAicIAXruCKrjkWyhMcmjfJSWzyHrlPWaKZepadcHKahGMsoYtnhdKYCRfngcfZVMNKCkTVVvqSBXckleWJZMBGILbkTTeqsKbBSwPWypCRdSvFctgk & FqokieQOHwwzqARmUaphqDPpJfQfRQPFQBLKgfLYYobiBbdsFyALyYnelZBRjBXRjvDnOukEHlgS & IIjZnJLftmRrJAgOTMblGVtUR & mUWtVKGWBdfSORjCoWLctGWQObRHmNDaiUlRzqEivNYYnqYFYtNiovnSXyfbSYvONXKTHcpoaEYdHYsNmjJxqcpLv & ThKugndplBdyXDVFPDnolYNCYGfeOsNYbfBVbjfAZnNQvxgumcGGjhuVA & oIogcTOsHIwqiDgYoMlWyEapCaKiLppG & frGsLeUetMGtmhrsgyzKDeDdYMeoHFnncFSmHGbKdUqSMyryHPbrPWQjAdaYZLxnh & JTcDKIIJzJeLDTIXBRocJmOFZdhnL & mBEEcpJryOxuCilOMndwlDfSbltQEzxlXPpAiYbngbMzqCWHckDOoJxWkMikyTmLxloNYKGNqRNNQWRUhbxzPFwgcjgx & jzxYwZPxpILEPOdVGufUjYInyVPpTaMcjWObaOPWeArOJPqRKaOyYmFhLWSypGARWfsTZTDSdaSLVTOdVXnBDGbMdBMcWKMcZkSxbuSRPWPFHTsRiCpjoZgfRFDbuiW & FvMKwxSPyGLHRRybpUgzAAhqXCCRDxLHqoZliHQNJxuChGnqAuhkTCuypLMmRqkLVrHISUfBtAJyxLMsrCsbumObeUqcVdVIo & GpYQiFQMiaSqKnYccfJOEcfpGXUTGNFwWZtDahxMGxsvEwlCbmUGZxQkUOplLWyzMR & KxcroUXiprSFFNaviSZwC & C:\Windows\system32\cmd < Naufrago.vssm
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^MPJomTHJarWYKrSxnHIhGEIlXeqEtUnnpLOyyJXoCUxrBcBNOGmEhseoimkvSrFbFbPYfMgPJmLMpEIBBjPbcUkSJFYFbBdngXbrGCnesKUNGdZCQKVFhieLkWfJNIs$" Vedi.vssm
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
Ove.exe.com U
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com U
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | njaGvPNGKkiUMRKjPgJaMEzTNckPW.njaGvPNGKkiUMRKjPgJaMEzTNckPW | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Naufrago.vssm
| MD5 | 0ea939d07910e5680eaba781fed9f4c6 |
| SHA1 | 16750a9faa7f86001bb3a37d3af8c74aabf7a558 |
| SHA256 | e9067185c072df4711476e5077b05471f837d2a26bdf9f2df4c12c8927c64101 |
| SHA512 | 2d49b427d0975ea5ceb291e96989efa7f520411a4166f1fea51e4e7d376f62454f45446f742c38e251084b00e250ec9079578802eb30aa978e52ca1ab0f089c9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedi.vssm
| MD5 | 66079f39d09ee60c306bcc68975da688 |
| SHA1 | 87730e83e05c23aa25adf46a3dcb328fe17b06f1 |
| SHA256 | 3348730b4ed962b95008cffd4126567719718e6685f07bd9d17ffca597987dad |
| SHA512 | 0171b2d381f807531e34feda16c920edf5c9914629ad84f636e469bad6e42466e943ba81aa69eb6f25086d8d9f76a790520a9fe8abaf6e8f477f847f58b70ed7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rivederla.vssm
| MD5 | 02e2ea2921d002a9ab6ad0a6a7d819e3 |
| SHA1 | ce00c57854ea9a00204be2ca09fbcd14344dd7cc |
| SHA256 | 43529889b51250b91d4c484535c1290b8c46a68871143b86edbbbc81c595f634 |
| SHA512 | 791a5512be1ebbfd8d5d6b4ca0966cb4da2bac29c6034e3843b95cea43467ffdf3d3301bdf0666c1fad1026df151a2d70d33c4e1e5c747eee27fd7418b73c760 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\U
| MD5 | 02e2ea2921d002a9ab6ad0a6a7d819e3 |
| SHA1 | ce00c57854ea9a00204be2ca09fbcd14344dd7cc |
| SHA256 | 43529889b51250b91d4c484535c1290b8c46a68871143b86edbbbc81c595f634 |
| SHA512 | 791a5512be1ebbfd8d5d6b4ca0966cb4da2bac29c6034e3843b95cea43467ffdf3d3301bdf0666c1fad1026df151a2d70d33c4e1e5c747eee27fd7418b73c760 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Raccontava.vssm
| MD5 | 4060e7e4fc30ebcd661fadfe92a79984 |
| SHA1 | 3bfcb1d2de4ea0aa83d2269a2b8387a1af5eed89 |
| SHA256 | ce9030cbf2306e115248c29d96eca5f57dfab5ea5d4fc4f6bdfdaeec6be78ecb |
| SHA512 | 499014b7254e6c762efc3bcf8fe4edf9f239d39313473c34ca68e335d133cff218c028c203cb468b23aade481faddc415d17fe930a08341b8aeaa95d4af67c39 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-14 20:21
Reported
2021-05-14 20:23
Platform
win10v20210410
Max time kernel
136s
Max time network
139s
Command Line
Signatures
CryptBot
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ysROCbH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\ysROCbH.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe
"C:\Users\Admin\AppData\Local\Temp\66D7C25E25D943FF9972AD4E2821A586.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c IDrlwJfYJMXmiwvMLejGiwpEbzAYBNQCCBNmtKWnUyoSIhlcKugZfCLGzmNHpdbWWxXGgWHqyOLwSsWpoyhxmQjZPuuFXggDIjVhdDuOnhTBQJNeCEmtrebuoXQoQeeRmiz
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cJSEYmWkWKpyarezPlAGPOtzNYXvleeIdiGTLUuDuklbOKPNZJefHMQGEmRZBmqUIAPkvpHUtXADEHEeplvBZMwDdZgjeuwGk
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c PhVEdQeikKjheXUPQsrmUVmkUvUcSXVTagSsuFUGnRBssrXsshdK
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c LcTNKJTWHfhOaVNyDIlvbqezoURnCrEGldGTYDvVqJRCgCYoljOEygyLamFQRczDKHEegTuZkfvNoAyFVJgfgZBW
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c UAnYGtFfgRHYVTsuOzQRaCSxZUiirgLuHRzaHwF
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c QbUJnHqQWpAGKtSaItYMWnjZuBdtmYnNNFqVIpV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rhCXAMlbIpgvnaQrwtQfFzGEIidtAfAdlUEGulyjCLneKrEtxoszjcVJHXfavyXzJYkEOlWQYEMUVDUECkJa & irPYUYpUNPbOyzMRqdlkAcHIwOrrLQkcEcBUvFUkNWlPfyPpoMBVmuvMcuXuUuoWDwpKSRxxvYnElSzVYUUYgdVnYPndINdHNgkhVyddaimBISBDNwiqklIjuLLrztMIHRQWHyqTDEGiRxP & hVCGGdvDGYipzhXhxQTRwFVHwhvG & AcMWEPbBywscjdIYQAfGzMqAYyHZVFzTPqyDxhObmLfOCcOfhJkNiZlOxjXmonGAIbFjlyDCLRiHbjXCdsMjzGMPQ & oodffqtPytQBtiyIwfSCsogxoQMxueLQvUWcjcCuCIuSMOjEuLEvWhZ & TVungKIrzZyl & KvFMLZJwvIzEihcngToUVBsfrRSZrmNJwzvfYKk & dYbjNUivhEtyWdfotdJTiJYXVKCNQyAEIUEWttCpKcLnxHNL & glHqsuGqmseazGitmbwLat & OApLYmCgWQJCVSDsNYWENmQsPExUlLqMllSAicIAXruCKrjkWyhMcmjfJSWzyHrlPWaKZepadcHKahGMsoYtnhdKYCRfngcfZVMNKCkTVVvqSBXckleWJZMBGILbkTTeqsKbBSwPWypCRdSvFctgk & FqokieQOHwwzqARmUaphqDPpJfQfRQPFQBLKgfLYYobiBbdsFyALyYnelZBRjBXRjvDnOukEHlgS & IIjZnJLftmRrJAgOTMblGVtUR & mUWtVKGWBdfSORjCoWLctGWQObRHmNDaiUlRzqEivNYYnqYFYtNiovnSXyfbSYvONXKTHcpoaEYdHYsNmjJxqcpLv & ThKugndplBdyXDVFPDnolYNCYGfeOsNYbfBVbjfAZnNQvxgumcGGjhuVA & oIogcTOsHIwqiDgYoMlWyEapCaKiLppG & frGsLeUetMGtmhrsgyzKDeDdYMeoHFnncFSmHGbKdUqSMyryHPbrPWQjAdaYZLxnh & JTcDKIIJzJeLDTIXBRocJmOFZdhnL & mBEEcpJryOxuCilOMndwlDfSbltQEzxlXPpAiYbngbMzqCWHckDOoJxWkMikyTmLxloNYKGNqRNNQWRUhbxzPFwgcjgx & jzxYwZPxpILEPOdVGufUjYInyVPpTaMcjWObaOPWeArOJPqRKaOyYmFhLWSypGARWfsTZTDSdaSLVTOdVXnBDGbMdBMcWKMcZkSxbuSRPWPFHTsRiCpjoZgfRFDbuiW & FvMKwxSPyGLHRRybpUgzAAhqXCCRDxLHqoZliHQNJxuChGnqAuhkTCuypLMmRqkLVrHISUfBtAJyxLMsrCsbumObeUqcVdVIo & GpYQiFQMiaSqKnYccfJOEcfpGXUTGNFwWZtDahxMGxsvEwlCbmUGZxQkUOplLWyzMR & KxcroUXiprSFFNaviSZwC & C:\Windows\system32\cmd < Naufrago.vssm
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^MPJomTHJarWYKrSxnHIhGEIlXeqEtUnnpLOyyJXoCUxrBcBNOGmEhseoimkvSrFbFbPYfMgPJmLMpEIBBjPbcUkSJFYFbBdngXbrGCnesKUNGdZCQKVFhieLkWfJNIs$" Vedi.vssm
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
Ove.exe.com U
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com U
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ysROCbH.exe"
C:\Users\Admin\AppData\Local\Temp\ysROCbH.exe
"C:\Users\Admin\AppData\Local\Temp\ysROCbH.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\KNVglUKfWRL & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com"
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | njaGvPNGKkiUMRKjPgJaMEzTNckPW.njaGvPNGKkiUMRKjPgJaMEzTNckPW | udp |
| N/A | 8.8.8.8:53 | remkdi35.top | udp |
| N/A | 8.8.8.8:53 | morkqz03.top | udp |
| N/A | 35.233.146.63:80 | morkqz03.top | tcp |
| N/A | 8.8.8.8:53 | sulejx04.top | udp |
| N/A | 35.245.17.142:80 | sulejx04.top | tcp |
| N/A | 35.245.17.142:80 | sulejx04.top | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Naufrago.vssm
| MD5 | 0ea939d07910e5680eaba781fed9f4c6 |
| SHA1 | 16750a9faa7f86001bb3a37d3af8c74aabf7a558 |
| SHA256 | e9067185c072df4711476e5077b05471f837d2a26bdf9f2df4c12c8927c64101 |
| SHA512 | 2d49b427d0975ea5ceb291e96989efa7f520411a4166f1fea51e4e7d376f62454f45446f742c38e251084b00e250ec9079578802eb30aa978e52ca1ab0f089c9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedi.vssm
| MD5 | 66079f39d09ee60c306bcc68975da688 |
| SHA1 | 87730e83e05c23aa25adf46a3dcb328fe17b06f1 |
| SHA256 | 3348730b4ed962b95008cffd4126567719718e6685f07bd9d17ffca597987dad |
| SHA512 | 0171b2d381f807531e34feda16c920edf5c9914629ad84f636e469bad6e42466e943ba81aa69eb6f25086d8d9f76a790520a9fe8abaf6e8f477f847f58b70ed7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rivederla.vssm
| MD5 | 02e2ea2921d002a9ab6ad0a6a7d819e3 |
| SHA1 | ce00c57854ea9a00204be2ca09fbcd14344dd7cc |
| SHA256 | 43529889b51250b91d4c484535c1290b8c46a68871143b86edbbbc81c595f634 |
| SHA512 | 791a5512be1ebbfd8d5d6b4ca0966cb4da2bac29c6034e3843b95cea43467ffdf3d3301bdf0666c1fad1026df151a2d70d33c4e1e5c747eee27fd7418b73c760 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ove.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\U
| MD5 | 02e2ea2921d002a9ab6ad0a6a7d819e3 |
| SHA1 | ce00c57854ea9a00204be2ca09fbcd14344dd7cc |
| SHA256 | 43529889b51250b91d4c484535c1290b8c46a68871143b86edbbbc81c595f634 |
| SHA512 | 791a5512be1ebbfd8d5d6b4ca0966cb4da2bac29c6034e3843b95cea43467ffdf3d3301bdf0666c1fad1026df151a2d70d33c4e1e5c747eee27fd7418b73c760 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Raccontava.vssm
| MD5 | 4060e7e4fc30ebcd661fadfe92a79984 |
| SHA1 | 3bfcb1d2de4ea0aa83d2269a2b8387a1af5eed89 |
| SHA256 | ce9030cbf2306e115248c29d96eca5f57dfab5ea5d4fc4f6bdfdaeec6be78ecb |
| SHA512 | 499014b7254e6c762efc3bcf8fe4edf9f239d39313473c34ca68e335d133cff218c028c203cb468b23aade481faddc415d17fe930a08341b8aeaa95d4af67c39 |
C:\Users\Admin\AppData\Local\Temp\ysROCbH.exe
| MD5 | 28a024e96caa7e9c45db8fe0a5f8556c |
| SHA1 | 5d5db21fc5a07dd1d2430f3b5b5dbb57f15d92b9 |
| SHA256 | 3c310a7653f5e1d1e943fb1c8d2de86a791a8fc64af671519a5f093290a85c5c |
| SHA512 | 4ed9b9373bb8e0e2eecdbdd4a04da1d2802364a6bb2cf40be87b243478087b303a35bbab5ad53bd201f6cce61474ef3c8eaf5e9c6211ae6923a09b5ece3f80f8 |
C:\Users\Admin\AppData\Local\Temp\KNVglUKfWRL\files_\SYSTEM~1.TXT
| MD5 | add28645bf2e168bc5d9ea8a6edc6671 |
| SHA1 | 4ade5fde0909923b54bcf53b66b404004155bb3b |
| SHA256 | a7fb38788ea09d97ec96198a97d588764b7a538cff557b9d0d7290ae50f78ec5 |
| SHA512 | fdb6a0076ace051c402c5de9fb8435cef53b015f0a7d84915502a3ecb1ae0d097895ca9fdbb42446ed648cbe021aa944aaf4d48c79b5aac49e271eefcd245345 |
C:\Users\Admin\AppData\Local\Temp\KNVglUKfWRL\_Files\_SCREE~1.JPE
| MD5 | cacd5573306d1ea3a0d14cdf0249ba03 |
| SHA1 | e0fda58253606f5ec4736621a8d2c832598fb846 |
| SHA256 | f31066c53408be057f8bcaad9041e4f2f90ef06750045bb3150f4bafb4789a17 |
| SHA512 | d73e96916e1eb4f6003d118c8807558ba67c6cd4f084b94ae5e12b6000d4433ddbadadcfa98a547a57af6d6549c175b0dd55213fc8423143930f5a21e28b263d |
C:\Users\Admin\AppData\Local\Temp\KNVglUKfWRL\_Files\_INFOR~1.TXT
| MD5 | 2235c6969e214fd09fc15930a3eb1399 |
| SHA1 | 06aa3bc79ecb831ec368c6ef1da0e7e4def021a9 |
| SHA256 | be905c380d32ea32991cb9523dff779693aada5ae5a3e5ec7223771b361640bd |
| SHA512 | 6f698f9fb91c70eaa38e9b21e2a23d27b8b750d860bd5ceff7df0081fd6761fa08176ab8c7c4fce230a7d72bf5c4a4cddbb11b724caf74cb4ae2d1548bc76da9 |
C:\Users\Admin\AppData\Local\Temp\KNVglUKfWRL\NKHTVG~1.ZIP
| MD5 | 8c0de3c85bbd1efe49628b66edf72295 |
| SHA1 | 6a6b401b176d859a8816c394687fc00b20902c48 |
| SHA256 | 0070f38e91e31236997b3fb969e42ebc187b9898fd7c512e4d72c12dfadd78e2 |
| SHA512 | 35297826ec4fe80c98b28eb0e84645fa12dcb5b3dd2dc1345845905697c607e8ce32f055cd83b67405d8287b8aa22895411695c886240855b4bea54f2aa790f1 |
C:\Users\Admin\AppData\Local\Temp\KNVglUKfWRL\files_\SCREEN~1.JPG
| MD5 | cacd5573306d1ea3a0d14cdf0249ba03 |
| SHA1 | e0fda58253606f5ec4736621a8d2c832598fb846 |
| SHA256 | f31066c53408be057f8bcaad9041e4f2f90ef06750045bb3150f4bafb4789a17 |
| SHA512 | d73e96916e1eb4f6003d118c8807558ba67c6cd4f084b94ae5e12b6000d4433ddbadadcfa98a547a57af6d6549c175b0dd55213fc8423143930f5a21e28b263d |
C:\Users\Admin\AppData\Local\Temp\KNVglUKfWRL\BDUNOG~1.ZIP
| MD5 | 05bf36c5d359abb968d1791320bb2a1c |
| SHA1 | 591120be745f69f0b2b5a36db2f77ac7bac6cd65 |
| SHA256 | e96870638bd9e0ce24665c8f9c70c342e68bc78fde9b92f8c5085955ce26f22e |
| SHA512 | 69ba8d69bae87b183303bacef827ad84c45d141dc826f508c44129dae92236a180d2f6a4e5183dcf6fe82c40e6c3b8f9677d5e3cdd888348783b19d34d8986fb |
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 28a024e96caa7e9c45db8fe0a5f8556c |
| SHA1 | 5d5db21fc5a07dd1d2430f3b5b5dbb57f15d92b9 |
| SHA256 | 3c310a7653f5e1d1e943fb1c8d2de86a791a8fc64af671519a5f093290a85c5c |
| SHA512 | 4ed9b9373bb8e0e2eecdbdd4a04da1d2802364a6bb2cf40be87b243478087b303a35bbab5ad53bd201f6cce61474ef3c8eaf5e9c6211ae6923a09b5ece3f80f8 |