Analysis Overview
SHA256
8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529
Threat Level: Known bad
The file 8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529 was found to be: Known bad.
Malicious Activity Summary
xmrig
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
ServHelper
suricata: ET MALWARE Known Sinkhole Response Header
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Grants admin privileges
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
Executes dropped EXE
Downloads MZ/PE file
Deletes itself
Loads dropped DLL
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks installed software on the system
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Runs net.exe
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Checks SCSI registry key(s)
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-14 10:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-14 10:45
Reported
2021-09-14 10:47
Platform
win10v20210408
Max time kernel
151s
Max time network
137s
Command Line
Signatures
ServHelper
SmokeLoader
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
xmrig
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1357.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1C70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2318.exe | N/A |
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1C70.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1C70.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B38.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B38.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1C70.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rdpclip.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1C70.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 664 set thread context of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe |
| PID 2264 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\616.exe | C:\Users\Admin\AppData\Local\Temp\616.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\616.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1C70.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe
"C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe"
C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe
"C:\Users\Admin\AppData\Local\Temp\8d5b421f25dba8060d6d0975b71c491cf60817e956327bbc12e1055a44637529.exe"
C:\Users\Admin\AppData\Local\Temp\616.exe
C:\Users\Admin\AppData\Local\Temp\616.exe
C:\Users\Admin\AppData\Local\Temp\B38.exe
C:\Users\Admin\AppData\Local\Temp\B38.exe
C:\Users\Admin\AppData\Local\Temp\616.exe
C:\Users\Admin\AppData\Local\Temp\616.exe
C:\Users\Admin\AppData\Local\Temp\1357.exe
C:\Users\Admin\AppData\Local\Temp\1357.exe
C:\Users\Admin\AppData\Local\Temp\1C70.exe
C:\Users\Admin\AppData\Local\Temp\1C70.exe
C:\Users\Admin\AppData\Local\Temp\2318.exe
C:\Users\Admin\AppData\Local\Temp\2318.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 20
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r1b3acux\r1b3acux.cmdline"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\B38.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5436.tmp" "c:\Users\Admin\AppData\Local\Temp\r1b3acux\CSC4109AB9BC2E044DA9AEFFD9AD2E3D0ED.TMP"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\SysWOW64\cmd.exe
cmd /c net start rdpdr
C:\Windows\SysWOW64\net.exe
net start rdpdr
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\SysWOW64\cmd.exe
cmd /c net start TermService
C:\Windows\SysWOW64\net.exe
net start TermService
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TermService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fazanaharahe1.xyz | udp |
| NL | 192.42.116.41:80 | fazanaharahe1.xyz | tcp |
| US | 8.8.8.8:53 | xandelissane2.xyz | udp |
| NL | 192.42.116.41:80 | xandelissane2.xyz | tcp |
| US | 8.8.8.8:53 | ustiassosale3.xyz | udp |
| NL | 192.42.116.41:80 | ustiassosale3.xyz | tcp |
| US | 8.8.8.8:53 | cytheriata4.xyz | udp |
| NL | 192.42.116.41:80 | cytheriata4.xyz | tcp |
| US | 8.8.8.8:53 | ggiergionard5.xyz | udp |
| NL | 192.42.116.41:80 | ggiergionard5.xyz | tcp |
| US | 8.8.8.8:53 | rrelleynaniy6.store | udp |
| US | 8.8.8.8:53 | danniemusoa7.store | udp |
| BE | 35.205.61.67:80 | danniemusoa7.store | tcp |
| US | 8.8.8.8:53 | nastanizab8.store | udp |
| BE | 35.205.61.67:80 | nastanizab8.store | tcp |
| US | 8.8.8.8:53 | onyokandis9.store | udp |
| BE | 35.205.61.67:80 | onyokandis9.store | tcp |
| US | 8.8.8.8:53 | dmunaavank10.store | udp |
| BE | 35.205.61.67:80 | dmunaavank10.store | tcp |
| US | 8.8.8.8:53 | gilmandros11.site | udp |
| NL | 192.42.116.41:80 | gilmandros11.site | tcp |
| US | 8.8.8.8:53 | cusanthana12.site | udp |
| NL | 192.42.116.41:80 | cusanthana12.site | tcp |
| US | 8.8.8.8:53 | willietjeana13.site | udp |
| NL | 192.42.116.41:80 | willietjeana13.site | tcp |
| US | 8.8.8.8:53 | ximusokall14.site | udp |
| NL | 192.42.116.41:80 | ximusokall14.site | tcp |
| US | 8.8.8.8:53 | blodinetisha15.site | udp |
| NL | 192.42.116.41:80 | blodinetisha15.site | tcp |
| US | 8.8.8.8:53 | urydiahadyss16.club | udp |
| US | 8.8.8.8:53 | glasamaddama17.club | udp |
| US | 8.8.8.8:53 | marlingarly18.club | udp |
| US | 8.8.8.8:53 | alluvianna19.club | udp |
| US | 8.8.8.8:53 | xandirkaniel20.club | udp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| NL | 194.5.159.236:80 | 194.5.159.236 | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 195.201.225.248:443 | telete.in | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| US | 8.8.8.8:53 | leventcastajanslari.bykmedya.com | udp |
| TR | 31.192.214.222:80 | leventcastajanslari.bykmedya.com | tcp |
| MD | 94.158.245.117:80 | 94.158.245.117 | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| RU | 94.250.251.116:80 | 94.250.251.116 | tcp |
| LV | 5.188.89.24:80 | xandirkaniel20.club | tcp |
| DE | 144.76.183.53:63565 | tcp | |
| RU | 94.250.251.116:80 | 94.250.251.116 | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
Files
memory/664-114-0x00000000034A0000-0x00000000034A9000-memory.dmp
memory/888-115-0x0000000000400000-0x0000000000409000-memory.dmp
memory/888-116-0x0000000000402E68-mapping.dmp
memory/3024-117-0x00000000005D0000-0x00000000005E6000-memory.dmp
memory/2264-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\616.exe
| MD5 | ae6da8513fb80a0509ea550d961ee1e5 |
| SHA1 | 6b1bd8307e06243f47c471ff06384f7182f3415b |
| SHA256 | d3e07d2539c6a3b5a7e8406b7df1de4b57708eae19575b52e6c139f625f5faf0 |
| SHA512 | 950fb0f7684223843a94d95e101e8c9870bf047623e3da6d3f3486dac59e9b1494f6dd10900b084f3715528b9da7cdda5d00c644b18f9088a3f8a2f807240ada |
C:\Users\Admin\AppData\Local\Temp\616.exe
| MD5 | ae6da8513fb80a0509ea550d961ee1e5 |
| SHA1 | 6b1bd8307e06243f47c471ff06384f7182f3415b |
| SHA256 | d3e07d2539c6a3b5a7e8406b7df1de4b57708eae19575b52e6c139f625f5faf0 |
| SHA512 | 950fb0f7684223843a94d95e101e8c9870bf047623e3da6d3f3486dac59e9b1494f6dd10900b084f3715528b9da7cdda5d00c644b18f9088a3f8a2f807240ada |
memory/2264-121-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/3136-123-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B38.exe
| MD5 | 817ac34d1ded306b9ac0a1afd049d014 |
| SHA1 | 0977e75da937405c1a486e3c530f84f32b0c9374 |
| SHA256 | bae92c8e5a1bd4894f7c0931f281afface73430f43b8ce0eace583fff764ee5d |
| SHA512 | 8683e59745ba5a4c4949a864bc45193070f636dae79a40fea87f97cd32c64c3165ee4050ce5d31534d2d5013ffe358f40115662fdec802799f89a0af731257dd |
C:\Users\Admin\AppData\Local\Temp\B38.exe
| MD5 | 817ac34d1ded306b9ac0a1afd049d014 |
| SHA1 | 0977e75da937405c1a486e3c530f84f32b0c9374 |
| SHA256 | bae92c8e5a1bd4894f7c0931f281afface73430f43b8ce0eace583fff764ee5d |
| SHA512 | 8683e59745ba5a4c4949a864bc45193070f636dae79a40fea87f97cd32c64c3165ee4050ce5d31534d2d5013ffe358f40115662fdec802799f89a0af731257dd |
memory/840-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1357.exe
| MD5 | 608b93e344bd3dbb09d0af9da6856061 |
| SHA1 | b7c8bd7bace350d3c9c054ebb58f25535d22ee95 |
| SHA256 | 5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4 |
| SHA512 | 6e47bb4688737505af62a8c67cea4143185dc047340d8943d412b5274b229bd24628a31576a3250cdfb69b0b4fcfd74140fe83355f49527e7cf9f465c30ac131 |
C:\Users\Admin\AppData\Local\Temp\1357.exe
| MD5 | 608b93e344bd3dbb09d0af9da6856061 |
| SHA1 | b7c8bd7bace350d3c9c054ebb58f25535d22ee95 |
| SHA256 | 5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4 |
| SHA512 | 6e47bb4688737505af62a8c67cea4143185dc047340d8943d412b5274b229bd24628a31576a3250cdfb69b0b4fcfd74140fe83355f49527e7cf9f465c30ac131 |
memory/3136-129-0x00000000018A0000-0x00000000019EA000-memory.dmp
memory/3136-130-0x0000000000400000-0x00000000017C1000-memory.dmp
memory/840-131-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/840-132-0x00000000054B0000-0x00000000058AF000-memory.dmp
memory/840-134-0x0000000005DB0000-0x0000000005DB1000-memory.dmp
memory/3940-135-0x0000000000400000-0x0000000000490000-memory.dmp
memory/3940-136-0x000000000048AC9E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\616.exe
| MD5 | ae6da8513fb80a0509ea550d961ee1e5 |
| SHA1 | 6b1bd8307e06243f47c471ff06384f7182f3415b |
| SHA256 | d3e07d2539c6a3b5a7e8406b7df1de4b57708eae19575b52e6c139f625f5faf0 |
| SHA512 | 950fb0f7684223843a94d95e101e8c9870bf047623e3da6d3f3486dac59e9b1494f6dd10900b084f3715528b9da7cdda5d00c644b18f9088a3f8a2f807240ada |
memory/840-138-0x00000000050A2000-0x00000000050A3000-memory.dmp
memory/840-139-0x00000000050A3000-0x00000000050A4000-memory.dmp
memory/840-142-0x0000000005950000-0x0000000005951000-memory.dmp
memory/3940-144-0x0000000005840000-0x0000000005841000-memory.dmp
memory/1200-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1C70.exe
| MD5 | 41a70f114bda5249101c447699138072 |
| SHA1 | c8cc8a9c38750b73b0846525ebe46057dca6347b |
| SHA256 | f97814c36e18f9b2e5c0c31854dfe9b07377b8db9597e9719a5006b94a899803 |
| SHA512 | 1e70b8aae5fb51bdfec176a05c0c74407cf32e02a11c864e277a698b8fc79ce39a9b02657fde9ed47f2964859b51c4bb12b04c2a44b3270348f8c84170e78fd7 |
memory/3940-147-0x0000000005770000-0x0000000005C6E000-memory.dmp
memory/840-148-0x00000000050A4000-0x00000000050A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C70.exe
| MD5 | 41a70f114bda5249101c447699138072 |
| SHA1 | c8cc8a9c38750b73b0846525ebe46057dca6347b |
| SHA256 | f97814c36e18f9b2e5c0c31854dfe9b07377b8db9597e9719a5006b94a899803 |
| SHA512 | 1e70b8aae5fb51bdfec176a05c0c74407cf32e02a11c864e277a698b8fc79ce39a9b02657fde9ed47f2964859b51c4bb12b04c2a44b3270348f8c84170e78fd7 |
memory/3940-150-0x00000000057E0000-0x00000000057E5000-memory.dmp
memory/840-152-0x00000000058E0000-0x00000000058E1000-memory.dmp
memory/3940-151-0x00000000057F0000-0x00000000057F2000-memory.dmp
\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | f964811b68f9f1487c2b41e1aef576ce |
| SHA1 | b423959793f14b1416bc3b7051bed58a1034025f |
| SHA256 | 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7 |
| SHA512 | 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4 |
memory/1452-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2318.exe
| MD5 | af5513b5bd8693c763d573f63a60115d |
| SHA1 | e96879e2727dde064fa55302584e314781b52607 |
| SHA256 | 4829947a4fdc5394f34820c85c8a0a7d63086e0e006b0e980f82285bad951678 |
| SHA512 | 88450e3645c8ce73339696a9d2845332ea877a8f477f341538be77119edf38c2d67db23118c572a2836b43e50f297b03ce893b441c1301134cc44dde5001547f |
C:\Users\Admin\AppData\Local\Temp\2318.exe
| MD5 | af5513b5bd8693c763d573f63a60115d |
| SHA1 | e96879e2727dde064fa55302584e314781b52607 |
| SHA256 | 4829947a4fdc5394f34820c85c8a0a7d63086e0e006b0e980f82285bad951678 |
| SHA512 | 88450e3645c8ce73339696a9d2845332ea877a8f477f341538be77119edf38c2d67db23118c572a2836b43e50f297b03ce893b441c1301134cc44dde5001547f |
memory/1452-157-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/840-161-0x0000000007D80000-0x0000000007D81000-memory.dmp
memory/1200-160-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
memory/1200-163-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/1200-164-0x0000000077020000-0x00000000771AE000-memory.dmp
memory/1200-165-0x0000000005580000-0x0000000005581000-memory.dmp
memory/1200-167-0x00000000056B0000-0x00000000056B1000-memory.dmp
memory/1452-168-0x000000001BF70000-0x000000001BF72000-memory.dmp
memory/1200-169-0x00000000055E0000-0x00000000055E1000-memory.dmp
memory/1452-171-0x000000001BE90000-0x000000001BF3E000-memory.dmp
memory/1200-172-0x00000000054E0000-0x0000000005AE6000-memory.dmp
memory/2656-173-0x0000000000000000-mapping.dmp
memory/2656-178-0x000001D07DF10000-0x000001D07DF11000-memory.dmp
memory/2656-181-0x000001D07E1D0000-0x000001D07E1D1000-memory.dmp
memory/2656-182-0x000001D07DFC0000-0x000001D07DFC2000-memory.dmp
memory/2656-183-0x000001D07DFC3000-0x000001D07DFC5000-memory.dmp
memory/1200-184-0x0000000005620000-0x0000000005621000-memory.dmp
memory/2368-189-0x0000000000000000-mapping.dmp
memory/2368-192-0x0000000007240000-0x0000000007241000-memory.dmp
memory/2368-193-0x00000000071F0000-0x00000000071F1000-memory.dmp
memory/2368-194-0x00000000078B0000-0x00000000078B1000-memory.dmp
memory/2368-195-0x00000000071F2000-0x00000000071F3000-memory.dmp
memory/2368-196-0x0000000008110000-0x0000000008111000-memory.dmp
memory/2368-197-0x00000000081B0000-0x00000000081B1000-memory.dmp
memory/2368-199-0x0000000008280000-0x0000000008281000-memory.dmp
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA1 | a6923da95705fb81e368ae48f93d28522ef552fb |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
| SHA512 | 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
| MD5 | eae9273f8cdcf9321c6c37c244773139 |
| SHA1 | 8378e2a2f3635574c106eea8419b5eb00b8489b0 |
| SHA256 | a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc |
| SHA512 | 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
| MD5 | 4e8df049f3459fa94ab6ad387f3561ac |
| SHA1 | 06ed392bc29ad9d5fc05ee254c2625fd65925114 |
| SHA256 | 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871 |
| SHA512 | 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
| MD5 | 60acd24430204ad2dc7f148b8cfe9bdc |
| SHA1 | 989f377b9117d7cb21cbe92a4117f88f9c7693d9 |
| SHA256 | 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97 |
| SHA512 | 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01 |
memory/2368-204-0x0000000007540000-0x0000000007541000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\616.exe.log
| MD5 | 605f809fab8c19729d39d075f7ffdb53 |
| SHA1 | c546f877c9bd53563174a90312a8337fdfc5fdd9 |
| SHA256 | 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556 |
| SHA512 | 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3 |
memory/2368-207-0x0000000008930000-0x0000000008931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 28d9755addec05c0b24cca50dfe3a92b |
| SHA1 | 7d3156f11c7a7fb60d29809caf93101de2681aa3 |
| SHA256 | abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9 |
| SHA512 | 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42 |
memory/2368-213-0x0000000009FF0000-0x0000000009FF1000-memory.dmp
memory/2368-214-0x00000000096E0000-0x00000000096E1000-memory.dmp
memory/3788-215-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\r1b3acux\r1b3acux.cmdline
| MD5 | 59515d05de3ffe0d490ed0fc7fdb9945 |
| SHA1 | 7d823c3d29934fbc0ce17b0351ba957cbd1def22 |
| SHA256 | 2b07afbc43ce3254e9294b77bb979fadc5bd405035b83034678bca0ce9585ec9 |
| SHA512 | 3deaeb0a9543969360a63d180929804508b2c4ff0b2ba7ec82d587d6c8d72ff4fc38a3a284b996062057d2ed0a0fb49137cc74669b865f5af7fc76139291609e |
\??\c:\Users\Admin\AppData\Local\Temp\r1b3acux\r1b3acux.0.cs
| MD5 | 9f8ab7eb0ab21443a2fe06dab341510e |
| SHA1 | 2b88b3116a79e48bab7114e18c9b9674e8a52165 |
| SHA256 | e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9 |
| SHA512 | 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b |
memory/3716-218-0x0000000000000000-mapping.dmp
memory/2684-219-0x0000000000000000-mapping.dmp
memory/1200-220-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
memory/1200-221-0x00000000076F0000-0x00000000076F1000-memory.dmp
memory/196-222-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\r1b3acux\CSC4109AB9BC2E044DA9AEFFD9AD2E3D0ED.TMP
| MD5 | bd1f7ffe64fe029ff4e6a82afa0f4ee6 |
| SHA1 | 24ccd5a4570f80481bdd00b3be11ae16db163be0 |
| SHA256 | d83589ef9fb1182fbd66cf0fb85ba1f1171127d07e6a7b51c64e3445416b22d1 |
| SHA512 | 03df538e31b311b9cc5b10af54cb0895d097cf45a70f6edb52a366f35c7fa6ba50e6b94360c797bdff326279bd58e514c9639898a1a71482b35df70126cd00ba |
C:\Users\Admin\AppData\Local\Temp\RES5436.tmp
| MD5 | 7698decce2be4cfed2ec195a355cfa84 |
| SHA1 | 6485c9d4d68e57f31ebc87be6388dbe9544fa84b |
| SHA256 | 6ca628234e69e4d4c4939ab7544a36634cd259b0bbeb993d080e73ae8986ee4d |
| SHA512 | 4ad0c00fc8355083d0fa6509dc7a82ac365528683db96e97bc774596e76491be379d0d3a15a9be9c36e355ffeb590211a407b74ae69b02565e3850762b1b2bca |
C:\Users\Admin\AppData\Local\Temp\r1b3acux\r1b3acux.dll
| MD5 | 93b6f44ba90a838331efd9d6e02121a7 |
| SHA1 | 5b2bbf728dbf592d74b027da39e08d7c7a5d2821 |
| SHA256 | aa5f5b5f625ac6f39d6028fc0701b521666940a266e172ae3a0be6f9737cfb32 |
| SHA512 | 650564b6599ae346c9b2e543fd5958897458d8fa5cad6e7d8b962eaf2caa6ed1e864ed97b73e6524569ebf4dfa2d86bf7ada71bf97d65b347ec90514330a5966 |
memory/2368-226-0x0000000008710000-0x0000000008711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
| MD5 | 794bf0ae26a7efb0c516cf4a7692c501 |
| SHA1 | c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2 |
| SHA256 | 97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825 |
| SHA512 | 20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75 |
memory/1200-232-0x0000000007570000-0x0000000007571000-memory.dmp
memory/2368-233-0x00000000071F3000-0x00000000071F4000-memory.dmp
memory/1200-234-0x0000000007640000-0x0000000007641000-memory.dmp
memory/2368-255-0x00000000099E0000-0x00000000099E1000-memory.dmp
memory/836-256-0x0000000000000000-mapping.dmp
memory/836-266-0x00000000065B2000-0x00000000065B3000-memory.dmp
memory/836-265-0x00000000065B0000-0x00000000065B1000-memory.dmp
memory/836-277-0x0000000008390000-0x00000000083C3000-memory.dmp
memory/836-291-0x000000007F610000-0x000000007F611000-memory.dmp
memory/1720-511-0x0000000000000000-mapping.dmp
memory/1720-522-0x0000000004B52000-0x0000000004B53000-memory.dmp
memory/1720-521-0x0000000004B50000-0x0000000004B51000-memory.dmp
memory/2656-528-0x000001D07DFC6000-0x000001D07DFC8000-memory.dmp
memory/1720-553-0x000000007F0E0000-0x000000007F0E1000-memory.dmp
memory/3960-773-0x0000000000000000-mapping.dmp
memory/3960-784-0x0000000007422000-0x0000000007423000-memory.dmp
memory/3960-783-0x0000000007420000-0x0000000007421000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | f3068198b62b4b70404ec46694d632be |
| SHA1 | 7b0b31ae227cf2a78cb751573a9d07f755104ea0 |
| SHA256 | bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8 |
| SHA512 | ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795 |
memory/3960-809-0x000000007EC90000-0x000000007EC91000-memory.dmp
memory/1688-1048-0x0000000000000000-mapping.dmp
memory/1304-1049-0x0000000000000000-mapping.dmp
memory/3484-1050-0x0000000000000000-mapping.dmp
memory/2088-1087-0x0000000000000000-mapping.dmp
memory/3840-1088-0x0000000000000000-mapping.dmp
memory/688-1091-0x0000000000000000-mapping.dmp
memory/1044-1092-0x0000000000000000-mapping.dmp
memory/3544-1093-0x0000000000000000-mapping.dmp
memory/1168-1094-0x0000000000000000-mapping.dmp
memory/188-1095-0x0000000000000000-mapping.dmp
memory/3380-1096-0x0000000000000000-mapping.dmp
memory/3716-1097-0x0000000000000000-mapping.dmp
memory/196-1098-0x0000000000000000-mapping.dmp